usha chokka

Reputation: 277

error: getting assigned identities for pod in CREATED state failed - AKS AAD-Pod identity

I'm getting the below error for the pod in the NMI logs on AKS (1.14.8), using AAD Pod Identity with a managed identity. I have followed the steps specified in https://github.com/Azure/aad-pod-identity, except that we want to use the managed identity for Azure SQL PaaS. Ref link: https://trstringer.com/connect-k8s-apps-msi/

E0618 17:19:40.762387 1 server.go:370] failed to get matching identities for pod: default/schedulerserviceapi-7fc4dc9547-95vbw, error: getting assigned identities for pod default/schedulerserviceapi-7fc4dc9547-95vbw in CREATED state failed after 16 attempts, retry duration [5]s. Error: <nil>

Upvotes: 1

Views: 5244

Answers (2)

kenorb

Reputation: 166467

Make sure your configured identities and bindings match your pods.

Read more: Best Practices and Demo.

Find below an example of a pod using multiple AzureIdentities.

AzureIdentities

apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: az-id-1
spec:
  type: 0
  resourceID: <ResourceID of az-id-1>
  clientID: <ClientID of az-id-1>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: az-id-2
spec:
  type: 0
  resourceID: <ResourceID of az-id-2>
  clientID: <ClientID of az-id-2>

AzureIdentityBinding

apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: az-id-1-binding
spec:
  azureIdentity: az-id-1
  selector: az-id-combined
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: az-id-2-binding
spec:
  azureIdentity: az-id-2
  selector: az-id-combined

Pod

apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    aadpodidbinding: az-id-combined
...

Note: if you do not specify which managed identity to use (e.g. az login -i), then one of the managed identities matching the aadpodidbinding selector will be selected at random. To make sure the right managed identity is used for a particular workload, specify the managed identity's clientId (e.g. az login -i -u <CLIENT ID>) or resourceID (e.g. az login -i -u <RESOURCE ID>) when authenticating.


Check files at deploy/demo for more examples.


To list all Azure identities in your cluster, run:

kubectl get azureidentities -A

Upvotes: 1
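As an added example (not from the answer above or the aad-pod-identity project), a small Python check that walks the same chain MIC has to resolve, pod label to AzureIdentityBinding selector to AzureIdentity, over the answer's resources represented as dicts constructed inline. It reports a pod whose label matches no binding or whose binding points at a missing identity (either leaves NMI with no assigned identity to return) and flags the multi-identity case the note warns about. Function names and the wording of the findings are mine.

```python
# Added example (not from the answer or the aad-pod-identity project):
# walks the pod label -> AzureIdentityBinding selector -> AzureIdentity
# chain that MIC resolves before NMI can hand the pod a token.
LABEL = "aadpodidbinding"  # label key that bindings select on


def resolve_identities(pod, bindings, identities):
    """Return (identity_names, findings); an empty findings list means the chain resolves cleanly."""
    findings = []
    label = pod.get("metadata", {}).get("labels", {}).get(LABEL)
    if not label:
        return [], [f"pod {pod['metadata']['name']} has no {LABEL} label"]
    known = {i["metadata"]["name"] for i in identities}
    matched = [b for b in bindings if b["spec"].get("selector") == label]
    if not matched:
        findings.append(f"no AzureIdentityBinding has selector {label!r}")
    names = []
    for b in matched:
        target = b["spec"].get("azureIdentity")
        if target in known:
            names.append(target)
        else:
            findings.append(f"binding {b['metadata']['name']} references "
                            f"missing AzureIdentity {target!r}")
    if len(names) > 1:  # the random-selection case the answer's note warns about
        findings.append(f"{len(names)} identities match {label!r}; "
                        "pin clientID or resourceID in the workload")
    return names, findings


def res(kind, name, **spec):
    """Minimal aad-pod-identity resource as a dict (constructed sample data)."""
    return {"apiVersion": "aadpodidentity.k8s.io/v1", "kind": kind,
            "metadata": {"name": name}, "spec": spec}


# Constructed samples mirroring the answer's YAML: two identities bound to one selector.
IDENTITIES = [res("AzureIdentity", f"az-id-{n}", type=0,
                  resourceID=f"<ResourceID of az-id-{n}>",
                  clientID=f"<ClientID of az-id-{n}>") for n in (1, 2)]
BINDINGS = [res("AzureIdentityBinding", f"az-id-{n}-binding",
                azureIdentity=f"az-id-{n}", selector="az-id-combined") for n in (1, 2)]
DEMO_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo", "labels": {LABEL: "az-id-combined"}}}

if __name__ == "__main__":
    for pod in (DEMO_POD, {"metadata": {"name": "unlabelled"}}):
        print(pod["metadata"]["name"], resolve_identities(pod, BINDINGS, IDENTITIES))
```

Against a live cluster, feed it the output of kubectl get azureidentities, azureidentitybindings and the pod, after converting to dicts, to see which part of the chain is broken before digging through MIC logs.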

bpdohall

Reputation: 1051

The likely cause for this is that your cluster service principal does not have the role Managed Identity Operator.

You can check the logs of the MIC service and look for the following log snippet: "not have permission to perform action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'"

You can assign the role to the service principal using the CLI commands below:

# retrieve cluster service principal clientId ($SP_CLIENT_ID below)
az aks show -g $RESOURCE_GROUP -n $AKS_CLUSTER_NAME --query servicePrincipalProfile.clientId -o tsv

# assign role to SP
az role assignment create --role "Managed Identity Operator" --assignee $SP_CLIENT_ID  --scope /subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP

ref: https://github.com/Azure/aad-pod-identity/issues/585

Upvotes: 3
