search

Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/
1.95k stars 305 forks source link

[BUG] updating api-server-authorized-ip-ranges reports AAD role propagation error #3911

Closed chouclee closed 3 days ago

chouclee commented 12 months ago

Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

  1. Run command 

    az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --api-server-authorized-ip-ranges $newAuthorizedIps

  2. See error

    Waiting for AAD role to propagate[### ] 10.0000%
Waiting for AAD role to propagate[####### ] 20.0000%
Waiting for AAD role to propagate[########## ] 30.0000%
Waiting for AAD role to propagate[############## ] 40.0000%
Waiting for AAD role to propagate[################## ] 50.0000%
Waiting for AAD role to propagate[##################### ] 60.0000%
Waiting for AAD role to propagate[######################### ] 70.0000%
Waiting for AAD role to propagate[############################ ] 80.0000%
Waiting for AAD role to propagate[################################ ] 90.0000%WARNING: Could not create a role assignment for subnet. Are you an Owner on this subscription?

    The update was completed but taking ~6mins in order to wait for AAD role to propagate.

Expected behavior Why updating authorized ip list has anything to do with AAD role propagation? I think that one is only required for cluster creation?

Screenshots If applicable, add screenshots to help explain your problem.

Screenshot 2023-09-18 at 1 57 32 PM

Environment (please complete the following information):

Additional context Add any other context about the problem here.

nunoalima commented 9 months ago

Any updates here?

We're facing the same issue using both a user-assigned managed identity with Contributor rights over the AKS cluster and a regular AAD User account, also a Contributor.

What should be a relatively quick command is also taking over 6 minutes: az aks update --resource-group $AKS_RG --name $AKS_NAME --api-server-authorized-ip-ranges $IP

Azure CLI Using azure/login@v1 image Same outcome running locally using Azure CLI 2.54.0 and 2.55.0.

Logs image

MO2k4 commented 6 months ago

i am also facing this issue, is there any update on this? as this is really annoying

@AllenWen-at-Azure sorry for tagging you directly, but since i saw you on some other tickets, could u maybe have a look into this as well?

AllenWen-at-Azure commented 6 months ago

Hi @norshtein , could you please help check is this the same issue you fixed in https://github.com/Azure/azure-cli/issues/18528?

AllenWen-at-Azure commented 2 weeks ago

Hi @chouclee are you still facing this issue?

MO2k4 commented 3 days ago

@AllenWen-at-Azure this issue is still there

WARNING: Could not create a role assignment for Monitoring addon. Are you an Owner on this subscription?