This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
Describe the bug
We received the following error on deploying our AppGW :
...
Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
...
Output of kubectl describe pod -n kube-system ingress-appgw-deployment-76768b7d9d-bvmz9.
Events:
Type     Reason                     Age  From                       Message
----     ------                     ---  ----                       -------
Normal   Scheduled                  6s   default-scheduler          Successfully assigned kube-system/ingress-appgw-deployment-76768b7d9d-bvmz9 to aks-agentpool-16208625-vmss000000
Normal   Pulled                     7s   kubelet                    Container image "mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.5.2" already present on machine
Normal   Created                    7s   kubelet                    Created container ingress-appgw-container
Normal   Started                    6s   kubelet                    Started container ingress-appgw-container
Warning  FailedApplyingAppGwConfig  6s   azure/application-gateway  network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client '26d26833-434a-4094-a124-82ddd684dc0c' with object id '26d26833-434a-4094-a124-82ddd684dc0c' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
To Reproduce
Follow these steps
Ingress Controller details
kubectl describe pod -n kube-system ingress-appgw-deployment-76768b7d9d-bvmz9
PS: this issue is similar to this. And I ran:
az role assignment create --role "Managed Identity Operator" --assignee xxxxxxxx-551c-46a7-b1c2-e4eb093784ce --scope /subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev
And the permission was added successfully, but the error mentioned in the logs is still present.
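The LinkedAuthorizationFailed message quoted above names two things precisely: the action the controller's identity is missing and the linked scope on which it is missing, which here is the user-assigned identity resource, not the Application Gateway. Azure RBAC assignments inherit downward only (subscription, then resource group, then resource), so an assignment scoped to a sibling resource such as the gateway does not cover the identity. As an added example, not part of this issue or of the AGIC project, the POSIX shell helper below pulls those two fields out of such a message, maps the assign action to the built-in role that carries it (Managed Identity Operator), builds the `az role assignment create` command against the linked scope, and checks whether an existing assignment scope covers that scope (resource IDs compared case-insensitively, since the message lowercases `resourcegroups`). The sample message is constructed from the pod event in this issue; the role mapping only knows the single action that appears here.

```shell
#!/bin/sh
# Added example (not the issue author's or the AGIC project's code).
# Parses an Azure LinkedAuthorizationFailed message and derives the role
# assignment that targets the linked scope named in it.

# Constructed sample: the failing event from this issue, on one line.
SAMPLE_ERROR=$(cat <<'EOF'
Code="LinkedAuthorizationFailed" Message="The client '26d26833-434a-4094-a124-82ddd684dc0c' with object id '26d26833-434a-4094-a124-82ddd684dc0c' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
EOF
)

# The scope the issue author assigned the role on (the gateway itself).
GATEWAY_SCOPE='/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'

# Action the principal lacks, taken from the "does not have permission" clause.
missing_action() {
  printf '%s\n' "$1" | sed -n "s/.*does not have permission to perform action '\([^']*\)'.*/\1/p"
}

# Resource ID the action must be granted on, taken from the "linked scope(s)" clause.
linked_scope() {
  printf '%s\n' "$1" | sed -n "s/.*on the linked scope(s) '\([^']*\)'.*/\1/p"
}

# Built-in role carrying the action. Only the action from this issue is mapped;
# anything else is reported as unknown and the caller gets a non-zero status.
role_for_action() {
  case "$1" in
    Microsoft.ManagedIdentity/userAssignedIdentities/assign/action) echo "Managed Identity Operator" ;;
    *) echo "UNKNOWN"; return 1 ;;
  esac
}

# Emit the az command that assigns the right role on the linked scope.
fix_command() {
  err=$1
  assignee=$2
  action=$(missing_action "$err")
  scope=$(linked_scope "$err")
  role=$(role_for_action "$action") || return 1
  printf 'az role assignment create --role "%s" --assignee %s --scope %s\n' "$role" "$assignee" "$scope"
}

# Does an assignment at $2 cover the scope $1? True when $2 equals $1 or is an
# ancestor of it (assignments inherit downward). Resource IDs are
# case-insensitive in Azure, so both sides are lowercased before comparing.
scope_covered() {
  needed=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  assigned=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$needed" in
    "$assigned"|"$assigned"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demonstration on the sample message.
IDENTITY_SCOPE=$(linked_scope "$SAMPLE_ERROR")
echo "missing action : $(missing_action "$SAMPLE_ERROR")"
echo "linked scope   : $IDENTITY_SCOPE"
echo "fix            : $(fix_command "$SAMPLE_ERROR" 26d26833-434a-4094-a124-82ddd684dc0c)"
if scope_covered "$IDENTITY_SCOPE" "$GATEWAY_SCOPE"; then
  echo "gateway-scoped assignment covers the identity"
else
  echo "gateway-scoped assignment does NOT cover the identity (sibling resource, no inheritance)"
fi
```

Running it against the issue's message shows that the assignment the author created, scoped to `agw-kubota-dev`, does not cover the linked scope; `scope_covered` returns true for the identity resource itself and for its resource group or subscription, which are the scopes an assignment would need to sit at.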