Azure / azure-cli

Azure Command-Line Interface
MIT License

az aks command invoke FAILS for any helm operation #18759

Open rbickel opened 3 years ago

rbickel commented 3 years ago

Describe the bug

When trying to run a helm command using the az aks command on an AKS cluster, every helm command fails with a permission exception. Example of failing command:

az aks command invoke -g <group> -n <name> -c "helm install happy-panda bitnami/wordpress"

command started at 2021-07-07 11:20:17+00:00, finished at 2021-07-07 11:20:17+00:00, with exitcode=1
Error: mkdir /.cache: permission denied

Or the following command from the documentation:

az aks command invoke -g <group> -n <name> -c "helm repo add bitnami https://charts.bitnami.com/bitnami && helm repo update && helm install my-release bitnami/nginx"

command started at 2021-07-07 11:29:10+00:00, finished at 2021-07-07 11:29:10+00:00, with exitcode=1
Error: mkdir /.config: permission denied

To Reproduce

AKS Private Cluster: no
AKS version: 1.19.11
Node pool version: 1.19.11

Run any helm command from az aks command:

az aks command invoke -g (g) -n (n) -c "helm repo add bitnami https://charts.bitnami.com/bitnami && helm repo update && helm install my-release bitnami/nginx"

Expected behavior

Should install the helm chart accordingly

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.22.1 *

Extensions:
aks-preview 0.5.19
connectedk8s 1.1.3
customlocation 0.1.2
k8s-extension 0.3.0

Additional Context

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

Issue Details
Author: rbickel
Assignees: -
Labels: `AKS`, `Service Attention`, `needs-triage`
Milestone: -

yonzhan commented 3 years ago

route to service team

miwithro commented 3 years ago

@rbickel can you ensure that the account you are using to use the run command has the following rights.

"Microsoft.ContainerService/managedClusters/runcommand/action"

It sounds as if this right was explicitly denied for your user account.

rbickel commented 3 years ago

I am subscription owner, and kubectl commands work smoothly though. It is a vanilla cluster, RBAC enabled.

rbickel commented 3 years ago

@miwithro any idea/suggestion?

miwithro commented 3 years ago

@haitch to comment.

haitch commented 3 years ago

I think this breaks when we switch to use non-root user to improve security.

I will look into fixing this ASAP.
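
An added illustration, not part of the thread and not azure-cli or Helm code: the two errors in the report (`mkdir /.cache`, `mkdir /.config`) match what Helm 3 does when its default directories resolve under `/`, which happens when `HOME` is empty or `/`. That reading is an assumption; the thread itself only says the command container switched to a non-root user. The script resolves Helm's cache, config and data directories using Helm 3's `HELM_*_HOME` / `XDG_*_HOME` precedence and checks whether the current user could create them. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or from azure-cli). Function names are hypothetical.

# helm_dir KIND: print the directory Helm 3 uses on Linux for cache|config|data.
# Precedence: HELM_<KIND>_HOME, then XDG_<KIND>_HOME/helm, then a default under $HOME.
helm_dir() {
    case "$1" in
        cache)  h=${HELM_CACHE_HOME:-};  x=${XDG_CACHE_HOME:-};  sub=.cache ;;
        config) h=${HELM_CONFIG_HOME:-}; x=${XDG_CONFIG_HOME:-}; sub=.config ;;
        data)   h=${HELM_DATA_HOME:-};   x=${XDG_DATA_HOME:-};   sub=.local/share ;;
        *) return 2 ;;
    esac
    home=${HOME:-}; home=${home%/}      # HOME unset or "/" both yield "/.cache/helm"
    if   [ -n "$h" ]; then printf '%s\n' "$h"
    elif [ -n "$x" ]; then printf '%s\n' "$x/helm"
    else printf '%s\n' "$home/$sub/helm"
    fi
}

# can_create DIR: succeed if `mkdir -p DIR` could work, i.e. the nearest
# existing ancestor is a directory the current user can write and traverse.
can_create() {
    p=$1
    while [ ! -e "$p" ]; do
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break
        p=$parent
    done
    [ -d "$p" ] && [ -w "$p" ] && [ -x "$p" ]
}

# helm_preflight: report each directory; non-zero status if any is unusable.
helm_preflight() {
    rc=0
    for kind in cache config data; do
        d=$(helm_dir "$kind")
        if can_create "$d"; then echo "ok      $kind -> $d"
        else echo "DENIED  $kind -> $d"; rc=1; fi
    done
    return "$rc"
}

# Constructed scenario: HOME is "/" and no overrides are set, as the errors in the report suggest.
( unset HELM_CACHE_HOME HELM_CONFIG_HOME HELM_DATA_HOME XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME
  HOME=/; helm_preflight ) || echo "helm would fail with 'permission denied' for this user"

# Same check with Helm's directories pointed at a writable scratch location.
( w=$(mktemp -d); HELM_CACHE_HOME=$w/cache; HELM_CONFIG_HOME=$w/config; HELM_DATA_HOME=$w/data
  helm_preflight )
```

Run as an unprivileged user, the first scenario reports all three directories as DENIED; run as root it reports them as ok, which is consistent with the failure appearing only after the switch to a non-root user.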