hjarraya closed this 5 years ago
@hjarraya The entire AzureAssignedIdentity creation process gets triggered when we create the volume at pod creation time. All these components (find identity, assign identity, retrieve token for key vault) will take time to complete. If volume mount fails, the kubelet will retry. Hence you are seeing errors in the log but looks like eventually all the dependent components got created successfully. So this is expected. Hope this helps.
Thank you for the explanation @ritazh, now we know not to investigate this. Gotta second @hjarraya though in that the behaviour does not seem consistent nor reliable; doesn't feel like it's purely a documentation issue.
closed via #94
This experience can be improved by fixing issue https://github.com/Azure/aad-pod-identity/issues/181
Currently the key vault calls to NMI are not retried by the key vault. The retry is getting added to the NMI calls themselves in https://github.com/Azure/aad-pod-identity/issues/181. Reopening this issue to ensure that we retry in the key vault itself when its attempt to reach the NMI fails. This will give the key vault flex volume the ability to tune its retry attempts to ensure that the kubelet does not time out the mount attempt, and make it more resilient to the underlying vm/vmss assignment attempts by aad pod identity.
Closed via #102
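The retry described in the comment above, sketched as an added example (not the flexvolume's or aad-pod-identity's own code): the token request is retried with capped exponential backoff inside a fixed time budget, so the mount call returns before the kubelet would time it out. `fetchFunc`, `errNotReady`, `retryToken` and all durations are hypothetical names and values chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// fetchFunc is a hypothetical stand-in for one token request to NMI.
type fetchFunc func(ctx context.Context) (string, error)

// errNotReady is a constructed error modelling "identity not assigned yet".
var errNotReady = errors.New("identity not assigned yet")

// retryToken retries fetch with capped exponential backoff and stops once
// budget is spent. It returns the token, the number of attempts, and an error.
func retryToken(ctx context.Context, fetch fetchFunc, budget, initial, maxDelay time.Duration) (string, int, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	delay := initial
	for attempt := 1; ; attempt++ {
		tok, err := fetch(ctx)
		if err == nil {
			return tok, attempt, nil
		}
		if !errors.Is(err, errNotReady) {
			return "", attempt, err // permanent failure: retrying will not help
		}
		select {
		case <-ctx.Done(): // budget exhausted: fail now and let the kubelet retry the mount
			return "", attempt, fmt.Errorf("gave up after %d attempts: %w", attempt, err)
		case <-time.After(delay):
		}
		if delay *= 2; delay > maxDelay {
			delay = maxDelay
		}
	}
}

func main() {
	calls := 0
	// Constructed fetch: the identity becomes usable on the third attempt.
	fetch := func(ctx context.Context) (string, error) {
		if calls++; calls < 3 {
			return "", errNotReady
		}
		return "constructed-token", nil
	}
	tok, n, err := retryToken(context.Background(), fetch, 2*time.Second, 50*time.Millisecond, 400*time.Millisecond)
	fmt.Println(tok, n, err)
}
```

The budget passed to `retryToken` would be set below whatever mount timeout applies in the cluster; that value is not given in this thread.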
Hi,
I am having an issue that I am not able to explain/isolate. When the pod starts it fails to mount, and then after a few minutes it successfully mounts the kv-flexvolume. This is not consistent; sometimes it never mounts.
Here are the logs from the aks-default-38594516-0