Closed dbilleci-lightstream closed 5 years ago
Here's the log from the node:
$ tail -f /var/log/kv-driver.log
Fri Feb 15 03:28:12 UTC 2019 mount
Fri Feb 15 03:28:12 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret
Fri Feb 15 03:28:16 UTC 2019 umount
Fri Feb 15 03:28:16 UTC 2019 ERROR: {"status": "Failure", "message": "/etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, Fri Feb 15 03:28:12 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret "}
Fri Feb 15 03:30:18 UTC 2019 ismounted | not mounted
Fri Feb 15 03:30:18 UTC 2019 PODNAME: nginx-flex-kv-podid
Fri Feb 15 03:30:18 UTC 2019 mount
Fri Feb 15 03:30:18 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret
Fri Feb 15 03:30:38 UTC 2019 umount
Fri Feb 15 03:30:38 UTC 2019 ERROR: {"status": "Failure", "message": "/etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, Fri Feb 15 03:30:18 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret "}
Fri Feb 15 03:32:40 UTC 2019 ismounted | not mounted
Fri Feb 15 03:32:40 UTC 2019 PODNAME: nginx-flex-kv-podid
Fri Feb 15 03:32:40 UTC 2019 mount
Fri Feb 15 03:32:40 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret
Fri Feb 15 03:32:41 UTC 2019 umount
Fri Feb 15 03:32:41 UTC 2019 ERROR: {"status": "Failure", "message": "/etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, Fri Feb 15 03:32:40 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret "}
Fri Feb 15 03:34:43 UTC 2019 ismounted | not mounted
Fri Feb 15 03:34:43 UTC 2019 PODNAME: nginx-flex-kv-podid
Fri Feb 15 03:34:43 UTC 2019 mount
Fri Feb 15 03:34:43 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret
Fri Feb 15 03:34:43 UTC 2019 umount
Fri Feb 15 03:34:43 UTC 2019 ERROR: {"status": "Failure", "message": "/etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume failed, Fri Feb 15 03:34:43 UTC 2019 /etc/kubernetes/volumeplugins/azure~kv/azurekeyvault-flexvolume -logtostderr=1 -vaultName=thetestkeyvault -vaultObjectNames=TEST -resourceGroup=TestKeyVault-Rg -dir=/var/lib/kubelet/pods/5042e81c-30ca-11e9-a56b-3af4beca0834/volumes/azure~kv/test -subscriptionId=11111111-1111-1111-1111-111111111111 -cloudName= -tenantId=22222222-2222-2222-2222-222222222222 -aADClientSecret= -aADClientID= -usePodIdentity=true -podNamespace=default -podName=nginx-flex-kv-podid -vaultObjectVersions= -vaultObjectTypes=secret "}
Fri Feb 15 03:36:45 UTC 2019 ismounted | not mounted
Fri Feb 15 03:36:45 UTC 2019 PODNAME: nginx-flex-kv-podid
@dbilleci-lightstream Can you please provide the logs from the mic pod and the nmi pod running on the same host as your pod? aks-default-15419034-0
Another thing to check: if your identity is created in a different resource group from that of the AKS nodes (prefixed with 'MC_'), then make sure you run the following to ensure your AKS service principal has the managed identity role to assign permissions to your azure identity 0afbc123-3-eus2-uai:
az role assignment create --role "Managed Identity Operator" --assignee <sp id> --scope <full id of the managed identity>
For more details, refer to: https://github.com/Azure/aad-pod-identity#providing-required-permissions-for-mic
Hi @ritazh, thank you for your reply. Yes, the SPN attached to the AKS cluster is not part of the MC_ group. I checked the logs on the mic pod and saw the error saying that the SPN did not have authorization to write userAction to the identity as you predicted.
I0215 16:27:42.096947 1 event.go:218] Event(v1.ObjectReference{Kind:"AzureIdentityBinding", Namespace:"default", Name:"0afbc123-3-eus2-uai-binding", UID:"317e14d2-30bc-11e9-a56b-3af4beca0834", APIVersion:"aadpodidentity.k8s.io/v1", ResourceVersion:"1160", FieldPath:""}): type: 'Warning' reason: 'binding apply error' Applying binding 0afbc123-3-eus2-uai-binding node aks-default-15419034-0 for pod nginx-flex-kv-podid-default-0afbc123-3-eus2-uai resulted in error compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=403 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff' with object id 'abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/MC_Backend-X-Stage-Eus2-Rg_Backend-X-Stage-Eus2-Aks_eastus2/providers/Microsoft.Compute/virtualMachines/aks-default-15419034-0'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/ManagedServiceIdentity-Stage-Eus2-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/0afbc123-3-eus2-uai'."
The reason I missed this step is that the README says this about installing aad-pod-identity:
"Deploy pod identity components to your cluster Follow *these steps* to install pod identity."
However not all steps are needed, and it is difficult to decide at what point to stop when you are new to the project. I would suggest we update the documentation there. I can help with a PR for this!
Next, I added the "Managed Identity Operator" permission to the AKS SPN, but the error message did not change at all.
$ az role assignment create --role "Managed Identity Operator" --assignee abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff --scope /subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/ManagedServiceIdentity-Stage-Eus2-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/0afbc123-3-eus2-uai
{
"canDelegate": null,
"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/ManagedServiceIdentity-Stage-Eus2-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/0afbc123-3-eus2-uai/providers/Microsoft.Authorization/roleAssignments/7eca8214-bca1-4dea-99e3-f750fc04d21f",
"name": "7eca8214-bca1-4dea-99e3-f750fc04d21f",
"principalId": "abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff",
"resourceGroup": "ManagedServiceIdentity-Stage-Eus2-Rg",
"roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
"scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/ManagedServiceIdentity-Stage-Eus2-Rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/0afbc123-3-eus2-uai",
"type": "Microsoft.Authorization/roleAssignments"
}
I'm going to try and destroy everything and start from scratch again, I want to make sure this process works from the ground up each time as it will be deployed many times for us.
Do you know the reason why I would still be getting the error message even after adding the permission? I would think the change would be immediate? I'll post my results of the next attempt as well.
Thank you!
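A triage helper for the LinkedAuthorizationFailed error in the mic log above, written as an added example (not the project's code or anything from the thread): it extracts the missing action and linked scope from the event text, emits the `az role assignment create` command ritazh recommended, and checks `az role assignment list` output for the Managed Identity Operator role on the identity scope or a parent scope. The sample event and assignment are constructed from the placeholder ids in the thread; the role definition GUID is the one the az output above returned.

```python
import json
import re

# Built-in "Managed Identity Operator" role definition GUID, as returned by az above.
OPERATOR_ROLE_ID = "f1a07417-d97a-45cb-824c-7a7467783830"
ASSIGN_ACTION = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
ERR_RE = re.compile(r"The client '[^']+' with object id '(?P<oid>[^']+)'.*?does not have permission"
                    r" to perform action '(?P<action>[^']+)' on the linked scope\(s\) '(?P<scope>[^']+)'", re.S)

def parse_linked_auth_failure(event_text):
    """(object_id, missing_action, linked_scope) from a MIC 'binding apply error' event, else None."""
    if 'Code="LinkedAuthorizationFailed"' not in event_text:
        return None
    m = ERR_RE.search(event_text)
    return (m["oid"], m["action"], m["scope"]) if m else None

def suggested_fix(event_text):
    """Turn the error into the role assignment the maintainer recommended (assign/action only)."""
    parsed = parse_linked_auth_failure(event_text)
    if not parsed or parsed[1] != ASSIGN_ACTION:
        return None
    oid, _, scope = parsed
    return f'az role assignment create --role "Managed Identity Operator" --assignee {oid} --scope {scope}'

def _covers(assignment_scope, target_scope):
    """Role assignments inherit downward: a scope covers itself and any child scope.
    Compared case-insensitively because az returns mixed 'resourcegroups' casing."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def has_operator_assignment(assignments_json, object_id, identity_scope):
    """True if `az role assignment list` output grants Managed Identity Operator to object_id
    at identity_scope or a parent scope; False means MIC will keep getting the 403 above."""
    return any(a.get("principalId") == object_id
               and a.get("roleDefinitionId", "").lower().endswith("/" + OPERATOR_ROLE_ID)
               and _covers(a.get("scope", ""), identity_scope)
               for a in json.loads(assignments_json))

# Constructed sample input, reusing the placeholder ids from the thread above.
IDENTITY_SCOPE = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/"
                  "ManagedServiceIdentity-Stage-Eus2-Rg/providers/Microsoft.ManagedIdentity/"
                  "userAssignedIdentities/0afbc123-3-eus2-uai")
SAMPLE_EVENT = ('Original Error: Code="LinkedAuthorizationFailed" Message="The client '
                "'abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff' with object id 'abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff' has "
                "permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '...'; however, it "
                f"does not have permission to perform action '{ASSIGN_ACTION}' on the linked scope(s) '{IDENTITY_SCOPE}'.\"")
SAMPLE_ASSIGNMENTS = json.dumps([{"principalId": "abcdabcd-aaaa-bbbb-cccc-ddddeeeeffff", "scope": IDENTITY_SCOPE,
    "roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/" + OPERATOR_ROLE_ID,
    "type": "Microsoft.Authorization/roleAssignments"}])
```

Run `suggested_fix` on the mic event text to get the command, and `has_operator_assignment` on the az output to confirm the assignment landed before redeploying the pod identity components.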
@dbilleci-lightstream
I would suggest we update the documentation there. I can help with a PR for this!
Yes this step should definitely be mentioned in the README. PRs are definitely welcome! 👍 If you have more issues on pod identity and if you are looking for more detailed steps, you can also checkout the pod identity repo: https://github.com/Azure/aad-pod-identity.
why I would still be getting the error message even after adding the permission
I have seen the permission assignment take a few minutes to kick in. You might also want to redeploy all the pod identity components just to be safe. One way to verify that the pod identity is working is to ensure the identity has been assigned to your node after you deployed the pod. Here is what it looks like from the Azure portal:
It worked on the new cluster I spun up! I waited about 5+ minutes after applying the permission on the old cluster, but the permission didn't kick in yet; I should have waited 30 minutes to make sure. Sorry about that. But, a new cluster did work.
I see the identity mapped as you have shown in your image there to the VM node in the agentpool.
I might be able to run that same test again in a little while to get the answer to those questions for you.
Thank you so much for all of your help, this is going to work great for us!
@dbilleci-lightstream Glad it's working for you. Closing this issue. But feel free to reopen or create new ones if you have other questions.
Ok thank you! Here's the PR for the docs mini-refresh, I did it from my personal account rather than my work account. https://github.com/Azure/kubernetes-keyvault-flexvol/pull/82
Thanks!
Hello, I'm trying this out for the first time. I've followed the instructions, I have a new cluster just set up today, and I've put together these steps for the whole process on a brand new cluster.
After I run this, the nginx pod won't start up, doing a describe shows this error:
My identity 0afbc123-3-eus2-uai does have Reader on the thetestkeyvault, as well as the secrets/certs/keys - get/list permissions
Here's my describe on the pod:
Thanks!