SparebankenVest / azure-key-vault-to-kubernetes

Azure Key Vault to Kubernetes (akv2k8s for short) makes it simple and secure to use Azure Key Vault secrets, keys and certificates in Kubernetes.
https://akv2k8s.io
Apache License 2.0
439 stars 97 forks source link

[Question] failed to get auto cmd ... UNAUTHORIZED #484

Open jamesperi opened 1 year ago

jamesperi commented 1 year ago

Note: Make sure to check out known issues (https://github.com/sparebankenvest/azure-key-vault-to-kubernetes#known-issues) before submitting

Your question

How do I verify default aks credentials are being used, I believe i've supplied the aks cluster default credentials (i think??) Reader/acrPull to the ACR but It looks like i've missed some authorization somewhere. Or is this issue not an authorization issue and related to the webhook? I'm lost and looking for help here!! I'm not sure if this is the seat to keyboard interface thats the problem, or if i am actually running into a bug?

NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION akv2k8s akv2k8s 1 2023-02-27 18:41:31.893585041 +0000 UTC deployed akv2k8s-2.3.0 1.4.0

Error creating: Internal error occurred: failed calling webhook "pods.env-injector.admission.spv.no": failed to call webhook: an error on the server ("{\"response\":{\"uid\":\"b05d078f-8bff-4ca7-a3fc-78a445697016\",\"allowed\":false,\"status\":{\"metadata\":{},\"status\":\"Failure\",\"message\":\"failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull\\u0026service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.\ncannot fetch image descriptor\ngithub.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig\n\t/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144\ngithub.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig\n\t/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103\nmain.getContainerCmd\n\t/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39\nmain.podWebHook.mutateContainers\n\t/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143\nmain.podWebHook.mutatePodSpec\n\t/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299\nmain.vaultSecretsMutator\n\t/go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163\ngithub.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate\n\t/go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25\ngithub.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview\n\t/go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128\ngithub.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review\n\t/go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120\ngithub.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review\n\t/go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/ins") has prevented the request from succeeding

To Reproduce If question relates to a certain behavior, describe steps to reproduce:

Logs If applicable, add logs to help add context to your question.

$ az aks check-acr --name hgphs-westus2-dr-aks-01 --resource-group hgphs-westus2-dr-rg-01 --acr 28363devopsacr.azurecr.io Merged "hgphs-westus2-dr-aks-01" as current context in /tmp/tmpriic11sh WARNING: version difference between client (1.26) and server (1.24) exceeds the supported minor version skew of +/-1

[2023-02-28T01:34:47Z] Checking host name resolution (28363devopsacr.azurecr.io): SUCCEEDED [2023-02-28T01:34:47Z] Canonical name for ACR (28363devopsacr.azurecr.io): 28363devopsacr.privatelink.azurecr.io. [2023-02-28T01:34:47Z] Checking managed identity... [2023-02-28T01:34:47Z] Kubelet managed identity client ID: 5222b31a-2198-4fb6-9c0b-90c9a42d5d14 [2023-02-28T01:34:48Z] Validating managed identity existance: SUCCEEDED [2023-02-28T01:34:48Z] Validating image pull permission: SUCCEEDED [2023-02-28T01:34:48Z] Your cluster can pull images from 28363devopsacr.azurecr.io!

$ k logs akv2k8s-envinjector-54f6b56cc9-9xh5r -n akv2k8s I0227 18:41:34.179198 1 version.go:31] "version info" version="1.4.0" commit="15d87b2" buildDate="2022-12-08T21:19:10Z" component="webhook" I0227 18:41:34.179282 1 main.go:290] "active settings" httpPort="8080" httpPortExternal="80" tlsPort="8443" tlsPortExternal="443" mtlsPort="9443" mtlsPortExternal="9443" serveMetrics=false authType="azureCloudConfig" useAuthService=true dockerInspectionTimeout=20 cloudConfigPath="/etc/kubernetes/azure.json" logLevel="4" authServiceName="akv2k8s-envinjector" mtlsPortExternal="9443" mtlsPort="9443" I0227 18:41:34.179581 1 main.go:359] "using cloudConfig for auth - reading credentials" file="/etc/kubernetes/azure.json" I0227 18:41:34.179910 1 provider.go:274] "azure: using managed identity extension to retrieve access token" id="5222b31a-2198-4fb6-9c0b-90c9a42d5d14" I0227 18:41:34.179926 1 provider.go:281] "azure: using managed identity extension to retrieve access token" id="5222b31a-2198-4fb6-9c0b-90c9a42d5d14" I0227 18:41:34.179974 1 main.go:377] "checking credentials by getting authorizer" I0227 18:41:34.191144 1 plugins.go:43] Registered credential provider "akv2k8s" I0227 18:41:34.191176 1 auth.go:54] "auth service ca cert" file="/var/ca-cert/tls.crt" I0227 18:41:34.191184 1 auth.go:55] "auth service ca key" file="/var/ca-cert/tls.key" I0227 18:41:34.191282 1 main.go:393] "serving auth validation endpoint" path=":8080/auth/{namespace}/{pod}" I0227 18:41:34.191302 1 main.go:397] "serving health endpoint" path=":8080/healthz" I0227 18:41:34.191375 1 main.go:444] "serving encrypted auth endpoint" path=":9443/auth" 2023/02/27 18:41:34 [WARN] no tracer active I0227 18:41:34.191459 1 main.go:420] "serving encrypted webhook endpoint" path=":8443/pods" I0227 18:41:34.191479 1 main.go:423] "serving encrypted healthz endpoint" path=":8443/healthz" 2023/02/28 00:58:31 [DEBUG] reviewing request 84da1dd5-0965-46b4-b94d-b7f427fbe404, named: hgphs/ I0228 00:58:31.323023 1 main.go:142] "found pod to mutate" pod="hgphs/" I0228 00:58:31.323045 1 pod.go:285] "creating client certificate to use with auth service" hgphs/="(MISSING)" I0228 00:58:31.323052 1 clientCert.go:25] "creating x509 key pair for ca cert and key" I0228 00:58:31.323139 1 clientCert.go:32] "parse certificate" I0228 00:58:31.323163 1 clientCert.go:38] "generating client key" I0228 00:58:31.334819 1 clientCert.go:44] "generating serial number" I0228 00:58:31.334833 1 clientCert.go:66] "crating x509 certificate" I0228 00:58:31.336897 1 pod.go:292] "mutate init-containers" hgphs/="(MISSING)" I0228 00:58:31.336911 1 pod.go:298] "mutate containers" hgphs/="(MISSING)" I0228 00:58:31.336918 1 pod.go:116] "found container to mutate" container="hgphs/attphs-rasp-image" I0228 00:58:31.336925 1 pod.go:119] "checking for env vars to inject" container="hgphs/attphs-rasp-image" I0228 00:58:31.336936 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlusername-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 00:58:31.336948 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlpasswd-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 00:58:31.336958 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlhost-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 00:58:31.336973 1 pod.go:122] "found env var to inject" env="dr-staging-oidc-client-id-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 00:58:31.336985 1 registry.go:30] "getting container command for container" container="hgphs/attphs-rasp-image" I0228 00:58:31.336999 1 registry.go:36] "no cmd override in kubernetes for container, checking docker image configuration for entrypoint and cmd" image="28363devopsacr.azurecr.io/attphs-rasp:4.3.4.557" container="hgphs/attphs-rasp-image" E0228 00:58:31.430423 1 main.go:165] "failed to mutate" err=< failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594

pod="hgphs/" 2023/02/28 00:58:31 [ERROR] admission webhook error: failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594 2023/02/28 01:02:37 [DEBUG] reviewing request 7e5afad9-b587-49d5-a945-639b73e3c326, named: hgphs/ I0228 01:02:37.440778 1 main.go:142] "found pod to mutate" pod="hgphs/" I0228 01:02:37.440795 1 pod.go:285] "creating client certificate to use with auth service" hgphs/="(MISSING)" I0228 01:02:37.440802 1 clientCert.go:25] "creating x509 key pair for ca cert and key" I0228 01:02:37.440889 1 clientCert.go:32] "parse certificate" I0228 01:02:37.440908 1 clientCert.go:38] "generating client key" I0228 01:02:37.453953 1 clientCert.go:44] "generating serial number" I0228 01:02:37.453968 1 clientCert.go:66] "crating x509 certificate" I0228 01:02:37.456009 1 pod.go:292] "mutate init-containers" hgphs/="(MISSING)" I0228 01:02:37.456022 1 pod.go:298] "mutate containers" hgphs/="(MISSING)" I0228 01:02:37.456029 1 pod.go:116] "found container to mutate" container="hgphs/attphs-rasp-image" I0228 01:02:37.456035 1 pod.go:119] "checking for env vars to inject" container="hgphs/attphs-rasp-image" I0228 01:02:37.456046 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlusername-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:02:37.456061 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlpasswd-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:02:37.456071 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlhost-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:02:37.456085 1 pod.go:122] "found env var to inject" env="dr-staging-oidc-client-id-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:02:37.456097 1 registry.go:30] "getting container command for container" container="hgphs/attphs-rasp-image" I0228 01:02:37.456108 1 registry.go:36] "no cmd override in kubernetes for container, checking docker image configuration for entrypoint and cmd" image="28363devopsacr.azurecr.io/attphs-rasp:4.3.4.557" container="hgphs/attphs-rasp-image" E0228 01:02:37.573158 1 main.go:165] "failed to mutate" err=< failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594 pod="hgphs/" 2023/02/28 01:02:37 [ERROR] admission webhook error: failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594 2023/02/28 01:08:05 [DEBUG] reviewing request 94273207-8e63-406e-9d6c-23331d53040d, named: hgphs/ I0228 01:08:05.287623 1 main.go:142] "found pod to mutate" pod="hgphs/" I0228 01:08:05.287639 1 pod.go:285] "creating client certificate to use with auth service" hgphs/="(MISSING)" I0228 01:08:05.287646 1 clientCert.go:25] "creating x509 key pair for ca cert and key" I0228 01:08:05.287732 1 clientCert.go:32] "parse certificate" I0228 01:08:05.287752 1 clientCert.go:38] "generating client key" I0228 01:08:05.306421 1 clientCert.go:44] "generating serial number" I0228 01:08:05.306439 1 clientCert.go:66] "crating x509 certificate" I0228 01:08:05.308494 1 pod.go:292] "mutate init-containers" hgphs/="(MISSING)" I0228 01:08:05.308507 1 pod.go:298] "mutate containers" hgphs/="(MISSING)" I0228 01:08:05.308514 1 pod.go:116] "found container to mutate" container="hgphs/attphs-rasp-image" I0228 01:08:05.308520 1 pod.go:119] "checking for env vars to inject" container="hgphs/attphs-rasp-image" I0228 01:08:05.308532 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlusername-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:08:05.308548 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlpasswd-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:08:05.308557 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlhost-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:08:05.308571 1 pod.go:122] "found env var to inject" env="dr-staging-oidc-client-id-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:08:05.308585 1 registry.go:30] "getting container command for container" container="hgphs/attphs-rasp-image" I0228 01:08:05.308596 1 registry.go:36] "no cmd override in kubernetes for container, checking docker image configuration for entrypoint and cmd" image="28363devopsacr.azurecr.io/attphs-rasp:4.3.4.557" container="hgphs/attphs-rasp-image" E0228 01:08:05.401955 1 main.go:165] "failed to mutate" err=< failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594 pod="hgphs/" 2023/02/28 01:08:05 [ERROR] admission webhook error: failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594 2023/02/28 01:35:40 [DEBUG] reviewing request 9925d025-a416-4d59-810f-dd108b17678b, named: hgphs/ I0228 01:35:40.996506 1 main.go:142] "found pod to mutate" pod="hgphs/" I0228 01:35:40.996523 1 pod.go:285] "creating client certificate to use with auth service" hgphs/="(MISSING)" I0228 01:35:40.996531 1 clientCert.go:25] "creating x509 key pair for ca cert and key" I0228 01:35:40.996617 1 clientCert.go:32] "parse certificate" I0228 01:35:40.996638 1 clientCert.go:38] "generating client key" I0228 01:35:41.026679 1 clientCert.go:44] "generating serial number" I0228 01:35:41.026702 1 clientCert.go:66] "crating x509 certificate" I0228 01:35:41.028757 1 pod.go:292] "mutate init-containers" hgphs/="(MISSING)" I0228 01:35:41.028772 1 pod.go:298] "mutate containers" hgphs/="(MISSING)" I0228 01:35:41.028779 1 pod.go:116] "found container to mutate" container="hgphs/attphs-rasp-image" I0228 01:35:41.028785 1 pod.go:119] "checking for env vars to inject" container="hgphs/attphs-rasp-image" I0228 01:35:41.028797 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlusername-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:35:41.028811 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlpasswd-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:35:41.028820 1 pod.go:122] "found env var to inject" env="dr-staging-mysqlhost-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:35:41.028833 1 pod.go:122] "found env var to inject" env="dr-staging-oidc-client-id-secret-inject@azurekeyvault" container="hgphs/attphs-rasp-image" I0228 01:35:41.028846 1 registry.go:30] "getting container command for container" container="hgphs/attphs-rasp-image" I0228 01:35:41.028854 1 registry.go:36] "no cmd override in kubernetes for container, checking docker image configuration for entrypoint and cmd" image="28363devopsacr.azurecr.io/attphs-rasp:4.3.4.557" container="hgphs/attphs-rasp-image" E0228 01:35:41.090033 1 main.go:165] "failed to mutate" err=< failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594 pod="hgphs/" 2023/02/28 01:35:41 [ERROR] admission webhook error: failed to get auto cmd, error: GET https://28363devopsacr.azurecr.io/oauth2/token?scope=repository%3Aattphs-rasp%3Apull&service=28363devopsacr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information. cannot fetch image descriptor github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.getImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:144 github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry.(Registry).GetImageConfig /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/pkg/docker/registry/registry.go:103 main.getContainerCmd /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/registry.go:39 main.podWebHook.mutateContainers /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:143 main.podWebHook.mutatePodSpec /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/pod.go:299 main.vaultSecretsMutator /go/src/github.com/SparebankenVest/azure-key-vault-to-kubernetes/cmd/azure-keyvault-secrets-webhook/main.go:163 github.com/slok/kubewebhook/pkg/webhook/mutating.MutatorFunc.Mutate /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/mutator.go:25 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.mutatingAdmissionReview /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:128 github.com/slok/kubewebhook/pkg/webhook/mutating.mutationWebhook.Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/mutating/webhook.go:120 github.com/slok/kubewebhook/pkg/webhook/internal/instrumenting.(Webhook).Review /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/webhook/internal/instrumenting/instrumenting.go:42 github.com/slok/kubewebhook/pkg/http.HandlerFor.func1 /go/pkg/mod/github.com/slok/kubewebhook@v0.11.0/pkg/http/handler.go:64 net/http.HandlerFunc.ServeHTTP /usr/local/go/src/net/http/server.go:2109 github.com/gorilla/mux.(Router).ServeHTTP /go/pkg/mod/github.com/gorilla/mux@v1.8.0/mux.go:210 net/http.serverHandler.ServeHTTP /usr/local/go/src/net/http/server.go:2947 net/http.(conn).serve /usr/local/go/src/net/http/server.go:1991 runtime.goexit /usr/local/go/src/runtime/asm_amd64.s:1594

Additional context The configuration is largely default. so it's an out of the box install. There is no aad-pod-identity addon installed. It should be using the default AKS credentials. but again, unclear how to verify this. I've given Reader and acrPull to the aks cluster and as the output shows, i should be good???

$ az aks check-acr --name hgphs-westus2-dr-aks-01 --resource-group hgphs-westus2-dr-rg-01 --acr 28363devopsacr.azurecr.io Merged "hgphs-westus2-dr-aks-01" as current context in /tmp/tmpriic11sh WARNING: version difference between client (1.26) and server (1.24) exceeds the supported minor version skew of +/-1

[2023-02-28T01:34:47Z] Checking host name resolution (28363devopsacr.azurecr.io): SUCCEEDED [2023-02-28T01:34:47Z] Canonical name for ACR (28363devopsacr.azurecr.io): 28363devopsacr.privatelink.azurecr.io. [2023-02-28T01:34:47Z] Checking managed identity... [2023-02-28T01:34:47Z] Kubelet managed identity client ID: 5222b31a-2198-4fb6-9c0b-90c9a42d5d14 [2023-02-28T01:34:48Z] Validating managed identity existance: SUCCEEDED [2023-02-28T01:34:48Z] Validating image pull permission: SUCCEEDED [2023-02-28T01:34:48Z] Your cluster can pull images from 28363devopsacr.azurecr.io!

tspearconquest commented 1 year ago

Hello!

I can see your kubelet Managed Identity is 5222b31a-2198-4fb6-9c0b-90c9a42d5d14, and that AKV2K8S is properly using this identity, and that az aks check-acr output also confirms this identity has pull permissions.

These lines below are the last 2 lines before your failure. The last line indicates that the pod doesn't have a command block. This isn't strictly required, however if you were to add one, it should work around the issue for you. What's happening is that akv2k8s is looking for the command block in order to override it to inject the azure keyvault binary as the first command in the container, so that the entrypoint of the container starts with the environment variables already populated with the values of the secrets in Keyvault. When it doesn't find that block in your pod, it has to download the image from ACR for itself in order to inspect it to find out the correct entrypoint so that it can add it after the mutation of the pod is completed.

I0228 00:58:31.336985 1 registry.go:30] "getting container command for container" container="hgphs/attphs-rasp-image"
I0228 00:58:31.336999 1 registry.go:36] "no cmd override in kubernetes for container, checking docker image configuration for entrypoint and cmd" image="28363devopsacr.azurecr.io/attphs-rasp:4.3.4.557" container="hgphs/attphs-rasp-image"

As to why this is failing when the identity has permissions... I'm not certain. It may help to know how you installed akv2k8s env-injector. Did you use helm? If so, what does your values.yaml look like, and what --set flags are you passing to the helm install or helm upgrade command?

MDXdarianhuotari commented 1 year ago

We are having a very similar issue. We've confirmed 2 workarounds: 1 - set a pod entrypoint / command in the deployment manifest 2 - downgrade akv2k8s chart version to 2.2.2

The problem makes sense w/r/t the injection process, but I don't understand why akv2k8s wouldn't have access to the image (we have the same situation as @jamesperi and we're using mostly default config) We're using the aadPodIdentity exclusion as per the documentation. We're using a user-assigned MI for the cluster and kubelets, and this MI has permissions to the KVs as well as the ACR that hosts our images.

I'm not sure if we need to apply a specific aadPodIdentity and aadPodIdentityBinding to the akv2k8s pods, in case they're not properly being inherited from the cluster / nodes?

Seems to be related to #495 , #417

MDXdarianhuotari commented 1 year ago

@tspearconquest - do you think following the steps in your comment here would be useful in this scenario? Specifically:

    keyVaultAuth: azureCloudConfig
    userDefinedMSI:
      enabled: true
      msi: "<my-identity-client-id>"
      subscriptionId: "<my-subscription-id>"
      tenantId: "<my-tenant-id>"
      azureCloudType: "azurePublicCloud"
    metrics:
      enabled: true

In our case, this identity is one that already exists and is the identity already being used by the kubelets and the cluster. It also already has the permissions needed.

Thanks in advance :thumbsup:

tspearconquest commented 1 year ago

It could work, I think it's worth exploring.

abhilashjoseph commented 1 year ago

We ran into this as well, when using azureCloudConfig with sp for access to the acr. The latest acr library currently only accepts image pull credentials, We have a PR here to add the capability to use the sp credentials when accessing the acr in akv2k8s, please review and test https://github.com/SparebankenVest/azure-key-vault-to-kubernetes/pull/631