Could not find role name: clusterAdmin in subscription: XXXX, resourceGroup: XXXXX, managed cluster resource: XXXX

[mordf]

Getting this error: Could not find role name: clusterAdmin in subscription: XXXX, resourceGroup: XXXXX, managed cluster resource: XXXX when trying to run the build from Jenkins It worked on Thursday, what was changed?

Is this a change in AKS API again?

[aysahu]

We are also getting similar issue : Connect to null failed:

[kristianhald]

We have the same error and I have been trying to debug it.

When our Jenkins server executes and calls Azure with 'Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action', then the result is: "properties": { "statusCode": "NotFound", "serviceRequestId": "0a533973-08bf-4a9e-856e-baa640aebd22", "statusMessage": "{\"code\":\"NotFound\",\"message\":\"Could not find role name: clusterAdmin in subscription: <subscription-id>, resourceGroup: <resource-group>, managed cluster resource: <resource-name>.\"}" },

However, I have manually tried calling via Postman the accessProfiles endpoint with clusterAdmin as the role using the JWT, that is used when I browse on the Azure Portal. The response contains the kubeConfig property and the result in the activity log is: "properties": { "statusCode": "OK", "serviceRequestId": "06b7495b-cbac-40ff-b40c-3324b3a27339" },

I have called using both apiVersion '2019-02-01' and '2018-08-01-preview'. Both work using my own user. Do anyone know which apiVersion the plugin uses?

Our Jenkins credentials use a service principal and this has the same Owner permissions as I do, which means Jenkins should have the same permissions as I do to execute the listCredentials call to the Azure Management endpoint.

I have been digging through the source code to determine how the plugin calls the Azure Rest endpoint, but got stuck at https://github.com/Azure/azure-libraries-for-java/blob/master/azure-mgmt-resources/src/main/java/com/microsoft/azure/management/resources/implementation/ResourcesInner.java#L2438 as I do not know what implementation the 'service' variable is and what 'getById' does specifically. I do not have anything in regards to a Java environment setup, so I can only dig through using github browsing.

Hopefully someone will have more luck.

[HoveringHalibut]

API version 2019-04-01 returns a 404 on when making the call to providers/Microsoft.ContainerService/managedClusters//accessProfiles/clusterAdmin

I have a case open with Microsoft and am pursuing a solution with them.

[HoveringHalibut]

Here's a one-off build that fixes the API issue for the short-term (NOTE: it also has support for the cloud stats plugin that I hacked in a couple months ago): https://github.com/HoveringHalibut/azure-container-agents-plugin/tree/AzureSDK-1.17

It's working for me, but no guarantees beyond that. I included the compiled hpi in the target directory.

[kristianhald]

Can't say anything about the above, but the "sister" plugin, that allows to deploy to AKS just got an update regarding the same error and looks good.

https://github.com/jenkinsci/azure-acs-plugin/pull/17/commits/8c1523ea0d9df9afa11d432c0ed83bb7488f5bab

Anything we can use?

[HoveringHalibut]

The change to the azure-acs-plugin uses a much shorter (I would call it better) path to write the kubeconfig file to disk.

It would take changes to the getKubernetesClient and connect functions in the KubernetesService class, but could eliminate the need for the getAksProperties and getConfigViaBase64 functions by leveraging the getAdminKubeConfigContent function.

I don't have time to work on the modifications right now, but may try to work on it tonight if no one else picks it up.

[mordf]

Things started working for me this morning if any of you still experiencing issues i'll keep this open but if it's working for you as well i'll close the issue

[HoveringHalibut]

The 2019-04-01 API is now responding normally to the accessProfile/clusterAdmin request.