Menu
I've been battling this error for a few hours now. Found several articles but nothing that has helped so far.
My work has been based on the "How-to guide > Configure data volumes > Azure Disk - Static" from https://learn.microsoft.com/en-us/azure/aks/azure-disk-volume. As far as I can tell, I've not missed any steps.
I have defined by config in a YAML file as so:
kind: Deployment
metadata:
name: phio-dep-db
namespace: production
spec:
selector:
matchLabels:
app: phio
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: phio
spec:
terminationGracePeriodSeconds: 1
volumes:
- name: dbvolume
azureDisk:
diskName: PHIO_DB_VOL
diskURI: /subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL
kind: Managed
containers:
- image: phioweb.azurecr.io/phiodb
name: db
ports:
- containerPort: 3306
volumeMounts:
- mountPath: /var/lib/mysql
name: dbvolume
However, when I do kubectl apply -f .yml, the pod never starts. If I do a "kubectl describe all -n production" I see the following:
Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 31m default-scheduler Successfully assigned production/phio-dep-db-6c6ddc885-p4ntg to aks-nodepool1-18816840-vmss000001 Warning FailedAttachVolume 79s (x23 over 31m) attachdetach-controller AttachVolume.Attach failed for volume "dbvolume" : compute.DisksClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<GUID>' with object id '<same GUID>' does not have authorization to perform action 'Microsoft.Compute/disks/read' over scope '/subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL' or the scope is invalid. If access was recently granted, please refresh your credentials." Warning FailedMount 23s (x14 over 29m) kubelet, aks-nodepool1-18816840-vmss000001 Unable to mount volumes for pod "phio-dep-db-6c6ddc885-p4ntg_production(0e326781-2936-4451-9446-9608a8f41439)": timeout expired waiting for volumes to attach or mount for pod "production"/"phio-dep-db-6c6ddc885-p4ntg". list of unmounted volumes=[dbvolume]. list of unattached volumes=[dbvolume default-token-s7svk]
There is nothing in the MS documentation about assigning permissions to the Azure Disk, and there are no apparent parameters I'm missing in the YAML.
Anyone got any ideas what I'm missing?
Many thanks.
(I've sanitized the output a little, but it's all test and the Azure subscription will be binned after this work, even though it says production)
506
What should I do? Ensure ports 22, 9000 and 1194 are open to connect to the API server. Check whether the tunnelfront or aks-link pod is running in the kube-system namespace using the kubectl get pods --namespace kube-system command. If it isn't, force deletion of the pod and it will restart.
To integrate with AKS, you create and use an Azure AD application that acts as an endpoint for the identity requests. The first Azure AD application you need gets Azure AD group membership for a user. The Azure AD service principal needs permissions to perform the following actions: Read directory data.
From the docs here
When you create an Azure disk for use with AKS, you can create the disk resource in the node resource group. This approach allows the AKS cluster to access and manage the disk resource.If you instead create the disk in a separate resource group, you must grant the Azure Kubernetes Service (AKS) service principal for your cluster the Contributor role to the disk's resource group. Alternatively, you can use the system assigned managed identity for permissions instead of the service principal. For more information, see Use managed identities
From the docs here
You may need to access existing Disk resources in another resource group. Assign one of the following set of role permissions:
60
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
