AKS Application Gateway Ingress Controller Issue
Below is the exception we are facing while implementing AGIC in AKS.
Readiness probe is failing for ingress-azure.
Events:
Type Reason Age From Message
Normal Scheduled 5m22s default-scheduler Successfully assigned default/ingress-azure-fc5dcbcd8-bsgt8 to aks-agentpool-22890870-vmss000002
Normal Pulling 5m22s kubelet Pulling image "mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.4.0"
Normal Pulled 5m22s kubelet Successfully pulled image "mcr.microsoft.com/azure-application-gateway/kubernetes-ingress:1.4.0" in 121.018102ms
Normal Created 5m22s kubelet Created container ingress-azure
Normal Started 5m22s kubelet Started container ingress-azure
Warning Unhealthy 21s (x30 over 5m11s) kubelet Readiness probe failed: Get "http://10.240.xx.xxx:8123/health/ready": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
kubectl logs -f mic_xxxx:
failed to update user-assigned identities on node aks-agentpool-2xxxxx-vmss (add [1], del [0], update[0]), error: failed to get identity resource, error: failed to get vmss aks-agentpool-2xxxx-vmss in resource group MC_Axx-xx_axxx-ak8_koreacentral, error: failed to get vmss aks-agentpool-2xxxxx-vmss in resource group MC_Axx-axxx_agw-ak8_koreacentral, error: compute.VirtualMachineScaleSetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '4xxxxxx-xxxxxxx-7xxx-xxxxxxx' with object id '4xxxxxx-xxxxxxx-7xxx-xxxxxxx' does not have authorization to perform action 'Microsoft.Compute/virtualMachineScaleSets/read' over scope '/subscriptions/{subscription_id}/resourceGroups/{MC_rg_name}/providers/Microsoft.Compute/virtualMachineScaleSets/aks-agentpool-2xxxxx-vmss' or the scope is invalid. If access was recently granted, please refresh your credentials."
Steps Implemented:
- AKS cluster with RBAC enabled & Azure CNI
- 2 subnets in the same vnet with same resource group (Not the RG which starts with MC_)
- Provided the contributor & reader access to the AGW after implementing it.
- Applied kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/v1.8.8/deploy/infra/deployment-rbac.yaml
- Made changes accordingly in the helm-config.yaml and authenticated using identityResourceID.
Please advise us on this exception. Thanks.
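The mic log above is a plain Azure RBAC 403: the identity that aad-pod-identity (MIC) runs as is denied Microsoft.Compute/virtualMachineScaleSets/read on the node VMSS in the MC_ resource group, so MIC can never assign the AGIC identity to the node and the ingress-azure pod never becomes ready. The aad-pod-identity role-assignment documentation requires the cluster's kubelet identity to hold "Virtual Machine Contributor" on the node resource group and "Managed Identity Operator" on the resource group holding the user-assigned identity. The script below is an added diagnostic helper, not code from the question or from the AGIC/aad-pod-identity projects: it parses an AuthorizationFailed message of the shape shown above (the sample keeps the question's own placeholders), maps the denied action to the role the docs call for, and prints the read-only az CLI checks to run. The function names, the role mapping table and the sample message are assumptions made here; the az commands themselves only list role assignments and never change anything.

```shell
#!/bin/sh
# Added diagnostic helper (hypothetical, not part of the original question):
# parse an Azure "AuthorizationFailed" message and print the az CLI checks
# that show whether the failing identity holds the role aad-pod-identity needs.

# Constructed sample: the 403 message from the mic log in the question, with
# the question's own placeholders ({subscription_id}, {MC_rg_name}) kept as-is.
SAMPLE_MSG="The client '4xxxxxx-xxxxxxx-7xxx-xxxxxxx' with object id '4xxxxxx-xxxxxxx-7xxx-xxxxxxx' does not have authorization to perform action 'Microsoft.Compute/virtualMachineScaleSets/read' over scope '/subscriptions/{subscription_id}/resourceGroups/{MC_rg_name}/providers/Microsoft.Compute/virtualMachineScaleSets/aks-agentpool-2xxxxx-vmss' or the scope is invalid."

# auth_field MESSAGE LABEL: print the single-quoted value that follows LABEL
# ("object id", "action" or "scope") in an AuthorizationFailed message.
auth_field() {
  printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"
}

# scope_rg SCOPE: print the resource group name embedded in an ARM scope.
scope_rg() {
  printf '%s\n' "$1" | sed -n 's#.*/resourceGroups/\([^/]*\)/.*#\1#p'
}

# required_role ACTION: map a denied RP action to the built-in role that the
# aad-pod-identity role-assignment docs require for that resource type
# (assumed mapping; only the two resource types MIC touches are covered).
required_role() {
  case "$1" in
    Microsoft.Compute/virtualMachineScaleSets/*|Microsoft.Compute/virtualMachines/*)
      printf 'Virtual Machine Contributor\n' ;;
    Microsoft.ManagedIdentity/userAssignedIdentities/*)
      printf 'Managed Identity Operator\n' ;;
    *)
      printf 'unknown\n' ;;
  esac
}

# suggest_checks MESSAGE: print the read-only az commands a defender would run
# to confirm (a) which identity was denied and (b) what roles it actually holds.
# Nothing here executes az; it only prints the commands.
suggest_checks() {
  oid=$(auth_field "$1" "object id")
  action=$(auth_field "$1" "action")
  scope=$(auth_field "$1" "scope")
  rg=$(scope_rg "$scope")
  role=$(required_role "$action")

  echo "# Denied principal : $oid"
  echo "# Denied action    : $action"
  echo "# Scope            : $scope"
  echo "# Expected role    : $role on resource group $rg"
  echo
  echo "# 1. Confirm the denied object id is the cluster's kubelet identity"
  echo "#    (replace <cluster-rg> and <cluster-name> with your values):"
  echo "az aks show -g <cluster-rg> -n <cluster-name> --query identityProfile.kubeletidentity.objectId -o tsv"
  echo
  echo "# 2. List every role the denied principal holds at or above the failing scope:"
  echo "az role assignment list --assignee \"$oid\" --scope \"$scope\" --include-inherited -o table"
  echo
  echo "# 3. If '$role' is missing there, that is the gap MIC is hitting."
}

suggest_checks "$SAMPLE_MSG"
```

Run it as-is to see the checks for the question's own message, or pipe a different 403 line into the helper via `suggest_checks "$(kubectl logs <mic-pod> | grep AuthorizationFailed | tail -1)"`. Step 2 is the one that matters: if the kubelet identity shows no "Virtual Machine Contributor" (or equivalent) assignment covering the MC_ resource group, the readiness failure on ingress-azure is downstream of that missing assignment, not of the Application Gateway itself.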
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
