[英]Azure internal load balancer with Azure Kubernetes Service not working
I am trying to connect to internal load balancer using the below link: https://docs.microsoft.com/en-us/azure/aks/internal-lb 我正在尝试使用以下链接连接到内部负载均衡器: https : //docs.microsoft.com/zh-cn/azure/aks/internal-lb
I see a non existing user in error message I am receiving: 我收到一条错误消息,看到一个不存在的用户:
Warning CreatingLoadBalancerFailed 3m (x7 over 9m) service-controller Error creating load balancer (will retry): failed to ensure load balancer for service default/azure-vote-front: network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '91c18461-XXXXXXXX---1441d7bcea67' with object id '91c18461-XXXXXXXXX-1441d7bcea67' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/996b68c3-ec32-46d4-8d0e-80c6da2c1a3b/resourceGroups/<<resource group>>/providers/Microsoft.Network/virtualNetworks/<<VNET>>/subnets/<<subnet id>>
When I search this user in my azure subscription, I do not find it. 当我在Azure订阅中搜索该用户时,找不到该用户。 Any help shall be highly appreciated 任何帮助将不胜感激
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: azure-vote-back
spec:
replicas: 1
template:
metadata:
labels:
app: azure-vote-back
spec:
containers:
- name: azure-vote-back
image: redis
ports:
- containerPort: 6379
name: redis
---
apiVersion: v1
kind: Service
metadata:
name: azure-vote-back
spec:
ports:
- port: 6379
selector:
app: azure-vote-back
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: azure-vote-front
spec:
replicas: 1
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
minReadySeconds: 5
template:
metadata:
labels:
app: azure-vote-front
spec:
containers:
- name: azure-vote-front
image: phishbotstagingregistry.azurecr.io/azure-vote-front:v1
ports:
- containerPort: 80
resources:
requests:
cpu: 250m
limits:
cpu: 500m
env:
- name: REDIS
value: "azure-vote-back"
---
apiVersion: v1
kind: Service
metadata:
name: azure-vote-front
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
type: LoadBalancer
ports:
- port: 80
selector:
app: azure-vote-front
When you created AKS you provided wrong credentials (or stripped permissions later). 在创建AKS时,您提供了错误的凭据(或稍后删除了权限)。 So the service principal AKS is not authorized to create that resource (which the error clearly states). 因此,服务主体AKS无权创建该资源(错误明确指出)。
Code="AuthorizationFailed" Message="The client '91c18461-XXXXXXXX---1441d7bcea67' with object id '91c18461-XXXXXXXXX-1441d7bcea67' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/996b68c3-ec32-46d4-8d0e-80c6da2c1a3b/resourceGroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<> 代码=“ AuthorizationFailed”消息=“客户端ID为'91c18461-XXXXXXXXX-1441d7bcea67'的客户端'91c18461-XXXXXXXX --- 1441d7bcea67'没有权限在范围'上执行操作'Microsoft.Network/virtualNetworks/subnets/read' /订阅/ 996b68c3-ec32-46d4-8d0e-80c6da2c1a3b / resourceGroups / <> /提供商/ Microsoft.Network / virtualNetworks / <> /子网/ <>
You can use az aks list --resource-group <your-resource-group>
to find your service principal, but the error kinda gives that away. 您可以使用az aks list --resource-group <your-resource-group>
来找到您的服务主体,但该错误还可以解决这个问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.