CreatingLoadBalancerFailed on AKS cluster with advanced networking #357

@nphmuller


kubectl version

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:22:21Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:13:31Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Repro:

  • Deploy new AKS cluster.
    • Used latest version at the time (1.9.6)
    • In networking tab pick advanced
  • kubectl run nginx --image=nginx --replicas=1 --port=80
  • kubectl expose deployment nginx --port=80 --target-port=80 --type=LoadBalancer
  • kubectl get service nginx -w: EXTERNAL-IP stuck at <pending>
  • kubectl describe service nginx will show the following events:
  Type     Reason                      Age               From                Message
  ----     ------                      ----              ----                -------
  Normal   EnsuringLoadBalancer        1m (x9 over 16m)  service-controller  Ensuring load balancer
  Warning  CreatingLoadBalancerFailed  1m (x9 over 16m)  service-controller  Error creating load balancer (will retry): failed to ensure load balancer for service default/nginx: ensure(default/nginx): lb(kubernetes) - failed to ensure host in pool: "network.InterfacesClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"LinkedAuthorizationFailed\" Message=\"The client 'XXX' with object id 'XXX' has permission to perform action 'Microsoft.Network/networkInterfaces/write' on scope '/subscriptions/XXX/resourceGroups/MC_XXX/providers/Microsoft.Network/networkInterfaces/aks-agentpool-XXX-nic-0'; however, it does not have permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on the linked scope(s) '/subscriptions/XXX/resourceGroups/XXX-OTHER/providers/Microsoft.Network/virtualNetworks/XXX/subnets/XXX'.\""

Workaround:

Manually give Owner permission (Contributor doesn't work) to the service principal for the subnet.
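
An added example, not part of the original issue: a small parser that pulls the principal, the action that was allowed, and the missing action and linked scope out of a `LinkedAuthorizationFailed` event like the one above, so the gap can be read off as structured fields. The function names are hypothetical, and the sample input is the event text from the issue with its `XXX` redactions kept.

```python
import re

# Constructed input: the Message text of the event quoted in the issue, XXX redactions kept.
SAMPLE_EVENT = r'''failed to ensure host in pool: "network.InterfacesClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"LinkedAuthorizationFailed\" Message=\"The client 'XXX' with object id 'XXX' has permission to perform action 'Microsoft.Network/networkInterfaces/write' on scope '/subscriptions/XXX/resourceGroups/MC_XXX/providers/Microsoft.Network/networkInterfaces/aks-agentpool-XXX-nic-0'; however, it does not have permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on the linked scope(s) '/subscriptions/XXX/resourceGroups/XXX-OTHER/providers/Microsoft.Network/virtualNetworks/XXX/subnets/XXX'.\""'''

# Tolerates both plain quotes and the backslash-escaped quotes kubectl prints.
LINKED_AUTH = re.compile(
    r"Code=\\?\"LinkedAuthorizationFailed\\?\".*?"
    r"The client '(?P<client>[^']*)' with object id '(?P<object_id>[^']*)' "
    r"has permission to perform action '(?P<granted_action>[^']*)' "
    r"on scope '(?P<granted_scope>[^']*)'; however, it does not have permission "
    r"to perform action '(?P<missing_action>[^']*)' "
    r"on the linked scope\(s\) '(?P<linked_scope>[^']*)'",
    re.DOTALL,
)


def resource_id_parts(scope):
    """Split an Azure resource ID into {segment_name: value}, keys lowercased."""
    segs = scope.strip("/").split("/")
    return {k.lower(): v for k, v in zip(segs[0::2], segs[1::2])}


def parse_linked_auth_failure(message):
    """Return the fields of a LinkedAuthorizationFailed message, or None if absent."""
    m = LINKED_AUTH.search(message)
    if m is None:
        return None
    finding = m.groupdict()
    granted = resource_id_parts(finding["granted_scope"])
    linked = resource_id_parts(finding["linked_scope"])
    finding["linked_resource_group"] = linked.get("resourcegroups")
    # True when the missing permission is on a resource outside the group
    # where the write succeeded (here: subnet in XXX-OTHER, NIC in MC_XXX).
    finding["crosses_resource_group"] = (
        granted.get("resourcegroups", "").lower()
        != linked.get("resourcegroups", "").lower()
    )
    return finding


if __name__ == "__main__":
    for key, value in parse_linked_auth_failure(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```
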
