处于 CrashLoopBackOff 状态的 Azure AKS 的 aci-connector-linux pod

Question

我在尝试使用 Terraform 为 Azure Kubernetes 集群 设置 虚拟节点 时遇到问题。

当我检查 pod 的 aci-connector-linux 时，我收到以下错误：

Events:
  Type     Reason   Age                     From     Message
  ----     ------   ----                    ----     -------
  Normal   Pulled   41m (x50 over 4h26m)    kubelet  Container image "mcr.microsoft.com/oss/virtual-kubelet/virtual-kubelet:1.4.1" already present on machine
  Warning  BackOff  68s (x1222 over 4h26m)  kubelet  Back-off restarting failed container

我还使用此处的文档 - https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/examples/kubernetes/aci_connector_linux/main.tf 为 Azure Kubernetes 集群的系统分配身份授予了所需的参与者角色，但我仍然收到 CrashLoopBackOff 状态错误。

Answer 1

我终于修好了。

问题是由此处 aci-connector-linux 的过时文档引起的 - https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/examples/kubernetes/aci_connector_linux/main.tf 将角色分配给 Azure Kubernetes 集群的托管标识

这是我修复它的方法：

Azure Kubernetes 服务创建独立于 Kubernetes 集群的资源组的节点资源组。在节点资源组中，AKS 为 aci-connector-linux 创建托管标识。 Node 资源组的名称通常是 MC_<KubernetesResourceGroupName_KubernetesServiceName-KubernetesResourceGroupLocation>，所以如果您的 KubernetesResourceGroupName 是 MyResourceGroup 并且如果 KubernetesServiceName 是 my-test-cluster 并且如果 KubernetesResourceGroupLocation westeurope，那么节点资源组将为MC_MyResourceGroup_my-test-cluster_westeurope。您可以在 Azure 门户中的资源组下查看资源。

接下来，您可以使用以下命令查看aci-connector-linux pod 的日志来查看问题的根本原因：

kubectl logs aci-connector-linux-577bf54d75-qm9kl -n kube-system

你会得到这样的输出：

time="2022-06-29T15:23:38Z" level=fatal msg="error initializing provider azure: error setting up network profile: error while looking up subnet: api call to https://management.azure.com/subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet?api-version=2018-08-01: got HTTP response status代码 403 错误代码“AuthorizationFailed”：对象 ID 为“560df3e9b-9f64-4faf-aa7c-6tdg779f81c7”的客户端“560df3e9b-9f64-4faf-aa7c-6tdg779f81c7”无权执行操作“Microsoft.Network/virtualNetworks/subnets” /read' 覆盖范围 '/subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet' 或范围无效。如果最近授予访问权限，请刷新您的凭据。"

您可以使用以下代码在 Terraform 中解决此问题：

# Get subnet ID
data "azurerm_subnet" "k8s_aci" {
  name                 = "k8s-aci-node-pool-uat-subnet"
  virtual_network_name = "sparkle-uat-vnet"
  resource_group_name  = data.azurerm_resource_group.main.name
}

# Get the Identity of a service principal
data "azuread_service_principal" "aks_aci_identity" {
  display_name = "aciconnectorlinux-${var.kubernetes_cluster_name}"
  depends_on = [module.kubernetes_service_uat]
}

# Assign role to aci identity
module "role_assignment_aci_nodepool_subnet" {
  source = "../../../modules/azure/role-assignment"

  role_assignment_scope        = data.azurerm_subnet.k8s_aci.id
  role_definition_name         = var.role_definition_name.net-contrib
  role_assignment_principal_id = data.azuread_service_principal.aks_aci_identity.id
}

您也可以使用下面的 Azure CLI 命令实现此目的：

az role assignment create --assignee <Object (principal) ID> --role "Network Contributor" --scope <subnet-id>

一个例子是这样的：

az role assignment create --assignee 560df3e9b-9f64-4faf-aa7c-6tdg779f81c7 --role "Network Contributor" --scope /subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet

资源：

Aci connector linux should export the identity associated to its addon

Using Terraform to create an AKS cluster with "SystemAssigned" identity and aci_connector_linux profile enabled does not result in a creation of a virtual node