
Application Gateway and AKS nodes created in separate resource groups - Application Gateway Insufficient Permission on Subnet #679

Closed
saikovvuri opened this issue Jan 20, 2024 · 1 comment
Labels
stale An issue that hasn't had a lot of love recently

Comments


saikovvuri commented Jan 20, 2024

Describe the bug
The deployment template creates the App Gateway instance and the AKS nodes in separate resource groups, resulting in the AGIC identity not having the Network Contributor permission on the App Gateway subnet.

To Reproduce
Steps to reproduce the behavior:
Ran this deployment script generated by the helper:

```shell
az group create -l EastUS2 -n az-k8s-aauj-rg

# The parameters are key=value pairs on one command line (line continuations added for readability)
az deployment group create -g az-k8s-aauj-rg \
  --template-uri https://github.com/Azure/AKS-Construction/releases/download/0.10.3/main.json \
  --parameters \
    resourceName=az-k8s-aauj \
    agentCount=1 \
    upgradeChannel=stable \
    JustUseSystemPool=true \
    agentCountMax=20 \
    osDiskType=Managed \
    osDiskSizeGB=32 \
    custom_vnet=true \
    registries_sku=Premium \
    acrPushRolePrincipalId=$(az ad signed-in-user show --query id --out tsv) \
    omsagent=true \
    retentionInDays=30 \
    networkPolicy=azure \
    azurepolicy=audit \
    authorizedIPRanges="[\"172.5.172.116/32\"]" \
    ingressApplicationGateway=true \
    appGWcount=0 \
    appGWsku=Standard_v2 \
    appGWmaxCount=10 \
    appgwKVIntegration=true \
    keyVaultAksCSI=true \
    keyVaultCreate=true \
    keyVaultOfficerRolePrincipalId=$(az ad signed-in-user show --query id --out tsv) \
    automationAccountScheduledStartStop=Weekday
```

Note: authorizedIPRanges is an array parameter, so the inner quotes are escaped to reach the CLI as a JSON array string.

Got this error from the AGIC pod logs:

```
controller.go:141] network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status= Code="ApplicationGatewayInsufficientPermissionOnSubnet"
```

Expected behavior
Resolve this by following these instructions:

```shell
# Get the Application Gateway id from the AKS addon profile
# (myCluster / myResourceGroup are placeholders for the cluster and resource group created above)
appGatewayId=$(az aks show -n myCluster -g myResourceGroup -o tsv \
  --query "addonProfiles.ingressApplicationGateway.config.effectiveApplicationGatewayId")

# Get the Application Gateway subnet id
appGatewaySubnetId=$(az network application-gateway show --ids "$appGatewayId" -o tsv \
  --query "gatewayIPConfigurations[0].subnet.id")

# Get the AGIC addon identity
agicAddonIdentity=$(az aks show -n myCluster -g myResourceGroup -o tsv \
  --query "addonProfiles.ingressApplicationGateway.identity.clientId")

# Assign the Network Contributor role to the AGIC addon identity, scoped to
# the subnet that contains the Application Gateway (not the whole VNet or resource group)
az role assignment create --assignee "$agicAddonIdentity" --scope "$appGatewaySubnetId" --role "Network Contributor"
```

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
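As an added example (not code from this issue or from AKS-Construction itself), a Bicep module that grants the AGIC addon identity Network Contributor at subnet scope only, deployed into the resource group that holds the VNet, so the assignment lands on the Application Gateway subnet even when the cluster lives in a different resource group; the file name, parameter names and the `vnetResourceGroupName` / `aks` symbols in the comments are assumptions.

```bicep
// agicSubnetRole.bicep (hypothetical file name)
// Call it from the parent template with the VNet's resource group as scope, e.g.:
//   module agicSubnetRole 'agicSubnetRole.bicep' = {
//     name: 'agicSubnetRole'
//     scope: resourceGroup(vnetResourceGroupName)   // RG of the VNet, not of the cluster
//     params: {
//       vnetName: vnetName
//       appGwSubnetName: appGwSubnetName
//       agicPrincipalId: aks.properties.addonProfiles.ingressApplicationGateway.identity.objectId
//     }
//   }
targetScope = 'resourceGroup'

@description('VNet that contains the Application Gateway subnet (in this resource group)')
param vnetName string

@description('Subnet the Application Gateway is deployed into')
param appGwSubnetName string

@description('Object id of the AGIC addon identity (addonProfiles.ingressApplicationGateway.identity.objectId)')
param agicPrincipalId string

// Built-in Network Contributor role definition id
var networkContributorRoleId = '4d97b98b-1d4f-4787-a291-c67834d212e7'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource appGwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: appGwSubnetName
}

// Least privilege: AGIC only needs to join the gateway to this subnet, so the
// assignment is scoped to the subnet rather than the VNet or the resource group.
resource agicNetworkContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(appGwSubnet.id, agicPrincipalId, networkContributorRoleId) // deterministic, so redeploys are idempotent
  scope: appGwSubnet
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', networkContributorRoleId)
    principalId: agicPrincipalId
    // Managed identities are service principals; setting this avoids failures when the
    // freshly created addon identity has not yet replicated in Entra ID.
    principalType: 'ServicePrincipal'
  }
}

output roleAssignmentId string = agicNetworkContributor.id
```

Deploying the assignment from the template removes the need for the manual `az role assignment create` workaround after every fresh deployment.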


Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.

github-actions bot added the stale label on Feb 19, 2024.
github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Mar 20, 2024.