aci-connector-linux pod in CrashLoopBackOff state on Azure AKS

Posted 2025-02-11 14:54:10 · 897 words · 2 views · 0 comments

I am having an issue when trying to set up Virtual Nodes for an Azure Kubernetes cluster using Terraform.

When I check the pod for the aci-connector-linux, I get the below error:

Events:
  Type     Reason   Age                     From     Message
  ----     ------   ----                    ----     -------
  Normal   Pulled   41m (x50 over 4h26m)    kubelet  Container image "mcr.microsoft.com/oss/virtual-kubelet/virtual-kubelet:1.4.1" already present on machine
  Warning  BackOff  68s (x1222 over 4h26m)  kubelet  Back-off restarting failed container

I've also granted the System Assigned identity of the Azure Kubernetes Cluster the required contributor role using the documentation here - https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/examples/kubernetes/aci_connector_linux/main.tf but I'm still getting CrashLoopBackOff status error.


Comments (1)

孤凫 2025-02-18 14:54:10

I finally fixed it.

The issue was caused by the outdated documentation for aci-connector-linux here - https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/examples/kubernetes/aci_connector_linux/main.tf - which assigns the role to the Managed Identity of the Azure Kubernetes cluster.

Here's how I fixed it:

Azure Kubernetes Service creates a Node resource group which is separate from the resource group for the Kubernetes cluster. Within the Node resource group, AKS creates a Managed Identity for the aci-connector-linux. The name of the Node resource group is usually MC_<KubernetesResourceGroupName>_<KubernetesServiceName>_<KubernetesResourceGroupLocation>, so if your KubernetesResourceGroupName is MyResourceGroup, the KubernetesServiceName is my-test-cluster and the KubernetesResourceGroupLocation is westeurope, then the Node resource group will be MC_MyResourceGroup_my-test-cluster_westeurope. You can view the resources in the Azure Portal under Resource Groups.

Next, you can view the root cause of the issue by viewing the logs of the aci-connector-linux pod using the command:

kubectl logs aci-connector-linux-577bf54d75-qm9kl -n kube-system

And you will see an output like this:

time="2022-06-29T15:23:38Z" level=fatal msg="error initializing provider azure: error setting up network profile: error while looking up subnet: api call to https://management.azure.com/subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet?api-version=2018-08-01: got HTTP response status code 403 error code "AuthorizationFailed": The client '560df3e9b-9f64-4faf-aa7c-6tdg779f81c7' with object id '560df3e9b-9f64-4faf-aa7c-6tdg779f81c7' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet' or the scope is invalid. If access was recently granted, please refresh your credentials."

You can fix this in Terraform using the code below:

# Get subnet ID
data "azurerm_subnet" "k8s_aci" {
  name                 = "k8s-aci-node-pool-uat-subnet"
  virtual_network_name = "sparkle-uat-vnet"
  resource_group_name  = data.azurerm_resource_group.main.name
}

# Get the Identity of a service principal
data "azuread_service_principal" "aks_aci_identity" {
  display_name = "aciconnectorlinux-${var.kubernetes_cluster_name}"
  depends_on = [module.kubernetes_service_uat]
}

# Assign role to aci identity
module "role_assignment_aci_nodepool_subnet" {
  source = "../../../modules/azure/role-assignment"

  role_assignment_scope        = data.azurerm_subnet.k8s_aci.id
  role_definition_name         = var.role_definition_name.net-contrib
  role_assignment_principal_id = data.azuread_service_principal.aks_aci_identity.id
}

You can also achieve this using the Azure CLI command below:

az role assignment create --assignee <Object (principal) ID> --role "Network Contributor" --scope <subnet-id>

Note: The Object (principal) ID is the ID that you obtained in the error message.

An example is this:

az role assignment create --assignee 560df3e9b-9f64-4faf-aa7c-6tdg779f81c7 --role "Network Contributor" --scope /subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet

Resources:

Aci connector linux should export the identity associated to its addon

Using Terraform to create an AKS cluster with "SystemAssigned" identity and aci_connector_linux profile enabled does not result in a creation of a virtual node

Azure Kubernetes Service Tutorial: How to Integrate AKS with Azure Container Instances

Fail to configure a load balancer (AKS)
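The procedure in the answer above (read the fatal log line from the aci-connector-linux pod, take the denied principal's object id and the scope out of the 403, then grant Network Contributor on just that subnet) as an added POSIX shell helper. This is not part of the answer or of any Azure tooling: the helper names (extract_object_id, extract_scope, scope_is_subnet, build_role_assignment_cmd, node_resource_group_name) are mine, the sample log line is the one quoted in the answer, and the script only parses text and composes the az command; it never calls az or kubectl itself.

```shell
#!/bin/sh
# Added example, not from the original answer: turn the aci-connector-linux
# fatal log line into the exact least-privilege role assignment it asks for.
# Helper names are mine; the sample log line is the one quoted in the answer.
# Nothing here calls az or kubectl.

# Constructed sample input: the virtual-kubelet log line from the answer.
SAMPLE_LOG=$(cat <<'EOF'
time="2022-06-29T15:23:38Z" level=fatal msg="error initializing provider azure: error setting up network profile: error while looking up subnet: api call to https://management.azure.com/subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet?api-version=2018-08-01: got HTTP response status code 403 error code "AuthorizationFailed": The client '560df3e9b-9f64-4faf-aa7c-6tdg779f81c7' with object id '560df3e9b-9f64-4faf-aa7c-6tdg779f81c7' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/0237fb7-7530-43ba-96ae-927yhfad80d1/resourcegroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/k8s-aci-node-pool-subnet' or the scope is invalid. If access was recently granted, please refresh your credentials."
EOF
)

# Node resource group naming convention from the answer: MC_<rg>_<cluster>_<location>.
node_resource_group_name() {
    printf 'MC_%s_%s_%s\n' "$1" "$2" "$3"
}

# Only a fatal AuthorizationFailed line carries the principal and scope we need.
is_authorization_failed() {
    case "$1" in
        *level=fatal*AuthorizationFailed*) return 0 ;;
        *) return 1 ;;
    esac
}

# Object id of the denied principal (the aci-connector-linux managed identity).
extract_object_id() {
    printf '%s\n' "$1" | sed -n "s/.*with object id '\([^']*\)'.*/\1/p"
}

# The RBAC action that was denied, e.g. Microsoft.Network/virtualNetworks/subnets/read.
extract_action() {
    printf '%s\n' "$1" | sed -n "s/.*perform action '\([^']*\)'.*/\1/p"
}

# The ARM scope the call was made against; this is the subnet id to grant on.
extract_scope() {
    printf '%s\n' "$1" | sed -n "s/.*over scope '\([^']*\)'.*/\1/p"
}

# Refuse anything broader than a subnet so the grant cannot silently land on
# a whole VNet, resource group or subscription.
scope_is_subnet() {
    case "$1" in
        /subscriptions/*/[rR]esource[gG]roups/*/providers/Microsoft.Network/virtualNetworks/*/subnets/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compose (but do not run) the az command from the answer, filled in from the log.
# Returns non-zero for lines that are not a subnet-scoped AuthorizationFailed error.
build_role_assignment_cmd() {
    log="$1"
    is_authorization_failed "$log" || return 1
    oid=$(extract_object_id "$log")
    scope=$(extract_scope "$log")
    [ -n "$oid" ] && [ -n "$scope" ] || return 1
    scope_is_subnet "$scope" || return 1
    printf 'az role assignment create --assignee %s --role "Network Contributor" --scope %s\n' "$oid" "$scope"
}

# Stand-alone run: print the command for the sample line. In practice, feed
#   kubectl logs <aci-connector-linux pod> -n kube-system | grep level=fatal
# into build_role_assignment_cmd one line at a time and review before running.
build_role_assignment_cmd "$SAMPLE_LOG"
```

The scope check is the point of the helper: the log already names the narrowest scope that satisfies the denied read, so the role is granted on that subnet id and nothing wider, and a line whose scope is a VNet or resource group is rejected rather than turned into a broader grant.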
