将 Azure 磁盘附加到 AKS pod 时出现权限错误
Permissions error when attaching Azure Disk to AKS pod
我已经与这个错误作斗争几个小时了。找到了几篇文章,但到目前为止没有任何帮助。
我的工作基于 https://docs.microsoft.com/en-us/azure/aks/azure-disk-volume 中的“操作指南 > 配置数据卷 > Azure 磁盘 - 静态”。据我所知,我没有遗漏任何步骤。
我在 YAML 文件中通过配置定义如下:
kind: Deployment
metadata:
name: phio-dep-db
namespace: production
spec:
selector:
matchLabels:
app: phio
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: phio
spec:
terminationGracePeriodSeconds: 1
volumes:
- name: dbvolume
azureDisk:
diskName: PHIO_DB_VOL
diskURI: /subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL
kind: Managed
containers:
- image: phioweb.azurecr.io/phiodb
name: db
ports:
- containerPort: 3306
volumeMounts:
- mountPath: /var/lib/mysql
name: dbvolume
但是,当我执行 kubectl apply -f .yml 时,pod 永远不会启动。如果我执行“kubectl describe all -n production”,我会看到以下内容:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 31m default-scheduler Successfully assigned production/phio-dep-db-6c6ddc885-p4ntg to aks-nodepool1-18816840-vmss000001
Warning FailedAttachVolume 79s (x23 over 31m) attachdetach-controller AttachVolume.Attach failed for volume "dbvolume" : compute.DisksClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<GUID>' with object id '<same GUID>' does not have authorization to perform action 'Microsoft.Compute/disks/read' over scope '/subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL' or the scope is invalid. If access was recently granted, please refresh your credentials."
Warning FailedMount 23s (x14 over 29m) kubelet, aks-nodepool1-18816840-vmss000001 Unable to mount volumes for pod "phio-dep-db-6c6ddc885-p4ntg_production(0e326781-2936-4451-9446-9608a8f41439)": timeout expired waiting for volumes to attach or mount for pod "production"/"phio-dep-db-6c6ddc885-p4ntg". list of unmounted volumes=[dbvolume]. list of unattached volumes=[dbvolume default-token-s7svk]
MS 文档中没有任何关于向 Azure 磁盘分配权限的内容,而且 YAML 中也没有我遗漏的明显参数。
有人知道我遗漏了什么吗?
非常感谢。
(我已经对输出进行了一些清理,但这都是测试,并且 Azure 订阅将在这项工作之后被分箱,即使它说生产)
来自文档 here
When you create an Azure disk for use with AKS, you can create the disk resource in the node resource group. This approach allows the AKS cluster to access and manage the disk resource.If you instead create the disk in a separate resource group, you must
grant the Azure Kubernetes Service (AKS) service principal for your
cluster the Contributor role to the disk's resource group.
Alternatively, you can use the system assigned managed identity for
permissions instead of the service principal. For more information,
see Use managed identities
来自文档 here
您可能需要访问另一个资源组中的现有磁盘资源。分配以下一组角色权限之一:
- 创建自定义角色并定义以下角色权限:
微软Compute/disks/read
微软.Compute/disks/write
- 或者,在资源组上分配存储帐户参与者内置角色
我已经与这个错误作斗争几个小时了。找到了几篇文章,但到目前为止没有任何帮助。
我的工作基于 https://docs.microsoft.com/en-us/azure/aks/azure-disk-volume 中的“操作指南 > 配置数据卷 > Azure 磁盘 - 静态”。据我所知,我没有遗漏任何步骤。
我在 YAML 文件中通过配置定义如下:
kind: Deployment
metadata:
name: phio-dep-db
namespace: production
spec:
selector:
matchLabels:
app: phio
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: phio
spec:
terminationGracePeriodSeconds: 1
volumes:
- name: dbvolume
azureDisk:
diskName: PHIO_DB_VOL
diskURI: /subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL
kind: Managed
containers:
- image: phioweb.azurecr.io/phiodb
name: db
ports:
- containerPort: 3306
volumeMounts:
- mountPath: /var/lib/mysql
name: dbvolume
但是,当我执行 kubectl apply -f .yml 时,pod 永远不会启动。如果我执行“kubectl describe all -n production”,我会看到以下内容:
Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 31m default-scheduler Successfully assigned production/phio-dep-db-6c6ddc885-p4ntg to aks-nodepool1-18816840-vmss000001 Warning FailedAttachVolume 79s (x23 over 31m) attachdetach-controller AttachVolume.Attach failed for volume "dbvolume" : compute.DisksClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<GUID>' with object id '<same GUID>' does not have authorization to perform action 'Microsoft.Compute/disks/read' over scope '/subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL' or the scope is invalid. If access was recently granted, please refresh your credentials." Warning FailedMount 23s (x14 over 29m) kubelet, aks-nodepool1-18816840-vmss000001 Unable to mount volumes for pod "phio-dep-db-6c6ddc885-p4ntg_production(0e326781-2936-4451-9446-9608a8f41439)": timeout expired waiting for volumes to attach or mount for pod "production"/"phio-dep-db-6c6ddc885-p4ntg". list of unmounted volumes=[dbvolume]. list of unattached volumes=[dbvolume default-token-s7svk]
MS 文档中没有任何关于向 Azure 磁盘分配权限的内容,而且 YAML 中也没有我遗漏的明显参数。
有人知道我遗漏了什么吗?
非常感谢。
(我已经对输出进行了一些清理,但这都是测试,并且 Azure 订阅将在这项工作之后被分箱,即使它说生产)
来自文档 here
When you create an Azure disk for use with AKS, you can create the disk resource in the node resource group. This approach allows the AKS cluster to access and manage the disk resource.If you instead create the disk in a separate resource group, you must grant the Azure Kubernetes Service (AKS) service principal for your cluster the Contributor role to the disk's resource group. Alternatively, you can use the system assigned managed identity for permissions instead of the service principal. For more information, see Use managed identities
来自文档 here
您可能需要访问另一个资源组中的现有磁盘资源。分配以下一组角色权限之一:
- 创建自定义角色并定义以下角色权限: 微软Compute/disks/read 微软.Compute/disks/write
- 或者,在资源组上分配存储帐户参与者内置角色