Failed to provision volume with StorageClass - could not get storage key for storage account
I am trying to provision a PVC for a pod deployment, but I am running into this error:
Failed to provision volume with StorageClass "xxxxxxxxxxx": could not get storage key for storage account yyyyyyyyyyy: could not get storage key for storage account yyyyyyyyyyy: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 400, RawError: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 400, RawError: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to http://localhost:7788/subscriptions/zzzzzzzzzzz-aaaaaa-bbbbbb/resourceGroups/MC_kkkkkkkkkkkkkkkkkkkk/providers/Microsoft.Storage/storageAccounts/yyyyyyyyyyyyyyy/listKeys?api-version=2019-06-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'aaaaaa-bbbbbbbb-cccccccccccccccc' was not found in the directory 'ppppppppppp-aaaaaaaaaaaa-tttttttttttt'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
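I am new to AKS and I believe I am missing something very important, but I can't find any help online.
Here is what I have already double-checked:
- Logged in with the correct account and subscription
- The referenced storage account does exist
- It is in the same region and resource group as the AKS cluster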
StorageClass manifest
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: xxxxxxxx
provisioner: kubernetes.io/azure-file
parameters:
  skuName: Standard_LRS
  storageAccount: yyyyyyyyyyyy
  resourceGroup: MC_zzzzzzzzzzzzzzzzz
PVC manifest
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: xxxxxxxx
  resources:
    requests:
      storage: 5Gi
I am using Lens to manage my cluster. The PVC resource hangs in the Pending state.
Can you help me out with this?
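According to the GitHub issue here, this happens if the cluster has no service principal or the service principal has expired after its 1-year validity period.
You can verify this by running the command below. Retrieve the details by opening the /etc/kubernetes/azure.json file on any master node or agent node.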
az login --service-principal -u <aadClientId> -p <aadClientSecret> -t <tenantId>
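Updating or rotating the credentials following the doc should fix the problem.
Alternatively, you can use a managed identity instead of a service principal for permissions. Managed identities are easier to manage than service principals and do not require updates or rotations. For more information, see Use managed identities.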
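An added example (not part of the original question or answer): a small Python triage helper that pulls the AADSTS code, application ID and tenant ID out of the provisioning error and compares them with the identity recorded in /etc/kubernetes/azure.json, without touching the secret. The key names `aadClientId` and `tenantId` follow the placeholders in the answer's command; `useManagedIdentityExtension`, the `msi` marker and the two extra AADSTS codes are assumptions not stated on this page, and the sample inputs are constructed.

```python
import json
import re

# Azure AD error codes seen when a service principal cannot refresh its token.
AADSTS_HINTS = {
    "AADSTS700016": "application not found in this tenant (deleted SP or wrong tenant)",
    "AADSTS7000222": "client secret has expired",
    "AADSTS7000215": "client secret is invalid",
}
ID = r"[0-9A-Za-z-]+"

def triage(event_message, azure_json_text):
    """Compare a provisioning error with the identity in azure.json."""
    cfg = json.loads(azure_json_text)
    code = re.search(r"AADSTS\d+", event_message)
    app = re.search(rf"identifier '({ID})'", event_message)
    tenant = re.search(rf"directory '({ID})'", event_message)
    result = {
        "code": code.group(0) if code else None,
        "app_id": app.group(1) if app else None,
        "tenant_id": tenant.group(1) if tenant else None,
        # Assumption: managed-identity clusters set this flag or use "msi".
        "managed_identity": bool(cfg.get("useManagedIdentityExtension"))
        or cfg.get("aadClientId") == "msi",
    }
    result["hint"] = AADSTS_HINTS.get(result["code"], "unrecognised, read the raw error")
    # Only identifiers are compared; aadClientSecret is never read or printed.
    result["app_matches_config"] = app is not None and app.group(1) == cfg.get("aadClientId")
    result["tenant_matches_config"] = tenant is not None and tenant.group(1) == cfg.get("tenantId")
    return result

# Constructed sample inputs with placeholder IDs (not real values).
SAMPLE_EVENT = (
    "Failed to refresh the Token ... Status Code = '400'. Response body: "
    '{"error":"unauthorized_client","error_description":"AADSTS700016: '
    "Application with identifier 'app-0000-placeholder' was not found in "
    "the directory 'tenant-0000-placeholder'."
)
SAMPLE_AZURE_JSON = json.dumps({
    "tenantId": "tenant-0000-placeholder",
    "aadClientId": "app-0000-placeholder",
    "useManagedIdentityExtension": False,
})

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT, SAMPLE_AZURE_JSON).items():
        print(f"{key}: {value}")
```

When both IDs match the config, the cluster is still pointing at an application the tenant no longer recognises, which is the situation the answer describes; a mismatch points at a stale or wrong azure.json instead.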