- Bug
- Resolution: Duplicate
- Critical
- None
- 4.14
- No
- Proposed
- False
Description of problem:
When creating an Azure workload identity cluster on an existing VNet, cluster creation failed due to permission errors: the worker nodes could not be provisioned. When creating a cluster on an existing VNet and hitting this permission error, every workload identity that needs to access the cloud must also have permission on the resource group containing the VNet before it can access it. Is this scenario supported? If it is, then this is a bug.
Version-Release number of selected component (if applicable):
registry.ci.openshift.org/ocp/release:4.14.0-0.nightly-2023-09-12-195514
How reproducible:
Always
Steps to Reproduce:
1. Create an Azure workload identity cluster on an existing VNet.
Actual results:
1. Machines:

[hmx@fedora ~]$ oc get machine.m -n openshift-machine-api
NAME                                     PHASE     TYPE              REGION   ZONE   AGE
mihuang1500-cs7xr-master-0               Running   Standard_D8s_v3   eastus   2      4h16m
mihuang1500-cs7xr-master-1               Running   Standard_D8s_v3   eastus   3      4h16m
mihuang1500-cs7xr-master-2               Running   Standard_D8s_v3   eastus   1      4h16m
mihuang1500-cs7xr-worker-eastus1-m85mq   Failed                                      4h5m
mihuang1500-cs7xr-worker-eastus2-krks7   Failed                                      4h5m
mihuang1500-cs7xr-worker-eastus3-8jxc5   Failed                                      4h5m

2. Status of a failed worker machine:

Status:
  Conditions:
    Last Transition Time:  2023-09-15T03:09:07Z
    Status:                True
    Type:                  Drainable
    Last Transition Time:  2023-09-15T03:09:07Z
    Message:               Instance has not been created
    Reason:                InstanceNotCreated
    Severity:              Warning
    Status:                False
    Type:                  InstanceExists
    Last Transition Time:  2023-09-15T03:09:07Z
    Status:                True
    Type:                  Terminable
  Error Message:  failed to reconcile machine "mihuang1500-cs7xr-worker-eastus1-m85mq": network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9b2e21fb-ba00-4c9c-ba01-36a554279c37' with object id '9b2e21fb-ba00-4c9c-ba01-36a554279c37' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuang1500-15020037-rg/providers/Microsoft.Network/virtualNetworks/mihuang1500-vnet/subnets/mihuang1500-worker-subnet' or the scope is invalid. If access was recently granted, please refresh your credentials."
  Error Reason:   InvalidConfiguration
  Last Updated:   2023-09-15T03:09:40Z
  Phase:          Failed
  Provider Status:
    Conditions:
      Last Transition Time:  2023-09-15T03:09:20Z
      Message:               failed to create nic mihuang1500-cs7xr-worker-eastus1-m85mq-nic for machine mihuang1500-cs7xr-worker-eastus1-m85mq: unable to create VM network interface: network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '9b2e21fb-ba00-4c9c-ba01-36a554279c37' with object id '9b2e21fb-ba00-4c9c-ba01-36a554279c37' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuang1500-15020037-rg/providers/Microsoft.Network/virtualNetworks/mihuang1500-vnet/subnets/mihuang1500-worker-subnet' or the scope is invalid. If access was recently granted, please refresh your credentials."
      Reason:                MachineCreationFailed
      Status:                False
      Type:                  MachineCreated
    Metadata:
Events:  <none>
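The 403 above names three things a triager needs: which principal (object id) was denied, which RBAC action it lacked, and the scope it was denied on. The description says the fix is a permission on the resource group that holds the VNet, so the useful step is to reduce each denied scope to its resource-group scope and collect the missing actions per identity. The following Python helper is an added example written for this report, not code from the bug or from OpenShift; it parses the message shape shown in the machine status (the sample messages are constructed from the values quoted above) and groups the results so an operator can see exactly which workload identity needs which action on which resource group.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed samples: the two AuthorizationFailed messages from the machine status above,
# trimmed to the part that matters (ids and scope copied from the report).
SAMPLE_MESSAGES = [
    'failed to reconcile machine "mihuang1500-cs7xr-worker-eastus1-m85mq": '
    'network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- '
    'Original Error: autorest/azure: Service returned an error. Status=403 '
    'Code="AuthorizationFailed" Message="The client \'9b2e21fb-ba00-4c9c-ba01-36a554279c37\' '
    'with object id \'9b2e21fb-ba00-4c9c-ba01-36a554279c37\' does not have authorization to '
    'perform action \'Microsoft.Network/virtualNetworks/subnets/read\' over scope '
    '\'/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuang1500-15020037-rg'
    '/providers/Microsoft.Network/virtualNetworks/mihuang1500-vnet/subnets/mihuang1500-worker-subnet\' '
    'or the scope is invalid. If access was recently granted, please refresh your credentials."',
    'failed to create nic mihuang1500-cs7xr-worker-eastus1-m85mq-nic for machine '
    'mihuang1500-cs7xr-worker-eastus1-m85mq: unable to create VM network interface: '
    'Status=403 Code="AuthorizationFailed" Message="The client \'9b2e21fb-ba00-4c9c-ba01-36a554279c37\' '
    'with object id \'9b2e21fb-ba00-4c9c-ba01-36a554279c37\' does not have authorization to '
    'perform action \'Microsoft.Network/virtualNetworks/subnets/read\' over scope '
    '\'/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/mihuang1500-15020037-rg'
    '/providers/Microsoft.Network/virtualNetworks/mihuang1500-vnet/subnets/mihuang1500-worker-subnet\'"',
    # A non-authorization failure that must be ignored by the parser.
    'failed to reconcile machine "x": InstanceNotCreated',
]


@dataclass(frozen=True)
class AuthzFailure:
    principal_object_id: str
    action: str
    scope: str
    subscription_id: str
    resource_group: str

    @property
    def resource_group_scope(self) -> str:
        # The scope at which the description says the role assignment is needed.
        return f"/subscriptions/{self.subscription_id}/resourceGroups/{self.resource_group}"


# Matches the autorest/azure AuthorizationFailed message body.
_DENIAL = re.compile(
    r"object id '(?P<oid>[0-9a-fA-F-]{36})' does not have authorization to perform action "
    r"'(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)
# Extracts subscription and resource group from an ARM resource id.
_SCOPE = re.compile(r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)", re.IGNORECASE)


def parse_authorization_failed(message: str) -> Optional[AuthzFailure]:
    """Return the denied principal/action/scope from one error message, or None."""
    if 'Code="AuthorizationFailed"' not in message:
        return None
    m = _DENIAL.search(message)
    if not m:
        return None
    s = _SCOPE.match(m["scope"])
    if not s:
        return None  # Subscription- or tenant-level scope; not a resource-group case.
    return AuthzFailure(m["oid"], m["action"], m["scope"], s["sub"], s["rg"])


def missing_permissions(messages: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Group denied actions by (principal object id, resource-group scope)."""
    grouped: Dict[Tuple[str, str], set] = {}
    for msg in messages:
        f = parse_authorization_failed(msg)
        if f is None:
            continue
        grouped.setdefault((f.principal_object_id, f.resource_group_scope), set()).add(f.action)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (oid, rg_scope), actions in missing_permissions(SAMPLE_MESSAGES).items():
        print(f"identity {oid} needs {', '.join(actions)} on {rg_scope}")
```

Run against the machine status output (for example the `Error Message` and `Provider Status` conditions collected from every failed machine), the grouping shows whether a single identity is missing one read action on the VNet's resource group, which is the situation this report describes, or whether several identities and actions are involved.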
Expected results:
Additional info:
- blocks: CCO-380 CI Integration-Azure Managed Identity (Workload Identity) Support (Closed)
- duplicates: OCPBUGS-18246 Azure AD Workload Identity does not work with bring your own vnet (Closed)