-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Errors for azure-wi-webhook-controller-manager pods on install: User \"system:serviceaccount:azure-workload-identity-system:azure-wi-webhook-admin\" cannot update resource \"mutatingwebhookconfigurations\" in API group \"admissionregistration.k8s.io\" at the cluster scope: Azure does not have opinion for this user. #856
Comments
If you're enabling the addon |
Ah. The WIF troubleshooting documentation suggested I debug in the I'm not entirely convinced that the one that was installed by default is working right now either, but now that I know where it is, I can at the very least look at the logs a bit and understand why. Would you suggest that I uninstall the helm chart, and should the one installed by |
The troubleshooting docs in this repo are specific to the helm chart installation. Thanks for point out the missing section in the AKS docs. There is room for improvement here.
Yes, you can uninstall the helm chart. Only a single instance of the webhook is required. |
It has been quite confusing to troubleshoot WIF and those were the only troubleshooting docs I could find (e.g. they're the top google result for "workload identity federation troubleshooting azure") - it might be helpful to also note in the troubleshooting docs where to find the troubleshooting docs for WIF that doesn't use the helm chart, or some information that's not specific to the helm chart information. Nothing on the docs that I can see would indicate it doesn't apply for AKS. The only other docs I've seen (as part of the error message I get when the request to Thanks for the help, though! I appreciate the help and information greatly. Feel free to close this. I'm still surprised the resource errored in the way it did on a fresh install, but ultimately I'm not blocked by it any more. |
There should be a separate troubleshooting guide in the AKS docs. @miwithro @karataliu could you'll track this?
This means the workload is using an old version of sdk which still relies on IMDS to get a managed identity token. Here are the minimum required SDK versions for workload identity: https://azure.github.io/azure-workload-identity/docs/topics/language-specific-examples/azure-identity-sdk.html.
The service account permission error could be because of multiple instances of the webhook. Just enabling the add-on with |
To clarify, there are two ways you can enable workload identity on AKS:
Using both together will result in a conflict. The cause for issue here is there is a non-namespace resource clusterrolebinding The suggestion here is to choose only one of the solutions (AKS integration or open source). |
Describe the bug
Hi there! I'm trying to set up a WIF enabled cluster. Here are all of the steps I've done so far:
az feature show --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"
andaz provider register --namespace Microsoft.ContainerService
(once it's registered)az aks update -g wif-test_group -n wif-test --enable-workload-identity
az aks update -g wif-test_group -n wif-test --enable-oidc-issuer
az identity federated-credential create
to itThe above completed without issue (though the documentation was fairly scattered). The only step I think I'm missing is installing the webhook.
When I install the webhook through either of the approaches indicated here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html - the two pods in the
azure-workload-identity-system
namespace are erroring with that error, and do not seem to be injecting anything into my annotated pods.This has been a clean install each time, and I've made sure to clean up each time.
I found a similar issue here: #777 but reinstallation doesn't fix it for me. I've tried many times to reinstall and always get this issue.
There could be something I'm missing, but this is a fresh workload-identity-webhook install on a fairly fresh (created last week) AKS cluster, so I kind of would expect this to 'just work' since this is meant to be the new way to do things. If there is something I'm missing, do let me know!
Steps To Reproduce
Install WIF admissions webhook using either of the approaches outlined here: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
I'm using the latest Helm chart (I've done
helm repo update
) on an AKS cluster I made last week.Expected behavior
I shouldn't get errors when installing WIF into an AKS environment.
Logs
Environment
AKS
kubectl version
): Client Version: v1.26.3, Kustomize Version: v4.5.7, Server Version: v1.24.10cat /etc/os-release
): Macuname -a
): DarwinAdditional context
I'm looking to get my environment working so I can test a change to Vault Agent to support WIF authentication for Vault Agent.
The text was updated successfully, but these errors were encountered: