Azure internal load balancer with Azure Kubernetes Service not working

7/12/2018

I am trying to connect to internal load balancer using the below link: https://docs.microsoft.com/en-us/azure/aks/internal-lb

I see a non-existent user in the error message I am receiving:

Warning  CreatingLoadBalancerFailed  3m (x7 over 9m)  service-controller  Error creating load balancer (will retry): failed to ensure load balancer for service default/azure-vote-front: network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '91c18461-XXXXXXXX---1441d7bcea67' with object id '91c18461-XXXXXXXXX-1441d7bcea67' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/996b68c3-ec32-46d4-8d0e-80c6da2c1a3b/resourceGroups/<<resource group>>/providers/Microsoft.Network/virtualNetworks/<<VNET>>/subnets/<<subnet id>>

When I search for this user in my Azure subscription, I do not find it. Any help shall be highly appreciated.

Below is my manifest file:

    apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: azure-vote-back
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: azure-vote-back
        spec:
          containers:
          - name: azure-vote-back
            image: redis
            ports:
            - containerPort: 6379
              name: redis
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: azure-vote-back
    spec:
      ports:
      - port: 6379
      selector:
        app: azure-vote-back
    ---
    apiVersion: apps/v1beta1
    kind: Deployment
    metadata:
      name: azure-vote-front
    spec:
      replicas: 1
      strategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 1
      minReadySeconds: 5
      template:
        metadata:
          labels:
            app: azure-vote-front
        spec:
          containers:
          - name: azure-vote-front
            image: phishbotstagingregistry.azurecr.io/azure-vote-front:v1
            ports:
            - containerPort: 80
            resources:
              requests:
                cpu: 250m
              limits:
                cpu: 500m
            env:
            - name: REDIS
              value: "azure-vote-back"
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: azure-vote-front
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    spec:
      type: LoadBalancer
      ports:
      - port: 80
      selector:
        app: azure-vote-front
-- GKS
azure
azure-aks
azure-kubernetes
kubernetes

1 Answer

7/13/2018

When you created AKS, you provided the wrong credentials (or stripped permissions later), so the service principal AKS uses is not authorized to create that resource (which the error clearly states).

Code="AuthorizationFailed" Message="The client '91c18461-XXXXXXXX---1441d7bcea67' with object id '91c18461-XXXXXXXXX-1441d7bcea67' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/996b68c3-ec32-46d4-8d0e-80c6da2c1a3b/resourceGroups/<>/providers/Microsoft.Network/virtualNetworks/<>/subnets/<>

You can use az aks list --resource-group <your-resource-group> to find your service principal, but the error kinda gives that away.

-- 4c74356b41
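The check the answer points at, as an added shell example that is not part of the original thread: it pulls the identity, the missing action and the scope out of the 403 message, and, if a logged-in az CLI is available, compares that identity with the cluster's own service principal and lists the role assignments it holds at that scope. The sample error text and every id in it are constructed placeholders; the resource group and cluster name arguments are assumed.

```shell
# Constructed sample of the AuthorizationFailed message from the question.
# All GUIDs and resource names here are placeholders, not real identities.
SAMPLE_ERROR="Error creating load balancer (will retry): failed to ensure load balancer for service default/azure-vote-front: network.SubnetsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client '11111111-2222-3333-4444-555555555555' with object id '66666666-7777-8888-9999-000000000000' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-net-rg/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/aks-subnet'\""

# Extract the single-quoted value that follows a given phrase in the message.
# Usage: error_field "<error text>" "<phrase>"   phrases: "The client",
#        "with object id", "perform action", "over scope"
error_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"
}

# Pick one segment out of an ARM resource scope.
# Usage: scope_segment "<scope>" <key>   keys: subscriptions, resourceGroups,
#        virtualNetworks, subnets
scope_segment() {
    printf '%s\n' "$1" | sed -n "s#.*/$2/\([^/]*\).*#\1#p"
}

# Live diagnosis (read-only; needs a logged-in az CLI, otherwise it stops after
# printing what the error itself says). $1 = error text, $2 = AKS resource
# group (assumed), $3 = AKS cluster name (assumed).
diagnose_lb_auth_error() {
    client=$(error_field "$1" "The client")
    action=$(error_field "$1" "perform action")
    scope=$(error_field "$1" "over scope")
    printf 'identity in error : %s\n' "$client"
    printf 'missing action    : %s\n' "$action"
    printf 'at scope          : %s (rg=%s, subnet=%s)\n' "$scope" \
        "$(scope_segment "$scope" resourceGroups)" "$(scope_segment "$scope" subnets)"
    command -v az >/dev/null 2>&1 || { echo "az CLI not found; skipping live lookup"; return 0; }
    # The client id in the error is the app id of the cluster's service
    # principal; az aks show exposes the same value the answer's az aks list shows.
    cluster_sp=$(az aks show -g "$2" -n "$3" --query servicePrincipalProfile.clientId -o tsv)
    if [ "$cluster_sp" = "$client" ]; then
        echo "the failing identity is this cluster's service principal"
    else
        echo "the failing identity differs from the cluster SP ($cluster_sp)"
    fi
    # Roles the principal holds at or above the subnet. An empty table, or
    # only roles without the missing action, is the cause of the 403.
    az role assignment list --assignee "$client" --scope "$scope" --include-inherited -o table
}
```

Run it as `diagnose_lb_auth_error "$SAMPLE_ERROR" <aks-resource-group> <aks-cluster-name>`, substituting the real kubectl event text for the sample.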
Source: StackOverflow