Enable Pod Identities on AKS
This section will guide you through enabling the Pod identities feature on your AKS cluster, which is necessary for running Arrikto Enterprise Kubeflow.
What You’ll Need
- A configured management environment.
- An existing AKS cluster.
- Access to the AKS cluster.
Procedure

Register the EnablePodIdentityPreview feature:

    root@rok-tools:~# az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
    {
      "id": "/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/EnablePodIdentityPreview",
      "name": "Microsoft.ContainerService/EnablePodIdentityPreview",
      "properties": {
        "state": "Registered"
      },
      "type": "Microsoft.Features/providers/features"
    }

Troubleshooting

The command failed with an authorization error

If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Features/providers/features/register/action' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319' or the scope is invalid. If access was recently granted, please refresh your credentials.

it means that your identity does not have sufficient permissions to register an Azure feature.

To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to register the EnablePodIdentityPreview feature for you.

Wait for the feature to become Registered:

    root@rok-tools:~# az feature list -o table \
    >     --query "[?contains(name, 'Microsoft.ContainerService/EnablePodIdentityPreview')].{Name:name,State:properties.state}"
    Name                                                 State
    ---------------------------------------------------  ----------
    Microsoft.ContainerService/EnablePodIdentityPreview  Registered

Troubleshooting

The command failed with an authorization error

If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '82a19692-1c50-4f24-b3e2-95675ddc5213' with object id '82a19692-1c50-4f24-b3e2-95675ddc5213' does not have authorization to perform action 'Microsoft.Features/features/read' over scope '/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029' or the scope is invalid. If access was recently granted, please refresh your credentials.

it means that your identity does not have sufficient permissions to list Azure features.

To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

Refresh the registration of the corresponding resource provider:

    root@rok-tools:~# az provider register -n Microsoft.ContainerService

Troubleshooting

The command failed with an authorization error

If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '82a19692-1c50-4f24-b3e2-95675ddc5213' with object id '82a19692-1c50-4f24-b3e2-95675ddc5213' does not have authorization to perform action 'Microsoft.ContainerService/register/action' over scope '/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029' or the scope is invalid. If access was recently granted, please refresh your credentials.

it means that your identity does not have sufficient permissions to register an Azure provider.

To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to register the Microsoft.ContainerService provider for you.

Update your AKS cluster to enable Pod identities:

    root@rok-tools:~# az aks update \
    >     --resource-group ${AZ_RESOURCE_GROUP?} \
    >     --name ${AKS_CLUSTER?} \
    >     --enable-pod-identity

Troubleshooting

The command failed with a ‘Bad Request’ error.

If the command failed with the following message:

    Operation failed with status: 'Bad Request'. Details: PodIdentity addon requires managed identity.

it means that you have not enabled managed identities on your AKS cluster. Make sure you have followed the Create AKS Cluster section.

The command failed with an authorization error

If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

it means that your identity does not have sufficient permissions to update an AKS cluster.

To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to enable Pod identities in your cluster for you.
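
The procedure above as one script, an added example rather than Arrikto's own tooling: it checks for a managed identity before changing anything, polls the feature state with a bound instead of re-running the list command by hand, and stops at the first failing step. The function names are hypothetical, and it assumes `az aks show` reports the cluster identity under `identity.type`.

```bash
#!/usr/bin/env bash
# Added example (not Arrikto's tooling): the procedure's four az commands,
# with a preflight check and a bounded wait. Function names are hypothetical.
FEATURE=EnablePodIdentityPreview
NAMESPACE=Microsoft.ContainerService

# Current registration state of the preview feature, e.g. "Registering".
feature_state() {
    az feature show --namespace "$NAMESPACE" --name "$FEATURE" \
        --query properties.state -o tsv
}

# Poll until Registered. $1 = max checks, $2 = seconds between checks.
# Returns 2 if az itself fails (e.g. AuthorizationFailed), 1 on timeout.
wait_registered() {
    local tries="${1:-30}" delay="${2:-20}" i=1 state=
    while [ "$i" -le "$tries" ]; do
        state=$(feature_state) || return 2
        if [ "$state" = "Registered" ]; then return 0; fi
        sleep "$delay"
        i=$((i + 1))
    done
    echo "feature is still '$state' after $tries checks" >&2
    return 1
}

# The update is rejected with "PodIdentity addon requires managed identity"
# on clusters without one, so check identity.type before changing anything.
require_managed_identity() {
    local kind
    kind=$(az aks show --resource-group "$1" --name "$2" \
        --query identity.type -o tsv) || return 2
    case "$kind" in
        SystemAssigned|UserAssigned) return 0 ;;
        *) echo "cluster $2 has no managed identity" >&2; return 1 ;;
    esac
}

# $1 = resource group, $2 = cluster name. Stops at the first failing step.
enable_pod_identity() {
    require_managed_identity "$1" "$2" || return 1
    az feature register --name "$FEATURE" --namespace "$NAMESPACE" >/dev/null || return 1
    wait_registered || return 1
    az provider register -n "$NAMESPACE" || return 1
    az aks update --resource-group "$1" --name "$2" --enable-pod-identity
}
```

Source the file and run `enable_pod_identity "${AZ_RESOURCE_GROUP?}" "${AKS_CLUSTER?}"` from the management environment.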

Summary
You have successfully updated your AKS cluster to enable Pod Identities.