CAPZ isn't compatible within a vcluster, with workload identity enabled on AKS. #4681

Open
mjnovice opened this issue Mar 28, 2024 · 1 comment · May be fixed by #4682
Labels
area/managedclusters: Issues related to managed AKS clusters created through the CAPZ ManagedCluster Type
kind/bug: Categorizes issue or PR as related to a bug.
priority/backlog: Higher priority than priority/awaiting-more-evidence.

Comments

@mjnovice
Contributor

/kind bug


What steps did you take and what happened:
After installing CAPZ onto a vcluster, we see a clash in the volumes section.

In the pod spec of the pod created on the host cluster, vcluster creates the following:

```yaml
  - name: azure-identity-token
    projected:
      defaultMode: 420
      sources:
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.annotations['vcluster.loft.sh/token-lkyoezps']
            mode: 420
            path: azure-identity-token
```

Pod creation on the host cluster fails because of:

```text
controller-manager-5bd448b8b4-gt44q                           Error syncing to physical cluster: Pod "capz-controller-manager-5bd448b8b4-gt44q-x-capz-syst-d6ecd524ea" is invalid: spec.volumes[3].name: Duplicate value: "azure-identity-token"
```

If we use --sync-label for vcluster to sync the label azure.workload.identity/use, the workload identity webhook will try to add the volume too: the volumes sections (https://github.com/Azure/azure-workload-identity/blame/main/pkg/webhook/webhook.go#L401) are not the same, so the webhook tries to create it again.

What did you expect to happen:
CAPZ pod doesn't come up

Anything else you would like to add:

Environment:

  • cluster-api-provider-azure version: 1.14.0
  • Kubernetes version: (use kubectl version): 1.28
  • OS (e.g. from /etc/os-release):
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Mar 28, 2024
@JRBANCEL

The azure-identity-token volume shouldn't be part of the Pod spec.
Only the azure.workload.identity/use: "true" label should be specified; let Workload Identity do its work.

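A pre-flight check for this clash, as an added example (not CAPZ, vcluster or azure-workload-identity code): it walks a pod spec for the duplicate volume names the API server rejects and for an azure-identity-token volume declared on a pod that also carries the workload identity label. The sample pods and the shape of the webhook's serviceAccountToken volume are constructed assumptions.

```python
"""Pre-flight check for the volume clash described above. Added example, not
CAPZ, vcluster or azure-workload-identity code. It inspects a pod as a plain
dict (the shape of `kubectl get pod -o json`) for duplicate volume names and
for an explicit azure-identity-token volume on a pod labelled for workload
identity, which is what invites the webhook to inject a second copy."""
from collections import Counter

WI_LABEL = "azure.workload.identity/use"
TOKEN_VOLUME = "azure-identity-token"

def volumes_of(pod: dict) -> list:
    return pod.get("spec", {}).get("volumes", []) or []

def find_duplicate_volumes(pod: dict) -> list:
    """Volume names that appear more than once in spec.volumes, sorted."""
    counts = Counter(v.get("name", "") for v in volumes_of(pod))
    return sorted(name for name, n in counts.items() if n > 1)

def explicit_token_volume_with_label(pod: dict) -> bool:
    """True when the pod both declares azure-identity-token itself and carries
    the azure.workload.identity/use=true label, so the webhook adds it again."""
    labels = pod.get("metadata", {}).get("labels", {}) or {}
    has_volume = any(v.get("name") == TOKEN_VOLUME for v in volumes_of(pod))
    return labels.get(WI_LABEL) == "true" and has_volume

def check_pod(pod: dict) -> list:
    """Human-readable findings; an empty list means the spec is clean."""
    findings = [f"duplicate volume name: {n}" for n in find_duplicate_volumes(pod)]
    if explicit_token_volume_with_label(pod):
        findings.append(f"{TOKEN_VOLUME} declared explicitly on a pod labelled "
                        f"{WI_LABEL}=true; drop the volume and keep the label")
    return findings

# Constructed sample: vcluster's projected downwardAPI token volume (as quoted in
# the issue) beside an assumed serviceAccountToken volume as the webhook injects.
BROKEN_POD = {
    "metadata": {"name": "capz-controller-manager", "labels": {WI_LABEL: "true"}},
    "spec": {"volumes": [
        {"name": "cert", "secret": {"secretName": "webhook-cert"}},
        {"name": TOKEN_VOLUME, "projected": {"sources": [{"downwardAPI": {"items": [
            {"path": TOKEN_VOLUME, "fieldRef": {"fieldPath":
             "metadata.annotations['vcluster.loft.sh/token-lkyoezps']"}}]}}]}},
        {"name": TOKEN_VOLUME, "projected": {"sources": [{"serviceAccountToken": {
            "path": TOKEN_VOLUME, "audience": "api://AzureADTokenExchange"}}]}},
    ]},
}
# The same pod carrying only the label, as the comment above recommends.
FIXED_POD = {"metadata": {"labels": {WI_LABEL: "true"}},
             "spec": {"volumes": [BROKEN_POD["spec"]["volumes"][0]]}}
```

Run `check_pod` against `kubectl get pod -o json` output from the host cluster to see the clash before the sync error appears.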
@mboersma mboersma added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Mar 28, 2024
@JRBANCEL JRBANCEL linked a pull request Mar 28, 2024 that will close this issue
@dtzar dtzar added the area/managedclusters Issues related to managed AKS clusters created through the CAPZ ManagedCluster Type label May 16, 2024