Enable Pod Identities on AKS

This section will guide you through enabling the Pod identities feature on your AKS cluster, which is necessary for running Arrikto Enterprise Kubeflow.

What You’ll Need

Procedure

  1. Register the EnablePodIdentityPreview feature:

    root@rok-tools:~# az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
    {
      "id": "/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029/providers/Microsoft.Features/providers/Microsoft.ContainerService/features/EnablePodIdentityPreview",
      "name": "Microsoft.ContainerService/EnablePodIdentityPreview",
      "properties": {
        "state": "Registered"
      },
      "type": "Microsoft.Features/providers/features"
    }

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.Features/providers/features/register/action' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to register an Azure feature.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to register the EnablePodIdentityPreview feature for you.

  2. Wait for it to become Registered:

    root@rok-tools:~# az feature list -o table \
    >     --query "[?contains(name, 'Microsoft.ContainerService/EnablePodIdentityPreview')].{Name:name,State:properties.state}"
    Name                                                 State
    ---------------------------------------------------  ----------
    Microsoft.ContainerService/EnablePodIdentityPreview  Registered

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '82a19692-1c50-4f24-b3e2-95675ddc5213' with object id '82a19692-1c50-4f24-b3e2-95675ddc5213' does not have authorization to perform action 'Microsoft.Features/features/read' over scope '/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to list Azure features.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

  3. Refresh the registration of the corresponding resource provider:

    root@rok-tools:~# az provider register -n Microsoft.ContainerService

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '82a19692-1c50-4f24-b3e2-95675ddc5213' with object id '82a19692-1c50-4f24-b3e2-95675ddc5213' does not have authorization to perform action 'Microsoft.ContainerService/register/action' over scope '/subscriptions/a8eb0222-2657-4a68-ae60-f06536139029' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to register an Azure provider.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to register the Microsoft.ContainerService provider for you.

  4. Update your AKS cluster to enable Pod identities:

    root@rok-tools:~# az aks update \
    >     --resource-group ${AZ_RESOURCE_GROUP?} \
    >     --name ${AKS_CLUSTER?} \
    >     --enable-pod-identity

    Troubleshooting

    The command failed with a ‘Bad Request’ error

    If the command failed with the following message:

    Operation failed with status: 'Bad Request'. Details: PodIdentity addon requires managed identity.

    it means that you have not enabled managed identities on your AKS cluster. Make sure you have followed the Create AKS Cluster section.

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to update an AKS cluster.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to enable Pod identities in your cluster for you.
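A polling helper for step 2, as an added example that is not part of the original guide: it waits for the feature state to become Registered and stops immediately on the AuthorizationFailed error shown in the troubleshooting notes, printing the denied action and scope so the exact missing permission can be reported. The function names, the timeout and interval defaults, and the set of states treated as still in progress are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): wait for the preview feature
# from steps 1-2 to reach Registered, failing fast on AuthorizationFailed.

# Fetch the current state. Defined as a function so it can be overridden
# with a stub when exercising the loop without Azure access.
get_feature_state() {
  az feature show --namespace Microsoft.ContainerService \
    --name EnablePodIdentityPreview \
    --query properties.state -o tsv --only-show-errors 2>&1
}

# Print "action|scope" extracted from an AuthorizationFailed message.
parse_authz_failure() {
  printf '%s\n' "$1" | sed -n \
    "s/.*perform action '\([^']*\)' over scope '\([^']*\)'.*/\1|\2/p"
}

# wait_for_registered [timeout_seconds] [interval_seconds]
# Returns 0 once Registered, 2 on an authorization failure (retrying will
# not help), 1 on timeout or any other unexpected output.
wait_for_registered() {
  local timeout=${1:-900} interval=${2:-15} waited=0 out denied
  while :; do
    out=$(get_feature_state) || true
    case "$out" in
      Registered) return 0 ;;
      *AuthorizationFailed*)
        denied=$(parse_authz_failure "$out")
        echo "denied: action=${denied%%|*} scope=${denied#*|}" >&2
        return 2 ;;
      Registering|Pending) ;;   # assumed in-progress states: keep waiting
      *) echo "unexpected output: $out" >&2; return 1 ;;
    esac
    [ "$waited" -ge "$timeout" ] && return 1
    sleep "$interval"
    waited=$((waited + interval))
  done
}
```

Call `wait_for_registered` after step 1 and continue with step 3 only when it returns 0; exit status 2 means the identity configured in the Azure CLI lacks the permission named in the printed action.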

Summary

You have successfully updated your AKS cluster to enable Pod Identities.

What’s Next

The next step is to deploy Rok.