Skip to content
This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

Deployment will fail for cluster using user assigned identity when identity service is throttled #2082

Closed
norshtein opened this issue Oct 2, 2019 · 2 comments
Closed

Deployment will fail for cluster using user assigned identity when identity service is throttled #2082

norshtein opened this issue Oct 2, 2019 · 2 comments
Assignees
@norshtein
Labels
bug Something isn't working stale

Comments

@norshtein
Copy link
Member

Describe the bug
If the k8s cluster uses user assigned managed identity, in AKS-Engine generated template, the VM will not add the identity to its dependsOn:

    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "apiVersion": "[variables('apiVersionManagedIdentity')]",
            "name": "[variables('userAssignedID')]",
            "location": "[variables('location')]"
        },
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "[variables('apiVersionCompute')]",
            "name": "[concat(variables('nodepool1VMNamePrefix'), copyIndex(variables('nodepool1Offset')))]",
            "location": "[variables('location')]",
            "dependsOn": [
                "[concat('Microsoft.Network/networkInterfaces/', variables('nodepool1VMNamePrefix'), 'nic-', copyIndex(variables('nodepool1Offset')))]",
                "[concat('Microsoft.Compute/availabilitySets/', variables('nodepool1AvailabilitySet'))]"
            ],
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "[variables('userAssignedIDReference')]": {}
                }
            },
            ...

Normally it's OK because the creation of the identity is really fast, but when identity service is throttled(limitation is 8 requests per second per tenant according to identity team), the creation of identity will be slow and the deployment will fail because it tries to associate an non-existing identity to VM. The identity will be created finally but the deployment is early failed when trying to create VM.

Steps To Reproduce

Not always reproduce. Can only be reproduced for cluster using user assigned identity when identity service is throttled in tenant.

Expected behavior
The deployment should success.
AKS Engine version
All version.
Kubernetes version
All version.
Additional context
@norshtein norshtein added the bug Something isn't working label Oct 2, 2019
@norshtein
Copy link
Member Author

/assign @norshtein

@norshtein norshtein mentioned this issue Oct 14, 2019
Closed
4 tasks
@stale
Copy link

stale bot commented Dec 1, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 1, 2019
@stale stale bot closed this as completed Dec 8, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@norshtein norshtein

Labels
bug Something isn't working stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: VM and VMSS do not have user assigned identity in its dependsOn norshtein/aks-engine
1 participant
@norshtein