
I have followed the walkthrough provided in this link

And at step 6, I have tried to create a pod with the volume linked to the keyvault.

But it is not able to access the volume.

kubectl get pods
NAME                                         READY   STATUS              RESTARTS   AGE
busybox-secrets-store-inline                 0/1     ContainerCreating   0          27s
csi-csi-secrets-store-provider-azure-2fwqd   1/1     Running             0          45m
csi-secrets-store-csi-driver-d6zjv           3/3     Running             0          45m

kubectl describe pod busybox-secrets-store-inline
Name:         busybox-secrets-store-inline
Namespace:    default
Priority:     0
Node:         aks-agentpool-22716505-vmss000001/10.240.0.5
Start Time:   Mon, 26 Jul 2021 21:45:02 +0530
Labels:       <none>
Annotations:  <none>
Status:       Pending
IP:
IPs:          <none>
Containers:
  busybox:
    Container ID:
    Image:         k8s.gcr.io/e2e-test-images/busybox:1.29
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sleep
      10000
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /mnt/secrets-store from secrets-store-inline (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-g7shm (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  secrets-store-inline:
    Type:              CSI (a Container Storage Interface (CSI) volume source)
    Driver:            secrets-store.csi.k8s.io
    FSType:
    ReadOnly:          true
    VolumeAttributes:      secretProviderClass=azure-kvname
  default-token-g7shm:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-g7shm
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason       Age    From               Message
  ----     ------       ----   ----               -------
  Normal   Scheduled    3m50s  default-scheduler  Successfully assigned default/busybox-secrets-store-inline to aks-agentpool-22716505-vmss000001
  Warning  FailedMount  110s   kubelet            MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = DeadlineExceeded desc = context deadline exceeded
  Warning  FailedMount  107s   kubelet            Unable to attach or mount volumes: unmounted volumes=[secrets-store-inline], unattached volumes=[secrets-store-inline default-token-g7shm]: timed out waiting for the condition

How to fix this?

uday

1 Answer


This is usually a permissions issue. Make sure you have specified the service principal ID and password correctly, and make sure you have granted it access to the key vault using the access policies; this is separate from the Azure RBAC permissions.

Sam Cogan
I have done the steps as they are in the link: https://azure.github.io/secrets-store-csi-driver-provider-azure/demos/standard-walkthrough/ Can you please let me know if anything is missing that is not mentioned in this link? Access policy means, I guess, what was mentioned in step 3 of the link. – uday Jul 27 '21 at 13:54
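The answer names two things to verify: the service principal credentials the driver reads from the Kubernetes secret referenced by `nodePublishSecretRef` (the walkthrough's `clientid`/`clientsecret` keys), and a Key Vault access policy granting that principal `get` on secrets, which is ignored if the vault has been switched to Azure RBAC authorization. The script below is an added triage example, not part of the question, the answer, or the Azure provider project. It works offline on constructed inputs shaped like the question's `kubectl describe pod` events, a `kubectl get secret -o json` document, and an `az keyvault show -o json` document; the object ids, vault name and secret contents are made up, and the "broken" configuration reproduces two mistakes the answer points at (an empty password and a policy for the wrong object id). Pointing it at real output from those commands instead of the constructed dicts is left to the reader.

```python
import base64
import re

# Constructed sample inputs, not taken from a live cluster: the FailedMount
# events quoted in the question, a Kubernetes secret shaped like the output of
# `kubectl get secret <name> -o json`, and a Key Vault shaped like the output of
# `az keyvault show --name <kv> -o json`, trimmed to the fields used here.
DESCRIBE_EVENTS = """\
  Type     Reason       Age    From               Message
  Normal   Scheduled    3m50s  default-scheduler  Successfully assigned default/busybox-secrets-store-inline to aks-agentpool-22716505-vmss000001
  Warning  FailedMount  110s   kubelet            MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = DeadlineExceeded desc = context deadline exceeded
"""


def b64(s: str) -> str:
    """Encode a value the way the Kubernetes API returns secret data."""
    return base64.b64encode(s.encode()).decode()


SP_OBJECT_ID = "22222222-2222-2222-2222-222222222222"   # constructed: object id of the service principal

BROKEN_SECRET = {   # constructed: clientsecret was created empty
    "metadata": {"name": "secrets-store-creds"},
    "data": {"clientid": b64("00000000-0000-0000-0000-000000000000"), "clientsecret": b64("")},
}
BROKEN_KEYVAULT = {  # constructed: an access policy exists, but for a different object id
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "11111111-1111-1111-1111-111111111111",
                            "permissions": {"secrets": ["get"]}}],
    },
}
FIXED_SECRET = {    # constructed: both credential keys populated
    "metadata": {"name": "secrets-store-creds"},
    "data": {"clientid": b64("00000000-0000-0000-0000-000000000000"), "clientsecret": b64("s3cret-value")},
}
FIXED_KEYVAULT = {  # constructed: policy for the SP's object id with Get on secrets
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": SP_OBJECT_ID, "permissions": {"secrets": ["Get"]}}],
    },
}

REQUIRED_KEYS = ("clientid", "clientsecret")


def mount_timed_out(describe_output: str) -> bool:
    """True when kubelet reported the secrets-store CSI mount hitting the provider deadline."""
    return re.search(r"FailedMount.*secrets-store.*DeadlineExceeded", describe_output) is not None


def check_sp_secret(secret: dict) -> list:
    """The secret named by nodePublishSecretRef must carry non-empty clientid and clientsecret."""
    findings = []
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    data = secret.get("data") or {}
    for key in REQUIRED_KEYS:
        if key not in data:
            findings.append(f"secret {name} has no '{key}' key")
        elif base64.b64decode(data[key]) == b"":
            findings.append(f"secret {name} has an empty '{key}' value")
    return findings


def check_access_policy(keyvault: dict, object_id: str) -> list:
    """Access policies only apply when the vault is not in Azure RBAC mode; the SP needs 'get' on secrets."""
    props = keyvault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        return ["vault uses Azure RBAC authorization: access policies are ignored, "
                "assign a data-plane role such as Key Vault Secrets User instead"]
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() == object_id.lower():
            perms = [p.lower() for p in policy.get("permissions", {}).get("secrets", [])]
            if "get" not in perms:
                return [f"access policy for {object_id} lacks 'get' on secrets (has {perms})"]
            return []
    return [f"no access policy grants object id {object_id} anything on this vault"]


def triage(describe_output: str, secret: dict, keyvault: dict, object_id: str) -> list:
    """Collect the likely causes of a secrets-store mount failure from the three inputs."""
    findings = []
    if mount_timed_out(describe_output):
        findings.append("kubelet: secrets-store mount timed out, so the Azure provider could not "
                        "fetch the objects; check the provider pod logs on that node")
    findings += check_sp_secret(secret)
    findings += check_access_policy(keyvault, object_id)
    return findings


if __name__ == "__main__":
    for finding in triage(DESCRIBE_EVENTS, BROKEN_SECRET, BROKEN_KEYVAULT, SP_OBJECT_ID):
        print("-", finding)
    print("fixed config findings:", triage("Events: <none>", FIXED_SECRET, FIXED_KEYVAULT, SP_OBJECT_ID))
```

The object id matched against the policy is the service principal's object id in Azure AD, not its application (client) id; the two are easy to mix up when granting access with `az keyvault set-policy`, which is why the check compares against whatever id the policy actually records. The RBAC branch covers the answer's remark that access policies and Azure RBAC are separate: a vault with `enableRbacAuthorization` set ignores every access policy, so adding one there changes nothing.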