az connectedk8s does not work between Tenants

Open tshaiman opened this issue 2 years ago • 4 comments

When trying to connect the Azure Arc extension for K8s between 2 Azure tenants, you get an "unauthorized error".

Related command

az connectedk8s connect --name $name --resource-group $rg --location westus2 --correlation-id c18ab9d0-685e-48e7-ab55-12588447b0ed 

Logs

This operation might take a while...

Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error Response: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

Extension name (the extension in question)

connectedk8s

Detailed Description / Reproducing Steps

  1. Go to some Azure tenant (for simplicity I will use the term "tenant01" here).

  2. Under the tenant subscription (I will call it "sub01", which belongs to "tenant01"), create an AKS cluster.

  3. Connect to the cluster: "az aks get-credentials .....", perform a sanity check, ensure "kubectl get pods/get nodes" are working.

  4. At this stage your .kube/config points to the newly created cluster on tenant01.

  5. Go to another tenant/subscription ("tenant02/sub02") and go to new AKS Arc Enabled Cluster.

  6. Change the CLI subscription accordingly: az account set --subscription "sub02"

  7. Create a new AKS-Arc Enabled cluster, reach the Az CLI step.

  8. From the onboarding instructions on the Azure Portal you will need to run the CLI:

az connectedk8s connect --name $name --resource-group $rg --location westus2 --correlation-id c18ab9d0-685e-48e7-ab55-12588447b0ed 

Bug: You are getting Unauthorized 401:

This operation might take a while...

Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error Response: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

Additional Info

  • AKS Arc was designed in order to onboard K8s clusters from OnPrem/Edge/Cloud-to-Cloud scenarios. It works from a local Kind cluster and from other cloud providers. The fact that you cannot onboard another AKS cluster from another tenant seems limiting.

tshaiman avatar Apr 05 '23 06:04 tshaiman

Thank you for opening this issue, we will look into it.

yonzhan avatar Apr 05 '23 06:04 yonzhan

Adding Service Attention since this is non-customer reported.

navba-MSFT avatar Apr 10 '23 02:04 navba-MSFT

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.

Issue Details

Author: tshaiman
Assignees: zhoxing-ms
Labels:

AKS, Subscription, Service Attention, Connected Kubernetes, Auto-Assign

Milestone: -

ghost avatar Apr 10 '23 02:04 ghost

Hi @tshaiman, checking in on this older issue. Sorry it never got a meaningful response. Is this still an active issue for you?

mbifeld avatar Dec 09 '25 16:12 mbifeld