
Missing service account cicd

Open jpocloud opened this issue 1 year ago • 1 comments

It seems there is a missing service account named 'cicd' after deploying. I did not have a cluster with RBAC enabled. Additionally, I would think attach-acr would be the more common approach instead of managing the docker secret yourself.

This is the failure I got after deployment:

11m Warning FailedCreate replicaset/sampleapp-779c55fd4b Error creating: pods "sampleapp-779c55fd4b-" is forbidden: error looking up service account default/cicd: serviceaccount "cicd" not found



jpocloud avatar Jun 01 '23 19:06 jpocloud

@jpocloud Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT avatar Jun 02 '23 05:06 SaibabaBalapur-MSFT

I applied a temp fix to the deployment.yml for the pipeline to work. Hopefully you may find this helpful.

  1. Add Role, RoleBinding & ServiceAccount
  2. Update the ACR URL & repository name

Your deployment.yml should look like this

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: cicd
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["namespaces"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cicd-rolebind
  namespace: default
subjects:
- kind: ServiceAccount
  name: cicd
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: cicd # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cicd
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sampleapp
  labels:
    app: sampleapp
spec:
  progressDeadlineSeconds: 3600
  replicas: 1
  selector:
    matchLabels:
      app: sampleapp
  template:
    metadata:
      labels:
        app: sampleapp
    spec:
      serviceAccountName: cicd
      containers:
      - name: sampleapp
        # replace <ACR name> and <ACR repository name> with your container registry and repository. Example: contosodemo.azurecr.io/sampleapp
        image: <ACR name>.azurecr.io/<ACR repository name>
        imagePullPolicy: Always
        ports:
        - containerPort: 8000
        - containerPort: 8080

Additionally, I updated service.yml for testing: the original service only contains an internal IP within kubenet, so I would like to add a public IP for my desktop to access. Alternatively, you can create a VNet peering between your managed VNet and one of your existing VNets and access it from one of your VMs.

  1. Change the service > spec > type: from "ClusterIP" to "LoadBalancer"

Your Service.yml should look like this

apiVersion: v1
kind: Service
metadata:
  name: sampleapp
  labels:
    app: sampleapp
spec:
  selector:
    app: sampleapp
  ports:
  - name: metrics
    port: 8000
    protocol: TCP
    targetPort: 8000
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  type: LoadBalancer # changed from ClusterIP so the service gets a public IP

---

apiVersion: v1
kind: Secret
metadata:
  name: sa1-token
  annotations:
    kubernetes.io/service-account.name: cicd
type: kubernetes.io/service-account-token

liam-ng avatar Jun 03 '23 18:06 liam-ng
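The failure in the first post (a pod template naming a ServiceAccount that does not exist) and the fix above (adding the Role, RoleBinding and ServiceAccount to the same bundle) can be caught before kubectl apply. The following pre-deploy check is an added example, not code from the thread or from the Azure docs; it takes the bundle as Python dicts (what yaml.safe_load_all would yield for deployment.yml) and reports every ServiceAccount reference that the bundle itself does not define. The SAMPLE_BUNDLE below is constructed to mirror liam-ng's manifests.

```python
"""Pre-deploy lint: every ServiceAccount named by a Deployment pod template,
a RoleBinding subject or a service-account-token Secret must be defined in
the same namespace of the bundle (the cause of 'serviceaccount "cicd" not found')."""
from typing import Dict, List, Tuple

# Constructed sample bundle mirroring the deployment.yml in the thread, as dicts
# so the check runs without PyYAML (assumption: one namespace, 'default').
SAMPLE_BUNDLE: List[Dict] = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"namespace": "default", "name": "cicd"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "cicd-rolebind", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "cicd"}],
     "roleRef": {"kind": "Role", "name": "cicd", "apiGroup": "rbac.authorization.k8s.io"}},
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "cicd", "namespace": "default"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "sampleapp"},
     "spec": {"template": {"spec": {"serviceAccountName": "cicd", "containers": []}}}},
]

def _ns(doc: Dict, default: str = "default") -> str:
    """Namespace of a manifest; unnamespaced objects land in 'default' like kubectl."""
    return doc.get("metadata", {}).get("namespace", default)

def service_account_references(docs: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (referrer, namespace, service account) for every SA reference."""
    refs = []
    for d in docs:
        kind, name, ns = d.get("kind"), d.get("metadata", {}).get("name"), _ns(d)
        if kind == "Deployment":
            sa = d["spec"]["template"]["spec"].get("serviceAccountName", "default")
            refs.append((f"Deployment/{name}", ns, sa))
        elif kind == "RoleBinding":
            for s in d.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    refs.append((f"RoleBinding/{name}", s.get("namespace", ns), s["name"]))
        elif kind == "Secret" and d.get("type") == "kubernetes.io/service-account-token":
            sa = d["metadata"].get("annotations", {}).get("kubernetes.io/service-account.name")
            if sa:
                refs.append((f"Secret/{name}", ns, sa))
    return refs

def missing_service_accounts(docs: List[Dict]) -> List[str]:
    """Findings for references with no matching ServiceAccount in the bundle.
    'default' is exempt because every namespace gets one automatically."""
    defined = {(_ns(d), d["metadata"]["name"]) for d in docs if d.get("kind") == "ServiceAccount"}
    return [f"{who} refers to serviceaccount {ns}/{sa}, which is not defined in the bundle"
            for who, ns, sa in service_account_references(docs)
            if sa != "default" and (ns, sa) not in defined]

if __name__ == "__main__":
    for line in missing_service_accounts(SAMPLE_BUNDLE) or ["ok: all service accounts defined"]:
        print(line)
```

Running it against a bundle that drops the ServiceAccount document reproduces the situation in the original report, with the Deployment and the RoleBinding both flagged.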

@liam-ng Thanks for your inputs

@jpocloud It seems that you are facing an issue with the deployment of your application on Azure Kubernetes Service. The error message indicates that the service account named 'cicd' is not found. This error can occur if the service account is not created or if it is not properly configured.

To resolve this issue, you can create the service account 'cicd' in your Kubernetes cluster. You can create a service account using the following command:

kubectl create serviceaccount cicd

After creating the service account, you can link it to the pod by adding the following lines to your deployment YAML file:

spec:
  serviceAccountName: cicd

Regarding your second point, you are correct that using attach-acr is a more common approach than managing the Docker secret yourself. The attach-acr command is used to attach an Azure Container Registry to an AKS cluster. This command creates a Kubernetes secret in the AKS cluster that contains the credentials required to authenticate with the registry. You can use this secret to pull images from the registry.

If you are still experiencing issues after trying these steps, I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Thank you for your time and patience throughout this issue.

ManoharLakkoju-MSFT avatar Jun 05 '23 06:06 ManoharLakkoju-MSFT