0
votes

I am following the article mentioned below for creating dynamic persistent volume claims.

https://docs.microsoft.com/en-us/azure/aks/azure-disks-dynamic-pv

I created a Persistent Volume Claim using:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: taskmanager-01
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: managed-premium
  resources:
    requests:
      storage: 16Gi

Question 01:

From what I understand, the Persistent Volume and the actual underlying disk will be provisioned when this is created.

Is this correct?

Question 02:

kubectl get pvc -n <namespace>

returns the status of my PVC as Pending. I get the following errors in the Kubernetes event list:

Failed to provision volume with StorageClass "managed-premium": 

azure.BearerAuthorizer#WithAuthorization: 
Failed to refresh the Token for request to 

https://management.azure.com/subscriptions/xxxx/resourceGroups/MC_XXXX/providers/Microsoft.Compute/disks/kubernetes-dynamic-pvc-651cef89-49ae-11e9-8104-0a58ac1f222a?api-version=2016-04-30-preview: 

StatusCode=401 
Original Error: adal: Refresh request failed. Status Code = '401'.


{
  "error": "invalid_client",
  "error_description": "AADSTS7000215: Invalid client secret is provided.\r\n
 Trace ID: xxxx\r\nCorrelation ID: xxxxr\nTimestamp: 2019-03-18 18:49:42Z",
  "error_codes": [
    7000215
  ],
  "timestamp": "2019-03-18 18:49:42Z",
  "trace_id": "xxxx",
  "correlation_id": "xxxx"
}

1 Answer

1
votes
  1. Yes, with dynamic it will get provisioned on the fly.
  2. Pretty sure this error means your service principal doesn't have permissions to the resource group or its secret is expired.

One way to check that would be to find that information from the AKS resource (under servicePrincipalProfile >> clientId, using, say, az aks list -g %resource-group%) and check if it has permissions to the resource group. If it does, you can try rotating the secret to a new one:

https://docs.microsoft.com/en-us/azure/aks/update-credentials
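
The check described in the answer, as an added shell example that is not part of the original answer: it reads the cluster's service principal, counts its unexpired secrets and lists its role assignments. The function names are hypothetical; it assumes a logged-in Azure CLI whose credential listing exposes `endDateTime` (older CLI versions used `endDate`) and that the end dates are UTC.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; resource group and
# cluster name are supplied by the caller.

# Normalise an ISO-8601 timestamp (assumed UTC) to a YYYYMMDDHHMMSS integer
# so it can be compared with plain integer tests in any POSIX shell.
ts_to_int() {
    printf '%s' "$1" | cut -c1-19 | tr -d 'T:-'
}

# count_current_secrets NOW
# Reads secret end dates (one per line) on stdin and prints how many are
# later than NOW, i.e. how many secrets have not expired yet.
count_current_secrets() {
    now=$(ts_to_int "$1")
    current=0
    while IFS= read -r end; do
        [ -n "$end" ] || continue
        if [ "$(ts_to_int "$end")" -gt "$now" ]; then
            current=$((current + 1))
        fi
    done
    printf '%s\n' "$current"
}

# check_aks_sp RESOURCE_GROUP CLUSTER_NAME
# Returns 0 if the cluster's service principal has at least one unexpired
# secret, 1 if every secret has expired, 2 if the cluster lookup failed.
check_aks_sp() {
    sp_id=$(az aks show -g "$1" -n "$2" \
        --query servicePrincipalProfile.clientId -o tsv) || return 2

    # Assumption: the field is named endDateTime in the installed CLI.
    n=$(az ad app credential list --id "$sp_id" \
            --query '[].endDateTime' -o tsv |
        count_current_secrets "$(date -u +%Y-%m-%dT%H:%M:%SZ)")
    echo "service principal $sp_id: $n unexpired secret(s)"

    # The answer's other suspect: what the principal is allowed to touch.
    az role assignment list --assignee "$sp_id" --all \
        --query '[].{role:roleDefinitionName, scope:scope}' -o table

    [ "$n" -gt 0 ]
}
```

An unexpired secret in Azure AD does not rule out the cluster holding an older secret value; the update-credentials procedure linked above replaces the secret on both sides.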