Bug: "400 Bad Request" when importing ManagedClusters with asoctl v2.2.0 #3200

Closed
comptonad opened this issue Aug 22, 2023 · 3 comments · Fixed by #3212

@comptonad

Version of Azure Service Operator

✗ kubectl get deployment -n azureserviceoperator-system azureserviceoperator-controller-manager -o wide
NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS                IMAGES                                                                                         SELECTOR
azureserviceoperator-controller-manager   1/1     1            1           3d21h   manager,kube-rbac-proxy   mcr.microsoft.com/k8s/azureserviceoperator:v2.1.0,gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1   control-plane=controller-manager

Describe the bug
In asoctl v2.1.0 I am able to import ManagedCluster resources but after upgrading to v2.2.0 I am not.

To Reproduce

  1. Create an AKS cluster or use existing one
  2. On v2.2.0 of asoctl run the following:
     asoctl import azure-resource "/subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>" -o cluster.yaml

Expected behavior

Behavior should be the same between versions

Screenshots

Attempt using v2.2.0

✗ asoctl version
asoctl v2.2.0 darwin

✗ asoctl import azure-resource "/subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>" -o cluster.yaml
08:51:25 ERR Failed error="importing containerservice.azure.com/TrustedAccessRoleBinding for resource /subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>: unable to list resources of type Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings: GET https://management.azure.com/subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>/trustedAccessRoleBindings\n--------------------------------------------------------------------------------\nRESPONSE 400: 400 Bad Request\nERROR CODE: BadRequest\n--------------------------------------------------------------------------------\n{\n  \"code\": \"BadRequest\",\n  \"details\": null,\n  \"message\": \"Preview feature Microsoft.ContainerService/TrustedAccessPreview not registered.\",\n  \"subcode\": \"\"\n}\n--------------------------------------------------------------------------------\n" kind=ManagedCluster.containerservice.azure.com name=<cluster-name>
08:51:25 ERR Failed imports error="importing containerservice.azure.com/TrustedAccessRoleBinding for resource /subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>: unable to list resources of type Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings: GET https://management.azure.com/subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>/trustedAccessRoleBindings\n--------------------------------------------------------------------------------\nRESPONSE 400: 400 Bad Request\nERROR CODE: BadRequest\n--------------------------------------------------------------------------------\n{\n  \"code\": \"BadRequest\",\n  \"details\": null,\n  \"message\": \"Preview feature Microsoft.ContainerService/TrustedAccessPreview not registered.\",\n  \"subcode\": \"\"\n}\n--------------------------------------------------------------------------------\n" Count=1 Group=containerservice.azure.com Kind=ManagedCluster
Import Azure Resources  [=============================================================================================================================================================] 100 %
08:51:25 ERR failed to execute command error="failed to import any resources: failed during import of <cluster-name>"

Attempt using v2.1.0

✗ ./asoctl version
asoctl v2.1.0 darwin

✗ ./asoctl import azure-resource "/subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>" -o cluster.yaml
08:52:14 INF Imported kind=ManagedCluster.containerservice.azure.com name=<cluster-name>
08:52:14 INF Imported kind=RoleAssignment.authorization.azure.com name=29af165b-8fcc-4e0d-aedb-10c33190b514
08:52:16 INF Imported kind=ManagedClustersAgentPool.containerservice.azure.com name=compworkflow
08:52:16 INF Summary Count=1 Group=authorization.azure.com Kind=RoleAssignment Reason= Status=Imported
08:52:16 INF Summary Count=2 Group=authorization.azure.com Kind=RoleAssignment Reason="access forbidden" Status=Skipped
08:52:16 INF Summary Count=5 Group=authorization.azure.com Kind=RoleAssignment Reason="role assignment is inherited" Status=Skipped
08:52:16 INF Summary Count=1 Group=containerservice.azure.com Kind=ManagedCluster Reason= Status=Imported
08:52:16 INF Summary Count=1 Group=containerservice.azure.com Kind=ManagedClustersAgentPool Reason= Status=Imported
08:52:16 INF Writing to a single file file=cluster.yaml
Import Azure Resources  [=============================================================================================================================================================] 100 %

Additional context

Permissions, account, etc. are not modified between attempts and changing of asoctl versions.

@theunrepentantgeek
Member

I've found the bug.

In ASO v2.2.0, we introduced support for TrustedAccessRoleBinding.

When asoctl v2.2.0 runs, it queries for any TrustedAccessRoleBinding resources associated with your cluster, but the request is rejected by ARM because your subscription hasn't been onboarded.

When asoctl v2.1.0 runs, it never tries to query for TrustedAccessRoleBinding resources, and thus never encounters the error.

The error returned by ARM is correct, but shouldn't be resulting in asoctl aborting the import run. The import process should continue, with the user informed of the partial error.
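The behaviour described in the comment above (report the rejected child-type query and keep importing), sketched in Go as an added example. It is not asoctl's code or the fix in #3212; `listResult`, `skipReason` and `importChildren` are hypothetical names, and the only assumption is the error body shape shown in the log output above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// sampleBody is the ARM error body from the log above, with the escapes removed.
const sampleBody = `{"code":"BadRequest","details":null,"message":"Preview feature Microsoft.ContainerService/TrustedAccessPreview not registered.","subcode":""}`

// listResult is a hypothetical stand-in for one child-type list call to ARM.
type listResult struct {
	Kind, Body string
	Status     int
}

// skipReason reports whether a failed list call means "preview feature not registered".
func skipReason(r listResult) (string, bool) {
	var e struct{ Code, Message string }
	if r.Status != http.StatusBadRequest || json.Unmarshal([]byte(r.Body), &e) != nil {
		return "", false
	}
	ok := e.Code == "BadRequest" && strings.HasPrefix(e.Message, "Preview feature ") &&
		strings.HasSuffix(e.Message, " not registered.")
	return e.Message, ok
}

// importChildren walks every child type; only unrecognised failures abort the run.
func importChildren(results []listResult) (imported []string, skipped map[string]string, err error) {
	skipped = map[string]string{}
	for _, r := range results {
		reason, skip := skipReason(r)
		switch {
		case r.Status == http.StatusOK:
			imported = append(imported, r.Kind)
		case skip:
			skipped[r.Kind] = reason // surfaced to the user as a partial error
		default:
			return imported, skipped, fmt.Errorf("listing %s: HTTP %d", r.Kind, r.Status)
		}
	}
	return imported, skipped, nil
}

func main() { // constructed input: one child type fails with the 400 from the log
	fmt.Println(importChildren([]listResult{{Kind: "TrustedAccessRoleBinding", Status: 400, Body: sampleBody}}))
}
```

Matching on the specific error code and message keeps other 400 responses fatal, so a malformed request is not silently reported as a skipped resource type.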

@comptonad
Author

Thanks for the update.

> ... because your subscription hasn't been onboarded.

Can you please elaborate more on what it means to be onboarded?

@matthchr matthchr added bug 🪲 Something isn't working and removed needs-triage 🔍 labels Aug 28, 2023
@matthchr matthchr added this to the v2.3.0 milestone Aug 28, 2023
@theunrepentantgeek
Member

Not every Azure Feature is enabled for every subscription.

For example, the Azure Kubernetes Service Trusted Access feature is currently in preview. Anyone who wants to use it can do so (it's a public preview), but the feature is only turned on when someone explicitly uses Trusted Access.

You can see a list of all features, including whether they are enabled for you or not, by running az feature list.

@github-project-automation github-project-automation bot moved this from Backlog to Recently Completed in Azure Service Operator Roadmap Aug 29, 2023
@matthchr matthchr moved this from Recently Completed to Ready for Release in Azure Service Operator Roadmap Sep 25, 2023