Commit ee8c8c0

Update vmextensionerror-oraspullunauthorized.md
1 parent b467340 commit ee8c8c0

1 file changed

+9
-9
lines changed


support/azure/azure-kubernetes/error-codes/vmextensionerror-oraspullunauthorized.md

Lines changed: 9 additions & 9 deletions
@@ -1,7 +1,7 @@
11
---
22
title: OrasPullUnauthorizedVMExtensionError when creating AKS clusters
3-
description: Learn how to troubleshoot the OrasPullUnauthorizedVMExtensionError error (212) and when you try to create and deploy an Azure Kubernetes Service (AKS) cluster.
4-
ms.date: 05/02/2025
3+
description: Learn how to troubleshoot the OrasPullUnauthorizedVMExtensionError error (212) when you try to create and deploy an Azure Kubernetes Service (AKS) cluster.
4+
ms.date: 05/07/2025
55
ms.reviewer: xinhl, v-weizhu
66
ms.service: azure-kubernetes-service
77
#Customer intent: As an Azure Kubernetes user, I want to troubleshoot the OrasPullUnauthorizedVMExtensionError error code (OrasPullUnauthorizedVMExtensionError (212)) so that I can successfully create and deploy an Azure Kubernetes Service (AKS) cluster.
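Review bot: The new description on line 3 still reads "the OrasPullUnauthorizedVMExtensionError error (212)", which doubles up as "Error error", and the unchanged customer-intent comment on line 7 repeats the error name twice ("OrasPullUnauthorizedVMExtensionError error code (OrasPullUnauthorizedVMExtensionError (212))"). Since this commit is already a wording pass over the front matter, consider "the OrasPullUnauthorizedVMExtensionError error code (212)" in both places so the two lines agree.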
@@ -23,21 +23,21 @@ When you try to create an AKS cluster with the outbound type `none` or `block`,
2323
2424
## Cause
2525

26-
For [network isolated cluster](/azure/aks/concepts-network-isolated), egress traffic is limited. The feature introduces private acr cache rule as proxy to download necessary binary/images from MAR for AKS to bootstrap. It's suggested to disable anonymous access to the ACR. The AKS node will use the kubelet identity to access the ACR. If the `acrpull` permission is not set correctly or the kubelet identity is not bound to the VM instance, an unauthorized error will occur.
26+
For [network isolated cluster](/azure/aks/concepts-network-isolated), egress traffic is limited. The feature introduces private Azure Container Registry (ACR) cache that acts as a proxy to download necessary binary or images from Microsoft Artifact Registry (MAR) for AKS bootstrap. It's suggested to disable anonymous access to the ACR. The AKS node uses the kubelet identity to access the ACR. If the `acrpull` permission isn't set correctly or the kubelet identity isn't bound to the VM instance, an unauthorized error occurs.
2727

2828
## Solution
2929

3030
To resolve this issue, follow these steps:
3131

32-
1. Access the VM instance using SSH to get the log file`/var/log/azure/cluster-provision.log`. Review the log to determine if the issue is related to a 401 error, Azure Instance Metadata Service (IMDS) connection timeout, or an identity not found with HTTP code 400.
32+
1. Access the VM instance using Secure Shell (SSH) to get the log file`/var/log/azure/cluster-provision.log`. Review the log to determine if the issue is related to a 401 error, Azure Instance Metadata Service (IMDS) connection time-out, or an identity not found with HTTP code 400.
3333

34-
2. Retrieve the ACR resource ID that AKS uses as the bootstrap ACR by running the folllowing command:
34+
2. Retrieve the ACR resource ID that AKS uses as the bootstrap ACR by running the following command:
3535

3636
```console
3737
export REGISTRY_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'bootstrapProfile.containerRegistryId' -o tsv)
3838
```
3939

40-
3. If the issue is related to a 401 error, check if the kubelet identity has the `acrpull` permission to the ACR by running the folllowing command:
40+
3. If the issue is related to a 401 error, check if the kubelet identity has the `acrpull` permission to the ACR by running the following command:
4141

4242
```console
4343
export KUBELET_IDENTITY_PRINCIPAL_ID=$(az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'identityProfile.kubeletidentity.clientId' -o tsv)
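Review bot: In step 3 (line 43, left unchanged by this commit) the variable KUBELET_IDENTITY_PRINCIPAL_ID is filled from `identityProfile.kubeletidentity.clientId`, but the same variable is later passed to `az role assignment create ... --assignee-object-id`, which expects the identity's object (principal) ID rather than its client ID. Query `identityProfile.kubeletidentity.objectId` instead, so that a reader following the steps grants AcrPull to the kubelet identity the node actually uses and the 401 does not persist. Smaller point on new line 32: a space is still missing in "log file`/var/log/azure/cluster-provision.log`", and new line 26 needs articles ("a network isolated cluster", "introduces a private ... cache").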
@@ -49,9 +49,9 @@ To resolve this issue, follow these steps:
4949
az role assignment create --role AcrPull --scope ${REGISTRY_ID} --assignee-object-id ${KUBELET_IDENTITY_PRINCIPAL_ID} --assignee-principal-type ServicePrincipal
5050
```
5151

52-
4. If the log error indicates that the identity isn't found, manually bind the kubelet identity to the VMSS for a quick fix.
52+
4. If the log error indicates that the identity isn't found, manually bind the kubelet identity to the Virtual Machine Scale Set (VMSS) for a quick fix.
5353

54-
5. If the issue is related to IMDS connection timeout, submit a support ticket.
54+
5. If the issue is related to IMDS connection time-out, submit a support ticket.
5555
6. Reconcile the cluster if the preceding operations are completed.
5656

5757
## References
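Review bot: Steps 4 and 6 (lines 52 and 55) tell the reader to "manually bind the kubelet identity to the Virtual Machine Scale Set (VMSS)" and to "Reconcile the cluster" without a command or a link, while steps 2 and 3 give exact `az` commands. Add the command or a link for each, and state in step 4 whether the manual binding is expected to persist or is replaced by the reconcile in step 6, since "for a quick fix" leaves that unclear. Line 55 also has no blank line before it, unlike the other list items.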
@@ -62,4 +62,4 @@ To resolve this issue, follow these steps:
6262

6363
- [container registry authentication managed identity](/azure/container-registry/container-registry-authentication-managed-identity)
6464

65-
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
65+
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
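Review bot: The removed and added versions of line 65 are textually identical as shown, so this looks like a whitespace-only or end-of-file newline change. If it adds the missing final newline, that is fine; otherwise drop it from the commit to keep the diff limited to the wording fixes. The link text on line 63, "container registry authentication managed identity", would also read better as a proper title.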
