Commit 93838cd

Update csi-secrets-store-troubleshooting.md
1 parent b7a99ff commit 93838cd

File tree

1 file changed

+0
-48
lines changed

articles/aks/csi-secrets-store-troubleshooting.md

Lines changed: 0 additions & 48 deletions
@@ -100,53 +100,5 @@ You can test the connectivity to your Azure key vault from the pod that's runnin
100100
curl -X GET 'https://<KEY_VAULT_NAME>.vault.azure.net/secrets/<SECRET_NAME>?api-version=7.2' -H "Authorization: Bearer <ACCESS_TOKEN_ACQUIRED_ABOVE>"
101101
```
102102
103-
It means the provider pod is unable to access the AKV instance because:
104-
105-
- There is a firewall rule blocking egress traffic from the provider.
106-
- Network policies configured in the cluster that’s blocking egress traffic.
107-
- The provider pods run on hostNetwork. So if there is a policy blocking this traffic or there are network jitters on the node it could result in the above failure. Check for policies configured to block traffic and allowlist the provider pods. Also, ensure there is connectivity to Azure AD and Key Vault from the node.
108-
109-
You can test Key Vault connectivity from pod running on host network as follows:
110-
111-
- Create Pod
112-
113-
```bash
114-
cat <<EOF | kubectl apply -f -
115-
apiVersion: v1
116-
kind: Pod
117-
metadata:
118-
name: curl
119-
spec:
120-
hostNetwork: true
121-
containers:
122-
- args:
123-
- tail
124-
- -f
125-
- /dev/null
126-
image: curlimages/curl:7.75.0
127-
name: curl
128-
dnsPolicy: ClusterFirst
129-
restartPolicy: Always
130-
EOF
131-
```
132-
133-
- Exec into the Pod created above
134-
135-
```bash
136-
kubectl exec -it curl -- sh
137-
```
138-
139-
- Authenticate with AKV
140-
141-
```bash
142-
curl -X POST 'https://login.microsoftonline.com/<AAD_TENANT_ID>/oauth2/v2.0/token' -d 'grant_type=client_credentials&client_id=<AZURE_CLIENT_ID>&client_secret=<AZURE_CLIENT_SECRET>&scope=https://vault.azure.net/.default'
143-
```
144-
145-
- Try getting a secret already created in AKV
146-
147-
```bash
148-
curl -X GET 'https://<KEY_VAULT_NAME>.vault.azure.net/secrets/<SECRET_NAME>?api-version=7.2' -H "Authorization: Bearer <ACCESS_TOKEN_ACQUIRED_ABOVE>"
149-
```
150-
151103
<!-- LINKS EXTERNAL -->
152104
[aad-troubleshooting]: https://azure.github.io/aad-pod-identity/docs/troubleshooting/
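Review bot: Deleting lines 103-107 removes the only explanation of what a failed Key Vault request from the provider pod means (egress firewall rule, cluster network policy, or hostNetwork-related policy/node connectivity); the surrounding context at line 100 keeps the curl test but nothing now tells the reader how to interpret a failure. The retained curl at line 100 is identical to the deleted line 148, so the duplicated host-network test steps (lines 109-150) are reasonable to drop, but please keep the three-item cause list, or state in the commit message (currently just "Update csi-secrets-store-troubleshooting.md") where that guidance moved. If the hostNetwork test pod section is reinstated elsewhere, the token request at line 142 places `client_secret=<AZURE_CLIENT_SECRET>` directly on the curl command line; reading the body from a file or stdin (`-d @-`) keeps the secret out of shell history and process listings on the node.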