github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Known Issues/_index.md

---
title: "Known Issues"
linkTitle: "Known Issues"
weight: 6
date: 2020-10-04
description: >
  This section lists the major known issues with aad-pod-identity.
---

For a complete list of issues, please check our [GitHub issues page](https://github.com/Azure/aad-pod-identity/issues) or [file a new issue](https://github.com/Azure/aad-pod-identity/issues/new?assignees=&labels=bug&template=bug_report.md&title=) if your issue is not listed.

- NMI pods not yet running during a cluster autoscaling event
- User-assigned managed identity deleted and recreated with the same name in Azure

## NMI pods not yet running during a cluster autoscaling event

NMI redirects Instance Metadata Service (IMDS) requests to itself by setting up iptables rules after it starts running on the node. During cluster scale up, there **might** be a scenario where the `kube-scheduler` schedules the workload pod before the NMI pod on the new nodes. In that scenario, the token request is sent directly to IMDS instead of being intercepted by NMI, so a workload pod that runs before the NMI pod on the node can access identities that it has not been granted access to.

There is currently no mechanism in Kubernetes to keep a node `NoSchedule` until critical addons have been deployed to the cluster. There was a KEP for this enhancement, [kubernetes/enhancements#1003](https://github.com/kubernetes/enhancements/pull/1003), which is now closed.

## Identity not found

When user-assigned managed identities have been deleted and re-created in Azure with the same name, the change is not automatically reflected in the identities on the underlying VM/VMSS. The output of `az <vm|vmss> identity show -g <resource group> -n <VM/VMSS name>` will show the identity with a `null` principalID and clientID, and token requests for this identity will fail with an `identity not found` error.

```json
{
  "principalId": null,
  "tenantId": null,
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<sub>/resourcegroups/<resource group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity name>": {
      "clientId": "null",
      "principalId": "null"
    }
  }
}
```

Steps to take if the identity was deleted and re-created with the same name:

1. Remove the identity manually from the VM/VMSS by running `az <vm|vmss> identity remove -g <rg> -n <VM/VMSS name> --identities <identity resource id>`
2. Update the `AzureIdentity` with the new clientID of the recreated identity

MIC will detect the change in the `AzureIdentity` and reassign the identity, which ensures that the identity with the correct clientID exists on the underlying VM/VMSS.
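
As an added example (not part of the aad-pod-identity docs or code), the following Python script parses `az <vm|vmss> identity show` output, flags user-assigned identities whose `clientId` or `principalId` came back null, and builds the `az ... identity remove` command from step 1 for each of them. The sample JSON, the resource group and the VMSS name are constructed placeholders, and the script accepts either a JSON `null` or the literal string `"null"` since both forms appear in practice.

```python
import json
# Constructed sample modelled on the `az vm identity show` output shown above:
# one healthy identity and one that was deleted and re-created (null IDs).
SAMPLE_IDENTITY_SHOW = """
{
  "principalId": null,
  "tenantId": null,
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/healthy-id": {
      "clientId": "11111111-2222-3333-4444-555555555555",
      "principalId": "66666666-7777-8888-9999-000000000000"
    },
    "/subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/recreated-id": {
      "clientId": "null",
      "principalId": null
    }
  }
}
"""

def _is_null(value) -> bool:
    # az may emit a JSON null or the literal string "null"; treat both as missing.
    return value is None or str(value).strip().lower() in ("", "null")

def find_stale_identities(identity_show_json: str) -> list:
    """Return resource IDs of user-assigned identities with a null clientId or principalId."""
    data = json.loads(identity_show_json)
    identities = data.get("userAssignedIdentities") or {}
    return sorted(
        resource_id
        for resource_id, props in identities.items()
        if _is_null(props.get("clientId")) or _is_null(props.get("principalId"))
    )

def remove_commands(scope: str, resource_group: str, name: str, identity_show_json: str) -> list:
    """Build the `az <vm|vmss> identity remove` command (step 1 above) for each stale identity."""
    if scope not in ("vm", "vmss"):
        raise ValueError("scope must be 'vm' or 'vmss'")
    return [
        f"az {scope} identity remove -g {resource_group} -n {name} --identities {rid}"
        for rid in find_stale_identities(identity_show_json)
    ]

if __name__ == "__main__":
    # Placeholder resource group / VMSS name; in practice feed real `az ... identity show` output.
    for cmd in remove_commands("vmss", "my-rg", "my-nodepool-vmss", SAMPLE_IDENTITY_SHOW):
        print(cmd)
```

After running the printed commands, step 2 (updating the `AzureIdentity` with the new clientID) still has to be done by hand.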

## NMI returns status 500 with list pod error

See [Azure/aad-pod-identity#780](https://github.com/Azure/aad-pod-identity/issues/780) for more details.