NotAllAgentPoolOrchestratorVersionSpecifiedAndUnchanged during `az aks update --enable-managed-identity`
Related command
az aks update --resource-group <> --name <> --enable-managed-identity --assign-identity <> --assign-kubelet-identity <>
OR the simplified:
az aks update --resource-group <> --name <> --enable-managed-identity
(both give same error, which I believe is a validation error before proceeding)
Describe the bug
We recently updated our Azure Managed AKS clusters and their control-plane from:
kubernetesVersion: 1.21.2 -> 1.22.6
orchestratorVersion: 1.21.2 -> 1.22.6
As a followup to these upgrades we also want to enable managed-identities for the same cluster.
However the API call during the above az aks update --enable-managed-identity command is returning some unexpected output, which I believe may be a bug between the HTTP API payload versions:
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/.../resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/...?api-version=2022-04-01 HTTP/1.1" 200 None
...
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {
"id": "/subscriptions/.../resourcegroups/.../providers/Microsoft.ContainerService/managedClusters/...",
...
"kubernetesVersion": "1.22.6",
"currentKubernetesVersion": "1.22.6",
...
"orchestratorVersion": "1.21.2",
"currentOrchestratorVersion": "1.22.6",
...
I believe the orchestratorVersion returned from the above API calls is then passed on to the AKS update call:
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.ContainerService/managedClusters/...?api-version=2022-04-01'
...
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {
...
"mode": "System", "orchestratorVersion": "1.21.2", "upgradeSettings": ...
}
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/cbe888f6-e994-4f24-aabc-1834bf620d36/resourceGroups/staginguk/providers/Microsoft.ContainerService/managedClusters/staginguk-primary-aks?api-version=2022-04-01 HTTP/1.1" 400 394
cli.azure.cli.core.sdk.policies: Response status: 400
Which means we hit this exception response:
cli.azure.cli.core.sdk.policies: {
"code": "NotAllAgentPoolOrchestratorVersionSpecifiedAndUnchanged",
"message": "Using managed cluster api, all Agent pools' OrchestratorVersion must be all specified or all unspecified. If all specified, they must be stay unchanged or the same with control plane. For agent pool specific change, please use per agent pool operations: https://aka.ms/agent-pool-rest-api",
"subcode": ""
}
To Reproduce
- Upgrade an Azure AKS cluster & orchestratorVersion.
- Attempt to enable managed identities with:
az aks update --resource-group <> --name <> --enable-managed-identity
Expected behaviour
The cluster should utilise the new managed identities & be present in the JSON representation of the AKS cluster, via the identityProfile & kubeletIdentityProfile blocks.
Environment summary
az --version
azure-cli 2.37.0
core 2.37.0
telemetry 1.0.6
Extensions:
datafactory 0.5.0
Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1
Python location '/home/mitchell/test-venv/bin/python3'
Extensions directory '/home/mitchell/.azure/cliextensions'
Python (Linux) 3.8.10 (default, Mar 15 2022, 12:22:08)
[GCC 9.4.0]
Additional context
n/a
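A pre-flight check for the mismatch described in this issue, added here as an example (it is not part of the original issue or of Azure CLI): it reads the JSON that `az aks show` returns and lists agent pools whose orchestratorVersion differs from currentOrchestratorVersion, or where only some pools specify a version. The sample document and pool names are constructed; it reports the inconsistency seen in the GET response and does not reproduce the service's own validation.

```python
import json

# Constructed sample shaped like the GET response quoted in the issue.
# Pool names and the second pool are made up for illustration.
SAMPLE = json.loads("""
{
  "kubernetesVersion": "1.22.6",
  "currentKubernetesVersion": "1.22.6",
  "agentPoolProfiles": [
    {"name": "system", "mode": "System",
     "orchestratorVersion": "1.21.2", "currentOrchestratorVersion": "1.22.6"},
    {"name": "user", "mode": "User",
     "orchestratorVersion": "1.22.6", "currentOrchestratorVersion": "1.22.6"}
  ]
}
""")


def find_version_drift(cluster):
    """Return one finding per inconsistency in the agent pool versions."""
    findings = []
    pools = cluster.get("agentPoolProfiles") or []

    # The error text requires versions to be all specified or all unspecified.
    specified = [p for p in pools if p.get("orchestratorVersion")]
    if specified and len(specified) != len(pools):
        findings.append("mixed: some pools specify orchestratorVersion, some do not")

    # The issue's case: the stored value lags behind the running version, and
    # a full-cluster PUT that echoes the stored value is rejected with HTTP 400.
    for pool in specified:
        name = pool.get("name", "<unnamed>")
        wanted = pool["orchestratorVersion"]
        running = pool.get("currentOrchestratorVersion")
        if running and wanted != running:
            findings.append(
                f"{name}: orchestratorVersion {wanted} != "
                f"currentOrchestratorVersion {running}"
            )
    return findings


if __name__ == "__main__":
    for line in find_version_drift(SAMPLE):
        print(line)
```

To run it against a real cluster, save the output of `az aks show --resource-group <> --name <> -o json` to a file and pass the parsed document to `find_version_drift`.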
Top GitHub Comments
@verysonglaa Based on my discussion with the Product Owners, the above fix has been deployed to all regions. Note that the agentpools have been fixed. Customers should have consistent orchestratorVersion and currentOrchestratorVersion now. If you are still facing the same issue, please open a support ticket. Our Support Professional will get in touch with you and troubleshoot this further.
@mdhomer Please share the below details over email. My email: navba [ @ ] microsoft . com
Awaiting your reply.