Exercise - Create an Azure Kubernetes Service cluster. Not being able to create the AKS service

issam bahri 1 Reputation point
2021-12-14T16:55:03.23+00:00

Hello Team,

I'm starting the exercise to create an AKS cluster.

I started running the following command:

az aks create \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER_NAME \
--node-count 2 \
--enable-addons http_application_routing \
--generate-ssh-keys \
--node-vm-size Standard_B2s \
--network-plugin azure

But I'm encountering the following error:

(RequestDisallowedByPolicy) Provisioning of resource(s) for container service aks-contoso-video in resource group learn-e776a3d3-169a-474c-bec9-beb90e122930 failed. Message: Resource 'aks-nodepool1-12846700-vmss' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"containers-assignment","id":"/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"},"policySetDefinition":{"name":"containers-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative"},"policyDefinitionReferenceId":"allowed-resource-types_1"}]'.. Details:
Code: RequestDisallowedByPolicy
Message: Provisioning of resource(s) for container service aks-contoso-video in resource group learn-e776a3d3-169a-474c-bec9-beb90e122930 failed. Message: Resource 'aks-nodepool1-12846700-vmss' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"containers-assignment","id":"/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"},"policySetDefinition":{"name":"containers-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative"},"policyDefinitionReferenceId":"allowed-resource-types_1"}]'.. Details:

Do you have any idea how to fix that?

Thanks
Issam

Azure Kubernetes Service (AKS)

6 answers

  1. SRIJIT-BOSE-MSFT 4,331 Reputation points Microsoft Employee
    2021-12-14T20:14:25.287+00:00

    @issam bahri ,

    I tried reproducing the situation through the SandBox environment provided through this tutorial, and the following were my observations:

    • An Azure Policy Initiative containers-assignment is assigned to the scope Concierge Subscription/learn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx which has the following Policies:
      157556-image.png
    • The definition of the Policy Allowed resource types (Reference ID: allowed-resource-types_1) is as follows:
      {
        "properties": {
          "displayName": "Allowed resource types",
          "policyType": "BuiltIn",
          "mode": "Indexed",
          "description": "This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.",
          "metadata": {
            "version": "1.0.0",
            "category": "General"
          },
          "parameters": {
            "listOfResourceTypesAllowed": {
              "type": "Array",
              "metadata": {
                "description": "The list of resource types that can be deployed.",
                "displayName": "Allowed resource types",
                "strongType": "resourceTypes"
              }
            }
          },
          "policyRule": {
            "if": {
              "not": {
                "field": "type",
                "in": "[parameters('listOfResourceTypesAllowed')]"
              }
            },
            "then": {
              "effect": "deny"
            }
          }
        },
        "id": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
        "type": "Microsoft.Authorization/policyDefinitions",
        "name": "a08ec900-254a-4555-9bf5-e42af04b5c5c"
      }
    • Upon attempting a Duplicate Initiative operation, under the Policy Parameters I could see:
      157528-image.png
    • Among the 37 selected values for the Allowed resource types parameter name (Reference ID: allowed-resource-types_1), virtualMachineScaleSet/* resource types were not selected. Hence I am assuming that the existing Initiative definition wasn't assigned these values in the Policy Parameters > Allowed resource types parameter. This prevented your AKS node pool Virtual Machine Scale Set aks-nodepool1-12846700-vmss from being deployed.
    • As it happens, the user of the SandBox environment provided through this tutorial does not have the Microsoft.Authorization/PolicyAssignments/write permission on the scope Concierge Subscription/learn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, and hence the container-initiative automated assignment cannot be modified or removed by the user.

    I would recommend that you report this issue in the Report feedback section at the end of this document (as shown below). You can add details from this thread to support your feedback.

    157612-image.png
    157613-image.png

    ----
    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
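An added example, not part of the original thread or of any Microsoft tooling: it parses the `RequestDisallowedByPolicy` text from the question to identify the blocking policy, then evaluates the quoted `policyRule` against a planned list of resource types. The error string is shortened from the one above, and `ALLOWED_SAMPLE` and the planned types are constructed assumptions, since the sandbox's real 37-value list is not shown on this page.

```python
import json
import re

# Constructed sample: the CLI error from the question, with the long "id" fields dropped.
ERROR = (
    "(RequestDisallowedByPolicy) Provisioning of resource(s) for container service "
    "aks-contoso-video in resource group learn-e776a3d3-169a-474c-bec9-beb90e122930 failed. "
    "Message: Resource 'aks-nodepool1-12846700-vmss' was disallowed by policy. "
    "Policy identifiers: '[{\"policyAssignment\":{\"name\":\"containers-assignment\"},"
    "\"policyDefinition\":{\"name\":\"Allowed resource types\"},"
    "\"policySetDefinition\":{\"name\":\"containers-initiative\"},"
    "\"policyDefinitionReferenceId\":\"allowed-resource-types_1\"}]'.. Details:"
)
# policyRule as quoted in the answer's policy definition.
POLICY_RULE = {
    "if": {"not": {"field": "type", "in": "[parameters('listOfResourceTypesAllowed')]"}},
    "then": {"effect": "deny"},
}
# Constructed allowed list (assumption): scale sets are missing, as the answer observed.
ALLOWED_SAMPLE = ["Microsoft.ContainerService/managedClusters",
                  "Microsoft.Network/virtualNetworks"]

def parse_denial(message):
    """Return (blocked resource name, policy identifier dicts) from the error text."""
    resource = re.search(r"Resource '([^']+)' was disallowed by policy", message)
    ids = re.search(r"Policy identifiers: '(\[.*?\])'", message, re.S)
    if not resource or not ids:
        raise ValueError("not a RequestDisallowedByPolicy message")
    return resource.group(1), json.loads(ids.group(1))

def evaluate(rule, resource_type, allowed):
    """Apply the not/field-type/in rule; return the effect, or None if the type is allowed."""
    cond = rule["if"]["not"]
    if cond.get("field") != "type" or "in" not in cond:
        raise ValueError("unsupported rule shape")
    # Azure Policy compares string values case-insensitively for the "in" condition.
    allowed_set = {t.lower() for t in allowed}
    return None if resource_type.lower() in allowed_set else rule["then"]["effect"]

if __name__ == "__main__":
    name, identifiers = parse_denial(ERROR)
    print(name, "blocked by", identifiers[0]["policyDefinitionReferenceId"])
    planned = ["Microsoft.ContainerService/managedClusters",      # constructed list of
               "Microsoft.Compute/virtualMachineScaleSets"]       # types a deployment needs
    for rtype in planned:
        print(rtype, "->", evaluate(POLICY_RULE, rtype, ALLOWED_SAMPLE) or "allowed")
```

Running the same check against the parameter values of the real assignment, before deploying, shows which resource types a template needs that the initiative does not permit.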

  2. duongthaiha 6 Reputation points
    2022-01-28T18:27:08.07+00:00

    I have the same problem today Jan 2022.


  3. Fabricio Gianeri 1 Reputation point
    2022-02-01T00:05:35.483+00:00

    Same Issue


  4. Angel Merino 1 Reputation point
    2022-02-11T12:03:04.44+00:00

    Issue still there


  5. Hornung, Jason 1 Reputation point
    2022-02-16T19:40:09.6+00:00

    Also the same issue. Come on MS! How are we supposed to learn?
