Exercise - Create an Azure Kubernetes Service cluster. Not being able to create the AKS service

Question

Hello TEam,

I'm starting to do the excise where to create an aks .

I started running the following command:

az aks create \
--resource-group $RESOURCE_GROUP \
--name $CLUSTER_NAME \
--node-count 2 \
--enable-addons http_application_routing \
--generate-ssh-keys \
--node-vm-size Standard_B2s \
--network-plugin azure

But i'm encountring the following error

(RequestDisallowedByPolicy) Provisioning of resource(s) for container service aks-contoso-video in resource group learn-e776a3d3-169a-474c-bec9-beb90e122930 failed. Message: Resource 'aks-nodepool1-12846700-vmss' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"containers-assignment","id":"/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"},"policySetDefinition":{"name":"containers-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative"},"policyDefinitionReferenceId":"allowed-resource-types_1"}]'.. Details:
Code: RequestDisallowedByPolicy
Message: Provisioning of resource(s) for container service aks-contoso-video in resource group learn-e776a3d3-169a-474c-bec9-beb90e122930 failed. Message: Resource 'aks-nodepool1-12846700-vmss' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"containers-assignment","id":"/providers/Microsoft.Management/managementGroups/eab64c3d-95b6-9f1f-755f-9f8578c31e45/providers/Microsoft.Authorization/policyAssignments/containers-assignment"},"policyDefinition":{"name":"Allowed resource types","id":"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"},"policySetDefinition":{"name":"containers-initiative","id":"/providers/Microsoft.Management/managementGroups/learn-sandbox-prod/providers/Microsoft.Authorization/policySetDefinitions/containers-initiative"},"policyDefinitionReferenceId":"allowed-resource-types_1"}]'.. Details:

Do you have some idea how to fix that ?

Thanks
Issam

Answer 1

@issam bahri ,

I tried reproducing the situation through the SandBox environment provided through this tutorial and following were my observations:

• An Azure Policy Initiative containers-assignment is assigned to the scope Concierge Subscription/learn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx which has the following Policies:
  
• The definition of the Policy Allowed resource types (Reference ID: allowed-resource-types_1) is as follows:

   {  
  

  "properties": {
  "displayName": "Allowed resource types",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.",
  "metadata": {
  "version": "1.0.0",
  "category": "General"
  },
  "parameters": {
  "listOfResourceTypesAllowed": {
  "type": "Array",
  "metadata": {
  "description": "The list of resource types that can be deployed.",
  "displayName": "Allowed resource types",
  "strongType": "resourceTypes"
  }
  }
  },
  "policyRule": {
  "if": {
  "not": {
  "field": "type",
  "in": "[parameters('listOfResourceTypesAllowed')]"
  }
  },
  "then": {
  "effect": "deny"
  }
  }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a08ec900-254a-4555-9bf5-e42af04b5c5c"
  }
• Upon attempting a Duplicate Initiative operation, under the Policy Parameters I could see:
  
• Among the 37 selected values for the Allowed resource types parameter name (Reference ID: allowed-resource-types_1), virtualMachineScaleSet/* resource types were not selected. Hence assuming that the existing Initiative definition wasn't assigned with these values in the Policy Parameters > Allowed resource types parameter. This disallowed your AKS node pool Virtual machine Scale Set aks-nodepool1-12846700-vmss to be deployed.
• As it so happens that the user of the SandBox environment provided through this tutorial does not have Microsoft.Authorization/PolicyAssignments/write permission on the scope Concierge Subscription/learn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and hence the container-initiative automated assignment cannot be modified or removed by the user.

I would recommend you to report this issue at the Report feedback section at the end of this document (as shown below). You can add details from this thread to support your feedback.

----
Hope this helps.

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

Answer 2

I have the same problem today Jan 2022.

Answer 3

Same Issue

Answer 4

Issue still there

Answer 5

Also the same issue. Come on MS! How are we supposed to learn?