Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article discusses how to troubleshoot why you can't create a file share on a storage account that's used for dynamic provisioning on Azure Kubernetes Service (AKS).
Symptoms
When you create a file share on a storage account that's used for dynamic provisioning, the PersistentVolumeClaim (PVC) is stuck in the Pending status. In this case, if you run the kubectl describe pvc command, you receive the following error:
persistentvolume-controller (combined from similar events):
Failed to provision volume with StorageClass "azurefile":
failed to create share kubernetes-dynamic-pvc-xxx in account xxx:
failed to create file share, err:
storage: service returned error: StatusCode=403, ErrorCode=AuthorizationFailure,
ErrorMessage=This request is not authorized to perform this operation.
Cause
The Kubernetes persistentvolume-controller isn't on the network that was chosen when the Allow access from network setting was enabled for Selected networks on the storage account. Especially, when you specify useDataPlaneAPI: "true" on the storage class, the persistentvolume-controller uses the data plane API for file share creation/deletion/resizing. However, this will fail when a firewall or virtual network is set on the storage account.
Workaround
Create a file share and set up your AKS cluster to use static provisioning with Azure Files.
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.