Resolve "az aks command invoke" failures
This article describes how to resolve az aks command invoke failures in Microsoft Azure CLI so that you can successfully connect to any Azure Kubernetes Service (AKS) cluster, especially to a private AKS cluster.
Other ways of connecting to a private AKS cluster need extra configuration components, as shown in the following table.
Connection methods | Extra configuration component |
---|---|
Virtual network | Virtual private network (VPN) |
Peered network | Azure ExpressRoute |
Private endpoint | Jumpbox |
The az aks command invoke Azure CLI command is an alternative way of connecting to a cluster that doesn't require extra configuration components.
When you run the az aks command invoke command, Azure CLI automatically creates a command-<ID> pod in the aks-command namespace to access the AKS cluster and retrieve the required information. Because the command actually runs inside that pod, anything that prevents the pod from being created, scheduled, or run (node capacity, admission policy, or missing permissions) makes the invocation fail. The causes in this article follow from that.
Prerequisites
The Kubernetes kubectl tool. To install kubectl by using Azure CLI, run the az aks install-cli command.
Symptoms
The following table lists common az aks command invoke error messages. Each error message has a link to the section that describes why the error is occurring, and how to fix it.
Error message | Link |
---|---|
Operation returned an invalid status 'Not Found' | Cause 1: The pod can't be created because of node or resource constraints |
Failed to run command in managed cluster due to kubernetes failure. details: admission webhook "validation.gatekeeper.sh" denied the request: <policy-specific-message> | Cause 2: Azure Policy doesn't allow the pod creation |
Error from server (Forbidden): namespaces is forbidden: User "<ID>" cannot list resource "<resource>" in API group "" at the cluster scope | Cause 3: Required roles aren't granted |
Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: Response [400]; | Cause 4: There's a Cloud Shell issue |
Cause 1: The pod can't be created because of node or resource constraints
The operation returns a Not Found status because the command-<ID> pod can't reach a successful state, such as Running. (In many cases, the pod stays in the Pending state.) In this case, the scheduler can't place the pod on any node. This scenario can have different causes, such as the following:
- Resource constraints (no node has enough allocatable CPU or memory, or a node has reached its pod limit)
- Nodes that have a NotReady or SchedulingDisabled state
- Nodes that have taints that the pod can't tolerate
- Other causes
Solution 1: Change the configuration so that you can schedule and run the pod
Make sure that the command-<ID> pod can be scheduled and run by adjusting the configuration. For example:
- Increase the node pool size, and make sure that the pool has no scheduling constraints, such as taints, that would keep the command-<ID> pod off its nodes.
- Adjust the resource requests and limits of your own workloads so that at least one node keeps enough free allocatable CPU and memory for the command-<ID> pod.
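The following script is an added example, not part of the original article: it triages a command-<ID> pod that never reaches Running by reading the scheduler's FailedScheduling events for the pod, mapping their wording to the causes listed above, and then printing the node view (readiness, cordon flag, taints, allocated resources) that explains them. It assumes kubectl is already authenticated against the cluster from a host that can reach the API server (the same assumption the kubectl command later in this article makes). The function names are mine; the event messages used in the test are constructed from the standard kube-scheduler phrasing, and `classify_scheduling_failure` works offline on any text piped to it.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): triage a command-<ID> pod that never
# reaches Running. Assumes kubectl is authenticated against the AKS cluster.
set -eu

NAMESPACE="aks-command"

# Map a kube-scheduler FailedScheduling message (stdin) to the causes listed above.
# Output is a space-separated list in fixed order; "other" when nothing matched.
# A NotReady node is reported by the scheduler as the untolerated taint
# node.kubernetes.io/not-ready, so such a node shows up under both categories.
classify_scheduling_failure() {
  msg="$(cat)"
  out=""
  case "$msg" in *"Insufficient "*|*"Too many pods"*) out="$out resource-constraints" ;; esac
  case "$msg" in *"untolerated taint"*|*"had taint"*) out="$out untolerated-taint" ;; esac
  case "$msg" in *"not-ready"*|*"unschedulable"*) out="$out node-not-ready-or-cordoned" ;; esac
  [ -n "$out" ] || out=" other"
  printf '%s\n' "${out# }"
}

# Name of the newest command-<ID> pod in the aks-command namespace (empty if none).
command_pod() {
  kubectl get pods -n "$NAMESPACE" -o name --sort-by=.metadata.creationTimestamp \
    | grep '^pod/command-' | tail -n 1 | sed 's#^pod/##'
}

# Live triage: pod phase, scheduler events, their classification, and the node view.
triage_command_pod() {
  pod="$(command_pod)"
  [ -n "$pod" ] || { echo "no command-<ID> pod found in $NAMESPACE" >&2; return 1; }
  echo "pod: $pod  phase: $(kubectl get pod "$pod" -n "$NAMESPACE" -o jsonpath='{.status.phase}')"
  events="$(kubectl get events -n "$NAMESPACE" \
    --field-selector "involvedObject.name=$pod,reason=FailedScheduling" \
    -o jsonpath='{range .items[*]}{.message}{"\n"}{end}')"
  echo "scheduler says: $events"
  echo "likely causes: $(printf '%s' "$events" | classify_scheduling_failure)"
  # A Ready, uncordoned node with no taints and free allocatable CPU/memory is what
  # the command pod needs; this view shows which of those conditions is missing.
  kubectl get nodes -o custom-columns='NAME:.metadata.name,READY:.status.conditions[?(@.type=="Ready")].status,CORDONED:.spec.unschedulable,TAINTS:.spec.taints[*].key'
  kubectl describe nodes | grep -A 6 'Allocated resources:'
}

# Remediation sketch for the resource-constraints case (placeholder names):
#   az aks nodepool scale -g <resource-group> --cluster-name <aks-cluster> -n <nodepool> -c <new-count>
# For the taint case, review the pool's taints with:
#   az aks nodepool show -g <resource-group> --cluster-name <aks-cluster> -n <nodepool> --query nodeTaints

if [ "${1:-}" = "--live" ]; then
  triage_command_pod
fi
```

Run it as `sh triage.sh --live` against a cluster; without `--live` it only defines the functions, so you can source it and pipe a copied event message into `classify_scheduling_failure` when you can't reach the API server yourself.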
Cause 2: Azure Policy doesn't allow the pod creation
If you have specific Azure policies, the az aks command invoke command can fail because of a disallowed configuration in the command-<ID> pod. For example, you might have an Azure policy that requires a read-only root file system or other specific configuration.
Solution 2: Exempt the namespace for policies that prohibit pod creation
We recommend that you exempt the aks-command namespace from the Azure policies that don't allow the pod creation. For more information about exemption, see Understand scope in Azure Policy.
To exempt the namespace in an Azure Policy assignment:
1. In the Azure portal, search for and select Policy.
2. In the Policy navigation pane, locate the Authoring section, and then select Assignments.
3. In the table of assignments, find the row that contains the Assignment name that you want to change, and then select the name of the assignment.
4. In the policy assignment page for that assignment, select Edit assignment.
5. Select the Parameters tab.
6. Clear the Only show parameters that need input or review option.
7. In the Namespace exclusions box, add the aks-command namespace to the list of namespaces to be excluded.
Alternatively, if the policy isn't a built-in policy, you can check the configuration of the command-<ID> pod and adjust the policy as necessary. To explore the pod's YAML configuration (for example, its securityContext when the denial mentions a read-only root file system), run the following command:
kubectl get pods command-<ID> --namespace aks-command --output yaml
You can also exempt the cluster from a restrictive policy assignment by creating a policy exemption. Note that a resource-scoped exemption removes the assignment from the whole AKS cluster resource, not only from the aks-command namespace, so prefer the namespace exclusion described above where the policy supports it. The --exemption-category parameter is required and takes either Waiver or Mitigated:
az policy exemption create --name ExemptAksCommand --exemption-category Waiver --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.ContainerService/managedClusters/{aks-cluster} --policy-assignment /subscriptions/{subscription-id}/providers/Microsoft.Authorization/policyAssignments/{policy-assignment-id}
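Before you edit or exempt anything, it helps to know exactly which Gatekeeper constraint (and therefore which policy assignment) rejected the pod. Gatekeeper prefixes every violation message with the constraint name in square brackets, which is what the "<policy-specific-message>" placeholder in the symptoms table stands for. The script below is an added example, not part of the original article: it pulls that constraint name out of the error text, then looks the constraint up in the cluster and prints its excludedNamespaces (where an Azure Policy "Namespace exclusions" parameter ends up) and its recorded violations. It assumes kubectl is authenticated against the cluster; the function names and the constraint name in the test are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): find which Azure Policy (Gatekeeper)
# constraint denied the command-<ID> pod and what it already excludes.
# Assumes kubectl is authenticated against the AKS cluster.
set -eu

# Gatekeeper formats denials as:
#   admission webhook "validation.gatekeeper.sh" denied the request: [<constraint>] <message>
# Read an error message on stdin and print the constraint name (nothing if absent).
denied_constraint_name() {
  sed -n 's/.*denied the request: \[\([^]]*\)\].*/\1/p'
}

# Live lookup: resolve the constraint object by name (constraints are cluster-scoped and
# share the "constraint" category, so `kubectl get constraints` lists every kind), then
# print its kind, its excludedNamespaces and its audit violations.
inspect_constraint() {   # $1 = constraint name taken from the denial message
  ref="$(kubectl get constraints -o name | grep "/$1\$" || true)"
  [ -n "$ref" ] || { echo "no Gatekeeper constraint named $1 in this cluster" >&2; return 1; }
  echo "constraint: $ref"
  echo "excludedNamespaces: $(kubectl get "$ref" -o jsonpath='{.spec.match.excludedNamespaces}')"
  echo "recorded violations:"
  kubectl get "$ref" -o jsonpath='{range .status.violations[*]}  {.namespace}/{.name}: {.message}{"\n"}{end}'
}

if [ "${1:-}" = "--live" ]; then
  msg="$(cat)"   # paste the full az aks command invoke error text on stdin
  name="$(printf '%s\n' "$msg" | denied_constraint_name)"
  [ -n "$name" ] || { echo "error text does not contain a Gatekeeper constraint name" >&2; exit 1; }
  inspect_constraint "$name"
fi
```

If `excludedNamespaces` already lists aks-command and the pod is still denied, the denial is coming from a different assignment; repeat the lookup with the constraint name from the new error message rather than adding a broader exemption.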
Cause 3: Required roles aren't granted
To use the az aks command invoke command, the signed-in principal must hold a role assignment on the cluster that grants the following Azure RBAC actions:
Microsoft.ContainerService/managedClusters/runCommand/action
Microsoft.ContainerService/managedClusters/commandResults/read
If the principal's roles don't grant both actions, the az aks command invoke command can't start the command or retrieve its result.
Solution 3: Add the required roles
To resolve this issue, assign the user a role whose definition includes both the Microsoft.ContainerService/managedClusters/runCommand/action and the Microsoft.ContainerService/managedClusters/commandResults/read action, scoped to the cluster. Confirm that the role you choose actually lists both actions; a role that only grants listClusterUserCredential/action isn't enough. Because runCommand/action lets the principal run arbitrary commands inside the cluster, keep the assignment at cluster scope rather than at resource group or subscription scope. For example:
az role assignment create --assignee {user-principal-name} --role "Azure Kubernetes Service Cluster User Role" --scope /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.ContainerService/managedClusters/{aks-cluster}
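Role names don't tell you which actions they carry, and Azure RBAC action strings can contain wildcards and can be cancelled by NotActions, so the reliable check is to resolve every role assigned to the principal at or above the cluster and test whether the two required actions are covered. The script below is an added example, not part of the original article, that does that: `missing_actions` evaluates coverage offline against any list of action patterns (wildcards are matched with the shell's own `case` globbing, which has the same `*` semantics, and matching is case-insensitive as Azure RBAC is), and `check_principal` feeds it the live role definitions from `az role assignment list` and `az role definition list`. The function names are mine; the principal and cluster IDs are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): verify that a principal's role
# assignments on an AKS cluster grant the two actions az aks command invoke needs.
set -eu

REQUIRED_ACTIONS="Microsoft.ContainerService/managedClusters/runCommand/action
Microsoft.ContainerService/managedClusters/commandResults/read"

# Return 0 if action $1 is matched by any pattern read from stdin (one per line).
# Azure RBAC patterns use '*' as a wildcard and compare case-insensitively; a shell
# case pattern gives exactly that behaviour ('*' also spans '/').
action_covered() {
  want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  while IFS= read -r pat || [ -n "$pat" ]; do
    pat="$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')"
    [ -n "$pat" ] || continue
    case "$want" in $pat) return 0 ;; esac
  done
  return 1
}

# $1 = granted Actions patterns, $2 = NotActions patterns (both newline-separated).
# Prints each required action that is not effectively granted; exit 1 if any is missing.
missing_actions() {
  rc=0
  for act in $REQUIRED_ACTIONS; do
    if printf '%s\n' "$1" | action_covered "$act" && ! printf '%s\n' "${2:-}" | action_covered "$act"; then
      :
    else
      echo "$act"; rc=1
    fi
  done
  return $rc
}

# Live check. $1 = user principal name or object ID, $2 = cluster resource ID.
# Role names can contain spaces, so roles are iterated one per line, not word-split.
check_principal() {
  roles="$(az role assignment list --assignee "$1" --scope "$2" --include-inherited \
             --include-groups --query '[].roleDefinitionName' -o tsv | sort -u)"
  granted="$(printf '%s\n' "$roles" | while IFS= read -r role || [ -n "$role" ]; do
    if [ -n "$role" ]; then
      az role definition list --name "$role" --query '[].permissions[].actions[]' -o tsv
    fi
  done)"
  denied="$(printf '%s\n' "$roles" | while IFS= read -r role || [ -n "$role" ]; do
    if [ -n "$role" ]; then
      az role definition list --name "$role" --query '[].permissions[].notActions[]' -o tsv
    fi
  done)"
  echo "roles in effect at $2: $(printf '%s' "$roles" | tr '\n' ';')"
  if missing="$(missing_actions "$granted" "$denied")"; then
    echo "OK: $1 holds both actions required by az aks command invoke"
  else
    echo "MISSING for $1:"; printf '%s\n' "$missing"
    return 1
  fi
}

if [ "${1:-}" = "--live" ]; then
  check_principal "$2" "$3"
fi
```

Usage: `sh check-invoke-rbac.sh --live user@contoso.example /subscriptions/.../managedClusters/<aks-cluster>`. To inspect a single role before assigning it, `az role definition list --name "<role name>" --query "[].permissions[].actions[]" -o tsv` shows its action list, which is the same data `check_principal` consumes.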
Cause 4: There's a Cloud Shell issue
The az aks command invoke command isn't processed as expected when it's run directly in the Azure Cloud Shell environment. This is a known issue in Cloud Shell.
Solution 4a: Run the az login command first
In Cloud Shell, run the az login command before you run the az aks command invoke command. For example:
az login
az aks command invoke --resource-group {resource-group} --name {aks-cluster} --command "kubectl get pods"
Solution 4b: Run the command on a local computer or a virtual machine
Run the az aks command invoke command on a local computer or any virtual machine (VM) that has Azure CLI installed.