```
kubectl describe pod azurefile-app-7d5c76688b-b6sw8
```
But it reported the following error:
```
MountVolume.MountDevice failed for volume "pv-azurefile" : rpc error: code = Internal desc = volume(AAD_Connect_Lab1#rtest2#myfileshare1) mount //rtest2.file.core.chinacloudapi.cn/myfileshare1 on /var/lib/kubelet/plugins/kubernetes.io/csi/file.csi.azure.com/45fab33759835d02974715b1dcdc8406be5d6245ed30a551ba8dc46549190118/globalmount failed with setCredentialCache failed for rtest2.file.core.chinacloudapi.cn with error: exit status 1, output: [-] Error calling AzAuthenticatorLib: -1
Error getting Kerberos service ticket, check /var/log/syslog for more information.
```
Checked /var/log/syslog but there are no useful findings:
```
randy@Randy-linux-vm:~$ tail -f /var/log/syslog
2026-01-15T07:45:01.795251+00:00 Randy-linux-vm CRON[6050]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2026-01-15T07:46:32.011141+00:00 Randy-linux-vm systemd[1]: Starting fwupd-refresh.service - Refresh fwupd metadata and update motd...
2026-01-15T07:46:32.037378+00:00 Randy-linux-vm systemd[1]: fwupd-refresh.service: Deactivated successfully.
2026-01-15T07:46:32.037646+00:00 Randy-linux-vm systemd[1]: Finished fwupd-refresh.service - Refresh fwupd metadata and update motd.
2026-01-15T07:50:03.914184+00:00 Randy-linux-vm systemd[1]: Starting sysstat-collect.service - system activity accounting tool...
2026-01-15T07:50:03.916111+00:00 Randy-linux-vm systemd[1]: sysstat-collect.service: Deactivated successfully.
2026-01-15T07:50:03.916678+00:00 Randy-linux-vm systemd[1]: Finished sysstat-collect.service - system activity accounting tool.
2026-01-15T07:55:01.808657+00:00 Randy-linux-vm CRON[6658]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2026-01-15T07:56:20.317197+00:00 Randy-linux-vm python3[1141]: 2026-01-15T07:56:20.316896Z INFO ExtHandler ExtHandler [HEARTBEAT] Agent WALinuxAgent-2.14.0.1 is running as the goal state agent [DEBUG HeartbeatCounter: 11;HeartbeatId: B21B8C20-BA0A-43BF-9F23-FEADC29F6ECB;UpdateGSErrors: 0;AutoUpdate: 1;UpdateMode: SelfUpdate;]
2026-01-15T07:56:34.074003+00:00 Randy-linux-vm systemd[1]: Started session-43.scope - Session 43 of User randy.
```
What you expected to happen:
The pod should be started successfully
How to reproduce it:
```bash
# Create user assigned MI
RG2=azureRBACRg
AKS2=aksAzureRBAC
IDENTITYNAME=aksIdentity
az identity create --name $IDENTITYNAME --resource-group $RG2
# "clientId": "a6113c46-1f5f-4c4d-8d48-3ee5b387f0c1",
# "principalId": "2c269bee-3b8d-46ad-ab29-e0b3ac9a7f54",

# Assign required roles
az role assignment create --assignee "2c269bee-3b8d-46ad-ab29-e0b3ac9a7f54" --role "Storage Blob Data Contributor" --scope "/subscriptions/baae6b03-e980-4e69-8309-306a98bda15e/resourceGroups/AAD_Connect_Lab1/providers/Microsoft.Storage/storageAccounts/rtest2"

# Enable CSI driver
az aks update -g $RG2 -n $AKS2 --enable-disk-driver --enable-file-driver --enable-blob-driver --enable-snapshot-controller

mid="$(az identity list -g "azureRBACRg" --query "[?name == 'aksIdentity'].principalId" -o tsv)"
# Replace with your storage account resource group and storage account name
said="$(az storage account list -g "AAD_Connect_Lab1" --query "[?name == 'rtest2'].id" -o tsv)"
az role assignment create --assignee-object-id "$mid" --role "Storage File Data SMB MI Admin" --scope "$said"
```
```bash
# Create pv
vi azurefile-sc.yaml
```

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-azurefile
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  mountOptions:
    - dir_mode=0777  # modify this permission if you want to enhance the security
    - file_mode=0777
    - uid=0
    - gid=0
    - mfsymlinks
    - cache=strict  # https://linux.die.net/man/8/mount.cifs
    - nosharesock  # reduce probability of reconnect race
    - actimeo=30  # reduce latency for metadata-heavy workload
    - nobrl  # disable sending byte range lock requests to the server
  csi:
    driver: file.csi.azure.com
    # make sure volumeHandle is unique for every identical share in the cluster
    volumeHandle: "AAD_Connect_Lab1#rtest2#myfileshare1"
    volumeAttributes:
      resourceGroup: AAD_Connect_Lab1  # optional, node resource group by default if it's not provided
      storageAccount: rtest2  # ensure that the `SMBOauth` property is enabled on this account
      shareName: myfileshare1
      mountWithManagedIdentity: "true"
      # optional, clientID of the managed identity, kubelet identity would be used by default if it's empty
      clientID: "a6113c46-1f5f-4c4d-8d48-3ee5b387f0c1"
```

```bash
kubectl apply -f azurefile-sc.yaml
```
```bash
# Create pvc
vi azurefile-pvc.yaml
```

```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc-azurefile
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: azurefile-csi
```

```bash
kubectl apply -f azurefile-pvc.yaml
```
```bash
# Deploy app
vi azurefile-app.yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azurefile-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azurefile-app
  template:
    metadata:
      labels:
        app: azurefile-app
    spec:
      containers:
        - name: app-container
          image: dockerhub.azk8s.cn/library/nginx
          volumeMounts:
            - name: azurefile-volume
              mountPath: /mnt/azure
      volumes:
        - name: azurefile-volume
          persistentVolumeClaim:
            claimName: pvc-azurefile
```

```bash
kubectl apply -f azurefile-app.yaml
```
What happened:
Cx is asking for the steps to mount an Azure SMB file share with a user-assigned managed identity.
I tried to follow this guide: https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/managed-identity-mount.md to do the configuration in a lab in Azure China.
Anything else we need to know?:
Environment:
kubectl version: 1.34.1
uname -a: 6.14.0-1017-azure #17~24.04.1-Ubuntu SMP Mon Dec 1 20:10:50 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux