
I have a Hyperledger Fabric blockchain network (v2.2.0) deployed using blockchain-automation-framework (BAF) in AKS. I am trying to execute a DR scenario to recover a complete network using Velero. I have taken a backup of a namespace using Velero (installed with restic) by annotating the volumes of all the pods in the namespace. Then I created another cluster (AKS) and did the restore. The restore didn't report any error, but all the pods in the restored namespace got stalled in "Init" status. I can see the following "Events" when I describe the pod:

Warning FailedAttachVolume 2m (x11 over 8m12s) attachdetach-controller AttachVolume.Attach failed for volume "pvc-693766c2-24d1-46df-8f3b-6e61e47714c2" : Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '5cb44ec6-fe67-4783-a7ec-827ce5787ea7' with object id '5cb44ec6-fe67-4783-a7ec-827ce5787ea7' does not have authorization to perform action 'Microsoft.Compute/disks/read' over scope '/subscriptions/subs_id/resourceGroups/rg/providers/Microsoft.Compute/disks/kubernetes-dynamic-pvc-693766c2-24d1-46df-8f3b-6e61e47714c2' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Can anyone explain the reason to me? Thanks in advance!

Soundarya

1 Answer

I'm not familiar with the specific service that you are using, but 5cb44ec6-fe67-4783-a7ec-827ce5787ea7 looks like a service principal ID.

The error says that it's a permission matter over the /subscriptions/subs_id/resourceGroups/rg/providers/Microsoft.Compute/disks/kubernetes-dynamic-pvc-693766c2-24d1-46df-8f3b-6e61e47714c2 resource. Therefore, I would look into the permissions associated with that service principal (e.g., you may give more permissions to the service principal over the entire resource group).

Mark
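To weigh the answer's suggestion (a grant over the entire resource group) against a narrower one, this added example, which is not from the original posts, parses the AuthorizationFailed event and checks which role assignments would cover the denied action and scope. The function names and the role-assignment dictionaries are assumptions made here; deny assignments and data actions are ignored, and real assignments would come from `az role assignment list`.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed input: the event from the question, trimmed to the RawError part.
DISK = ("/subscriptions/subs_id/resourceGroups/rg/providers/Microsoft.Compute/disks/"
        "kubernetes-dynamic-pvc-693766c2-24d1-46df-8f3b-6e61e47714c2")
SP = "5cb44ec6-fe67-4783-a7ec-827ce5787ea7"
EVENT = ('HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":'
         f"\"The client '{SP}' with object id '{SP}' does not have authorization to perform "
         f"action 'Microsoft.Compute/disks/read' over scope '{DISK}' or the scope is invalid.\"}}}}")

DENIAL = re.compile(r"client '([^']+)' with object id '([^']+)' does not have "
                    r"authorization to perform action '([^']+)' over scope '([^']+)'")

def parse_denial(event):
    """Return (object_id, action, scope) from an AuthorizationFailed event, else None."""
    start = event.find('{"error"')
    if start < 0:
        return None
    # raw_decode tolerates any text that follows the JSON object in the event line.
    err = json.JSONDecoder().raw_decode(event, start)[0]["error"]
    m = DENIAL.search(err.get("message", ""))
    if err.get("code") != "AuthorizationFailed" or not m:
        return None
    return m.group(2), m.group(3), m.group(4)

def scope_covers(assigned, target):
    """An assignment applies to its own scope and every child scope.
    Compare whole path segments, case-insensitively, so '.../rg' never covers '.../rg2'."""
    a = assigned.rstrip("/").lower().split("/")
    t = target.rstrip("/").lower().split("/")
    return t[:len(a)] == a

def permits(role, action):
    """Role grants the action if an 'actions' wildcard matches and no 'notActions' one does."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role["actions"]) and not hit(role.get("notActions", []))

def is_authorized(assignments, principal, action, scope):
    """True if any assignment for the principal covers the scope and permits the action."""
    return any(a["principal"] == principal and scope_covers(a["scope"], scope)
               and permits(a, action) for a in assignments)
```

Passing the tuple from `parse_denial` to `is_authorized` with the identity's current assignments shows whether a disk-scoped grant would be enough or whether only the resource-group grant covers the restored volumes.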