
[BUG] microsoft.dapr extension fails on AKS Automatic — dapr-system service accounts blocked by aks-managed-protect-system-namespaces policy #5726

@OmnipotentOwl

Description


Describe the bug

The microsoft.dapr extension cannot be installed on an AKS Automatic cluster. The Dapr pods enter CrashLoopBackOff because the aks-managed-protect-system-namespaces ValidatingAdmissionPolicy blocks them from creating the dapr-trust-bundle Secret and similar ConfigMaps in the dapr-system namespace, causing the extension installation to fail.

This is the same root cause as #5645 (which affected microsoft.flux), but for the Dapr extension. The fix released for Flux did not extend to Dapr — the dapr-system service accounts are still not exempted from the policy.

To Reproduce

  1. Create an AKS Automatic cluster
  2. Install the Dapr extension:
    az k8s-extension create \
      --resource-group <resource-group> \
      --cluster-name <cluster-name> \
      --cluster-type managedClusters \
      --name dapr \
      --extension-type microsoft.dapr \
      --auto-upgrade-minor-version true
  3. Observe that Dapr pods in dapr-system enter CrashLoopBackOff
  4. The extension installation fails with a timeout/rollback error similar to:
    ExtensionOperationFailed: Helm installation failed : Timed out waiting for
    the resource to come to a ready/completed state
    

Expected behavior

The microsoft.dapr extension should install and run on AKS Automatic without errors. As a Microsoft-managed extension, its service accounts should be exempt from the aks-managed-protect-system-namespaces policy, consistent with how other managed namespaces are treated.

Root cause

The dapr-system service accounts (e.g. dapr-operator, dapr-sentry, dapr-injector) are blocked from creating Secrets and ConfigMaps in the dapr-system namespace by the aks-managed-protect-system-namespaces ValidatingAdmissionPolicy:

secrets "dapr-trust-bundle" is forbidden: ValidatingAdmissionPolicy
'aks-managed-protect-system-namespaces' with binding
'aks-managed-protect-system-namespaces-binding' denied request:
Modification of resources in managed system namespaces is not allowed

The policy currently exempts service accounts from kube-system, gatekeeper-system, app-routing-system, and aks-istio-system — but not dapr-system, despite the Dapr extension being a Microsoft-managed AKS component deployed into that namespace.

Adding system:serviceaccounts:dapr-system to the exempt groups in the aks-managed-protect-system-namespaces ValidatingAdmissionPolicy should resolve this issue, consistent with the fix applied for microsoft.flux in #5645.

Environment (please complete the following information):

  • CLI Version: latest
  • Kubernetes version: 1.34.4
  • AKS tier: Automatic
  • Dapr extension version: latest

Additional context

This is a direct follow-up to #5645 at the request of @sjwaight (see #5645 (comment)).
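The following is an added example, not code from the issue, from AKS, or from Dapr. It models the decision shape the report describes, a ValidatingAdmissionPolicy that denies writes in protected namespaces unless the caller is in an exempt group, and shows why a ServiceAccount in dapr-system is denied under the current exemption list and allowed once system:serviceaccounts:dapr-system is added. The managed-namespace list, the exact exempt set, the CEL equivalence in the comments, and the choice of dapr-sentry as the account that creates dapr-trust-bundle are assumptions; the real policy's expression is not reproduced on this page.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed model, not the real aks-managed-protect-system-namespaces policy.
# The namespace list and exempt groups are assumptions based on the issue text.
MANAGED_NAMESPACES = frozenset({
    "kube-system", "gatekeeper-system", "app-routing-system",
    "aks-istio-system", "dapr-system",
})

# Exempt groups as the issue describes the current policy: no dapr-system entry.
EXEMPT_GROUPS_CURRENT = frozenset(
    f"system:serviceaccounts:{ns}"
    for ns in ("kube-system", "gatekeeper-system", "app-routing-system", "aks-istio-system")
)

# The fix the issue proposes: add the dapr-system service-account group.
EXEMPT_GROUPS_PROPOSED = EXEMPT_GROUPS_CURRENT | {"system:serviceaccounts:dapr-system"}

DENY_MESSAGE = "Modification of resources in managed system namespaces is not allowed"


@dataclass(frozen=True)
class AdmissionRequest:
    """Subset of an admission request the policy needs (request.namespace and request.userInfo in CEL)."""
    operation: str          # CREATE / UPDATE / DELETE
    resource: str           # plural resource name, e.g. "secrets"
    name: str
    namespace: str
    username: str
    groups: tuple[str, ...]


def service_account_request(sa_namespace: str, sa_name: str, operation: str,
                            resource: str, name: str, target_namespace: str) -> AdmissionRequest:
    """Build a request as the API server presents one authenticated with a ServiceAccount token.
    Every SA carries system:serviceaccounts, system:serviceaccounts:<ns> and system:authenticated;
    the middle group is what a namespace-based exemption keys on."""
    return AdmissionRequest(
        operation=operation,
        resource=resource,
        name=name,
        namespace=target_namespace,
        username=f"system:serviceaccount:{sa_namespace}:{sa_name}",
        groups=("system:serviceaccounts", f"system:serviceaccounts:{sa_namespace}", "system:authenticated"),
    )


def evaluate(req: AdmissionRequest, exempt_groups: frozenset[str],
             managed: frozenset[str] = MANAGED_NAMESPACES) -> tuple[bool, str]:
    """Decide a request the way a namespace-protection policy of this shape does.
    Assumed CEL equivalent: !(request.namespace in managed) || request.userInfo.groups.exists(g, g in exempt).
    Returns (allowed, message); message is empty when allowed."""
    if req.namespace not in managed:
        return True, ""
    if any(g in exempt_groups for g in req.groups):
        return True, ""
    return False, f'{req.resource} "{req.name}" is forbidden: {DENY_MESSAGE}'


def dapr_trust_bundle_request() -> AdmissionRequest:
    """The request from the issue; dapr-sentry as the creating account is an assumption."""
    return service_account_request("dapr-system", "dapr-sentry", "CREATE", "secrets",
                                   "dapr-trust-bundle", "dapr-system")


if __name__ == "__main__":
    req = dapr_trust_bundle_request()
    for label, exempt in (("current policy", EXEMPT_GROUPS_CURRENT),
                          ("with dapr-system exempted", EXEMPT_GROUPS_PROPOSED)):
        allowed, msg = evaluate(req, exempt)
        print(f"{label}: {'allowed' if allowed else 'denied: ' + msg}")
```

The group naming is the point: a namespace-scoped exemption has to name system:serviceaccounts:dapr-system explicitly, so a new Microsoft-managed namespace stays blocked until the policy is updated, which is the gap between the Flux fix and Dapr that the report describes.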
