Share via

Arc-enabled Kubernetes Pod kube-aad-proxy failing to start

Desmond Kirrane 40 Reputation points
2024-09-02T12:19:16.9366667+00:00

I'm seeing the Arc Agent kube-aad-proxy Pod failing with x509: certificate signed by unknown authority

It's using container version: mcr.microsoft.com/azurearck8s/kube-aad-proxy:1.18.3

From the Kubernetes Node itself I have no problem curling the endpoint curl -v https://sts.windows.net/<myTenantId>/.well-known/openid-configuration

Full log

time="2024-09-02T12:05:29Z" level=fatal msg="Failed to create authenticator. Error:Get \"https://sts.windows.net/<myTenantId>/.well-known/openid-configuration\": tls: failed to verify certificate: x509: certificate signed by unknown authority
failed to create provider for azure
github.com/azure-core/ClusterConfigurationAgent/kube-aad-proxy/pkg/auth.NewAADAuthenticator
\t/usr/local/ClusterConfigurationAgent/kube-aad-proxy/pkg/auth/aadAuthenticator.go:89
github.com/azure-core/ClusterConfigurationAgent/kube-aad-proxy/pkg/server.(*Server).ListenAndServe
\t/usr/local/ClusterConfigurationAgent/kube-aad-proxy/pkg/server/server.go:137
github.com/azure-core/ClusterConfigurationAgent/kube-aad-proxy/cmd.NewRunCmd.func1
\t/usr/local/ClusterConfigurationAgent/kube-aad-proxy/cmd/run.go:33
github.com/spf13/cobra.(*Command).execute
\t/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:987
github.com/spf13/cobra.(*Command).ExecuteC
\t/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115
github.com/spf13/cobra.(*Command).Execute
\t/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039
main.main\n\t/usr/local/ClusterConfigurationAgent/kube-aad-proxy/main.go:32
runtime.main
\t/usr/local/go/src/runtime/proc.go:271\nruntime.goexit
\t/usr/local/go/src/runtime/asm_amd64.s:1695"
Azure Arc
Azure Arc

A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Amira Bedhiafi 41,386 Reputation points MVP Volunteer Moderator
    2026-04-23T17:57:37.2133333+00:00

    Hello Desmond !

    Thank you for posting on MS Learn Q&A.

    This usually means the problem is in the pod TLS trust chain, not basic connectivity.

    Since kube-aad-proxy is failing with that error when reaching https://sts.windows.net/..., I think that the Arc agent pod is likely seeing a certificate chain that its container trust store does not recognize.

    The fact that curl works from the Kubernetes node does not fully rule this out because the node and the container can have different trust stores and may even take different proxy/egress paths.

    For Azure Arc enabled Kubernetes, sts.windows.net, login.microsoftonline.com, and login.windows.net are required outbound endpoints and Arc expects HTTPS with publicly verifiable certificates. In proxy environments, a trusted proxy certificate may need to be injected into Arc agent pods via proxy certificate configuration.

    You can resolve this by bypassing TLS inspection for the required Arc/Microsoft identity endpoints or

    configuring Arc with the correct proxy settings and trusted proxy CA certificate so the agent pods trust the inspected certificate chain.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.