rancher · sunilarjun · Jan 23, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025
@@ -2,7 +2,7 @@
 
 == Role-based Access Control
 
-When provisioning an AKS cluster in the Rancher UI, RBAC cannot be disabled. If role-based access control is disabled for the cluster in AKS, the cluster cannot be registered or imported into Rancher.
+When provisioning an AKS cluster in the Rancher UI, RBAC cannot be disabled. If role-based access control is disabled for the cluster in AKS, the cluster cannot be registered or imported into Rancher. In practice, this means that local accounts must be enabled in order to register an AKS cluster.
 
 Rancher can configure member roles for AKS clusters in the same way as any other cluster. For more information, see the section on xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[role-based access control.]
 

@@ -29,6 +29,8 @@ Since, by default, Google Kubernetes Engine (GKE) doesn't grant the `cluster-adm
 
 To successfully import or provision EKS, AKS, and GKE clusters from Rancher, the cluster must have at least one managed node group.
 
+AKS clusters can be imported only if local accounts are enabled. If a cluster is configured to use Microsoft Entra ID for authentication, then Rancher will not be able to import it and report an error.
+
 EKS Anywhere clusters can be imported/registered into Rancher with an API address and credentials, as with any downstream cluster. EKS Anywhere clusters are treated as imported clusters and do not have full lifecycle support from Rancher.
 
 GKE Autopilot clusters aren't supported. See https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-standard-feature-comparison[Compare GKE Autopilot and Standard] for more information about the differences between GKE modes.
@@ -293,3 +295,23 @@ To annotate a registered cluster,
 . Click *Save*.
 
 *Result:* The annotation does not give the capabilities to the cluster, but it does indicate to Rancher that the cluster has those capabilities.
+
+== Troubleshooting
+
+This section lists some of the most common errors that may occur when importing a cluster and provides steps to troubleshoot them.
+
+=== AKS
+
+The following error may occur if local accounts are disabled in your cluster:
+
+[,shell]
+----
+Error: Getting static credential is not allowed because this cluster is set to disable local accounts. 
+----
+
+To resolve this issue, enable local accounts before attempting to xref:register-existing-clusters.adoc#_registering_a_cluster[import the cluster] again:
+
+[,shell]
+----
+az aks update --resource-group <resource-group> --name <cluster-name> --enable-local-accounts
+----
@@ -9,7 +9,7 @@
 
 == RBAC
 
-在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。
+在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。In practice, this means that local accounts must be enabled in order to register an AKS cluster.
 
 Rancher 可以使用与其他集群一样的方式为 AKS 集群配置成员角色。有关详细信息，请参阅 xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[RBAC]。
 

@@ -27,6 +27,8 @@ kubectl create clusterrolebinding cluster-admin-binding \
 
 === EKS、AKS 和 GKE 集群
 
+AKS clusters can be imported only if local accounts are enabled. If a cluster is configured to use Microsoft Entra ID for authentication, then Rancher will not be able to import it and report an error.
+
 要成功将这些集群导入 Rancher 或从 Rancher 中配置它们，Elastic Kubernetes Service (EKS)、Azure Kubernetes Service (AKS) 和 Google Kubernetes Engine (GKE) 集群必须至少有一个托管节点组。此外，不支持 GKE Autopilot 集群。有关 GKE 模式之间差异，请参阅link:https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-standard-feature-comparison[比较 GKE Autopilot 和 Standard]。
 
 == 注册集群
@@ -291,3 +293,23 @@ Rancher 没有注册的 Kubernetes 集群（除了 RKE2 和 K3s Kubernetes 集
 . 单击**保存**。
 
 *结果*：注释并不是给集群提供功能，而是告知 Rancher 集群具有这些功能。
+
+== Troubleshooting
+
+This section lists some of the most common errors that may occur when importing a cluster and provides steps to troubleshoot them.
+
+=== AKS
+
+The following error may occur if local accounts are disabled in your cluster:
+
+[,shell]
+----
+Error: Getting static credential is not allowed because this cluster is set to disable local accounts. 
+----
+
+To resolve this issue, enable local accounts before attempting to xref:register-existing-clusters.adoc#_注册集群[import the cluster] again:
+
+[,shell]
+----
+az aks update --resource-group <resource-group> --name <cluster-name> --enable-local-accounts
+----
@@ -2,7 +2,7 @@
 
 == Role-based Access Control
 
-When provisioning an AKS cluster in the Rancher UI, RBAC cannot be disabled. If role-based access control is disabled for the cluster in AKS, the cluster cannot be registered or imported into Rancher.
+When provisioning an AKS cluster in the Rancher UI, RBAC cannot be disabled. If role-based access control is disabled for the cluster in AKS, the cluster cannot be registered or imported into Rancher. In practice, this means that local accounts must be enabled in order to register an AKS cluster.
 
 Rancher can configure member roles for AKS clusters in the same way as any other cluster. For more information, see the section on xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[role-based access control.]
 

@@ -29,6 +29,8 @@ Since, by default, Google Kubernetes Engine (GKE) doesn't grant the `cluster-adm
 
 To successfully import or provision EKS, AKS, and GKE clusters from Rancher, the cluster must have at least one managed node group.
 
+AKS clusters can be imported only if local accounts are enabled. If a cluster is configured to use Microsoft Entra ID for authentication, then Rancher will not be able to import it and report an error.
+
 EKS Anywhere clusters can be imported/registered into Rancher with an API address and credentials, as with any downstream cluster. EKS Anywhere clusters are treated as imported clusters and do not have full lifecycle support from Rancher.
 
 GKE Autopilot clusters aren't supported. See https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-standard-feature-comparison[Compare GKE Autopilot and Standard] for more information about the differences between GKE modes.
@@ -293,3 +295,23 @@ To annotate a registered cluster,
 . Click *Save*.
 
 *Result:* The annotation does not give the capabilities to the cluster, but it does indicate to Rancher that the cluster has those capabilities.
+
+== Troubleshooting
+
+This section lists some of the most common errors that may occur when importing a cluster and provides steps to troubleshoot them.
+
+=== AKS
+
+The following error may occur if local accounts are disabled in your cluster:
+
+[,shell]
+----
+Error: Getting static credential is not allowed because this cluster is set to disable local accounts. 
+----
+
+To resolve this issue, enable local accounts before attempting to xref:register-existing-clusters.adoc#_registering_a_cluster[import the cluster] again:
+
+[,shell]
+----
+az aks update --resource-group <resource-group> --name <cluster-name> --enable-local-accounts
+----
@@ -9,7 +9,7 @@
 
 == RBAC
 
-在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。
+在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。In practice, this means that local accounts must be enabled in order to register an AKS cluster.
 
 Rancher 可以使用与其他集群一样的方式为 AKS 集群配置成员角色。有关详细信息，请参阅 xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[RBAC]。
 

@@ -27,6 +27,8 @@ kubectl create clusterrolebinding cluster-admin-binding \
 
 === EKS、AKS 和 GKE 集群
 
+AKS clusters can be imported only if local accounts are enabled. If a cluster is configured to use Microsoft Entra ID for authentication, then Rancher will not be able to import it and report an error.
+
 要成功将这些集群导入 Rancher 或从 Rancher 中配置它们，Elastic Kubernetes Service (EKS)、Azure Kubernetes Service (AKS) 和 Google Kubernetes Engine (GKE) 集群必须至少有一个托管节点组。此外，不支持 GKE Autopilot 集群。有关 GKE 模式之间差异，请参阅link:https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-standard-feature-comparison[比较 GKE Autopilot 和 Standard]。
 
 == 注册集群
@@ -291,3 +293,23 @@ Rancher 没有注册的 Kubernetes 集群（除了 RKE2 和 K3s Kubernetes 集
 . 单击**保存**。
 
 *结果*：注释并不是给集群提供功能，而是告知 Rancher 集群具有这些功能。
+
+== Troubleshooting
+
+This section lists some of the most common errors that may occur when importing a cluster and provides steps to troubleshoot them.
+
+=== AKS
+
+The following error may occur if local accounts are disabled in your cluster:
+
+[,shell]
+----
+Error: Getting static credential is not allowed because this cluster is set to disable local accounts. 
+----
+
+To resolve this issue, enable local accounts before attempting to xref:register-existing-clusters.adoc#_注册集群[import the cluster] again:
+
+[,shell]
+----
+az aks update --resource-group <resource-group> --name <cluster-name> --enable-local-accounts
+----
@@ -2,7 +2,7 @@
 
 == Role-based Access Control
 
-When provisioning an AKS cluster in the Rancher UI, RBAC cannot be disabled. If role-based access control is disabled for the cluster in AKS, the cluster cannot be registered or imported into Rancher.
+When provisioning an AKS cluster in the Rancher UI, RBAC cannot be disabled. If role-based access control is disabled for the cluster in AKS, the cluster cannot be registered or imported into Rancher. In practice, this means that local accounts must be enabled in order to register an AKS cluster.
 
 Rancher can configure member roles for AKS clusters in the same way as any other cluster. For more information, see the section on xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[role-based access control.]
 

@@ -29,6 +29,8 @@ Since, by default, Google Kubernetes Engine (GKE) doesn't grant the `cluster-adm
 
 To successfully import or provision EKS, AKS, and GKE clusters from Rancher, the cluster must have at least one managed node group.
 
+AKS clusters can be imported only if local accounts are enabled. If a cluster is configured to use Microsoft Entra ID for authentication, then Rancher will not be able to import it and report an error.
+
 EKS Anywhere clusters can be imported/registered into Rancher with an API address and credentials, as with any downstream cluster. EKS Anywhere clusters are treated as imported clusters and do not have full lifecycle support from Rancher.
 
 GKE Autopilot clusters aren't supported. See https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-standard-feature-comparison[Compare GKE Autopilot and Standard] for more information about the differences between GKE modes.
@@ -293,3 +295,23 @@ To annotate a registered cluster,
 . Click *Save*.
 
 *Result:* The annotation does not give the capabilities to the cluster, but it does indicate to Rancher that the cluster has those capabilities.
+
+== Troubleshooting
+
+This section lists some of the most common errors that may occur when importing a cluster and provides steps to troubleshoot them.
+
+=== AKS
+
+The following error may occur if local accounts are disabled in your cluster:
+
+[,shell]
+----
+Error: Getting static credential is not allowed because this cluster is set to disable local accounts. 
+----
+
+To resolve this issue, enable local accounts before attempting to xref:register-existing-clusters.adoc#_registering_a_cluster[import the cluster] again:
+
+[,shell]
+----
+az aks update --resource-group <resource-group> --name <cluster-name> --enable-local-accounts
+----
@@ -9,7 +9,7 @@
 
 == RBAC
 
-在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。
+在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。In practice, this means that local accounts must be enabled in order to register an AKS cluster.
 
 Rancher 可以使用与其他集群一样的方式为 AKS 集群配置成员角色。有关详细信息，请参阅 xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[RBAC]。
 

@@ -27,6 +27,8 @@ kubectl create clusterrolebinding cluster-admin-binding \
 
 === EKS、AKS 和 GKE 集群
 
+AKS clusters can be imported only if local accounts are enabled. If a cluster is configured to use Microsoft Entra ID for authentication, then Rancher will not be able to import it and report an error.
+
 要成功将这些集群导入 Rancher 或从 Rancher 中配置它们，Elastic Kubernetes Service (EKS)、Azure Kubernetes Service (AKS) 和 Google Kubernetes Engine (GKE) 集群必须至少有一个托管节点组。此外，不支持 GKE Autopilot 集群。有关 GKE 模式之间差异，请参阅link:https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-standard-feature-comparison[比较 GKE Autopilot 和 Standard]。
 
 == 注册集群
@@ -291,3 +293,23 @@ Rancher 没有注册的 Kubernetes 集群（除了 RKE2 和 K3s Kubernetes 集
 . 单击**保存**。
 
 *结果*：注释并不是给集群提供功能，而是告知 Rancher 集群具有这些功能。
+
+== Troubleshooting
+
+This section lists some of the most common errors that may occur when importing a cluster and provides steps to troubleshoot them.
+
+=== AKS
+
+The following error may occur if local accounts are disabled in your cluster:
+
+[,shell]
+----
+Error: Getting static credential is not allowed because this cluster is set to disable local accounts. 
+----
+
+To resolve this issue, enable local accounts before attempting to xref:register-existing-clusters.adoc#_注册集群[import the cluster] again:
+
+[,shell]
+----
+az aks update --resource-group <resource-group> --name <cluster-name> --enable-local-accounts
+----
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,7 @@ @@
     == RBAC
-    在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。
+    在 Rancher UI 中配置 AKS 集群时，无法禁用 RBAC。如果在 AKS 中为集群禁用了 RBAC，则无法在 Rancher 中注册或导入集群。In practice, this means that local accounts must be enabled in order to register an AKS cluster.
     Rancher 可以使用与其他集群一样的方式为 AKS 集群配置成员角色。有关详细信息，请参阅 xref:rancher-admin/users/authn-and-authz/manage-role-based-access-control-rbac/manage-role-based-access-control-rbac.adoc[RBAC]。
@@ Expand Down @@