I could use some help with Azure AKS and ACR Integration.
I create an ACR container and attach this container to the AKS cluster. I enable managed identity when creating AKS, and I was hoping that ACR also uses managed identity.
Here is the script I am using:
az group create --name $RESOURCEGROUP --location eastus
az acr create -n $REGISTRYNAME -g $RESOURCEGROUP --sku Basic
az aks create -n $CLUSTERNAME -g $RESOURCEGROUP --node-count $NODECOUNT --enable-addons monitoring --generate-ssh-keys --enable-managed-identity --attach-acr $REGISTRYNAME
az aks get-credentials -g $RESOURCEGROUP -n $CLUSTERNAME
On AKS, when I get pods, I have an image pull error.
I see that AKS is using managed identity and ACR is using a Principal ID. How do I fix this issue?
Getting a similar issue once I tried the same cmdlet which you gave.
You need to try setting imagePullPolicy to Never and it just worked.
As kubectl describe pod mypd shows, kubectl was trying to pull the image, and of course this image doesn't exist on the remote server, hence the failure.
Above property will avoid connecting to registry and will use image from docker local images cache.
For Working with ACR & AKS
Import an image into your ACR
Import an image from docker hub into your ACR by running the following:
az acr import -n <acr-name> --source docker.io/library/nginx:latest --image nginx:v1
I would suggest you follow this Microsoft document: Deploy the sample image from ACR to AKS
spec:
  containers:
  - name: nginx
    image: <acr-name>.azurecr.io/nginx:v1
    imagePullPolicy: Never
    ports:
    - containerPort: 80
Reference: Why am I getting an ErrImagePull error in this Kubernetes deployment?
The ErrImageNeverPull error suggests that your pod spec lists imagePullPolicy: Never, meaning that the kubelet will only look in the node's own cache and not try to pull from ACR. If you remove that, it should work.
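With `--attach-acr`, image pulls are authorized by an AcrPull role assignment for the cluster's kubelet managed identity on the registry, so that assignment is the thing to verify. The check below is an added example, not part of the original posts; the function name `check_acr_pull` is hypothetical and a logged-in Azure CLI is assumed.

```shell
#!/bin/sh
# Added example: confirm that the AKS kubelet identity may pull from an ACR.
# Assumes a logged-in Azure CLI; check_acr_pull is a hypothetical name.

# Usage: check_acr_pull <resource-group> <cluster-name> <registry-name>
# Returns 0 when the kubelet identity holds AcrPull on the registry,
#         1 when it does not,
#         2 when the identity or the registry cannot be looked up.
check_acr_pull() {
    rg=$1 cluster=$2 registry=$3

    # Object ID of the managed identity the nodes (kubelet) use for pulls.
    kubelet_id=$(az aks show -g "$rg" -n "$cluster" \
        --query identityProfile.kubeletidentity.objectId -o tsv) || return 2
    if [ -z "$kubelet_id" ]; then
        echo "no kubelet managed identity found on $cluster" >&2
        return 2
    fi

    # Resource ID of the registry: the scope the role assignment must cover.
    acr_id=$(az acr show -n "$registry" --query id -o tsv) || return 2

    # Role names assigned to that identity at the registry scope or above it.
    roles=$(az role assignment list --assignee "$kubelet_id" \
        --scope "$acr_id" --include-inherited \
        --query "[].roleDefinitionName" -o tsv)

    if printf '%s\n' "$roles" | grep -qx 'AcrPull'; then
        echo "OK: $kubelet_id has AcrPull on $registry"
        return 0
    fi
    echo "MISSING: $kubelet_id has no AcrPull on $registry;" \
         "run: az aks update -n $cluster -g $rg --attach-acr $registry" >&2
    return 1
}
```
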
Related
I want to deploy an image from Docker Hub to Azure Container Instance. How can we do this? Is it mandatory to push the image first to Azure Container Registry?
All solutions I am getting shows that we need to push the image first to Azure Container Registry.
No, you need not push the image to ACR first, just let the image stay in the docker hub. For example, deploy the Nginx docker image to ACI, the Azure CLI command like below:
az container create -g resourceGroup -n aciName --image nginx --ports 80
As the command shows, you can use the docker image. Actually, the docker hub is the default registry. When you use another registry, you need to add the parameters --registry-login-server, --registry-username and --registry-password. For more details, see az container create.
It also shows clearly in the Azure portal, when you create ACI in the portal, you can see it like below:
You can use docker image directly with the container as follows,
az container create --resource-group myResourceGroup --name mycontainer --image <docker-image-url>
Going through the tutorial https://learn.microsoft.com/en-us/azure/app-service/containers/tutorial-custom-docker-image
Is it possible to switch docker image on already running appservice?
using this command:
az webapp config container set --name <app-name> --resource-group myResourceGroup --docker-custom-image-name <azure-container-registry-name>.azurecr.io/mydockerimage:v1.0.0 --docker-registry-server-url https://<azure-container-registry-name>.azurecr.io --docker-registry-server-user <registry-username> --docker-registry-server-password <password>
az webapp config container
You should go on deployment center.
I'm still new to the Azure Container Instance scene. I have managed to complete the container instance tutorial. However, I've noticed that the tutorial does not show the reader how to stop a running container instance. The nearest command that guarantees the container instance is indeed stopped / terminated is deleting the Resource Group which created the container.
az group delete -n <ResourceGroupNameThatCreatedContainerInstance>
Is this the correct approach?
The Azure CLI updated and now it's possible.
Stop
az container stop --name --resource-group [--subscription]
Restart
az container restart --name --resource-group [--subscription]
You can use az container delete
az container delete -g MyResourceGroup --name mynginx
I try to pull image from an ACR using a secret and I can't do it.
I created resources using azure cli commands:
az login
az provider register -n Microsoft.Network
az provider register -n Microsoft.Storage
az provider register -n Microsoft.Compute
az provider register -n Microsoft.ContainerService
az group create --name aksGroup --location westeurope
az aks create --resource-group aksGroup --name aksCluster --node-count 1 --generate-ssh-keys -k 1.9.2
az aks get-credentials --resource-group aksGroup --name aksCluster
az acr create --resource-group aksGroup --name aksClusterRegistry --sku Basic --admin-enabled true
After that I logged in and pushed image successfully to created ACR from local machine.
docker login aksclusterregistry.azurecr.io
docker tag jetty aksclusterregistry.azurecr.io/jetty
docker push aksclusterregistry.azurecr.io/jetty
The next step was creating a secret:
kubectl create secret docker-registry secret --docker-server=aksclusterregistry.azurecr.io --docker-username=aksClusterRegistry --docker-password=<Password from tab ACR/Access Keys> --docker-email=some@email.com
And eventually I tried to create pod with image from the ACR:
# pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: jetty
spec:
  containers:
  - name: jetty
    image: aksclusterregistry.azurecr.io/jetty
  imagePullSecrets:
  - name: secret
kubectl create -f pod.yml
As a result I have a pod with status ImagePullBackOff:
>kubectl get pods
NAME READY STATUS RESTARTS AGE
jetty 0/1 ImagePullBackOff 0 1m
> kubectl describe pod jetty
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m default-scheduler Successfully assigned jetty to aks-nodepool1-62963605-0
Normal SuccessfulMountVolume 2m kubelet, aks-nodepool1-62963605-0 MountVolume.SetUp succeeded for volume "default-token-w8png"
Normal Pulling 2m (x2 over 2m) kubelet, aks-nodepool1-62963605-0 pulling image "aksclusterregistry.azurecr.io/jetty"
Warning Failed 2m (x2 over 2m) kubelet, aks-nodepool1-62963605-0 Failed to pull image "aksclusterregistry.azurecr.io/jetty": rpc error: code = Unknown desc = Error response from daemon: Get https://aksclusterregistry.azurecr.io/v2/jetty/manifests/latest: unauthorized: authentication required
Warning Failed 2m (x2 over 2m) kubelet, aks-nodepool1-62963605-0 Error: ErrImagePull
Normal BackOff 2m (x5 over 2m) kubelet, aks-nodepool1-62963605-0 Back-off pulling image "aksclusterregistry.azurecr.io/jetty"
Normal SandboxChanged 2m (x7 over 2m) kubelet, aks-nodepool1-62963605-0 Pod sandbox changed, it will be killed and re-created.
Warning Failed 2m (x6 over 2m) kubelet, aks-nodepool1-62963605-0 Error: ImagePullBackOff
What's wrong? Why does the approach with a secret not work?
Please don't advise me to use the approach with a service principal, because I would like to understand why this approach doesn't work. I think it must be working.
The "old" way with AKS was to do create secret as you mentioned. That is no longer recommended.
The "new" way is to attach the container registry. This article explains the "new" way to attach ACR, and also provides a link to the old way to clear up confusion. When you create your cluster, attach with:
az aks create -n myAKSCluster -g myResourceGroup --attach-acr $MYACR
Or if you've already created your cluster, update it with:
az aks update -n myAKSCluster -g myResourceGroup --attach-acr $MYACR
Notes:
$MYACR is just the name of your registry without the .azurecr.io. Ex: MYACR=foobar not MYACR=foobar.azurecr.io.
After you attach your ACR, it will take a few minutes for the ImagePullBackOff to transition to Running.
This looks good to me as well. That said, the recommendation is not to use the admin account, but rather a service principal. With the SP you gain some granular control over access rights to the ACR instance (read, contributor, owner).
This doc includes two methods for authentication between AKS and ACR using service principals.
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks
It's not exactly the question's case, but I was having a similar issue when using the Attach ACR approach. My problem was with uppercase characters in the registry name. The warning below was being generated by az cli.
Uppercase characters are detected in the registry name. When using its server url in docker commands, to avoid authentication errors, use all lowercase
So make sure to use all lowercase in ACR URLs in Docker commands.
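For the pull-secret approach in the question above and the lowercase warning quoted in the last answer, a first check is whether the secret actually holds an entry for the registry host the pod's image names. The function below is an added example, not part of the original posts; `pull_secret_covers_image` is a hypothetical name, and the check is simplified: it compares host names only, for a fully qualified image and a secret of type kubernetes.io/dockerconfigjson.

```shell
#!/bin/sh
# Added example: does a docker-registry pull secret carry credentials for the
# registry host an image is pulled from? pull_secret_covers_image is a
# hypothetical name. Simplified: host-name comparison only, the image must be
# fully qualified (registry/repo), secret type kubernetes.io/dockerconfigjson.

# Usage: pull_secret_covers_image <namespace> <secret-name> <image>
# Returns 0 = secret has an entry keyed by the image's registry host,
#         1 = no entry keyed by that host,
#         2 = registry host in the image contains uppercase characters,
#         3 = secret missing, empty, or not a dockerconfigjson secret.
pull_secret_covers_image() {
    ns=$1 secret=$2 image=$3

    # Registry host is everything before the first "/" of the image reference.
    host=${image%%/*}
    lower=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    if [ "$host" != "$lower" ]; then
        echo "registry host '$host' has uppercase characters; use '$lower'" >&2
        return 2
    fi

    # Credentials are stored base64-encoded under the ".dockerconfigjson" key.
    cfg=$(kubectl get secret "$secret" -n "$ns" \
        -o 'jsonpath={.data.\.dockerconfigjson}' | base64 -d) || return 3
    [ -n "$cfg" ] || return 3

    # Registry hosts are the keys of the "auths" object: look for "<host>":
    if printf '%s' "$cfg" | grep -qF "\"$host\":"; then
        return 0
    fi
    echo "secret '$secret' has no entry keyed by '$host'" >&2
    return 1
}
```

A return of 0 only shows that the secret targets the right registry; whether the stored username and password are still valid is a separate check, for example with docker login against the same host.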
First I created the docker image and created a Kubernetes cluster in Azure Container Service.
Then I tagged and pushed the image to my repository, but while pulling my image from Azure Container Registry to the Kubernetes cluster, the pods are created but the status shows ImagePullBackOff.
The yaml file for basic api image
apiVersion: v1
kind: Pod
metadata:
  name: myapis
spec:
  containers:
  - name: myapis
    image: ciqsample.azurecr.io/myapis
  imagePullSecrets:
  - name: samplekey
You might need to attach with container registry itself.
az aks update -n myAKSCluster -g myResourceGroup --attach-acr $MYACR
$MYACR -> name of the container registry without ".azurecr.io" postfix
This error means we use wrong key and password to pull image.
Can you run this command to check whether the secret exists or not? kubectl get secret
root@k8s-master-BBF71727-0:~# kubectl get secret
NAME TYPE DATA AGE
azurecr kubernetes.io/dockercfg 1 57m
default-token-clm2d kubernetes.io/service-account-token 3 2h
Then check the secret.
root@k8s-master-BBF71727-0:~# kubectl get secret azurecr --output=yaml
We can use this command script to create secret:
kubectl create secret docker-registry yoursecretname --docker-server=jason.azurecr.io/xxxx/test --docker-username={UserName} --docker-password={Password} --docker-email=team@domain.com
By the way, for a test, please log in to Azure Container Registry with your registry credentials, then try to pull the image from Azure Container Registry.
Login
docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword
Pull the image from your registry
docker pull myregistry.azurecr.io/samples/nginx