I have an issue with the AKS, Kubernetes cannot pull the image from the ACR, It show the message "unauthorized: authentication required" I already set permissions on the ACR to the AKS Service Principal. It had worked fine until today when I proced to update the pod with a new container from the ACR.
According to the message you provided, the possible reason that I can think of is the Authorization expiry. You can take a check for your service principal if it's Authorization expiry.
Other than this, I recommend you can also check if all other things are OK, the authentication with ACR for AKS here. This can avoid the wrong action.
The SP already has authorization to pull images from the ACR.
I followed the post here and now the AKS is able to pull images from ACR. When I created the AKS its SP didn't have secrets nor certificates setted, but it had working fine since 12 months ago, suddenly AKS now needs to have a secret in its SP to authenticate over the ACR.
Thanks...
using this workaround it did the job:
az role assignment create --assignee <servicePrincipalID> --scope <registryID> --role acrpull
Related
As said in title I'm facing a permission/privilege issue.
I've logged to az-cli using a service principle I created with Contributor role.
Now, this SP is used in a pipeline, where it needs to edit access policies of a KeyVault for another SP (that has no roles).
I'm using
az keyvault set-policy -n testserviceprincipal --secret-permissions list --spn <id>
but i get Insufficient privileges to complete the operation.
I tried to add keyvault prmissions but still missing something.
Did someone had the same issue and managed to resolve?
I'm somehow sure I'm missing some permissions like user.read cause if I use --object-id and the ObjectId of SP all works fine.
Thanks in advance!
I working on AKS shared cluster, where have multiple teams are working on the same cluster and have their own ACR for each team.
I want to find ways to allow ACR to pull from specified namespace only.
Currently that I have though is an expensive way by
Using ACR premium tier to enable the scope-map feature, and create the token for authentication on pull secret.
Or someone did know how to pull an image from the service principal with the AcrPull role.
please tell me.
thank you.
I have found the solution without changing the ACR pricing tier, by using only the service principal to access the target ACR.
Solution
Create the service principal and assign AcrPull role.
After that, Create kubernetes secret into your namespace to pull image by ImagePullSecrets
kubectl create secret docker-registry <secret-name> \
--namespace <namespace> \
--docker-server=<container-registry-name>.azurecr.io \
--docker-username=<service-principal-ID> \
--docker-password=<service-principal-password>
reference
Azure Admins created a cluster for us.
On VM I installed "az cli" and "kubectl".
With my account from Azure Portal I can see that Kubernetes Service and Resource Group to which it belongs.
From the level of that cluster in Azure Portal I can see that I have a role:
"AKS Cluster Admin Operator"
I am logged on VM with kubectl with my account. I need to config my kubectl to work with our cluster.
When I try to execute:
az aks get-credentials --resource-group FRONT-AKS-NA2 --name front-aks
I am getting error:
ForbiddenError: The client 'my_name#my_comp.COM' with object id
'4ea46ad637c6' does not have authorization to perform action
'Microsoft.ContainerService/managedClusters/listClusterUserCredential/action'
over scope
'/subscriptions/89e05d73-8862-4007-a700-0f895fc0f7ea/resourceGroups/FRONT-AKS-NA2/providers/Microsoft.ContainerService/managedClusters/front-aks'
or the scope is invalid. If access was recently granted, please
refresh your credentials.
In my case to refresh recently granted credentials helped this one:
az account set --subscription "your current subscription name"
It led to re-login and fix the issue.
Well, I see the comment, and you already get the solution. So I just can explain the difference to you. Hope it will help you!
When you use the command az aks get-credentials without parameter --admin, it means the CLI command uses the default value: Cluster user. And when you use the cluster user, it just works if you integrate AKS with the AAD. But you said you just have the AKS Cluster Admin Operator role, so the appropriate parameter is --admin. You can get more details here.
And on my side, it's a little dangerous. If the AKS cluster is just for the test, there is no problem. But if it's for production, I recommend you integrate with the AAD, and then give the appropriate permissions to the user. Because the admin user means you have all the permissions, you know, it's not safe.
A few weeks ago, I was able to use the Azure CLI to create my Container Registry (ACR) and Kubernetes (AKS) cluster. I could push images to my ACR and have AKS pull images successfully - everything worked great. Every now and then, I would have to refresh my login with az acr login --name <acrName>, but not a big deal.
Today, I found that when I go to deploy an updated image to my AKS cluster, I got a status of ImagePullBackOff:
Failed to pull image "MY_ACR.azurecr.io/MY_IMAGE:v1": rpc error: code = Unknown desc = Error response from daemon: Get https://MY_ACR.azurecr.io/v2/MY_IMAGE/manifests/v1: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.
I couldn't remember what I needed to do to make this work, so I went through my original steps and created an entirely new resource group, ACR, AKS cluster, and service principal connecting them. I pushed images to my ACR and was able to apply my Kubernetes manifest, and everything worked again.
A couple hours later, when I applied an updated manifest, I again got the same error message. As part of my setup, I created a service principal:
az ad sp create-for-rbac --skip-assignment
az role assignment create --assignee <principal's appId> --scope <my ACR's id> --role Reader
I also used --role acrpull. It seems like the authentication has timed out, and the documentation for Authenticate with an Azure container registry says that individual AD identities will time out after 3 hours, but even after running az acr login --name <acrName>, I'm not able to fix the issue.
What are the required steps to get my AKS cluster to be able to authenticate again to my ACR?
I'll note that I also attached the ACR according to the documentation at Authenticate with Azure Container Registry from Azure Kubernetes Service by running:
az aks update -n cluster_name -g resource_group --attach-acr acr_name
I also tried using the ACR id instead of the name. After a minute or so, the command completed, and even a half hour+ later, I get the same permissions issue.
The easiest way to integrate AKS with ACR is to leverage the --attach-acr option during cluster creation. This will have AKS manage the service principal for your and handle the token refresh's
https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration#create-a-new-aks-cluster-with-acr-integration
I was following the steps in this Microsoft tutorial:
https://learn.microsoft.com/en-us/azure/aks/tutorial-kubernetes-prepare-acr#container-registry-login
I've created a resource group, and then an azure container registry with "az acr create". The next step is to login to the registry, but I keep getting this error:
Error response from daemon: Get https://azurereg.azurecr.io/v2/: Service Unavailable
Any ideas?
In order to access ACR from AKS, you can use the underlying service principal. That said, you've to create a role assignment for the Service Principal as mentioned in this paragraph https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks?toc=%2fazure%2faks%2ftoc.json#grant-aks-access-to-acr
Creating a role assignment for role Reader currently doesn't work. You've to create the assignment for the Owner role. (described in https://github.com/Azure/AKS/issues/76).
Keep in mind that K8s caches the token for a couple of minutes. It took 3-5 minutes on my cluster to work.