I try to pull image from an ACR using a secret and I can't do it.
I created resources using azure cli commands:
az login
az provider register -n Microsoft.Network
az provider register -n Microsoft.Storage
az provider register -n Microsoft.Compute
az provider register -n Microsoft.ContainerService
az group create --name aksGroup --location westeurope
az aks create --resource-group aksGroup --name aksCluster --node-count 1 --generate-ssh-keys -k 1.9.2
az aks get-credentials --resource-group aksGroup --name aksCluster
az acr create --resource-group aksGroup --name aksClusterRegistry --sku Basic --admin-enabled true
After that I logged in and pushed image successfully to created ACR from local machine.
docker login aksclusterregistry.azurecr.io
docker tag jetty aksclusterregistry.azurecr.io/jetty
docker push aksclusterregistry.azurecr.io/jetty
The next step was creating a secret:
kubectl create secret docker-registry secret --docker-server=aksclusterregistry.azurecr.io --docker-username=aksClusterRegistry --docker-password=<Password from tab ACR/Access Keys> --docker-email=some@email.com
And eventually I tried to create pod with image from the ACR:
# pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: jetty
spec:
  containers:
  - name: jetty
    image: aksclusterregistry.azurecr.io/jetty
  imagePullSecrets:
  - name: secret
kubectl create -f pod.yml
As a result I have a pod with status ImagePullBackOff:
> kubectl get pods
NAME READY STATUS RESTARTS AGE
jetty 0/1 ImagePullBackOff 0 1m
> kubectl describe pod jetty
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m default-scheduler Successfully assigned jetty to aks-nodepool1-62963605-0
Normal SuccessfulMountVolume 2m kubelet, aks-nodepool1-62963605-0 MountVolume.SetUp succeeded for volume "default-token-w8png"
Normal Pulling 2m (x2 over 2m) kubelet, aks-nodepool1-62963605-0 pulling image "aksclusterregistry.azurecr.io/jetty"
Warning Failed 2m (x2 over 2m) kubelet, aks-nodepool1-62963605-0 Failed to pull image "aksclusterregistry.azurecr.io/jetty": rpc error: code = Unknown desc = Error response from daemon: Get https://aksclusterregistry.azurecr.io/v2/jetty/manifests/latest: unauthorized: authentication required
Warning Failed 2m (x2 over 2m) kubelet, aks-nodepool1-62963605-0 Error: ErrImagePull
Normal BackOff 2m (x5 over 2m) kubelet, aks-nodepool1-62963605-0 Back-off pulling image "aksclusterregistry.azurecr.io/jetty"
Normal SandboxChanged 2m (x7 over 2m) kubelet, aks-nodepool1-62963605-0 Pod sandbox changed, it will be killed and re-created.
Warning Failed 2m (x6 over 2m) kubelet, aks-nodepool1-62963605-0 Error: ImagePullBackOff
What's wrong? Why does the approach with a secret not work?
Please don't advise me to use the service principal approach, because I would like to understand why this approach doesn't work. I think it must be working.
The "old" way with AKS was to create a secret as you mentioned. That is no longer recommended.
The "new" way is to attach the container registry. This article explains the "new" way to attach ACR, and also provides a link to the old way to clear up confusion. When you create your cluster, attach with:
az aks create -n myAKSCluster -g myResourceGroup --attach-acr $MYACR
Or if you've already created your cluster, update it with:
az aks update -n myAKSCluster -g myResourceGroup --attach-acr $MYACR
Notes:
$MYACR is just the name of your registry without the .azurecr.io. Ex: MYACR=foobar not MYACR=foobar.azurecr.io.
After you attach your ACR, it will take a few minutes for the ImagePullBackOff to transition to Running.
This looks good to me as well. That said, the recommendation is not to use the admin account, but rather a service principal. With the SP you gain some granular control over access rights to the ACR instance (read, contributor, owner).
This doc includes two methods for authentication between AKS and ACR using service principals.
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks
It's not exactly the question's case, but I was having a similar issue when using the Attach ACR approach. My problem was with uppercase characters in the registry name. The warning below was being generated by the az CLI:
Uppercase characters are detected in the registry name. When using its server url in docker commands, to avoid authentication errors, use all lowercase
So make sure to use all lowercase in ACR URLs in Docker commands.
I could use some help with Azure AKS and ACR integration.
I create an ACR container and attach this container to the AKS cluster. I enable managed identity when creating AKS and I was hoping that ACR also uses managed identity.
Here is the script I am using:
az group create --name $RESOURCEGROUP --location eastus
az acr create -n $REGISTRYNAME -g $RESOURCEGROUP --sku Basic
az aks create -n $CLUSTERNAME -g $RESOURCEGROUP --node-count $NODECOUNT --enable-addons monitoring --generate-ssh-keys --enable-managed-identity --attach-acr $REGISTRYNAME
az aks get-credentials -g $RESOURCEGROUP -n $CLUSTERNAME
On AKS, when I get pods, I have an Image Pull error.
I see that AKS is using managed identity and ACR is using a Principal ID. How do I fix this issue?
Getting a similar issue once I tried the same cmdlet which you gave.
You need to try setting imagePullPolicy to Never and it just worked.
As kubectl describe pod mypd shows, kubectl was trying to pull the image, and of course this image doesn't exist on the remote server, hence the failure.
The above property will avoid connecting to the registry and will use the image from the local Docker image cache.
For working with ACR & AKS
Import an image into your ACR
Import an image from docker hub into your ACR by running the following:
az acr import -n <acr-name> --source docker.io/library/nginx:latest --image nginx:v1
I would suggest you follow this Microsoft document: Deploy the sample image from ACR to AKS
spec:
  containers:
  - name: nginx
    image: <acr-name>.azurecr.io/nginx:v1
    imagePullPolicy: Never
    ports:
    - containerPort: 80
Reference: Why am I getting an ErrImagePull error in this Kubernetes deployment?
The ErrImageNeverPull error suggests that your pod spec lists imagePullPolicy: Never, meaning that the kubelet will only look in the node's own cache and not try to pull from ACR. If you remove that, it should work.
I'm running az acr purge to retain old Docker Images in my ACR.
I can see in the output that tags are being deleted in repository and they are no longer visible in Azure Portal ACR repository explorer.
The problem I'm facing is the SKU usage is not decreasing.
This is one of the many operations that have deleted some docker images.
The command is visible in 2nd line.
Running command on Azure Container Registry
acr purge --filter 'my_docker_repository:(\d+\.\d+.\d+.\d+)-\S*' --ago 180d
2021/08/13 09:48:11 Alias support enabled for version >= 1.1.0, please see https://aka.ms/acr/tasks/task-aliases for more information.
2021/08/13 09:48:11 Creating Docker network: acb_default_network, driver: 'bridge'
2021/08/13 09:48:11 Successfully set up Docker network: acb_default_network
2021/08/13 09:48:11 Setting up Docker configuration...
2021/08/13 09:48:12 Successfully set up Docker configuration
2021/08/13 09:48:12 Logging in to registry: my_very_secret_acr.azurecr.io
2021/08/13 09:48:13 Successfully logged into my_very_secret_acr.azurecr.io
2021/08/13 09:48:13 Executing step ID: acb_step_0. Timeout(sec): 600, Working directory: '', Network: 'acb_default_network'
2021/08/13 09:48:13 Launching container with name: acb_step_0
Deleting tags for repository: my_docker_repository
my_very_secret_acr.azurecr.io/my_docker_repository:2020.12.15.895-RefsPull13776Merge-f101d12
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1478-IeltsResultsDevelop-0a6c82a
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1478-RefsPull14181Merge-3c41e76
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1473-IeltsResultsDevelop-b06f9a3
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1473-RefsPull14168Merge-1fec456
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1472-RefsPull14168Merge-0f61afd
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1463-IeltsResultsDevelop-9a6c4b7
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1461-RefsPull13734Merge-e0f2caa
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1461-RefsPull14135Merge-ff95d1f
my_very_secret_acr.azurecr.io/my_docker_repository:2021.2.11.1434-RefsPull13734Merge-20af0dd
Number of deleted tags: 10
Number of deleted manifests: 0
2021/08/13 09:48:14 Successfully executed container: acb_step_0
2021/08/13 09:48:14 Step ID: acb_step_0 marked as successful (elapsed time in seconds: 1.172114)
Run ID: cb7f was successful after 5s
Update #1
Running
az acr repository delete
works like a charm, no modification must be done beforehand
I'm following these guides
Automatically purge images from an Azure container registry
Based on the filter command used, only tag references are deleted, not the underlying manifests and layer data, as the repository is write-enabled.
acr purge does not delete an image tag or repository where the write-enabled attribute is set to false
az acr repository show \
--name myregistry --image image:tag \
--output jsonc
az acr repository update \
--name myregistry --image myrepo/myimage:tag \
--delete-enabled true --write-enabled true
To delete the image, repository and manifest to free up SKU size, please follow the link to delete the manifest and data.
Alternatively, if you want to delete the image, tags & manifest using the acr purge you need to pass the acr purge command as an environment variable as explained in the above documentation
I'm trying to deploy a Kubernetes Pod in AKS (I'm new to Kubernetes, so at this stage, I just want to create a container, deploy to Kubernetes and connect to it).
My Yaml file is as follows:
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: dockertest20190205080020
    image: dockertest20190205080020.azurecr.io
    ports:
    - containerPort: 443
metadata:
  name: my-test
I've created the image in Azure Container Registry and, according to the CLI, successfully deployed it to Kubernetes.
After deploying, I used the following command:
kubectl get service
And it tells me there is no External IP to connect to. I then tried:
kubectl describe pod my-test
Which gave the following errors:
Events:
Warning Failed 4m (x2221 over 8h) kubelet, aks-nodepool1-27401563-2 Error: ImagePullBackOff
Normal BackOff 0s (x2242 over 8h) kubelet, aks-nodepool1-27401563-2 Back-off pulling image "dockertest20190205080020.azurecr.io"
I then tried editing the deployment:
kubectl edit pods my-test
Which gave me the error:
message: 'containers with unready status: [dockertest20190205080020]'
I'm a little unsure what my next diagnostic step would be. I get the impression there's an issue with the container or the container registry, but I'm unsure how to determine what that may be.
What happens here (most likely) is that your AKS doesn't have permissions to pull images from your ACR (that's the default behaviour). You need to grant those (link):
#!/bin/bash
AKS_RESOURCE_GROUP=myAKSResourceGroup
AKS_CLUSTER_NAME=myAKSCluster
ACR_RESOURCE_GROUP=myACRResourceGroup
ACR_NAME=myACRRegistry
# Get the id of the service principal configured for AKS
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
# Get the ACR registry resource id
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
# Create role assignment
az role assignment create --assignee $CLIENT_ID --role acrpull --scope $ACR_ID
Alternative is to just use a docker login secret (that article mentions that as well).
Example image in ACR:
image name would be
clrtacr.azurecr.io/dns:tag (or without tag for latest)
I'm not sure if you know there is something wrong in your yaml file, or it just shows as you want for security. But I would show you here:
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: dockertest20190205080020
    image: dockertest20190205080020.azurecr.io/image_name_and_version
    ports:
    - containerPort: 443
metadata:
  name: my-test
Also, as the error that you got shows, you don't have the permission to pull the image from your ACR.
On my side, it would be better to use a secret for pulling all the images from the ACR. You can create a service principal to achieve it. The steps would be like this:
#!/bin/bash
ACR_NAME=myacrinstance
SERVICE_PRINCIPAL_NAME=acr-service-principal
# Populate the ACR login server and resource id.
ACR_LOGIN_SERVER=$(az acr show --name $ACR_NAME --query loginServer --output tsv)
ACR_REGISTRY_ID=$(az acr show --name $ACR_NAME --query id --output tsv)
# Create acrpull role assignment with a scope of the ACR resource.
SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --role acrpull --scopes $ACR_REGISTRY_ID --query password --output tsv)
# Get the service principal client id.
CLIENT_ID=$(az ad sp show --id http://$SERVICE_PRINCIPAL_NAME --query appId --output tsv)
# Output used when creating Kubernetes secret.
echo "Service principal ID: $CLIENT_ID"
echo "Service principal password: $SP_PASSWD"
# Create the secret
kubectl create secret docker-registry acr-auth --docker-server <acr-login-server> --docker-username <service-principal-ID> --docker-password <service-principal-password>
Then you can change your yaml file like this:
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: dockertest20190205080020
    image: dockertest20190205080020.azurecr.io/image_name_and_version
    ports:
    - containerPort: 443
  imagePullSecrets:
  - name: acr-auth
metadata:
  name: my-test
I'm still new to the Azure Container Instance scene. I have managed to complete the container instance tutorial. However, I've noticed that the tutorial does not show the reader how to stop a running container instance. The nearest command that guarantees the container instance is indeed stopped / terminated is deleting the Resource Group which created the container.
az group delete -n <ResourceGroupNameThatCreatedContainerInstance>
Is this the correct approach?
The Azure CLI was updated and now it's possible.
Stop
az container stop --name --resource-group [--subscription]
Restart
az container restart --name --resource-group [--subscription]
You can use az container delete
az container delete -g MyResourceGroup --name mynginx
First I created the Docker image and created a Kubernetes cluster in Azure Container Service.
Then I tagged and pushed the image to my repository, but while pulling my image from Azure Container Registry to the Kubernetes cluster the pod is created but its status shows ImagePullBackOff.
The yaml file for basic api image
apiVersion: v1
kind: Pod
metadata:
  name: myapis
spec:
  containers:
  - name: myapis
    image: ciqsample.azurecr.io/myapis
  imagePullSecrets:
  - name: samplekey
You might need to attach with container registry itself.
az aks update -n myAKSCluster -g myResourceGroup --attach-acr $MYACR
$MYACR -> name of the container registry without ".azurecr.io" postfix
This error means we are using the wrong key and password to pull the image.
Can you run this command to check whether the secret exists or not? kubectl get secret
root@k8s-master-BBF71727-0:~# kubectl get secret
NAME TYPE DATA AGE
azurecr kubernetes.io/dockercfg 1 57m
default-token-clm2d kubernetes.io/service-account-token 3 2h
Then check the secret.
root@k8s-master-BBF71727-0:~# kubectl get secret azurecr --output=yaml
We can use this command script to create secret:
kubectl create secret docker-registry yoursecretname --docker-server=jason.azurecr.io/xxxx/test --docker-username={UserName} --docker-password={Password} --docker-email=team@domain.com
By the way, as a test please log in to Azure Container Registry with your registry credentials, then try to pull an image from Azure Container Registry.
Login
docker login myregistry.azurecr.io -u xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -p myPassword
Pull the image from your registry
docker pull myregistry.azurecr.io/samples/nginx
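A pre-flight check for the ImagePullBackOff cases that recur in this thread (a pod referencing a secret that does not exist, an image host whose case differs from the secret's docker-server, an image that names a registry but no repository), added here as an example and not taken from any of the posts: it takes the Pod and Secret objects as dicts (the shape `kubectl get ... -o json` returns) and reports what the kubelet would trip over before it logs "unauthorized: authentication required". Registry names, secret names and the password in the sample are constructed placeholders.

```python
import base64
import json

def make_dockerconfig(server, user, password):
    """Encode credentials as 'kubectl create secret docker-registry' stores
    them: base64 of a JSON document whose 'auths' map is keyed by server."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()

def registry_host(image):
    """Registry part of an image reference (docker.io for shorthand like 'nginx')."""
    first = image.split("/", 1)[0]
    return first if ("." in first or ":" in first or first == "localhost") else "docker.io"

def check_pull_config(pod, secrets):
    """Findings that explain an ImagePullBackOff before the kubelet reports
    'unauthorized: authentication required'. `pod` is the Pod as a dict,
    `secrets` maps name -> Secret object from the pod's namespace."""
    findings, auth_hosts = [], set()
    for ref in pod["spec"].get("imagePullSecrets", []):
        sec = secrets.get(ref["name"])
        if sec is None:
            findings.append(f"imagePullSecret '{ref['name']}' does not exist in this namespace")
            continue
        if sec["type"] == "kubernetes.io/dockerconfigjson":
            auths = json.loads(base64.b64decode(sec["data"][".dockerconfigjson"])).get("auths", {})
        elif sec["type"] == "kubernetes.io/dockercfg":  # legacy layout: top level is the auths map
            auths = json.loads(base64.b64decode(sec["data"][".dockercfg"]))
        else:
            findings.append(f"secret '{ref['name']}' has type {sec['type']}, not a docker-registry secret")
            continue
        # auths keys may be a bare host or https://host/v1/; compare the host only
        auth_hosts.update(k.split("://")[-1].split("/")[0].lower() for k in auths)
    for c in pod["spec"]["containers"]:
        image, host = c["image"], registry_host(c["image"])
        if host != "docker.io" and "/" not in image:
            findings.append(f"{c['name']}: '{image}' names a registry but no repository (expected {host}/repo:tag)")
        if host != host.lower():
            findings.append(f"{c['name']}: registry host '{host}' has uppercase letters; use all lowercase")
        if host.lower() not in auth_hosts:
            findings.append(f"{c['name']}: no imagePullSecret holds credentials for {host}; node identity needs acrpull instead")
    return findings

# Constructed sample modelled on the first question (placeholder registry/password): lowercase secret server, mixed-case image host.
SAMPLE_POD = {"spec": {
    "containers": [{"name": "jetty", "image": "aksClusterRegistry.azurecr.io/jetty"}],
    "imagePullSecrets": [{"name": "secret"}]}}
SAMPLE_SECRETS = {"secret": {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson":
    make_dockerconfig("aksclusterregistry.azurecr.io", "aksClusterRegistry", "constructed-password")}}}
```

Calling `check_pull_config(SAMPLE_POD, SAMPLE_SECRETS)` returns a single finding about the mixed-case registry host; an empty list means the secret covers every registry the pod pulls from.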