AKS is unable to pull from ACR even after granting permissions

8/31/2019

I have followed this documentation on providing ACR access to AKS : https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks but still i'm getting the authentication failed error. Can someone help me with this?

env:
- name: no_cpu
  valueFrom:
    resourceFieldRef:
      containerName: proxy
      resource: requests.cpu
imagePullSecrets:
- name: acr-auth
-- Sai Prasanth
azure
azure-aks
docker
kubernetes

2 Answers

8/31/2019

Make sure you have the acrpull role assigned to the AKS SP on the ACR resource (from the portal, on the IAM tab, or using the script:

#!/bin/bash

AKS_RESOURCE_GROUP=myAKSResourceGroup
AKS_CLUSTER_NAME=myAKSCluster
ACR_RESOURCE_GROUP=myACRResourceGroup
ACR_NAME=myACRRegistry

# Get the id of the service principal configured for AKS
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)

# Get the ACR registry resource id
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)

# Create role assignment
az role assignment create --assignee $CLIENT_ID --role acrpull --scope $ACR_ID

).

Then create pull secret via command line:

kubectl create secret docker-registry acr-auth --docker-server <acr-login-server> --docker-username <service-principal-ID> --docker-password <service-principal-password> --docker-email <email-address>

or

apiVersion: v1
kind: Secret
metadata:
  name: acr-auth
type: docker-registry
data:
  username: <base64encoded username>
  password: <base64encoded password> 

Both are equivalent.

-- Alessandro Vozza
Source: StackOverflow

8/31/2019

you need to remove imagepullsecrets property from the pod\deployment definition. that way you will instruct kubernetes to use internal aks\acr auth

-- 4c74356b41
Source: StackOverflow