**Describe the bug**
AKS does not handle ACR scope tokens when the property `AADAuthenticationAsArmPolicy` is set to `disabled`.

**To Reproduce**
Steps to reproduce the behavior:

1. Disable `AADAuthenticationAsArmPolicy` in the target registry:
   ```
   az acr config authentication-as-arm update -r --status disabled
   ```
2. Run `az aks check-acr` (or any other attempt to authenticate the cluster to the registry):
   ```
   PS C:\Users\ext.tmanriquev.nttda> az aks check-acr --name aks-eu1-integra-multicanal-desa --resource-group rg-eu1-plat-integra-desa --acr acrseu1integradesa.azurecr.io
   Merged "aks-eu1-integra-multicanal-desa" as current context in C:\Users\EXTTMA~1.NTT\AppData\Local\Temp\12\tmp8mzt5rds
   [2024-09-23T19:49:18Z] Checking host name resolution (acrseu1integradesa.azurecr.io): SUCCEEDED
   [2024-09-23T19:49:18Z] Canonical name for ACR (acrseu1integradesa.azurecr.io): acrseu1integradesa.privatelink.azurecr.io.
   [2024-09-23T19:49:18Z] Checking managed identity...
   [2024-09-23T19:49:18Z] Kubelet managed identity client ID: 17e464cb-e6b1-4d5c-be73-98884b0ad911
   [2024-09-23T19:49:18Z] Validating managed identity existance: SUCCEEDED
   [2024-09-23T19:49:18Z] Validating image pull permission: FAILED
   [2024-09-23T19:49:18Z] ACR acrseu1integradesa.azurecr.io rejected token exchange: ACR token exchange endpoint returned error status: 401. body: {"errors":[{"code":"UNAUTHORIZED","message":"arm aad token disallowed: registry has AADAuthenticationAsArmPolicy disabled"}]}
   ```
**Expected behavior**
AKS needs to be able to support requesting ACR scope tokens in order to support conditional access with a container registry: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-configure-conditional-access

AZ CLI (acr modules) already supports the required change for the scope (here). ACR's scope is `https://containerregistry.azure.net`.
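Added example, not part of the issue above and not code from AKS, ACR or the Azure CLI. It makes the failure in the `check-acr` output inspectable before the exchange call: decode the `aud` claim of the Entra ID token that will be presented to the registry, then apply the rule the 401 body states (an ARM-audience token is only accepted while `AADAuthenticationAsArmPolicy` is enabled; a token whose audience is ACR's own scope `https://containerregistry.azure.net` is accepted either way). The offline part runs on constructed, unsigned test tokens; the `live_*` helpers show the real calls (`az acr config authentication-as-arm show`, `az account get-access-token --resource ...`, and ACR's `/oauth2/exchange` endpoint) and assume `az`, `curl` and network access, so they are defined but not invoked. The claim names and the `status` field of the `show` output are assumptions.

```shell
#!/usr/bin/env bash
# Added example; not code from the issue, AKS, ACR or the Azure CLI.
# Assumes bash + coreutils (base64, cut, tr, sed). The live_* functions
# additionally assume az, curl and network access and are not run here.

ARM_AUD="https://management.azure.com/"         # audience kubelet presents today (rejected in the issue)
ACR_AUD="https://containerregistry.azure.net"   # ACR's own scope, as stated in the issue

b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Constructed test token (alg=none, dummy signature). Only the claims matter here.
make_unsigned_jwt() {  # $1 = aud
  local hdr body
  hdr=$(printf '{"alg":"none","typ":"JWT"}' | b64url)
  body=$(printf '{"aud":"%s","sub":"kubelet-managed-identity"}' "$1" | b64url)
  printf '%s.%s.x' "$hdr" "$body"
}

# Decode the JWT payload WITHOUT verifying the signature. This is for
# inspection only; never use it to decide whether to trust a token.
jwt_payload() {
  local p
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in
    2) p="${p}==" ;;
    3) p="${p}=" ;;
  esac
  printf '%s' "$p" | base64 -d 2>/dev/null
}

jwt_aud() { jwt_payload "$1" | sed -n 's/.*"aud" *: *"\([^"]*\)".*/\1/p'; }

# Model of the registry decision quoted in the 401 body:
#   ACR-audience token -> accepted regardless of the policy
#   ARM-audience token -> accepted only while AADAuthenticationAsArmPolicy is enabled
# $1 = token, $2 = policy status ("enabled" | "disabled"). Exit 0 = would be accepted.
check_token_for_registry() {
  local aud
  aud=$(jwt_aud "$1")
  case "$aud" in
    "$ACR_AUD"|"$ACR_AUD/")
      echo "accept: ACR-scoped token (aud=$aud)"; return 0 ;;
    https://management.azure.com|https://management.azure.com/)
      if [ "$2" = "enabled" ]; then
        echo "accept: ARM token allowed because AADAuthenticationAsArmPolicy is enabled"; return 0
      fi
      echo "reject: arm aad token disallowed, registry has AADAuthenticationAsArmPolicy disabled"; return 1 ;;
    *)
      echo "reject: unexpected audience '$aud'"; return 1 ;;
  esac
}

# --- live helpers (need az / curl / network; defined, not invoked) ----------
# Policy status of a registry. $1 = registry resource name. Assumes the
# 'show' output carries a 'status' field.
live_policy_status() { az acr config authentication-as-arm show -r "$1" --query status -o tsv; }
# The token kubelet should be requesting: audience = ACR scope, not ARM.
live_acr_scoped_token() { az account get-access-token --resource "$ACR_AUD" --query accessToken -o tsv; }
# The exchange step that returned 401 in the issue. $1 = login server, $2 = Entra ID token.
live_acr_exchange() {
  curl -fsS -X POST "https://$1/oauth2/exchange" \
    --data-urlencode "grant_type=access_token" \
    --data-urlencode "service=$1" \
    --data-urlencode "access_token=$2"
}

# Offline demonstration with the constructed tokens (no network needed).
for aud in "$ARM_AUD" "$ACR_AUD"; do
  tok=$(make_unsigned_jwt "$aud")
  for status in enabled disabled; do
    printf 'policy=%-8s aud=%-40s -> ' "$status" "$aud"
    check_token_for_registry "$tok" "$status" || true
  done
done
```

Run it as-is to see the four combinations; the only rejected one is `policy=disabled` with the ARM audience, which is exactly the `check-acr` result above. To test a real token, replace the constructed one with the output of `live_acr_scoped_token` (or with the ARM token the kubelet identity obtains) and pass the value of `live_policy_status <registry>` as the second argument.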