Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[BUG] Support for registries with 'AADAuthenticationAsArmPolicy' property set to 'disabled' (Conditional Access) #4560

Open cegraybl opened 2 weeks ago

cegraybl commented 2 weeks ago

Describe the bug
AKS does not handle ACR scope tokens when property AADAuthenticationAsArmPolicy is set to disabled.

To Reproduce
Steps to reproduce the behavior:

  1. Disable AADAuthenticationAsArmPolicy in the target registry: az acr config authentication-as-arm update -r --status disabled
  2. Run az aks check-acr (or any other attempt to authenticate the cluster to the registry):

     PS C:\Users\ext.tmanriquev.nttda> az aks check-acr --name aks-eu1-integra-multicanal-desa --resource-group rg-eu1-plat-integra-desa --acr acrseu1integradesa.azurecr.io
     Merged "aks-eu1-integra-multicanal-desa" as current context in C:\Users\EXTTMA~1.NTT\AppData\Local\Temp\12\tmp8mzt5rds
     [2024-09-23T19:49:18Z] Checking host name resolution (acrseu1integradesa.azurecr.io): SUCCEEDED
     [2024-09-23T19:49:18Z] Canonical name for ACR (acrseu1integradesa.azurecr.io): acrseu1integradesa.privatelink.azurecr.io.
     [2024-09-23T19:49:18Z] Checking managed identity...
     [2024-09-23T19:49:18Z] Kubelet managed identity client ID: 17e464cb-e6b1-4d5c-be73-98884b0ad911
     [2024-09-23T19:49:18Z] Validating managed identity existance: SUCCEEDED
     [2024-09-23T19:49:18Z] Validating image pull permission: FAILED
     [2024-09-23T19:49:18Z] ACR acrseu1integradesa.azurecr.io rejected token exchange: ACR token exchange endpoint returned error status: 401. body: {"errors":[{"code":"UNAUTHORIZED","message":"arm aad token disallowed: registry has AADAuthenticationAsArmPolicy disabled"}]}

Expected behavior
AKS needs to be able to support requesting ACR scope tokens in order to support conditional access with a container registry: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-configure-conditional-access

AZ CLI (acr modules) already supports the required change for the scope (here). ACR's scope is https://containerregistry.azure.net

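As an added example (not code from this issue or from AKS), the following Python diagnostic decodes the audience of an AAD token and predicts whether ACR's /oauth2/exchange endpoint will accept it under the registry's AADAuthenticationAsArmPolicy setting, and maps the 401 body from the check-acr output above to a remediation hint. It assumes, following the Conditional Access documentation linked above, that tokens scoped to https://containerregistry.azure.net are accepted under either setting while ARM-scoped (https://management.azure.com) tokens are accepted only while the policy is enabled; the JWT helper and sample tokens are constructed, unsigned test data.

```python
import base64
import json

# Audiences (token scopes) involved in the AKS -> ACR token exchange
ARM_AUDIENCE = "https://management.azure.com"        # what the kubelet presents today
ACR_AUDIENCE = "https://containerregistry.azure.net"  # what ACR requires once the policy is disabled

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline testing only (no real signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

def token_audience(token: str) -> str:
    """Read the 'aud' claim without verifying the signature. This is a local
    diagnostic on a token you already hold, never an authentication decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    aud = json.loads(_b64url_decode(parts[1])).get("aud", "")
    if isinstance(aud, list):
        aud = aud[0] if aud else ""
    return aud.rstrip("/")  # real ARM tokens carry a trailing slash in 'aud'

def exchange_will_be_accepted(token: str, aad_auth_as_arm_enabled: bool) -> bool:
    """Predict whether ACR's /oauth2/exchange will accept this AAD token
    (assumption: ACR-scoped tokens always pass, ARM-scoped only while the
    AADAuthenticationAsArmPolicy is enabled)."""
    aud = token_audience(token)
    if aud == ACR_AUDIENCE:
        return True
    if aud == ARM_AUDIENCE:
        return aad_auth_as_arm_enabled
    return False  # any other audience is not meant for ACR at all

def explain_exchange_error(status: int, body: str) -> str:
    """Turn the exchange endpoint's error body into a remediation hint."""
    if status != 401:
        return f"unexpected status {status}"
    try:
        messages = [e.get("message", "") for e in json.loads(body).get("errors", [])]
    except (ValueError, AttributeError):
        return "401 with unparseable body"
    if any("AADAuthenticationAsArmPolicy disabled" in m for m in messages):
        return (f"registry rejects ARM-audience tokens; request the token for "
                f"{ACR_AUDIENCE} instead, or re-enable the policy on the registry")
    return "401: " + "; ".join(messages)
```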

microsoft-github-policy-service[bot] commented 18 hours ago

@mangalorereshmi would you be able to assist?