Open ATymus opened 2 weeks ago
@ATymus I recommend enabling the debug log level in Karpenter, redeploying and sharing more Resource Specs and Logs:
kubectl describe pod <pod-name> -n <namespace>
kubectl describe node <node-name>
az aks show --resource-group <resource-group> --name <aks-cluster> --query "identity"
az role assignment list --assignee <managed-identity-id> --scope <acr-id>
Also double-check the secret the pod is using to access the ACR.
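As an added example (not code from the issue or the Karpenter project), here is a Python check over saved output of the `az aks show` and `az role assignment list` commands above: it takes the kubelet identity's objectId and lists which role assignments actually grant that principal pull access to the ACR, honouring ARM scope inheritance (an assignment at resource-group or subscription scope also covers the registry). The identity ids, subscription and scopes are constructed placeholders.

```python
import json

# Constructed sample of `az aks show ... --query identityProfile` (placeholder ids).
AKS_IDENTITY_PROFILE = json.dumps({
    "kubeletidentity": {
        "clientId": "00000000-0000-0000-0000-00000000aaaa",
        "objectId": "11111111-1111-1111-1111-11111111bbbb",
        "resourceId": "/subscriptions/sub-id/resourceGroups/rg-dev/providers/"
                      "Microsoft.ManagedIdentity/userAssignedIdentities/aks-dev-agentpool",
    }
})

ACR_ID = ("/subscriptions/sub-id/resourceGroups/rg-dev/providers/"
          "Microsoft.ContainerRegistry/registries/myregistry")

# Constructed sample of `az role assignment list --assignee <objectId> --all`.
ROLE_ASSIGNMENTS = json.dumps([
    {"principalId": "11111111-1111-1111-1111-11111111bbbb",
     "roleDefinitionName": "AcrPush", "scope": ACR_ID},
    {"principalId": "11111111-1111-1111-1111-11111111bbbb",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-id/resourceGroups/rg-dev"},
])

# Built-in roles whose actions include registries/pull/read (AcrPush includes pull;
# Owner and Contributor carry the "*" action).
PULL_ROLES = {"AcrPull", "AcrPush", "Owner", "Contributor"}


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True if a role assigned at assignment_scope applies to resource_id (ARM ids inherit down)."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def kubelet_object_id(identity_profile_json: str) -> str:
    """Principal the nodes' kubelet authenticates to ACR with."""
    return json.loads(identity_profile_json)["kubeletidentity"]["objectId"]


def pull_grants(assignments_json: str, principal_id: str, acr_id: str) -> list:
    """(role, scope) pairs that give principal_id pull access to acr_id; empty means 401 is expected."""
    grants = []
    for ra in json.loads(assignments_json):
        if ra["principalId"].lower() != principal_id.lower():
            continue
        if ra["roleDefinitionName"] in PULL_ROLES and scope_covers(ra["scope"], acr_id):
            grants.append((ra["roleDefinitionName"], ra["scope"]))
    return grants


if __name__ == "__main__":
    oid = kubelet_object_id(AKS_IDENTITY_PROFILE)
    print(oid, pull_grants(ROLE_ASSIGNMENTS, oid, ACR_ID))
```

Run the same check with the objectId of the identity actually attached to a Karpenter-created node (from `kubectl describe node`) to confirm both node types resolve to a principal that appears in this list.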
Version
Karpenter Version: v0.5.0
Kubernetes Version: v1.29.4
Expected Behavior
The expected behavior is that the nodes can access the private ACR using the configured managed identity.
Actual Behavior
Nodes created by Karpenter and regular Kubernetes nodes both have the same managed identity configured. This managed identity has been granted both AcrPull and AcrPush roles on the ACR. However, while pods on regular Kubernetes nodes can successfully pull images from the private ACR, pods on nodes created by Karpenter fail with the following error: 401 Unauthorized (screenshot in the original issue: "Screenshot 2024-06-19 at 12 57 59").
Steps to Reproduce the Problem
az aks update -n aks-dev -g rg-dev --attach-acr myregistry
Resource Specs and Logs