enix / kube-image-keeper

kuik is a container image caching system for Kubernetes
MIT License
431 stars 31 forks

ACR example to authenticate registry with private ACR #343

Open divyanshursahu opened 3 months ago

divyanshursahu commented 3 months ago

I have installed KUIK v1.8.0 in an AKS cluster, but after the kuik deployment, when I try to pull an image from Azure ACR, it fails and I get errors like the ones below.

ACR is already linked with the AKS cluster; I was able to pull images from ACR and the container was starting, but after the KUIK installation it fails.

```
$ kubectl describe pod div-redis-745cbd8d7d-tk8rm
Normal   Pulling  17m (x4 over 19m)     kubelet  Pulling image "localhost:7439/acr.azurecr.io/redis/div-redis:1.0"
Warning  Failed   17m (x4 over 19m)     kubelet  Failed to pull image "localhost:7439/acr.azurecr.io/redis/div-redis:1.0": failed to pull and unpack image "localhost:7439/acr.azurecr.io/redis/div-redis:1.0": failed to resolve reference "localhost:7439/acr.azurecr.io/redis/div-redis:1.0": unexpected status from HEAD request to http://localhost:7439/v2/acr.azurecr.io/redis/div-redis/manifests/1.0: 401 Unauthorized
Warning  Failed   17m (x4 over 19m)     kubelet  Error: ErrImagePull
Warning  Failed   17m (x6 over 19m)     kubelet  Error: ImagePullBackOff
Normal   BackOff  4m16s (x65 over 19m)  kubelet  Back-off pulling image "localhost:7439/acr.azurecr.io/redis/div-redis:1.0"
```

Cached image describe:

```
Name:         acr.azurecr.io-redis-div-redis-1.0
Namespace:
Labels:       kuik.enix.io/repository=acr.azurecr.io-redis-div-redis
Annotations:  <none>
API Version:  kuik.enix.io/v1alpha1
Kind:         CachedImage
Metadata:
  Creation Timestamp:  2024-06-03T08:19:14Z
  Finalizers:
    cachedimage.kuik.enix.io/finalizer
  Generation:  1
  Owner References:
    API Version:     kuik.enix.io/v1alpha1
    Kind:            Repository
    Name:            acr.azurecr.io-redis-div-redis
    UID:             b6e8e49c-e826-4031-8ad5-da1bedc74607
  Resource Version:  37683193
  UID:               183d68d5-34ce-48bf-b921-4bcdc8165194
Spec:
  Source Image:  acr.azurecr.io/redis/div-redis:1.0
Status:
  Last Sync:  2024-06-03T09:38:31Z
  Phase:      ErrImagePull
  Used By:
    Count:  3
    Pods:
      Namespaced Name:  default/div-redis-745cbd8d7d-tk8rm
      Namespaced Name:  default/div-redis-745cbd8d7d-nkdrh
      Namespaced Name:  default/div-redis-745cbd8d7d-pwt2g
Events:
  Type     Reason       Age                 From                    Message
  ----     ------       ----                ----                    -------
  Normal   Caching      13m (x23 over 86m)  cachedimage-controller  Start caching image acr.azurecr.io/redis/div-redis:1.0
  Warning  CacheFailed  13m (x23 over 86m)  cachedimage-controller  Failed to cache image acr.azurecr.io/redis/div-redis:1.0, reason: GET https://acr.azurecr.io/oauth2/token?scope=repository%3Aredis%2Fdiv-redis%3Apull&service=acr.azurecr.io: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.
```

paullaffitte commented 3 months ago

Most probably it is for the same reason as for GCR (see https://github.com/enix/kube-image-keeper/issues/267#issuecomment-2042975871). However, the Azure official helper seems to be unmaintained: https://github.com/Azure/acr-docker-credential-helper

divyanshursahu commented 3 months ago

The Azure official helper is permanently deprecated, as mentioned on its page: https://github.com/Azure/acr-docker-credential-helper. I tried it anyway, but it was not working. They recommend using any of the other methods mentioned on the page https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli.

We are already using managed identities to authenticate between AKS and ACR to pull images from ACR, and it works when we create a pod or do a simple deployment, but when kuik is enabled for the namespace and we try to create the deployment or pod from the image in ACR, we get the authentication error mentioned above.
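An added example, not code from this issue or from kube-image-keeper: a shell helper that renders a `kubernetes.io/dockerconfigjson` pull secret for a private ACR from a repository-scoped, pull-only ACR token, with an optional check of those credentials against the same `/oauth2/token` endpoint that appears in the CacheFailed event above. It assumes, as the maintainer's reply suggests, that the cachedimage-controller needs registry credentials of its own because it cannot reuse the AKS managed identity that the kubelet uses, and that kuik picks up imagePullSecrets from the pod or its service account. The registry, token and secret names (`acr.azurecr.io`, `kuik-pull`, `acr-pull`) are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not part of kube-image-keeper or the issue): build a pull secret for a
# private ACR so a component that cannot use the AKS managed identity (assumed here:
# kuik's cachedimage-controller) can authenticate. Uses a repository-scoped, pull-only
# ACR token rather than the registry admin account or a broad service principal.
set -euo pipefail

# Docker config JSON as kubelet and registry clients expect it:
# {"auths":{"<server>":{"username":..,"password":..,"auth":base64("user:pass")}}}
# Caveat: values are not JSON-escaped; ACR token passwords contain no quotes or
# backslashes, but arbitrary passwords would need proper escaping.
docker_config_json() {
  local server="$1" user="$2" pass="$3"
  local auth
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$auth"
}

# Render the Secret manifest (no kubectl needed; pipe it into `kubectl apply -f -`).
pull_secret_manifest() {
  local name="$1" namespace="$2" server="$3" user="$4" pass="$5"
  local cfg
  cfg=$(docker_config_json "$server" "$user" "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${cfg}
EOF
}

# Check the credentials against ACR's token endpoint before handing them to the
# cluster. This is the request the CacheFailed event shows failing with UNAUTHORIZED;
# a 200 here with a pull scope means the token works for that repository.
# Needs network access; not invoked at top level.
verify_pull_creds() {
  local server="$1" repo="$2" user="$3" pass="$4"
  curl -fsS -u "${user}:${pass}" \
    "https://${server}/oauth2/token?scope=repository:${repo}:pull&service=${server}" \
    >/dev/null
}

# End-to-end procedure (placeholders; not invoked at top level so the file runs offline):
#   1. create a pull-only token scoped by the built-in _repositories_pull scope map,
#   2. render and apply the secret in the namespace where kuik is enabled,
#   3. attach it to the service account the pods use so kuik can find it.
apply_pull_secret() {
  local acr_name="$1" namespace="$2"
  local server="${acr_name}.azurecr.io" token_name="kuik-pull" secret_name="acr-pull"
  local pass
  pass=$(az acr token create --name "$token_name" --registry "$acr_name" \
           --scope-map _repositories_pull \
           --query 'credentials.passwords[0].value' -o tsv)
  verify_pull_creds "$server" "redis/div-redis" "$token_name" "$pass"
  pull_secret_manifest "$secret_name" "$namespace" "$server" "$token_name" "$pass" \
    | kubectl apply -f -
  kubectl patch serviceaccount default -n "$namespace" \
    -p "{\"imagePullSecrets\":[{\"name\":\"${secret_name}\"}]}"
}
```

The token is scoped to pull only, so a compromise of the secret (which kuik, like kubelet, can read) yields read access to the registry and nothing more; rotate it by creating a new token password and re-running the render step.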