AKS and ACR integration error

pendyala, shyam 0 Reputation points
2024-01-19T13:18:59.02+00:00

Hi Team, I created an Azure Kubernetes cluster (AKS) and integrated it with Azure Container Registry (ACR), but AKS is not able to pull the Docker image from ACR, throwing a Kubernetes backrestart container error. Similar to an AWS Elastic Kubernetes Service (EKS) node group, where various IAM roles and policies (EKS policy, CNI policy, EC2 container registry policy) need to be assigned to the node group EC2 instances, please check and provide assistance steps for attaching roles and policies to the Azure agent pool and node pool, so that the AKS cluster talks to the ACR registry.


3 answers

  1. Carlos Solís Salazar 18,191 Reputation points MVP Volunteer Moderator
    2024-01-19T16:17:23.4633333+00:00

    Hello, I understand you are facing an issue where your Azure Kubernetes Service (AKS) cluster is unable to pull images from Azure Container Registry (ACR), and you are looking for guidance on how to assign roles and policies similar to what is done in AWS EKS. In Azure, the integration between AKS and ACR is handled differently compared to AWS. Here are the steps you can follow to ensure your AKS cluster can communicate with ACR:

    1. Verify AKS Service Identity: Ensure your AKS cluster is configured with a service identity (either a system-assigned managed identity or a user-assigned managed identity). This identity will be used to authenticate against ACR.
    2. Assign the AcrPull Role: The AcrPull role allows the AKS service identity to pull images from ACR. You can assign this role using the Azure CLI or through the Azure portal. The command might look something like this:
         az role assignment create --assignee <app-id> --role acrpull --scope <acr-resource-id>
      
      Here, <app-id> is the application ID of the AKS service identity, and <acr-resource-id> is the resource ID of your ACR.
    3. Setup Secret in AKS for ACR: If you prefer to use a secret for authenticating to ACR instead of the service identity, you can create a Kubernetes secret containing the ACR credentials and use it in your pods.
    4. Check Network Configuration: Ensure there are no network restrictions preventing communication between AKS and ACR.
    5. Review Kubernetes Logs and Events: To better understand the specific error you are encountering, check the Kubernetes logs and events. This can give you more clues about the cause of the issue.

    If after following these steps the problem persists, it would be helpful to have more specific details about the error you are seeing and about the configuration of your cluster and ACR.

    Remember, if you find this information helpful, please accept the answer. And if you need further assistance, feel free to ask.

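The steps above as one runnable script (an added example, not code from the answer or from Microsoft). It wraps the Azure CLI, so executing it for real needs a logged-in `az`; the resource group, cluster and registry names are placeholders. The point it makes beyond the answer: on AKS the principal that pulls images is the kubelet (node pool) managed identity reported under `identityProfile.kubeletidentity`, not the control-plane identity, and the role to grant is the read-only AcrPull scoped to the single registry. With `dry_run=True` the functions only build and record the commands, so the script runs offline.

```python
"""Grant an AKS cluster's kubelet identity pull access to an ACR and verify it.

Added example, not code from the original thread. Wraps the Azure CLI; the
resource names are placeholders. With dry_run=True the commands are built and
recorded but not executed.
"""
import shlex
import subprocess
from typing import List


def kubelet_identity_query(rg: str, cluster: str) -> List[str]:
    """AKS nodes pull images with the kubelet (node pool) managed identity, not
    with the control-plane identity from `az aks show --query identity`, so
    this is the principal that must hold AcrPull."""
    return ["az", "aks", "show", "-g", rg, "-n", cluster, "--query",
            "identityProfile.kubeletidentity.objectId", "-o", "tsv"]


def acr_id_query(acr: str) -> List[str]:
    """Resource ID of the registry, used as the role-assignment scope."""
    return ["az", "acr", "show", "-n", acr, "--query", "id", "-o", "tsv"]


def acrpull_assignment(principal_object_id: str, acr_resource_id: str) -> List[str]:
    """Least privilege: the read-only AcrPull role, scoped to one registry rather
    than to the resource group or subscription. Managed identities are service
    principals, hence the principal type."""
    return ["az", "role", "assignment", "create",
            "--assignee-object-id", principal_object_id,
            "--assignee-principal-type", "ServicePrincipal",
            "--role", "AcrPull", "--scope", acr_resource_id]


def check_acr(rg: str, cluster: str, acr: str) -> List[str]:
    """`az aks check-acr` runs a canary pod on the cluster that tries to pull from
    the registry and reports authentication, DNS and network failures."""
    return ["az", "aks", "check-acr", "-g", rg, "-n", cluster,
            "--acr", f"{acr}.azurecr.io"]


def attach_acr(rg: str, cluster: str, acr: str, dry_run: bool = True) -> List[str]:
    """Run the steps in order and return the commands as shell strings."""
    executed: List[str] = []

    def run(cmd: List[str]) -> str:
        executed.append(shlex.join(cmd))
        if dry_run:
            return "<unresolved>"  # placeholder for the value az would return
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()

    kubelet_oid = run(kubelet_identity_query(rg, cluster))
    acr_id = run(acr_id_query(acr))
    run(acrpull_assignment(kubelet_oid, acr_id))
    run(check_acr(rg, cluster, acr))
    return executed


if __name__ == "__main__":
    # Placeholder names. `az aks update -g my-rg -n my-aks --attach-acr myacr`
    # performs the first three steps in a single call.
    for line in attach_acr("my-rg", "my-aks", "myacr", dry_run=True):
        print(line)
```

`az aks update --attach-acr` does the lookup and role assignment for you and is the usual way to do this; the explicit role assignment is shown because it is the exact Azure counterpart of attaching the ECR read-only policy to an EKS node role. Either way, finish with `az aks check-acr`, which tells you whether the failure is authentication (missing AcrPull), DNS or network (private endpoint or firewall) rather than leaving you to infer it from pod events.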

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

  3. pendyala, shyam 0 Reputation points
    2024-01-22T17:13:53.1366667+00:00

    Please find below AKS Pod events and Pod description.

    shyam_pendyala [ ~ ]$ kubectl create --dry-run=client
    Error: must specify one of -f and -k
    
    Create a resource from a file or from stdin.
    
     JSON and YAML formats are accepted.
    
    Examples:
      # Create a pod using the data in pod.json
      kubectl create -f ./pod.json
    
      # Create a pod based on the JSON passed into stdin
      cat pod.json | kubectl create -f -
    
      # Edit the data in registry.yaml in JSON then create the resource using the edited data
      kubectl create -f registry.yaml --edit -o json
    
    Available Commands:
      clusterrole           Create a cluster role
      clusterrolebinding    Create a cluster role binding for a particular cluster role
      configmap             Create a config map from a local file, directory or literal value
      cronjob               Create a cron job with the specified name
      deployment            Create a deployment with the specified name
      ingress               Create an ingress with the specified name
      job                   Create a job with the specified name
      namespace             Create a namespace with the specified name
      poddisruptionbudget   Create a pod disruption budget with the specified name
      priorityclass         Create a priority class with the specified name
      quota                 Create a quota with the specified name
      role                  Create a role with single rule
      rolebinding           Create a role binding for a particular role or cluster role
      secret                Create a secret using a specified subcommand
      service               Create a service using a specified subcommand
      serviceaccount        Create a service account with the specified name
      token                 Request a service account token
    
    Options
        --allow-missing-template-keys=true
            If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to
            golang and jsonpath output formats.
    
        --dry-run='none':
            Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without
            sending it. If server strategy, submit server-side request without persisting the resource.
    
        --edit=false:
            Edit the API resource before creating
    
        --field-validation='strict':
            Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate
            the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation
            is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will
            warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled
            on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema
            validation, silently dropping any unknown or duplicate fields
    
        --windows-line-endings=false
            Only relevant if --edit=true. Defaults to the line ending native to your platform
    
    Usage:
      kubectl create -f FILENAME [options]
    
    Use "kubectl create <command> --help" for more information about a given command
    Use "kubectl options" for a list of global command-line options (applies to all commands)
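The post above ended up with `kubectl create` help text instead of pod events; what is needed is `kubectl get pods -A -o json` (or `kubectl describe pod`), read for the container state. The script below is an added example, not part of the thread, that triages that JSON: it separates image-pull failures, which point at registry authentication or network and are what the AcrPull / `--attach-acr` steps fix, from CrashLoopBackOff, where the image was pulled successfully and the process itself exits. The `PodList` embedded in it is constructed to look like kubectl output using core/v1 field names; the registry name and the message texts are illustrative.

```python
"""Triage non-running pods from `kubectl get pods -A -o json` output.

Added example, not part of the original thread. Usage:
    kubectl get pods -A -o json | python3 triage_pods.py
    python3 triage_pods.py --sample      # run on the constructed PodList below
"""
import json
import sys
from typing import Dict, List, Tuple

PULL_REASONS = {"ErrImagePull", "ImagePullBackOff", "InvalidImageName"}

# Next action per finding; registry name is a placeholder.
NEXT_STEP = {
    "registry-auth": "kubelet identity lacks AcrPull: az aks update --attach-acr <acr>, then az aks check-acr",
    "registry-network": "node cannot reach the registry: check DNS, private endpoint and firewall rules",
    "image-missing": "repository or tag does not exist: check the image reference / az acr repository show-tags",
    "container-crash": "image pulled fine; inspect kubectl logs --previous and the last exit code",
}


def classify(cs: Dict) -> str:
    """Map one containerStatus object to a finding label."""
    state = cs.get("state", {})
    if "running" in state:
        return "running"
    waiting = state.get("waiting")
    if not waiting:
        return "terminated" if "terminated" in state else "unknown"
    reason = waiting.get("reason", "")
    msg = waiting.get("message", "").lower()
    if reason in PULL_REASONS:
        # containerd surfaces the registry's HTTP status in the waiting message
        if "401" in msg or "unauthorized" in msg or "authentication required" in msg:
            return "registry-auth"
        if "no such host" in msg or "i/o timeout" in msg or "connection refused" in msg:
            return "registry-network"
        if "not found" in msg or "manifest unknown" in msg:
            return "image-missing"
        return "image-pull-other"
    if reason == "CrashLoopBackOff":
        return "container-crash"
    return f"waiting:{reason}"


def triage(pod_list: Dict) -> List[Tuple[str, str, str]]:
    """Return (namespace/pod, container, finding) for every container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        status = pod.get("status", {})
        for cs in status.get("initContainerStatuses", []) + status.get("containerStatuses", []):
            findings.append((f"{meta['namespace']}/{meta['name']}", cs["name"], classify(cs)))
    return findings


# Constructed sample: one pod denied by the registry, one crashing after a good pull.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "web-7d4f"},
     "status": {"containerStatuses": [{"name": "web", "state": {"waiting": {
         "reason": "ImagePullBackOff",
         "message": 'Back-off pulling image "myacr.azurecr.io/web:1.0": rpc error: failed to pull and unpack image: '
                    "unexpected status from HEAD request to https://myacr.azurecr.io/v2/web/manifests/1.0: 401 Unauthorized"}}}]}},
    {"metadata": {"namespace": "default", "name": "worker-9b2c"},
     "status": {"containerStatuses": [{"name": "worker", "restartCount": 7,
         "lastState": {"terminated": {"exitCode": 1, "reason": "Error"}},
         "state": {"waiting": {"reason": "CrashLoopBackOff",
                               "message": "back-off 5m0s restarting failed container=worker"}}}]}},
]}


def main() -> None:
    data = SAMPLE if "--sample" in sys.argv[1:] else json.load(sys.stdin)
    for pod, container, finding in triage(data):
        print(f"{pod} [{container}]: {finding} -> {NEXT_STEP.get(finding, 'see kubectl describe pod')}")


if __name__ == "__main__":
    main()
```

A 401 from the registry in an `ImagePullBackOff` message means the node reached ACR but its identity was rejected, which is the AcrPull problem; a CrashLoopBackOff means the pull already worked and no registry role will change it, so the logs of the previous container instance are the next thing to read.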
    
