Hello Andrei,
Thanks for getting back to me so quickly! Apologies for not replying sooner.
I'll do my best to answer your questions and clarify myself:
- What I mean by setting up the connection manually is creating managed identities and attaching them to the AKS cluster manually (I also tried the more "automatic" approach which in my case involved utilizing Terraform). This process fails even though I am following what is explicitly stated in the relevant documentation, indicating that assigning a user identity to the AKS cluster is "an invalid resource ID".
- Creating the cluster with a Kubelet identity in Terraform. According to the official Terraform documentation on the matter, a managed identity should be created for the Kubelet identity automatically.
- The full error is "--assign-identity is not a valid resource ID" as well as "--assign-kubelet-identity is not a valid resource ID". This is done after creating managed identities and trying to assign them as per this documentation.
- I have no preferences. I just want it to work, which currently it doesn't.
- It is successful, but ACR points to a Service Principal that is inaccessible by me, called "msi". Even after trying to create a service principal myself manually, ACR still looks to the default "msi" service principal in order to configure the connection. So in reality, the cluster still isn't able to pull images from the repository.
- The output shows: "Merged "<CLUSTERNAME>" as current context in /tmp/tmptz521qdj
Unable to connect to the server: dial tcp: lookup <CLUSTERDNS> <IP>: no such host". But it doesn't really matter because I created several test clusters just to try and configure that connection from scratch, and even though the output is valid, the connection still fails because of "Kubelet Identity Authentication".
- Output attached at the bottom of this message. Even though it has ACR pull permission, there is still an "ImagePullErr" when pods are trying to pull images from the repository.
- I have attempted that, but it fails on the same "Kubelet Identity Authentication" principle as detailed in answer no. 6.
Output for Question 7:
"kubeletidentity": {
"resourceId": "/subscriptions/<SUBSCRIPTIONID>/resourcegroups/<CLUSTERRESOURCEGROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<CLUSTENAME>-agentpool"
"podIdentityProfile": null,