I am trying to deploy keda on AKS cluster but it I can't pull images from ghcr.io even I can connect to that url through the cluster

Ahmed Elbendary 0 Reputation points
2023-04-06T06:46:06.61+00:00

LAST SEEN TYPE REASON OBJECT MESSAGE 4m32s Warning FailedCreate replicaset/keda-admission-webhooks-6cd9cdbff8 Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev2containerallowedimag-6b74f136ad831b3dc4cb] Container image ghcr.io/kedacore/keda-admission-webhooks:2.10.0 for container keda-admission-webhooks has not been allowed.

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,894 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
805 questions
{count} votes

1 answer

Sort by: Most helpful
  1. vipullag-MSFT 25,041 Reputation points
    2023-04-06T10:29:01.3266667+00:00

    Hello Ahmed Elbendary

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    It seems like the admission webhook "validation.gatekeeper.sh" is denying the request to pull the container image from ghcr.io. This could be due to the AKS cluster's network configuration or the policies set on the cluster.

    To troubleshoot this issue, you need to check the policy applied to your AKS cluster that is preventing the usage of the ghcr.io container registry. You can do this by checking the Azure Policy assigned to your AKS cluster.

    You can also try to pull the container image manually on one of the nodes of your AKS cluster to see if there is any issue with connectivity or authentication. You can use the following command to pull the image:
    docker pull ghcr.io/kedacore/keda-admission-webhooks:2.10.0
    If you are able to successfully pull the image, then the issue is likely related to the policy applied to your AKS cluster.

    If you are not able to pull the image, then there might be an issue with connectivity or authentication. You can check the logs of the container registry to see if there are any errors related to authentication or connectivity. You can also check if the node has access to the internet and if there are any firewall rules blocking outbound traffic.

    Hope this helps.

    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

    0 comments No comments