Add the container registry certs to AKS nodes

Question

Add the container registry certs to AKS nodes

AKS-User 31

I have the AKS cluster and the container registry. I'm unable to pull the images from the kubernetes manifests. This is due to the certificates unavailability on AKS nodes. How to add the certificates to the AKS nodes and also how to update the /etc/hosts entries?

AKS Version: v1.21.7
KERNEL-VERSION: 5.4.0-1067-azure
CONTAINER-RUNTIME: containerd://1.4.9+azure

Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-18T15:50:35.543+00:00

Applying the docker images from container registry to a k8s cluster doesn't need a certificate unless you have some special settings applied to the cluster. So, let's know the special settings you have as well as the complete error message details, screenshots etc.
Answer to the next question on editing /etc/hosts entries is possible by logging in to the pods. The following example shows how to access bash prompt of the pod

kubectl exec -it <pod name> /bin/bash
AKS-User 31 Reputation points

2022-03-18T18:26:12.44+00:00

In our case, certificates are required for the container registry authentication. And we had to update the /etc/hosts for resolving the registry from the local machine. As these 2 things are missing we are facing "Image Pull errors".

Could you advise appropriately on how to make these 2 changes on AKS nodes? Let me know if you still have any further queries.
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-18T20:05:44.54+00:00

I am afraid to say that certificate based authentication is not available as of now for ACR. Check the authentication methods supported here: container-registry-authentication
AKS-User 31 Reputation points

2022-03-19T02:50:51.583+00:00

Here, Container registry is not Azure container registry.

This question can be answered in a generic way though. To rephrase this question in a generic way, "How to update the certificates & /etc/hosts path on AKS nodes?"

Let me know if you still have any issue in understanding the question.
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-19T06:38:42.803+00:00

II think, the approach explained here is helpful for establishing an SSL authentication with container registry when deploying images in AKS
For adding hosts entries refer the kuberenetes document here
AKS-User 31 Reputation points

2022-03-21T05:35:01.533+00:00

As I already mentioned the container registry is not ACR (Harbor registry). Your documentation reference is not a right one. And also about host entries it will only work at pod level and not node level.

You are completely misleading with inappropriate answers and just responding blindly. Its ok if you don't have the solution or if you don't know the answer or if you don't understand the question but don't respond like this and waste users time.

Accepted answer

0 additional answers

Your answer

Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-18T15:50:35.543+00:00

Applying the docker images from container registry to a k8s cluster doesn't need a certificate unless you have some special settings applied to the cluster. So, let's know the special settings you have as well as the complete error message details, screenshots etc.
Answer to the next question on editing /etc/hosts entries is possible by logging in to the pods. The following example shows how to access bash prompt of the pod

kubectl exec -it <pod name> /bin/bash
AKS-User 31 Reputation points

2022-03-18T18:26:12.44+00:00

In our case, certificates are required for the container registry authentication. And we had to update the /etc/hosts for resolving the registry from the local machine. As these 2 things are missing we are facing "Image Pull errors".

Could you advise appropriately on how to make these 2 changes on AKS nodes? Let me know if you still have any further queries.
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-18T20:05:44.54+00:00

I am afraid to say that certificate based authentication is not available as of now for ACR. Check the authentication methods supported here: container-registry-authentication
AKS-User 31 Reputation points

2022-03-19T02:50:51.583+00:00

Here, Container registry is not Azure container registry.

This question can be answered in a generic way though. To rephrase this question in a generic way, "How to update the certificates & /etc/hosts path on AKS nodes?"

Let me know if you still have any issue in understanding the question.
Manu Philip 20,206 Reputation points MVP Volunteer Moderator

2022-03-19T06:38:42.803+00:00

II think, the approach explained here is helpful for establishing an SSL authentication with container registry when deploying images in AKS
For adding hosts entries refer the kuberenetes document here
AKS-User 31 Reputation points

2022-03-21T05:35:01.533+00:00

As I already mentioned the container registry is not ACR (Harbor registry). Your documentation reference is not a right one. And also about host entries it will only work at pod level and not node level.

You are completely misleading with inappropriate answers and just responding blindly. Its ok if you don't have the solution or if you don't know the answer or if you don't understand the question but don't respond like this and waste users time.

Answer 1

Prrudram-MSFT 28,201 Moderator

Hello @AKS-User ,

I understand you are using Harbor registry https://github.com/goharbor/harbor
After a thorough research, I find daemonsets to be the way here because we don't provide OOB solutions for 3rd party CRs (except for docker hub I think).
This is a Kubernetes DaemonSet definition that will install a custom certificate on the nodes and restart containerd. This is useful if your private registry is protected using a self-signed certificate. Not tested in production. · GitHub
Example for hosts file: KQ - How to update worker nodes /etc/hosts file in GKE (kubernetesquestions.com)

Let me know if you have any queries around this, if this doesn't work, please respond back on this answer by adding a new comment.

AKS-User 31 Reputation points

2022-03-21T11:36:06.427+00:00

Thanks for the appropriate answer. Will try it.
Prrudram-MSFT 28,201 Reputation points Moderator

2022-03-21T15:37:07.347+00:00

@AKS-User

You are welcome! I have also confirmed with our internal teams, running a TrustedCA daemonset is the only way. We are working on a TrustedCA feature that will be available in coming months to support this feature set.
Keep me posted on your progress.
AKS-User 31 Reputation points

2022-03-21T17:07:28.16+00:00

Its working. Thanks!

Could you elaborate more on the TrustedCA feature?
Prrudram-MSFT 28,201 Reputation points Moderator

2022-03-23T19:17:51.14+00:00

Hello @AKS-User ,

TrustedCA (which will be renamed to Custom CA Trust) is gonna enable customers to add multiple CAs they want to trust and it's gonna work per nodepool. Example use case is where customers are behind a proxy firewall and they need access to their private registries to deploy their clusters. This is gonna be achieved with a k8s daemonset which will be handling both initial creation case and periodic updates afterwards.

We don't have a document explaining the exact details yet, as the implementation and testing is still ongoing as per the internal teams

Share via

Add the container registry certs to AKS nodes

0 additional answers

Your answer