Kubernetes pod gives image pull error despite docker login to ACR
I have an AKS deployed in Azure and my pod is not able to pull the images from the ACR, the error is ImagePullBackOff, The error is failed to resolve reference "//:": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://riotintoazureregistry.azurecr.io/oauth2/token?scope=repository%3A%3Apull&service=reponame.azurecr.io: 401 Unauthorized
I have tried to do az login, docker login and az acr login from my mac, but this still fails.
Your error indicates an issue with authorization when attempting to pull images from your Azure Container Registry (ACR) Below are few basic checks that you must verify from your end.
- Ensure that you have logged into your ACR
- Make sure you are using the complete ACR path - .azurecr.io/:
- Ensure that there are no network policies or firewall rules preventing your AKS cluster from accessing the ACR.
In-order to push an image to your ACR and then deploy the same to your AKS cluster without any error follow the below steps-:
Obviously you will need an ACR and an AKS cluster , so create one using portal or CLI
az acr create -n <your-prefered-ACR-name> -g <your-resource-group> --sku basic
az aks create -n <your-prefered-AKS-name> -g <your-resource-group> --generate-ssh-keys --attach-acr <the-acr-name-which-you-created-above> #this attaches your acr with your aks
Output:
Once these two things are ready. you can verify the same from portal under your resource group tab:
Now time to import an image inside the ACR: Example:
az acr import -n <the-ACR-name> --source docker.io/library/nginx:latest --image nginx:v1
or docker pull <your-ACR-name>.azurecr.io/samples/nginx
and then tag and push
docker tag mcr.microsoft.com/samples/nginx <your-ACR-name>.azurecr.io/nginx
docker push <your-ACR-name>.azurecr.io/nginx
output:
Now will deploy the same image on the AKS cluster with 2 replicas: verify your aks creds:
az aks get-credentials -g <your-resource-group> -n <your-aks-cluster-name>
Now that you are connected to the cluster, verified the nodes are up and no pods are available at present:
Now I will deploy 2 replicas of this nginx image present in my ACR. For this I will create a yaml file called asen-nginx.yaml and modify the parameters accordingly
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx0-deployment
labels:
app: nginx0-deployment
spec:
replicas: 2 #your choice of replica
selector:
matchLabels:
app: nginx0
template:
metadata:
labels:
app: nginx0
spec:
containers:
- name: nginx
image: <your-acr-name>.azurecr.io/nginx:v1
ports:
- containerPort: 80
and apply the same:
kubectl apply -f <whatever-file-name-you-gave>.yaml
Now when you do kubectl get pods, your pods are running without any image pull error:
Reference document:
MS tutorial to deploy app from acr to aks
MS troubleshooting steps for can't pull images from acr to aks
- Can't access public IP of AKS ingress
- Azure CLI aks install cli permission denied and sudo does not work
- Can I access a container in a pod in an AKS cluster as root?
- Unable to push image to ACR from terraform - could not get auth config (the credentialhelper did not work or was not found):
- Create kubernetes secret for docker registry - Terraform
- No Frameworks Were Found When Deploying Background Service in AKS
- How to execute kubectl commands in HCP?
- How to connect HCP to authenticate to AKS cluster for deploying Helm and K8 resources?
- AKS with application gateway - always 502
- How to set pod system time in the Rancher Edit Yaml setting?
- terraform helm release resource fails but Helm command works
- How to restrict access to Keycloak admin console to a specific IP/IP range?
- Access Forbidden while accessing log in airflow with CeleryExecutor
- AGIC associating rules with defaultaddresspool instead of the newly created pool
- startup exception for aspnet core worker docker container attempting to set secret from env variable in Kubernetes
- AKS Network Policy Manager vs Azure Cilium Network Policies
- Ingress controller does not allow snippets
- AKS - Error from server (Forbidden): User cannot create resource "namespaces" in API group "" at the cluster scope
- Changing Prometheus job label in scraper for cAdvisor breaks Grafana dashboards
- How to disable port probes for AKS LoadBalancer?
- Airflow ERROR - Error authorizing OAuth access token: Invalid JSON Web Key Set. [The request to sign in was denied.]
- build docker image in M1 to deploy in aks cluster
- How do we Look up service-cluster-ip-range in Azure AKS Cluster
- Qdrant Azure private cloud API KEY setup setting not found
- Kubernetes namespace "aks-command"
- During uvicorn startup, child process dies in a Kubernetes cluster
- AKS CrashLoopBackOff for an image working without problem in docker host: logs: error: container containerd://x is not valid for pod flask-app
- secret-inject@azurekeyvault waiting forever
- ActiveMQ Artemis master (primary) pod goes to restart loop after change to shared-store HA option
- MIME type of .mjs files is "text/html" when deploying React (ViteJS) app to Azure Kubernetes