Reputation: 131
Refer the docker image from another azure container repository (ACR) of different subscription
I am trying to pull the docker image in (QA-ACR) of subscription (QA-Subscription) from another Azure Container Registry (DEV-ACR) in subscription (DEV-Subscription).
Below are the steps in detail.
Created the docker image (example: docker-image-sample) in Subscription DEV-Subscription
Created the secret file by using the following command in Subscription DEV-Subscption
kubectl create secret docker-registry test-secret --docker-server=devsample.azurecr.io --docker-username=**** --docker-password=****Pod is running in DEV-subscription by referring this secret. below is deployment file
apiVersion: apps/v1beta1 kind: Deployment metadata: name: test spec: replicas: 2 template: metadata: labels: app: test spec: containers: - image: devsample.azurecr.io/test_msdi:latest imagePullPolicy: Always name: test ports: - containerPort: 443 env: - name: ASPNETCORE_ENVIRONMENT value: dev imagePullSecrets: - name: test-secretI am trying to pull the docker image from another ACR in different subscription.
Created the same secret here also like above.
Below is the content of the kubernetes deployment file
apiVersion: apps/v1beta1 kind: Deployment metadata: name: test spec: replicas: 2 template: metadata: labels: app: test spec: containers: - image: devsample.azurecr.io/test_msdi:latest imagePullPolicy: Always name: test ports: - containerPort: 443 env: - name: ASPNETCORE_ENVIRONMENT value: qa imagePullSecrets: - name: test-secretPod is failing from another ACR of different subscription. Issue is "Back off pulling the image ..."
Upvotes: 0
Views: 371
Answers (1)
Reputation: 1469
Since your using an Azure Container Registry you might find it easier to assign the AKS Service Principal permissions on the container registry rather than rely on passing in credentials using a Kubernetes secret.
$Aks = Get-AzAks -ResourceGroupName QaSubscriptionAksResourceGroup -Name QaSubscriptionAks
New-AzRoleAssignment -ApplicationId $Aks.ServicePrincipalProfile.ClientId -RoleDefinitionName AcrPull -ResourceGroupName DevSubscriptionAcrResourceGroup
You might need to run Select-AzSubscription between the two commands to change from the QA subscription to the DEV subscription. Once that's set up remove
imagePullSecrets:
- name: test-secret
from your deployment file and rerun it.
Depending on how your AKS instances were deployed you might find that the AKS Service Principals already have the AcrPull role assigned within their own subscriptions, if that's the case you can remove imagePullSecrets completely.
Upvotes: 0
Related Questions
- AKS. Can't pull image from an acr
- How to import all images from an ACR repository to another ACR in different tenant
- Getting "unauthorized: authentication required" when pulling ACR images from Azure Kubernetes Service
- Do multiple pods in Kubernetes pull the same image
- Azure DevOps yaml: push docker image to different ACRs
- Pulling docker images from gov cloud when we are working in commercial cloud in Azure and vice-versa
- How to pull ACR image from k3s pods
- How can I deploy image to Azure App Service from an ACR which is located in different subscription?
- I can't make Kubernetes in AKS to pull the images from a private docker registry in Azure
- Not able to container images from ACR to Minikube vm