-1

I have an issue with AKS: Kubernetes cannot pull the image from the ACR. It shows the message "unauthorized: authentication required". I already set permissions on the ACR for the AKS Service Principal. It had worked fine until today, when I proceeded to update the pod with a new container from the ACR.

micahmckittrick

3 Answers

0

According to the message you provided, the possible reason that I can think of is authorization expiry. You can check whether your service principal's authorization has expired.

Other than this, I recommend you also check that everything else is OK; see the authentication with ACR for AKS here. This can avoid the wrong action.

Charles Xu
  • Thanks. The SP automatically created by Azure for the AKS already has the AcrPull role in the ACR. On the other hand, checking the AKS SP in the AD, it has nothing set in Certificates & secrets; could that be a reason for the unauthorized error? – Jesús A. Odreman Sep 18 '19 at 16:29
  • I added a secret to the SP of AKS, then I deleted the pod to force pulling the image from the ACR; the message is the same... "Failed to pull image ....unauthorized: authentication required" – Jesús A. Odreman Sep 18 '19 at 18:45
  • I followed both configurations recommended [here](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-aks?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Faks%2FTOC.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Fbread%2Ftoc.json) and the issue still persists. – Jesús A. Odreman Sep 18 '19 at 23:29
  • By the way, the AKS version is 1.12.6. – Jesús A. Odreman Sep 18 '19 at 23:33
  • @JesúsA.Odreman Did you create the role assignment for the SP of AKS? When the AKS is created, its SP does not have the permission of the ACR. So you need to assign the role yourself. – Charles Xu Sep 19 '19 at 07:05
  • Hi @Charles Xu, Yes I did it, but still not working. – Jesús A. Odreman Sep 19 '19 at 15:37
  • I found this message in the Kubernetes dashboard, in the Deployment that cannot pull the image from ACR: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/xxxx-xx/resourceGroups/MC_nevula-kuber-cluster-02_nevula-kuber-cluster-02_centralus/providers/Microsoft.Network/loadBalancers?api-version=2017-09-01: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: {"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired.\r\n – Jesús A. Odreman Sep 19 '19 at 15:41
0

The SP already has authorization to pull images from the ACR.

I followed the post here and now the AKS is able to pull images from ACR. When I created the AKS, its SP didn't have secrets or certificates set, but it had been working fine for 12 months; suddenly AKS now needs to have a secret in its SP to authenticate against the ACR.

Thanks...
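The AADSTS7000222 error quoted in the comments points at an expired client secret, so a check for service principal secrets that have expired or are about to is worth running before the next image pull fails. The following is an added example, not code from any of the posters; the JSON field names (`endDateTime`, or `endDate` on older CLI versions), the sample data and the function names are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of
# `az ad sp credential list --id <servicePrincipalID> -o json`.
# Assumption: the expiry field is endDateTime (newer CLI) or endDate (older CLI).
SAMPLE = """[
  {"keyId": "key-1", "endDateTime": "2019-09-17T10:00:00Z"},
  {"keyId": "key-2", "endDate": "2019-10-01T10:00:00.123456+00:00"},
  {"keyId": "key-3", "endDateTime": "2020-09-18T10:00:00Z"}
]"""


def parse_ts(value):
    """Parse an ISO 8601 timestamp into an aware UTC datetime."""
    # Drop fractional seconds and map a trailing Z to an explicit offset.
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def classify(creds, now, warn_days=30):
    """Map each credential's keyId to 'expired', 'expiring', 'ok' or 'unknown'."""
    states = {}
    for cred in creds:
        key_id = cred.get("keyId", "<no keyId>")
        end = cred.get("endDateTime") or cred.get("endDate")
        if not end:
            states[key_id] = "unknown"
        elif parse_ts(end) <= now:
            states[key_id] = "expired"
        elif parse_ts(end) - now <= timedelta(days=warn_days):
            states[key_id] = "expiring"
        else:
            states[key_id] = "ok"
    return states


def needs_rotation(creds, now, warn_days=30):
    """True when no secret remains valid beyond the warning window."""
    return "ok" not in classify(creds, now, warn_days).values()


if __name__ == "__main__":
    now = datetime(2019, 9, 18, 16, 29, tzinfo=timezone.utc)  # constructed "now"
    for key_id, state in classify(json.loads(SAMPLE), now).items():
        print(f"{key_id}: {state}")
```

To run it against a real cluster's service principal, replace `SAMPLE` with the JSON printed by `az ad sp credential list --id <servicePrincipalID> -o json` and pass the current UTC time as `now`.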

0

Using this workaround did the job:

```
az role assignment create --assignee <servicePrincipalID> --scope <registryID> --role acrpull
```

KristofMols