0

I am trying to pull images from my Azure Container Registry:

 sudo microk8s ctr --debug images pull redacted.azurecr.io/acs/service:2.24.2

but I keep getting this error:

ctr: failed to resolve reference "redacted.azurecr.io/acs/service:2.24.2": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized

Here's my containerd-template.toml config:

version = 2

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io", ]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:32000"]
    endpoint = ["http://localhost:32000"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."redacted.azurecr.io"]
    endpoint = ["https://redacted.azurecr.io"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."redacted.azurecr.io".auth]
    username = "redacted"
    password = "redacted"

By adding the username:password to the terminal command I am able to download the image, so I am sure the username and password are correct. It looks like the configuration from the config file is not being picked up (I did do microk8s stop and microk8s start after editing the config file).

sudo microk8s ctr --debug images pull redacted.azurecr.io/acs/service:2.24.2 -u redacted:redacted
brechtvhb

2 Answers

0

Please ensure that microk8s was restarted after changing the containerd-template.toml.

MicroK8s v1.14 and onwards uses containerd. As described here, users should be aware of the secure registry and the credentials needed to access it. As shown above, configuring containerd involves editing /var/snap/microk8s/current/args/containerd-template.toml and reloading the new configuration via a microk8s stop, microk8s start cycle.

[Reference]

You can review the following for similar issues:
https://github.com/containerd/cri/issues/1482
https://github.com/ubuntu/microk8s/issues/990
https://github.com/containerd/containerd/issues/4920

Dharman
Srijit_Bose-MSFT
0

In the end I solved it by adding a docker secret and patching the service account to use the pull secret as default:

microk8s kubectl create secret docker-registry acr-token --docker-server=**redacted** --docker-username="**redacted**" --docker-password="**redacted**" --namespace **redacted**

microk8s kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "acr-token"}]}' --namespace **redacted**
brechtvhb
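An added example, not part of the answer above and not MicroK8s or Kubernetes project code: it builds a Secret with the layout that `kubectl create secret docker-registry` writes, decodes it again to show what the Secret holds, and produces the service-account patch body used above. The registry name, namespace and credentials are constructed sample values.

```python
import base64
import json

def build_pull_secret(name, namespace, server, username, password):
    """Manifest with the layout `kubectl create secret docker-registry` writes."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username,
                                 "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(config).encode()).decode()},
    }

def registry_logins(secret):
    """Return {server: username} from a pull secret.

    The payload is base64-encoded, not encrypted: anyone who can read the
    Secret can recover the registry password the same way.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a docker-registry pull secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    logins = {}
    for server, entry in json.loads(raw)["auths"].items():
        user = entry.get("username")
        if user is None and "auth" in entry:  # some tools store only "auth"
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        logins[server] = user
    return logins

def service_account_patch(secret_name):
    """JSON body for `kubectl patch serviceaccount default -p ...`."""
    return json.dumps({"imagePullSecrets": [{"name": secret_name}]})

if __name__ == "__main__":
    # Constructed sample values, not the poster's registry or credentials.
    secret = build_pull_secret("acr-token", "demo", "example.azurecr.io",
                               "pull-user", "constructed-password")
    print(json.dumps(secret, indent=2))       # usable with kubectl apply -f
    print(registry_logins(secret))
    print(service_account_patch("acr-token"))
```

Since the stored credential is recoverable by anyone with read access to Secrets in that namespace, a pull-only registry credential limits what such a reader gains.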