参考来自不同订阅的另一个 azure 容器存储库 (ACR) 的 docker 映像
[英]Refer the docker image from another azure container repository (ACR) of different subscription
问题描述
I am trying to pull the docker image in (QA-ACR) of subscription (QA-Subscription) from another Azure Container Registry (DEV-ACR) in subscription (DEV-Subscription).
我正在尝试从订阅(DEV-Subscription)中的另一个 Azure 容器注册表(DEV-ACR)中提取订阅(QA-Subscription)的(QA-ACR)中的 docker 映像。
Below are the steps in detail.下面是详细的步骤。
Created the docker image (example: docker-image-sample) in Subscription DEV-Subscription
在 Subscription DEV-Subscription 中创建了 docker 镜像(例如:docker-image-sample)Created the secret file by using the following command in Subscription DEV-Subscption
在 Subscription DEV-Subscption 中使用以下命令创建了 secret 文件kubectl create secret docker-registry test-secret --docker-server=devsample.azurecr.io --docker-username=**** --docker-password=****Pod is running in DEV-subscription by referring this secret.
Pod 通过引用这个秘密在 DEV 订阅中运行。 below is deployment file下面是部署文件apiVersion: apps/v1beta1 kind: Deployment metadata: name: test spec: replicas: 2 template: metadata: labels: app: test spec: containers: - image: devsample.azurecr.io/test_msdi:latest imagePullPolicy: Always name: test ports: - containerPort: 443 env: - name: ASPNETCORE_ENVIRONMENT value: dev imagePullSecrets: - name: test-secretI am trying to pull the docker image from another ACR in different subscription.
我正在尝试从不同订阅的另一个 ACR 中提取 docker 图像。Created the same secret here also like above.
在这里也像上面一样创建了相同的秘密。Below is the content of the kubernetes deployment file
下面是kubernetes部署文件的内容apiVersion: apps/v1beta1 kind: Deployment metadata: name: test spec: replicas: 2 template: metadata: labels: app: test spec: containers: - image: devsample.azurecr.io/test_msdi:latest imagePullPolicy: Always name: test ports: - containerPort: 443 env: - name: ASPNETCORE_ENVIRONMENT value: qa imagePullSecrets: - name: test-secretPod is failing from another ACR of different subscription.
Pod 从不同订阅的另一个 ACR 失败。 Issue is "Back off pulling the image..."问题是“退出拉动图像......”
1 个解决方案
解决方案1
0 2020-08-15 16:23:28
Since your using an Azure Container Registry you might find it easier to assign the AKS Service Principal permissions on the container registry rather than rely on passing in credentials using a Kubernetes secret.由于您使用的是 Azure 容器注册表,因此您可能会发现在容器注册表上分配 AKS 服务主体权限比依靠使用 Kubernetes 机密传递凭据更容易。
$Aks = Get-AzAks -ResourceGroupName QaSubscriptionAksResourceGroup -Name QaSubscriptionAks
New-AzRoleAssignment -ApplicationId $Aks.ServicePrincipalProfile.ClientId -RoleDefinitionName AcrPull -ResourceGroupName DevSubscriptionAcrResourceGroup
You might need to run Select-AzSubscription between the two commands to change from the QA subscription to the DEV subscription.您可能需要在两个命令之间运行Select-AzSubscription以从 QA 订阅更改为 DEV 订阅。 Once that's set up remove一旦设置删除
imagePullSecrets:
- name: test-secret
from your deployment file and rerun it.从您的部署文件中重新运行它。
Depending on how your AKS instances were deployed you might find that the AKS Service Principals already have the AcrPull role assigned within their own subscriptions, if that's the case you can remove imagePullSecrets completely.根据 AKS 实例的部署方式,您可能会发现 AKS 服务主体已在其自己的订阅中分配了 AcrPull 角色,如果是这种情况,您可以完全删除imagePullSecrets 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.