Azure 容器实例 - 连接到不公开访问的 ACR
[英]Azure Container Instances - Connection to ACR that does not public access
问题描述
We need to have ACR exposed only to selected.networks (not All.networks).
我们需要将 ACR 仅公开给 selected.networks(而不是 All.networks)。 How should container instance be configured in order to be able to pull images from ACR?应该如何配置容器实例以便能够从 ACR 中提取图像? We deploy ACI using ARM template.我们使用 ARM 模板部署 ACI。
Full context:完整上下文:
We are building image in Azure DevOps (using microsoft-hosted agent, calling az acr build.. --agent-pool <agentpool-name> . The build is successful, however when we want to create the container instance (using Azure Powershell and ARM template) we get an error that the image is not accessible in the container group.我们正在 Azure DevOps 中构建图像(使用微软托管的代理,调用az acr build.. --agent-pool <agentpool-name> 。构建成功,但是当我们想要创建容器实例时(使用 Azure Powershell 和ARM 模板)我们收到一个错误,指出在容器组中无法访问该图像。
However, when I make ACR accessible by all.networks, everything works, so I guess there must be some ACR setting that would allow to pull image from ACR to ACI using microsoft-agent.但是,当我让 all.networks 可以访问 ACR 时,一切正常,所以我想一定有一些 ACR 设置允许使用 Microsoft 代理将图像从 ACR 拉到 ACI。
1 个解决方案
解决方案1
0 2022-06-20 15:46:25
You can make deploy to Azure Container Instances from Azure Container Registry using a managed identity or service principal您可以使用托管身份或服务主体从 Azure 容器注册表部署到 Azure 容器实例
Only an Azure Kube.netes Service cluster or Azure virtual machine can be used as a host to access a container registry using a service endpoint.只有 Azure Kube.netes 服务集群或 Azure 虚拟机可以作为主机使用服务端点访问容器注册表。 Other Azure services including Azure Container Instances aren't supported.不支持其他 Azure 服务,包括 Azure 容器实例。
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-.net#preview-limitations https://learn.microsoft.com/en-us/azure/container-registry/container-registry-.net#preview-limitations
Other Azure Container Instances limitations:其他 Azure 容器实例限制:
- Currently, only Linux containers are supported in a container group deployed to a virtual.network.目前,部署到 virtual.network 的容器组中仅支持 Linux 个容器。
- To deploy container groups to a su.net, the su.net can't contain other resource types.要将容器组部署到 su.net,su.net 不能包含其他资源类型。 Remove all existing resources from an existing su.net prior to deploying container groups to it, or create a new su.net.在将容器组部署到现有 su.net 之前,从现有 su.net 中删除所有现有资源,或者创建一个新的 su.net。
- You can't use a managed identity in a container group deployed to a virtual.network.您不能在部署到 virtual.network 的容器组中使用托管标识。
- You can't enable a liveness probe or readiness probe in a container group deployed to a virtual.network.您不能在部署到 virtual.network 的容器组中启用活性探测或就绪探测。
- Due to the additional.networking resources involved, deployments to a virtual.network are typically slower than deploying a standard container instance.由于涉及额外的网络资源,部署到虚拟网络通常比部署标准容器实例慢。
- Outbound connection to port 25 is not supported at this time.目前不支持到端口 25 的出站连接。
- If you are connecting your container group to an Azure Storage Account, you must add a service endpoint to that resource.如果要将容器组连接到 Azure 存储帐户,则必须向该资源添加服务终结点。
- IPv6 addresses are not supported at this time.目前不支持 IPv6 地址。
https://learn.microsoft.com/en-us/azure/container-instances/container-instances-virtual.network-concepts#other-limitations https://learn.microsoft.com/en-us/azure/container-instances/container-instances-virtual.network-concepts#other-limitations
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.