stackoom
  简体   繁体   中英

Refer the docker image from another azure container repository (ACR) of different subscription

 原文  2020-08-14 11:41:57       azure/ docker/ kubernetes-pod/ acr

Question

I am trying to pull the docker image in (QA-ACR) of subscription (QA-Subscription) from another Azure Container Registry (DEV-ACR) in subscription (DEV-Subscription).

Below are the steps in detail.

  1. Created the docker image (example: docker-image-sample) in Subscription DEV-Subscription

  2. Created the secret file by using the following command in Subscription DEV-Subscption

    kubectl create secret docker-registry test-secret --docker-server=devsample.azurecr.io --docker-username=**** --docker-password=****

  3. Pod is running in DEV-subscription by referring this secret. below is deployment file

     apiVersion: apps/v1beta1 kind: Deployment metadata: name: test spec: replicas: 2 template: metadata: labels: app: test spec: containers: - image: devsample.azurecr.io/test_msdi:latest imagePullPolicy: Always name: test ports: - containerPort: 443 env: - name: ASPNETCORE_ENVIRONMENT value: dev imagePullSecrets: - name: test-secret

  4. I am trying to pull the docker image from another ACR in different subscription.

  5. Created the same secret here also like above.

  6. Below is the content of the kubernetes deployment file

     apiVersion: apps/v1beta1 kind: Deployment metadata: name: test spec: replicas: 2 template: metadata: labels: app: test spec: containers: - image: devsample.azurecr.io/test_msdi:latest imagePullPolicy: Always name: test ports: - containerPort: 443 env: - name: ASPNETCORE_ENVIRONMENT value: qa imagePullSecrets: - name: test-secret

  7. Pod is failing from another ACR of different subscription. Issue is "Back off pulling the image..."

1 answers

solution1
 0  2020-08-15 16:23:28

Since your using an Azure Container Registry you might find it easier to assign the AKS Service Principal permissions on the container registry rather than rely on passing in credentials using a Kubernetes secret.

$Aks = Get-AzAks -ResourceGroupName QaSubscriptionAksResourceGroup -Name QaSubscriptionAks
New-AzRoleAssignment -ApplicationId $Aks.ServicePrincipalProfile.ClientId -RoleDefinitionName AcrPull -ResourceGroupName DevSubscriptionAcrResourceGroup

You might need to run Select-AzSubscription between the two commands to change from the QA subscription to the DEV subscription. Once that's set up remove

imagePullSecrets:
- name: test-secret

from your deployment file and rerun it.

Depending on how your AKS instances were deployed you might find that the AKS Service Principals already have the AcrPull role assigned within their own subscriptions, if that's the case you can remove imagePullSecrets completely.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question how to pull docker image available in ACR from different subscription and tenant id in Azure Azure ACR task not able to pull the docker image from Azure container registry How can I deploy image to Azure App Service from an ACR which is located in different subscription? Azure Kubernetes cannot pull a image from ACR container How to import all images from an ACR repository to another ACR in different tenant Create Azure container registry to save the docker images and defined the mechanism to remove the older docker images from the ACR Azure App Service Container Images force pulled from Docker Hub instead of ACR Push docker image into azure container registries repository using powershell Azure ACR Tasks API? Have an application running in docker container that needs to to build and push images to ACR Attach Azure Kubernetes Service (AKS) to Azure Container Registry (ACR) without being Subscription Owner
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM