If you try to run the image from AKR (Azure Kubernetes Registry) with the following command in the Azure CLI:
kubectl run nodeapp \
--image=mydanaksacr.azurecr.io/node:v1 \
--port=8080
The output indicates that the pod was created. However, when you check the pod, the result is as follows:
danny@Azure:~/clouddrive$ kubectl get pods
NAME      READY   STATUS         RESTARTS   AGE
nodeapp   0/1     ErrImagePull   0          36s
After I checked the log with kubectl logs on the pod:
danny@Azure:~/clouddrive$ kubectl logs nodeapp
Error from server (BadRequest): container "nodeapp" in pod "nodeapp" is waiting to start: image can't be pulled
The message indicates that the service principal does not have the right to pull the image from AKR.
Here is the solution to the issue. Run the following command in the CLI to grant the service principal the acrpull role:
az role assignment create --assignee "<<service principal ID>>" --role acrpull --scope "<<AKR resource ID>>"
This is the specific example run in the development environment:
az role assignment create --assignee "34d6880e-bc51-416f-b250-b87904390d0c" --role acrpull --scope "/subscriptions/3f2c3687-9d93-45be-a8e0-b8ca6e4f5944/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerRegistry/registries/myDanAksAcr"
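To confirm the grant and check that it stays least-privilege, the following added example (not part of the original post) audits role assignments shaped like the JSON output of `az role assignment list --assignee <id> --all -o json`. The function names, the sample IDs and the set of roles treated as pull-capable are assumptions made for illustration.

```python
import json

# Assumption: built-in roles that include image pull on a registry.
PULL_ROLES = {"AcrPull", "AcrPush", "Contributor", "Owner"}

def covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id`.
    Azure RBAC assignments are inherited by child scopes; IDs compare case-insensitively."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def audit_pull_access(assignments, registry_id):
    """Return (can_pull, findings) for one principal's role assignments."""
    can_pull, findings = False, []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in PULL_ROLES or not covers(scope, registry_id):
            continue
        can_pull = True
        if role != "AcrPull":
            findings.append(f"{role} at {scope} grants more than pull")
        elif scope.rstrip("/").lower() != registry_id.rstrip("/").lower():
            findings.append(f"AcrPull inherited from broader scope {scope}")
    return can_pull, findings

# Constructed sample data: placeholder subscription, resource group and registry.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/ExampleRG"
REGISTRY_ID = RG + "/providers/Microsoft.ContainerRegistry/registries/exampleacr"
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "AcrPull", "scope": REGISTRY_ID},
    {"roleDefinitionName": "Contributor", "scope": RG},
])

if __name__ == "__main__":
    ok, notes = audit_pull_access(json.loads(SAMPLE_JSON), REGISTRY_ID)
    print("can pull:", ok)   # False here corresponds to the ErrImagePull case
    for note in notes:
        print("review:", note)
```

An empty findings list with `can_pull` true means the principal has exactly the acrpull grant on the registry itself, which is what the command above creates.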