Showing posts with label Azure CLI. Show all posts

Saturday, February 20, 2021

how to fix "Error from server (BadRequest): container "nodeapp" in pod "nodeapp" is waiting to start: trying and failing to pull image"?

If you try to run an image from AKR (Azure Kubernetes Registry) with the following command in the Azure CLI:

kubectl run nodeapp \
  --image=mydanaksacr.azurecr.io/node:v1 \
  --port=8080

The output indicates that the pod was created. However, when you check the pod, the result is as below:

danny@Azure:~/clouddrive$ kubectl get pods
NAME      READY   STATUS         RESTARTS   AGE
nodeapp   0/1     ErrImagePull   0          36s


After I checked the log with kubectl logs on the pod:

danny@Azure:~/clouddrive$ kubectl logs nodeapp
Error from server (BadRequest): container "nodeapp" in pod "nodeapp" is waiting to start: image can't be pulled

The message indicates that the service principal does not have the right to pull the image from AKR.

Here is the solution: run the following command in the CLI to assign the acrpull role to the service principal.

az role assignment create --assignee "<<service principal ID>>" --role acrpull --scope "<<AKR resource ID>>"

This is the specific example run in the development environment:

az role assignment create --assignee "34d6880e-bc51-416f-b250-b87904390d0c" --role acrpull --scope "/subscriptions/3f2c3687-9d93-45be-a8e0-b8ca6e4f5944/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerRegistry/registries/myDanAksAcr"
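
To confirm the assignment took effect, or to see why a pull still fails, the following added example (not part of the original post) evaluates the JSON printed by `az role assignment list --assignee "<<service principal ID>>" --all --output json`. The function names, the role sets and the sample IDs are assumptions constructed for illustration.

```python
# Roles that include image pull (assumed list; Contributor and Owner also
# grant far more than a cluster needs for pulling images).
PULL_ROLES = {"acrpull", "acrpush", "contributor", "owner"}
BROAD_ROLES = {"contributor", "owner"}

# Constructed IDs and assignments, shaped like the CLI's JSON output.
RG = ("/subscriptions/00000000-0000-0000-0000-000000000000"
      "/resourceGroups/MyResourceGroup")
REGISTRY = RG + "/providers/Microsoft.ContainerRegistry/registries/myDanAksAcr"
SAMPLE = [
    {"principalId": "aaaa", "roleDefinitionName": "AcrPull", "scope": REGISTRY},
    {"principalId": "bbbb", "roleDefinitionName": "AcrPull", "scope": REGISTRY + "2"},
    {"principalId": "cccc", "roleDefinitionName": "Contributor", "scope": RG},
]

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id`."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    # Require a path boundary so ".../myDanAksAcr" does not cover ".../myDanAksAcr2".
    return r == s or r.startswith(s + "/")

def pull_access(assignments, principal_id, registry_id):
    """Return (can_pull, findings) for one principal and one registry."""
    can_pull, findings = False, []
    for a in assignments:
        role = a["roleDefinitionName"].lower()
        if a["principalId"].lower() != principal_id.lower():
            continue
        if role not in PULL_ROLES or not scope_covers(a["scope"], registry_id):
            continue
        can_pull = True
        if role in BROAD_ROLES:
            findings.append(
                f"{a['roleDefinitionName']} at {a['scope']} exceeds acrpull")
    return can_pull, findings

if __name__ == "__main__":
    for pid in ("aaaa", "bbbb", "cccc"):
        print(pid, pull_access(SAMPLE, pid, REGISTRY))
```

A principal that can pull only through Contributor or Owner at a wider scope is reported, since acrpull scoped to the registry is enough for the cluster.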



Monday, July 13, 2020

how to setup Azure Kubernetes Service cluster and configure Kubernetes dashboard with AZ CLI?

It is very easy to create and run an AKS cluster with a few AZ CLI commands.

1. create a resource group for AKS

az group create --name dan-aks-rg --location eastus

2. create an AKS cluster

az aks create --resource-group dan-aks-rg --name dan-cluster

3. get the credentials for the cluster; this will download the credentials and store them in the config file under this path: C:\Users\admin\.kube

az aks get-credentials --resource-group dan-aks-rg --name dan-cluster

4. install the Kubernetes cli utility

az aks install-cli

5. install Kubernetes dashboard

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

6. Access the dashboard. There are two ways to access the Kubernetes dashboard.
From AZ CLI:

az aks browse --resource-group dan-aks-rg --name dan-cluster

It will automatically launch in the web browser:

http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/


Or we can use kubectl proxy to access the Kubernetes Dashboard UI. Type kubectl proxy in the CMD window and hit Enter, then open Chrome and paste the following URL into the address bar to launch the Kubernetes dashboard.

kubectl proxy 

http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/overview?namespace=default

7. Troubleshooting tips

If you see an empty Kubernetes dashboard with a warning message such as
"secrets is forbidden: User "clusterUser" cannot list resource "secrets" in API group "" in the namespace "default""

it is a permission issue. You can resolve it with the following steps; replace clusterUser with the specific name shown in your error message.

kubectl delete clusterrolebinding kubernetes-dashboard

kubectl delete clusterrolebinding kubernetes-dashboard -n kube-system

kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard --user=clusterUser

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#-em-clusterrolebinding-em-

Friday, February 21, 2020

how to get an access token and use the token to access key vault to load secret from Azure CLI (Bash)?

First, I create an Azure key vault with the following az command:

az keyvault create --resource-group myResource-rg --name mykeyvault 

Second, I can store the secret (for example, a password) in the key vault:

az keyvault secret set --name dbpassword --vault-name mykeyvault --description "database password" --value "mysecretpassord"


The third step is to generate the access token to access the key vault:

access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H "Metadata: true" --silent | jq -r '.access_token')

The final step is to use the token to load the password out of the key vault
(dbpassword is the name of the secret set in the key vault, mykeyvault is the name of the key vault that I had set up in Azure):

db_password=$(curl "https://mykeyvault.vault.azure.net/secrets/dbpassword?api-version=2016-10-01" -H "Authorization: Bearer $access_token" --silent | jq -r '.value')
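
With the curl and jq pipeline above, a failed request leaves the literal string "null" in the variable. The following added example (not part of the original post) performs the same two calls and raises instead; it assumes it runs on an Azure VM with a managed identity that may read the vault, and the function names and the injectable `fetch` parameter are illustrative.

```python
import json
import time
import urllib.parse
import urllib.request

IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
VAULT_RESOURCE = "https://vault.azure.net"

def http_get(url, headers):
    """Default transport; a stub with the same signature can replace it."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def token_url():
    """Build the same IMDS URL as the curl command, with the resource encoded."""
    query = urllib.parse.urlencode(
        {"api-version": "2018-02-01", "resource": VAULT_RESOURCE})
    return f"{IMDS_URL}?{query}"

def get_token(fetch=http_get, now=time.time):
    """Fetch a Key Vault token from IMDS and validate it before use."""
    doc = json.loads(fetch(token_url(), {"Metadata": "true"}))
    token = doc.get("access_token")
    if not token or doc.get("token_type") != "Bearer":
        raise RuntimeError("IMDS returned no bearer token")
    if doc.get("resource") != VAULT_RESOURCE:
        raise RuntimeError("token was issued for a different resource")
    if int(doc.get("expires_on", 0)) <= now():
        raise RuntimeError("token is already expired")
    return token

def get_secret(vault, name, fetch=http_get, now=time.time):
    """Read one secret value; raise rather than hand back an empty result."""
    token = get_token(fetch, now)
    url = (f"https://{vault}.vault.azure.net/secrets/{name}"
           "?api-version=2016-10-01")
    doc = json.loads(fetch(url, {"Authorization": f"Bearer {token}"}))
    if "value" not in doc:
        detail = doc.get("error", {}).get("message", "no value in response")
        raise RuntimeError(f"Key Vault read failed: {detail}")
    return doc["value"]
```

On the VM, `get_secret("mykeyvault", "dbpassword")` returns the stored value; keep it in memory and out of logs and shell history.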

how to revoke the disk access in the Azure Replication?

After I completed a lab on Site Recovery with Azure Replication, I encountered an error when I tried to clean up the resource.

 "There is an active shared access signature outstanding for disk molvm_disk1_6fd65a43abc14b58857b6beba271a17a-ASRReplica. Call EndGetAccess before attaching or deleting the disk. Learn more here: aka.ms/revokeaccessapi."


The error stems from the disk having shared read access enabled for replication.

After I ran the following command in Azure CLI, I could successfully remove the resource.

az disk revoke-access --name MyManagedDisk --resource-group MyResourceGroup

for more information, please view the link below

https://docs.microsoft.com/de-de/cli/azure/disk?view=azure-cli-latest#az-disk-revoke-access


Tuesday, February 4, 2020

Azure CLI helpful tips

1. Use -h with az group to show all available options for the command.

C:\Users>az group -h

Group
    az group : Manage resource groups and template deployments.

Subgroups:
    deployment : Manage Azure Resource Manager deployments.
    lock       : Manage Azure resource group locks.

Commands:
    create     : Create a new resource group.
    delete     : Delete a resource group.
    exists     : Check if a resource group exists.
    export     : Captures a resource group as a template.
    list       : List resource groups.
    show       : Gets a resource group.
    update     : Update a resource group.
    wait       : Place the CLI in a waiting state until a condition of the resource group is met.


2. Use az interactive to work in interactive mode.

It is a very cool feature to use, even though it is in preview mode. It supports IntelliSense and shows autocomplete suggestions as you type.

3. Use the --output flag to format the output display.
When you list all accounts using az account list, the output will be in JSON format.

We can use tsv to show the result as tab-separated columns.

az account list --output tsv