1

I'm using Minikube for development and I need to build a k8s app that pulls all images from ACR; all images are already stored on ACR.

To pull images from Azure, what I need to do is create a secret with the user and password of the Azure account and pass this secret to every image that I want to pull using imagePullSecrets (documentation here).

Is there a way to add this registry as a global setting for the namespace, or the project? I don't understand why every image needs to get the secret implicitly in the spec.

Edit: Thanks for the comments, I'll check them later. For now I resolved this problem at the Minikube level: there is a way to set a private registry in Minikube (doc here).

In my version this bug exists, and this answer resolves the problem.

m_g
  • I guess this shall help https://stackoverflow.com/questions/58448317/unable-to-pull-new-image-with-aks-and-acr/58449054#58449054 – Tushar Mahajan Dec 07 '20 at 05:52
  • Do you still work on it? Any more updates on this question? Does it solve your problem? – Charles Xu Dec 22 '20 at 01:56
  • I edited my post; it's done by the minikube registry addon – m_g Dec 22 '20 at 13:16
  • According to the link you provided, it also uses the secret to pull the image; the difference is that Minikube sets it for you. In fact, nothing is different. – Charles Xu Dec 29 '20 at 07:29

3 Answers

0

As far as I know, if you do not use K8s in Azure, I mean the Azure Kubernetes Service, then there are two ways I know to pull the images from ACR. One is the way you know, using the secrets. Another is to use the service account, but you also need to configure it in each deployment or pod the same way as the secrets.

If you use the Azure Kubernetes Service, then you just need to assign the AcrPull role to the service principal of the AKS, and then you need to set nothing for each image.

Charles Xu
0

You can add imagePullSecrets to a service account (e.g. to the default serviceaccount).

It will automatically add imagePullSecrets to the spec of any pod that is assigned this specific (e.g. default) serviceaccount, so you don't have to do it explicitly.

You can do it by running:

    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "myregistrykey"}]}'

You can verify it with:

    $ kubectl run nginx --image=nginx --restart=Never
    $ kubectl get pod nginx -o=jsonpath='{.spec.imagePullSecrets[0].name}{"\n"}'
    myregistrykey

Also check out the k8s docs: add-image-pull-secret-to-service-account.

Matt
0

In my case, I had a local Minikube installed in order to test my charts and my code locally. I tried most of the solutions suggested here and in other Stack Overflow posts, and the following are the options I found:

  1. Move the image from the local Docker registry to Minikube's registry and set the pullPolicy to Never or IfNotPresent in your chart.
    docker build . -t my-docker-image:v1
    
    minikube image load my-docker-image:v1
    
    $ minikube image list
    rscoreacr.azurecr.io/decibel:0.0.1
    k8s.gcr.io/pause:3.5
    k8s.gcr.io/kube-scheduler:v1.22.3
    k8s.gcr.io/kube-proxy:v1.22.3
    ...

    ## Now edit your chart and change the `pullPolicy`.
    helm install my-name chart/ ## should work.

I think that the main disadvantage of this option is that you need to change your chart and remember to change the values to their previous value.

  2. Create a secret that holds the credentials to the ACR.

First log in to the ACR via:

    az acr login --name my-registry.azurecr.io --expose-token

The output of the command should show you a user and an access token.

Now you should create a Kubernetes secret (make sure that you are on the right Kubernetes context, Minikube):

    kubectl create secret docker-registry my-azure-secret --docker-server=my-registry.azurecr.io --docker-username=<my-user> --docker-password=<access-token>

Now, if your chart uses the default service account (when you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace), you should edit the service account via the following command:

    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "my-azure-secret"}]}'

I didn't like this option because if I have a different secret provider for every helm chart I need to overwrite the yaml with the imagePullSecrets.

  3. Another alternative you have is using Minikube's registry creds.

Personally, the solution I went for is the first solution with a tweak: instead of adding the pullPolicy in the YAML itself, I overwrite it when I install the chart:

    $ helm install --set image.pullPolicy=IfNotPresent <name> charts/
halfer
JeyJ
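As an added example (not code from any of the answers above), this Python script rebuilds the shape of the object that `kubectl create secret docker-registry` stores and the patch body passed to `kubectl patch serviceaccount`, then decodes the secret again to show what a reader of the Secret can recover. The registry name follows the placeholder used above; the user and token values are constructed.

```python
import base64
import json

# Constructed sample values; none of these are real credentials.
REGISTRY = "my-registry.azurecr.io"   # placeholder registry name from the answer
USERNAME = "my-user"                  # constructed placeholder
TOKEN = "constructed-access-token"    # constructed placeholder


def build_pull_secret(name, server, username, password):
    """Return a Secret shaped like the one `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {"auths": {server: {"username": username,
                                        "password": password,
                                        "auth": auth}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


def recover_credentials(secret):
    """Decode a pull secret the way anyone with read access to it can."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw)["auths"]
    return {server: (entry["username"], entry["password"])
            for server, entry in auths.items()}


def service_account_patch(secret_name):
    """Return the JSON body given to `kubectl patch serviceaccount <name> -p`."""
    return json.dumps({"imagePullSecrets": [{"name": secret_name}]})


if __name__ == "__main__":
    secret = build_pull_secret("my-azure-secret", REGISTRY, USERNAME, TOKEN)
    print(json.dumps(secret, indent=2))
    print(service_account_patch("my-azure-secret"))
    print(recover_credentials(secret))
```

The `data` field is base64-encoded, not encrypted, so read access to Secrets in the namespace is equivalent to holding the registry token. Attaching the secret to the default service account also means every pod that runs under that account pulls with the same credential.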