
I am trying to pull the docker image in (QA-ACR) of subscription (QA-Subscription) from another Azure Container Registry (DEV-ACR) in subscription (DEV-Subscription).

Below are the steps in detail.

  1. Created the docker image (example: docker-image-sample) in Subscription DEV-Subscription

  2. Created the secret file by using the following command in Subscription DEV-Subscription

    kubectl create secret docker-registry test-secret --docker-server=devsample.azurecr.io --docker-username=**** --docker-password=****
    
  3. Pod is running in DEV-Subscription by referring to this secret. Below is the deployment file

     apiVersion: apps/v1beta1
     kind: Deployment
     metadata:
       name: test  
     spec:
       replicas: 2
       template:
         metadata:
           labels:
             app: test
         spec:
           containers:
           - image: devsample.azurecr.io/test_msdi:latest
             imagePullPolicy: Always
             name: test
             ports:
             - containerPort: 443
             env:
             - name: ASPNETCORE_ENVIRONMENT
               value: dev
           imagePullSecrets:
           - name: test-secret
    
  4. I am trying to pull the docker image from another ACR in different subscription.

  5. Created the same secret here also like above.

  6. Below is the content of the Kubernetes deployment file

     apiVersion: apps/v1beta1
     kind: Deployment
     metadata:
       name: test  
     spec:
       replicas: 2
       template:
         metadata:
           labels:
             app: test
         spec:
           containers:
           - image: devsample.azurecr.io/test_msdi:latest
             imagePullPolicy: Always
             name: test
             ports:
             - containerPort: 443
             env:
             - name: ASPNETCORE_ENVIRONMENT
               value: qa
           imagePullSecrets:
           - name: test-secret
    
  7. Pod is failing from another ACR of different subscription. Issue is "Back off pulling the image ..."

1 Answer


Since you're using an Azure Container Registry, you might find it easier to assign the AKS Service Principal permissions on the container registry rather than rely on passing in credentials using a Kubernetes secret.

    $Aks = Get-AzAks -ResourceGroupName QaSubscriptionAksResourceGroup -Name QaSubscriptionAks
    New-AzRoleAssignment -ApplicationId $Aks.ServicePrincipalProfile.ClientId -RoleDefinitionName AcrPull -ResourceGroupName DevSubscriptionAcrResourceGroup

You might need to run Select-AzSubscription between the two commands to change from the QA subscription to the DEV subscription. Once that's set up remove

    imagePullSecrets:
    - name: test-secret

from your deployment file and rerun it.

Depending on how your AKS instances were deployed, you might find that the AKS Service Principals already have the AcrPull role assigned within their own subscriptions. If that's the case, you can remove imagePullSecrets completely.
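
The cross-subscription assignment described in the answer above, written out end to end as an added example (not the answerer's code). It narrows the grant from the whole resource group to the single registry and skips the assignment when AcrPull already applies. It assumes both subscriptions are in the same Azure AD tenant, that you are signed in with `Connect-AzAccount` and may assign roles in DEV-Subscription, and that the registry resource is named `devsample` (taken from `devsample.azurecr.io`).

```powershell
# Added example. Subscription, resource group and cluster names come from the
# question and answer above; the registry name 'devsample' is an assumption
# derived from the login server devsample.azurecr.io.
$ErrorActionPreference = 'Stop'

$qaSubscription  = 'QA-Subscription'
$devSubscription = 'DEV-Subscription'

# 1. In the QA subscription, read the identity the AKS cluster uses to pull images.
Select-AzSubscription -Subscription $qaSubscription | Out-Null
$aks      = Get-AzAks -ResourceGroupName QaSubscriptionAksResourceGroup -Name QaSubscriptionAks
$clientId = $aks.ServicePrincipalProfile.ClientId

# Clusters created with a managed identity report 'msi' here instead of an
# application ID; the role then has to go to the kubelet identity instead.
if ([string]::IsNullOrEmpty($clientId) -or $clientId -eq 'msi') {
    throw 'Cluster uses a managed identity, not a service principal; grant AcrPull to its kubelet identity.'
}

# 2. Switch to the DEV subscription and resolve the registry's resource ID.
Select-AzSubscription -Subscription $devSubscription | Out-Null
$acr = Get-AzContainerRegistry -ResourceGroupName DevSubscriptionAcrResourceGroup -Name devsample

# 3. Grant AcrPull on the registry only (least privilege), unless the role
#    already applies at this scope, directly or inherited from a parent scope.
$existing = Get-AzRoleAssignment -ServicePrincipalName $clientId `
                                 -RoleDefinitionName AcrPull `
                                 -Scope $acr.Id
if (-not $existing) {
    New-AzRoleAssignment -ApplicationId $clientId `
                         -RoleDefinitionName AcrPull `
                         -Scope $acr.Id | Out-Null
}

# 4. List every role the cluster identity holds on the registry, so a broader
#    grant than AcrPull (for example AcrPush or Contributor) is visible.
Get-AzRoleAssignment -ServicePrincipalName $clientId -Scope $acr.Id |
    Select-Object RoleDefinitionName, Scope
```

Once the pods pull through the role assignment, the `test-secret` secret holding the registry username and password is no longer needed in the QA cluster and can be deleted.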