azure-key-vault-to-kubernetes: [BUG] when using aad-pod-identity, env-injector fail to pull image from ACR
Note: Make sure to check out known issues (https://github.com/sparebankenvest/azure-key-vault-to-kubernetes#known-issues) before submitting
Your question Does the env-injector use some custom mechanism to authenticate with a private docker registry to inspect the image in order to overwrite the entrypoint or cmd? I’m having some issues where the env-injector container is showing logs where it attempts to pull the image from ACR but it fails.
To Reproduce If question relates to a certain behavior, describe steps to reproduce: I’m using AKS + Azure Container Registry with a service principle authentication mechanism that allows me to spin up containers in AKS available in my private registry (ACR). The original pod itself was deployed successfully and i can verify that the AKS cluster has the necessary permission to pull images from ACR. However, I’ve noticed that not env-injector debug logs were showing up in my container so i poked around the env-injector container and noticed some error messages related to it’s inability to pull docker images from ACR
Logs
Here is the command I am running to find that information:
$ kubectl logs -n akv2k8s azure-key-vault-env-injector-5458b4bc9d-njxrz -c azure-key-vault-env-injector
Here are the logs indicating the problem mentioned:
time="2020-03-27T19:43:58Z" level=info msg="found pod to mutate in namespace 'argo'"
time="2020-03-27T19:43:58Z" level=info msg="found container 'api-test' to mutate"
time="2020-03-27T19:43:58Z" level=info msg="checking for env vars containing '@azurekeyvault' in container api-test"
time="2020-03-27T19:43:58Z" level=info msg="found env var: db-connection-string@azurekeyvault"
time="2020-03-27T19:43:58Z" level=info msg="did not find credentials to use with registry '****.azurecr.io' - getting default credentials"
time="2020-03-27T19:43:58Z" level=info msg="failed to read azure.json to get default credentials, error: open /etc/kubernetes/azure.json: no such file or directory"
time="2020-03-27T19:43:58Z" level=info msg="pulling docker image ***.azurecr.io/***:latest to get entrypoint and cmd, timeout is 120 seconds"
2020/03/27 19:43:59 [ERROR] admission webhook error: failed to get auto cmd, error: failed to pull docker image '****.azurecr.io/***:latest', error: Error response from daemon: Get https://****.azurecr.io/v2/***/manifests/latest: unauthorized: authentication required
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 89 (7 by maintainers)
Commits related to this issue
- fixed issue #55 where auth with acs was not working — committed to SparebankenVest/azure-key-vault-to-kubernetes by torresdal 4 years ago
looks like it works 😃 … I have not done anything really other than reinstallng injectior and my sample app. And I have done this at least 5 times yesterday 😃. Ok, now, I was using version 1.6
@torresdal I’ve tried the second option you’ve mentioned but doesn’t seem to work.
Here are the steps I took:
akv2k8snamespace.azure-key-vault-env-injectorservice account to inject theimagePullSecretsin every pod.env-injectorpods and verified that theimagePullSecretsinformation was correct.env-injectorpod for logs.I got the same error I was getting before.
I think the reason why this doesn’t work is because the env-injector pod is trying to pull the image from within application code ? Therefore the
imagePullSecretsthat i’ve configured does not take effect on that request to the private registry.I might just use the controller sync mechanism for now until we fix this.
I’m not sure on the effort to fix this but if you have any ideas how to easily fix this I might be able to convince some of the Go devs on our team to help you get that done.
I can confirm that the latest beta works for me as well 👍
We’ve removed explicit support for aad-pod-identity (the
podIdentitySelectionoption no longer exist), meaning you should just use labels, as you do with any other pod.autoInjectdoes not exist either, as there is no longer any need for it (longer story).But even if you set all this correctly, I think it will fail, because it will still try to use the authservice, but you don’t want in your case… I’ll look at this shortly and provide an option for not using the authservice.
Long story short: we need to provide you with an option to not use the authservice.
I will try it later today. I have a question - do I need to do any extra configuration for ACR other than creating AcrPull role assignment. And maybe some extra specific config for AKS other than creating it using managed identity
The official version with this fix is image
1.1.6the latest helm charts are also updated.I’m sorry, it did actually work!
Here is last part of the log:
Why I thought it didn’t work was because there was ErrImagePull error some time, and I checked the events and I read it carelessly that it fetched the image from the spvest registry after failing, but that is the initContainer!
and events said:
Great work, thank you so much!
and this is what I get in \etc\kubernetes\azure.json on the node
@VpavlovLumedic I believe this should now work in v1.1.0
Thanks @pvmraghunandan. The bug is still there though, when not using
imagePullSecrets, so I’m working on fixing that before releasing…Thanks for taking the time to test @pvmraghunandan. I looked through the code once more, and there is an issue indeed. When looking for credentials to use for image registries, it does not take into account using custom auth. I’ll patch this asap and get the 1.1.0 version out the door. Thanks.