Unable to download from anonymous Azure Container Registry with containerd #82043

@awesomenix


What happened:

The problem is that

cfg["*.azurecr.*"] = credentialprovider.DockerConfigEntry{

It seems that an empty username and password for AuthConfig is updated for azurecr, instead of not having an entry, which would keep a nil auth context.

But according to the code

creds, withCredentials := keyring.Lookup(repoToPull)
this sends an empty AuthConfig since we update the structure with empty creds, which containerd doesn’t like

So instead of sending this

imageRef, err := m.imageService.PullImage(imgSpec, nil, podSandboxConfig)

we end up sending this

imageRef, err := m.imageService.PullImage(imgSpec, auth, podSandboxConfig)

with an empty auth context.

https://github.com/containerd/cri/blob/6dc2a874470f7489217a7c757da258356b92bfdb/pkg/server/image_pull.go#L190

which matches this error

Aug 27 16:39:37 containerd[4953]: time="2019-08-27T16:39:37.609386516Z" level=error msg="PullImage "repos.azurecr.io/mirror/download-amd64:v1" failed" error="failed to resolve image "repos.azurecr.io/mirror/download-amd64:v1": no available registry endpoint: invalid auth config"

What you expected to happen:

Containerd should successfully download from anonymous ACR

How to reproduce it (as minimally and precisely as possible):

Use kubelet to download a pod from an anonymous ACR with the containerd CRI.

Anything else we need to know?:

Ideally, the check should be made whether the repo is anonymous and, if so, it should not be added to the config, which is what is done in the MSI case. Worst case, at least add this to the Service Principal case, but that would still be a hack.

```go
else {
	// Add our entry for each of the supported container registry URLs
	for _, url := range containerRegistryUrls {
		cred := &credentialprovider.DockerConfigEntry{
			Username: a.config.AADClientID,
			Password: a.config.AADClientSecret,
			Email:    dummyRegistryEmail,
		}
		cfg[url] = *cred
	}
	// add ACR anonymous repo support: use empty username and password for anonymous access
	cfg["*.azurecr.*"] = credentialprovider.DockerConfigEntry{
		Username: "",
		Password: "",
		Email:    dummyRegistryEmail,
	}

}
```

Environment:

  • Kubernetes version (use kubectl version): 1.14.6
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release): ubuntu
  • Kernel (e.g. uname -a):
  • Install tools:
  • Network plugin and version (if this is a network-related bug):
  • Others:
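
A simplified model of the failure described in this issue, added here as an example (not code from Kubernetes or containerd), showing why an entry with empty credentials behaves differently from no entry at all. `buildConfig`, `authFor`, `parseAuth` and the trimmed types are hypothetical stand-ins, `path.Match` stands in for the keyring's URL matching, and the host is the one from the log line above.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// Hypothetical, trimmed stand-ins for the CRI AuthConfig and DockerConfigEntry types.
type AuthConfig struct{ Username, Password, IdentityToken string }
type Entry struct{ Username, Password, Email string }

// buildConfig models the provider: the wildcard entry with empty credentials is
// the behaviour reported on this page; leaving it out is the suggested change.
func buildConfig(addEmptyWildcard bool) map[string]Entry {
	cfg := map[string]Entry{}
	if addEmptyWildcard {
		cfg["*.azurecr.*"] = Entry{Email: "constructed@example.invalid"}
	}
	return cfg
}

// authFor models keyring.Lookup plus the kubelet call site: a matching entry,
// even an empty one, yields a non-nil AuthConfig; no match yields nil.
func authFor(cfg map[string]Entry, host string) *AuthConfig {
	for pattern, e := range cfg {
		if ok, _ := path.Match(pattern, host); ok {
			return &AuthConfig{Username: e.Username, Password: e.Password}
		}
	}
	return nil
}

// parseAuth models the runtime-side check: nil means anonymous pull, while a
// non-nil config with nothing usable in it is rejected.
func parseAuth(a *AuthConfig) (user, secret string, err error) {
	switch {
	case a == nil:
		return "", "", nil
	case a.Username != "":
		return a.Username, a.Password, nil
	case a.IdentityToken != "":
		return "", a.IdentityToken, nil
	}
	return "", "", errors.New("invalid auth config")
}

func main() {
	for _, add := range []bool{true, false} {
		_, _, err := parseAuth(authFor(buildConfig(add), "repos.azurecr.io"))
		fmt.Printf("emptyWildcardEntry=%v err=%v\n", add, err)
	}
}
```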

Labels

  • area/provider/azure: Issues or PRs related to azure provider
  • kind/bug: Categorizes issue or PR as related to a bug.
  • sig/cloud-provider: Categorizes an issue or PR as relevant to SIG Cloud Provider.
