Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article is part of a series. Start with the overview.
To successfully deploy containerized applications in your Azure Kubernetes Service (AKS) cluster, verify the connectivity between the cluster and the container registry. This step ensures that your worker nodes have the necessary permissions to pull the required container images from the registry.
Identify symptoms
When the kubelet that runs on an agent node creates the containers for a pod, one or more containers might end up in the waiting state because of an ImagePullBackOff or ErrImagePull error.
ImagePullBackOff is an error message in Kubernetes that indicates a failure to pull the required container image from a public or private registry. The
BackOffpart of the status signifies that Kubernetes continuously attempts to pull the image, with an increasing delay between each attempt. The delay gradually increases until it reaches a predetermined limit, which is typically set to 300 seconds in Kubernetes.ErrImagePulloften precedesImagePullBackOffand indicates that the initial pull attempt failed.
Various factors can cause these errors, including network connectivity problems, an incorrect image name or tag, insufficient permissions, or missing credentials. Verify the registry URL, image name, and tag, and confirm that the cluster identity has the necessary permissions to pull from the registry.
Role assignments
When you attach a container registry to an existing AKS cluster, the AcrPull role is automatically assigned to the Microsoft Entra managed identity that's associated with the agent pools in your cluster. For more information, see Authenticate with Container Registry from AKS.
Run the following command to retrieve the kubelet managed identity of a Kubernetes cluster and its current role assignments:
# Get the kubelet managed identity.
ASSIGNEE=$(az aks show -g $RESOURCE_GROUP -n $NAME --query identityProfile.kubeletidentity.clientId -o tsv)
az role assignment list --assignee $ASSIGNEE --all -o table
Run the following command to assign the AcrPull role to the kubelet managed identity:
AZURE_CONTAINER_REGISTRY_ID=$(az acr show --name <container-registry-name> --query id --output tsv)
az role assignment create --assignee $ASSIGNEE --scope $AZURE_CONTAINER_REGISTRY_ID --role acrpull
ABAC-enabled registries
If your Container Registry uses Azure attribute-based access control (ABAC) repository permissions, it doesn't honor the classic AcrPull role. ABAC-enabled registries also don't support the az aks create --attach-acr and az aks update --attach-acr integrations. Instead, you must manually assign the Container Registry Repository Reader role to the kubelet managed identity. For more information, see Azure ABAC repository permissions.
If you recently migrated your registry to ABAC-enabled mode and image pulls fail, verify that the kubelet identity is assigned an ABAC-compatible role.
Validate connectivity
To check if your AKS cluster can reach the container registry, run the following command:
az aks check-acr --name $NAME --resource-group $RESOURCE_GROUP --acr <container-registry-name>.azurecr.io
This command checks Domain Name System (DNS) resolution, network routing, and authentication between the AKS cluster and the registry. Use it as a first diagnostic step when you suspect connectivity or permission problems.
Troubleshoot Container Registry problems
Use the following guidance to diagnose networking, sign-in, and performance problems.
Troubleshoot networking problems
If you encounter problems accessing Container Registry because of virtual network restrictions, firewall rules, or proxy server configurations, consider the following solutions:
- Configure client firewall access
- Configure public access to the registry
- Configure virtual network access
- Configure service access
Troubleshoot sign-in problems
If you encounter authentication and authorization problems when you sign in to Container Registry, consider the following solutions:
- Check the Docker configuration in your environment
- Specify the correct registry name
- Confirm the credentials to access the registry
- Configure public access to the registry
- Troubleshoot registry sign-in problems
- Check that credentials aren't expired
Troubleshoot performance problems
If you encounter performance problems with a container registry, consider the following solutions:
- Optimize image pulls with artifact cache
- Check the network connection speed
- Inspect client hardware that might affect image layer compression or extraction speed
- Review configured limits in the registry service tier or environment
- Configure the geo-replicated registry for optimal performance with replicas in nearby regions
- Optimize DNS configuration for pulling from a geographically distant registry replica
If pull latency increases suddenly on a geo-replicated registry without any AKS configuration changes, check Azure Resource Health for the registry. When a regional replica degrades, Container Registry failover automatically reroutes traffic from that replica to a healthy replica through the global endpoint (<registry>.azurecr.io). The global endpoint can route AKS nodes to a replica in a more distant region. Pull latency returns to baseline after the local replica recovers.
Integrate a non-Microsoft container registry
When you use a non-Microsoft container registry, you need to create the appropriate ImagePullSecret credentials for the registry so your AKS cluster can securely access the container images. For more information, see Create an image pull secret.
Ensure that you set up the correct permissions and credentials so that you can verify the connection to the container registry and your AKS cluster can successfully pull the required container images during deployments.
Contributors
Microsoft maintains this article. The following contributors wrote this article.
Principal authors:
- Paolo Salvatori | Principal Customer Engineer
- Francis Simy Nazareth | Senior Technical Specialist
Other contributor:
- Sam Cogan | Senior Cloud Solution Architect
To see nonpublic LinkedIn profiles, sign in to LinkedIn.