question

AKS-User asked Prrudram-MSFT edited

Add the container registry certs to AKS nodes

I have the AKS cluster and the container registry. I'm unable to pull the images from the kubernetes manifests. This is due to the certificates unavailability on AKS nodes. How to add the certificates to the AKS nodes and also how to update the /etc/hosts entries?

AKS Version: v1.21.7
KERNEL-VERSION: 5.4.0-1067-azure
CONTAINER-RUNTIME: containerd://1.4.9+azure

azure-kubernetes-service

Applying the docker images from container registry to a k8s cluster doesn't need a certificate unless you have some special settings applied to the cluster. So, let's know the special settings you have as well as the complete error message details, screenshots etc.
The answer to the next question, on editing /etc/hosts entries, is that it is possible by logging in to the pods. The following example shows how to access the bash prompt of the pod:

kubectl exec -it <pod name> -- /bin/bash

0 Votes 0 ·

In our case, certificates are required for the container registry authentication. And we had to update the /etc/hosts for resolving the registry from the local machine. As these 2 things are missing we are facing "Image Pull errors".

Could you advise appropriately on how to make these 2 changes on AKS nodes? Let me know if you still have any further queries.

0 Votes 0 ·

I am afraid to say that certificate based authentication is not available as of now for ACR. Check the authentication methods supported here: container-registry-authentication


0 Votes 0 ·

1 Answer

1 Vote
Prrudram-MSFT answered Prrudram-MSFT edited

Hello @AKS-User,

I understand you are using Harbor registry https://github.com/goharbor/harbor
After thorough research, I find daemonsets to be the way here because we don't provide OOB solutions for 3rd party CRs (except for docker hub I think).
This is a Kubernetes DaemonSet definition that will install a custom certificate on the nodes and restart containerd. This is useful if your private registry is protected using a self-signed certificate. Not tested in production. · GitHub
Example for hosts file: KQ - How to update worker nodes /etc/hosts file in GKE (kubernetesquestions.com)

Let me know if you have any queries around this, if this doesn't work, please respond back on this answer by adding a new comment.
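The DaemonSet approach the answer links to, written out as an added example (not the linked gist, and not code from Microsoft or the Harbor project). It copies a CA certificate from a ConfigMap into each node's trust store, adds the /etc/hosts entry, and restarts containerd so the node picks up the new root. The registry hostname, IP and PEM body are placeholders you replace with your own values.

```yaml
apiVersion: v1
kind: ConfigMap
metadata: {name: registry-ca, namespace: kube-system}
data:
  REGISTRY_HOST: "harbor.example.internal"   # placeholder: your registry's hostname
  REGISTRY_IP: "10.0.0.10"                   # placeholder: its address for /etc/hosts
  registry-ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...paste the registry's CA certificate (PEM) here...
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: DaemonSet
metadata: {name: registry-ca-installer, namespace: kube-system}
spec:
  selector: {matchLabels: {app: registry-ca-installer}}
  template:
    metadata: {labels: {app: registry-ca-installer}}
    spec:
      hostPID: true                       # lets nsenter reach the host's init (PID 1)
      tolerations: [{operator: Exists}]   # run on every node, tainted ones included
      initContainers:
      - name: install
        image: ubuntu:22.04               # ships nsenter (util-linux)
        securityContext: {privileged: true}
        env:
        - {name: REGISTRY_HOST, valueFrom: {configMapKeyRef: {name: registry-ca, key: REGISTRY_HOST}}}
        - {name: REGISTRY_IP, valueFrom: {configMapKeyRef: {name: registry-ca, key: REGISTRY_IP}}}
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -e
          # 1. drop the CA into the host trust store and rebuild the bundle on the host
          cp /ca/registry-ca.crt /host/usr/local/share/ca-certificates/registry-ca.crt
          nsenter -t 1 -m -u -i -n -p -- update-ca-certificates
          # 2. add the hosts entry only once, so pod restarts stay idempotent
          grep -qw "$REGISTRY_HOST" /host/etc/hosts || echo "$REGISTRY_IP $REGISTRY_HOST" >> /host/etc/hosts
          # 3. containerd reads the system roots at start-up, so restart it to pick up the CA
          nsenter -t 1 -m -u -i -n -p -- systemctl restart containerd
        volumeMounts:
        - {name: ca, mountPath: /ca, readOnly: true}
        - {name: host, mountPath: /host}
      containers:
      - name: pause                       # keeps the pod alive after the init step has run
        image: registry.k8s.io/pause:3.9
      volumes:
      - name: ca
        configMap: {name: registry-ca, items: [{key: registry-ca.crt, path: registry-ca.crt}]}
      - name: host
        hostPath: {path: /}
```

After `kubectl apply -f`, check `kubectl -n kube-system get ds registry-ca-installer` shows every node ready; nodes added later by scaling or upgrades get the same treatment automatically. Because this workload is privileged and mounts the host root, limit who may deploy into kube-system and keep the CA in the ConfigMap to the one root your registry actually chains to.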



Thanks for the appropriate answer. Will try it.

1 Vote 1 ·

@AKS-User

You are welcome! I have also confirmed with our internal teams, running a TrustedCA daemonset is the only way. We are working on a TrustedCA feature that will be available in coming months to support this feature set.
Keep me posted on your progress.

0 Votes 0 ·

It's working. Thanks!

Could you elaborate more on the TrustedCA feature?

1 Vote 1 ·