Verify the connection to the container registry

Make sure that the worker nodes have the correct permission to pull the necessary container images from the container registry.

This article is part of a series. Read the introduction here.

A common symptom of this issue is an ImagePullBackOff error when getting or describing a pod. Be sure that the registry and image name are correct, and that the cluster has permissions to pull from the appropriate container registry.

If you are using Azure Container Registry (ACR), the cluster service principal or managed identity should be granted AcrPull permissions against the registry.

One way to check is to list the role assignments of the managed identity of the AKS cluster node pool. The following commands look up that identity and get a list of its permissions.

# Get Kubelet Identity (Nodepool MSI)
ASSIGNEE=$(az aks show -g "$RESOURCE_GROUP" -n "$NAME" --query identityProfile.kubeletidentity.clientId -o tsv)
az role assignment list --assignee "$ASSIGNEE" --all -o table
# Expected Output
...
e5615a90-1767-4a4f-83b6-cecfa0675970  AcrPull  /subscriptions/.../providers/Microsoft.ContainerRegistry/registries/akskhacr
...
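
Reading the table by eye makes it easy to miss that the AcrPull row belongs to a different registry, or that the role is inherited from a resource group or subscription scope. The function below is an added example, not part of the original article: it reads the same role assignment list as tab-separated lines and reports whether an AcrPull assignment applies to one specific registry. The names has_acrpull and REGISTRY_ID are assumptions made for this example.

```bash
# Added example. Feed it the assignments of the kubelet identity, one
# "roleName<TAB>scope" line per assignment, for instance:
#   az role assignment list --assignee "$ASSIGNEE" --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv | has_acrpull "$REGISTRY_ID"
# REGISTRY_ID (assumed variable) is the full resource ID of the registry:
#   /subscriptions/.../providers/Microsoft.ContainerRegistry/registries/<name>

# Resource IDs are case-insensitive, so compare them in lower case.
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Exit status 0 if an AcrPull assignment covers the registry, 1 otherwise.
# The body runs in a subshell so its variables do not leak into the caller.
has_acrpull() (
  registry_id="$(to_lower "${1%/}")"
  tab="$(printf '\t')"
  found=1
  while IFS="$tab" read -r role scope || [ -n "$role" ]; do
    [ "$role" = "AcrPull" ] || continue
    scope="$(to_lower "${scope%/}")"
    # An assignment applies at its own scope and at every child scope.
    # Matching on "<scope>/" keeps a registry named "akskhacr2" from
    # satisfying a check for "akskhacr" through a plain prefix match.
    case "$registry_id/" in
      "$scope"/*) found=0 ;;
    esac
  done
  [ "$found" -eq 0 ]
)
```

A non-zero exit status means no AcrPull assignment reaches the registry, which is consistent with pods on those nodes ending up in ImagePullBackOff.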

If you're using another container registry, check the appropriate ImagePullSecret credentials for the registry.
