fix pull image error from multiple ACRs using azure managed identity #96355
Conversation
k8s-ci-robot
added
do-not-merge/hold
|
/kind bug |
k8s-ci-robot
added
kind/bug
|
/test pull-kubernetes-bazel-test |
|
/retest |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/retest |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
/test pull-kubernetes-e2e-aks-engine-azure |
andyzhangx
force-pushed
the
acr-mi-fix2
branch
from
abee8b3
to
848516c
Compare
fix comments fix comment fix comments fix comments fix comments fix comments fix bazel
andyzhangx
force-pushed
the
acr-mi-fix2
branch
from
275d7ad
to
48ba883
Compare
|
/retest |
1 similar comment
|
/retest |
|
/test pull-kubernetes-e2e-azure-disk-windows |
k8s-ci-robot
added
do-not-merge/hold
|
/retest |
|
/retest |
| // add ACR anonymous repo support: use empty username and password for anonymous access | ||
| defaultConfigEntry := credentialprovider.DockerConfigEntry{ | ||
| Username: "", | ||
| Password: "", | ||
| Email: dummyRegistryEmail, | ||
| } | ||
| cfg["*.azurecr.*"] = defaultConfigEntry |
There was a problem hiding this comment.
in the case where we're returning a cache entry, this is modifying the shared cache object that was previously returned and can cause a data race.
Suggest making an addAnonymousCredentials(cfg) method and calling it from getFromACR when we're constructing a new cached credential set, and from the else block in Provide() when we're not using UseManagedIdentityExtension. That ensures we never modify a config after we've returned it from Provide()
There was a problem hiding this comment.
hi @liggitt there is no shared cache object anymore, cfg is a newly constructed object every time in Provide() func, see line 253, I have removed the cacheDockerConfig field in this PR.
| // add ACR anonymous repo support: use empty username and password for anonymous access | ||
| defaultConfigEntry := credentialprovider.DockerConfigEntry{ | ||
| Username: "", | ||
| Password: "", | ||
| Email: dummyRegistryEmail, | ||
| } | ||
| cfg["*.azurecr.*"] = defaultConfigEntry |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andyzhangx, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/hold cancel |
…6355-upstream-release-1.19 Automated cherry pick of #96355: fix pull image error from multiple ACRs using azure managed
…6355-upstream-release-1.17 Automated cherry pick of #96355: fix pull image error from multiple ACRs using azure managed
…6355-upstream-release-1.18 Automated cherry pick of #96355: fix pull image error from multiple ACRs using azure managed
@porrascarlos802018 this fix "pull image auth error from multiple(>1) ACRs using azure managed identity" has been merged in 1.17.14, 1.18.12, 1.19.4, for existing clusters with MSI, wait for a few more tries or using single ACR could workaround |
liggitt
added
kind/regression
What type of PR is this?
/kind bug
What this PR does / why we need it:
fix pull image error from multiple ACRs using azure managed identity
This PR continues with PR(#92330), fixed the pull image error with azure managed identity.
This PR is using per-registry cache (also with cache expiration), pls note that per-registry cache is only for managed identity, and for service principal(account name & password), it's not necessary since password is supposed to be the same in whole kubelet life time.
Which issue(s) this PR fixes:
Fixes #92326
Special notes for your reviewer:
With this fix, there is no authentication error when pulling images from two ACRs using managed identity:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/priority important-soon
/sig cloud-provider
/area provider/azure
/triage accepted
/assign @feiskyer