'ImagePullBackOff with "rpc error: code = Unknown desc = failed to pull and unpack image" from AKS when pulling from ACR

When pulling a service-jenkins custom image from ACR, AKS gives the following error:

Warning Failed 0s (x2 over 31s) kubelet Failed to pull image "XXX.azurecr.io/service-jenkins:latest": [rpc error: code = Unknown desc = failed to pull and unpack image "XXX.azurecr.io/service-jenkins:latest": failed to extract layer sha256:XXX: unexpected EOF: unknown, rpc error: code = Unknown desc = failed to pull and unpack image "XXX.azurecr.io/service-jenkins:latest": failed to resolve reference "XXX.azurecr.io/service-jenkins:latest": failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized]

We have taken the following steps in an attempt to resolve the issue:

  1. Connected AKS with ACR using SP instead of using secret stored in the same namespace
  2. Uploaded a sample hello-world image which gets pulled successfully by the AKS
  3. Verified the image secret matches with the ACR keys

We pulled and executed the service-jenkins image using local docker engine to check if there is some issue with image building, but the container is executing normally.

We are unable to pinpoint the exact issue. Any help is appreciated!

jenkinsazure-aksacr


Solution 1:[1]

It turns out this specific issue occurs when

  1. AKS K8 version > 1.18.xx
  2. Ubuntu 20.10 docker base image is used

On deep diving into the issue, it seems like Ubuntu 20.10 has some layer duplication which doesn't fare well with MSFT's implementation of K8 containerd runtime.

I'm no expert but this is the only difference I noticed on Azure since we also tried the same deployments with IBM Cloud and that seems to function per expectation.

Simply uprading the Ubuntu base to 21.04 fixed the issue for me :)

Solution 2:[2]

If in your error there is wording like "anonymous access token" then run below command on azure cloud shell

follow below steps:-

  1. Go to azure portal
  2. Login into aks cluster using cloudshell
  3. Run below command :

az acr update --anonymous-pull-enabled

Note that this will make your acr publicly available.

By default, access to pull or push content from an Azure container registry is only available to authenticated users. Enabling anonymous (unauthenticated) pull access makes all registry content publicly available for read (pull) actions. Anonymous pull access can be used in scenarios that do not require user authentication such as distributing public container images.

Solution 3:[3]

How did you connect the AKS with the ACR?

You can do so by using the Azure CLI (details here) or by creating a role assignment on your own (details here).

For the latter, you will have to assign the acrpull Role to the Managed Identity (or Service Principal) of the AKS node pool.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 span
Solution 3 Nico Meisenzahl

Related Questions

Jenkins Content Security Policy

setUp method: Failed to connect to binary FirefoxBinary(/usr/bin/firefox) on port 7055; process output follows:

SonarQube 3.7 with maven and Jenkins - Maven session does not declare a top level project

How can I pass variables to post-build actions in Jenkins?

How to add a timeout step to Jenkins Pipeline

Jenkins not building docker image, can't find the docker command

compare 2 variables in jelly script

Jenkins Ambiguous Permission

Error - Jenkins detected running multiple instances

How to get child job logs in parent job on child job failure?

create jenkins ssh username with private key credential via rest xml api

How to stop build from executing from the pipeline script?

How to prevent Jenkins SCM polling from triggering a build on branch creation

jenkins builds filtering based on build description

Jenkins shell script returned exit code 1 when the searched string isn't exsist