拉取镜像 "myregistry.azurecr.io/myapp:latest" 失败:rpc 错误:代码 = Unknown 描述 = 来自守护进程的错误响应:未找到 myregistry.azurecr.io/myapp:latest 的清单:清单未知
Failed to pull image "myregistry.azurecr.io/myapp:latest": rpc error: code = Unknown desc = Error response from daemon: manifest for myregistry.azurecr.io/myapp:latest not found: manifest unknown
ID: cloud/azure-aks-pod-stuck-containercreating-imagepullbackoff
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Azure Kubernetes Service (AKS) 1.28 | active | — | — | — |
| Azure Container Registry (ACR) SKU: Standard | active | — | — | — |
| kubectl v1.29.0 | active | — | — | — |
根因分析
容器镜像标签 'latest' 在 Azure 容器注册表 (ACR) 中不存在,因为 CI/CD 管道推送了特定版本标签(例如 'v1.2.3'),但 Kubernetes 部署清单引用了 'latest',或者镜像已被删除。
English
The container image tag 'latest' does not exist in the Azure Container Registry (ACR) because the CI/CD pipeline pushed a specific version tag (e.g., 'v1.2.3') but the Kubernetes deployment manifest references 'latest', or the image was deleted.
官方文档
https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration解决方案
-
Update the Kubernetes deployment manifest to use the correct image tag that exists in ACR: `kubectl set image deployment/myapp myapp=myregistry.azurecr.io/myapp:v1.2.3`
-
If 'latest' is required, retag the existing image in ACR: `az acr import --name myregistry --source myregistry.azurecr.io/myapp:v1.2.3 --image myapp:latest`
无效尝试
常见但无效的做法:
-
70% 失败
ACR anonymous pull is disabled by default; even if the image exists, AKS needs authentication to pull from ACR.
-
95% 失败
Restarting pods does not fix the missing image; it will only cause the same error again.
-
60% 失败
The pull secret may be valid but the image tag simply doesn't exist; the error is about the manifest, not authentication.