ImagePullBackOff
cloud
config_error
ai_generated
true
Pod stuck in ContainerCreating status: failed to pull image from ACR
ID: cloud/azure-aks-pod-stuck-containercreating
Fix rate: 83%
Confidence: 86%
Evidence count: 1
First seen: 2024-05-18
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AKS 1.28 | active | — | — | — |
| Azure CLI 2.58.0 | active | — | — | — |
| ACR Premium | active | — | — | — |
Root cause analysis
An Azure Kubernetes Service (AKS) pod cannot pull a container image from Azure Container Registry (ACR) because the AKS cluster's service principal or managed identity lacks the AcrPull role assignment on the ACR, or because the image tag does not exist.
Official documentation
https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/troubleshoot-image-pull-issues
Solutions
- Assign the AcrPull role to the AKS cluster's managed identity: `az role assignment create --assignee <aks-cluster-identity-client-id> --role AcrPull --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr-name>`. Get the AKS identity via `az aks show -g <rg> -n <cluster-name> --query identityProfile.kubeletidentity.clientId`.
- If using a service principal, create a Kubernetes secret with ACR credentials and reference it in the pod spec: `kubectl create secret docker-registry acr-secret --docker-server=<acr-name>.azurecr.io --docker-username=<app-id> --docker-password=<password>`. Then add `imagePullSecrets: - name: acr-secret` to the deployment YAML.
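The managed-identity fix above can be scripted so that it is idempotent and grants AcrPull on the single registry only. This is an added example, not code from the original page or from Microsoft's documentation; the function names are hypothetical, and it assumes `az` is already logged in and the cluster uses a managed identity.

```shell
#!/usr/bin/env bash
# Added example: grant AcrPull to the AKS kubelet identity only if it is
# missing, scoped to one registry (least privilege). Function names are
# hypothetical; assumes a logged-in Azure CLI.

# Print the client ID of the kubelet managed identity (query from the page).
kubelet_client_id() {  # args: <rg> <cluster-name>
  az aks show -g "$1" -n "$2" \
    --query identityProfile.kubeletidentity.clientId -o tsv
}

# Print the full resource ID of the registry, used as the role scope.
acr_scope() {  # args: <acr-name>
  az acr show -n "$1" --query id -o tsv
}

# Succeed if the identity already holds AcrPull at the scope or a parent scope.
has_acrpull() {  # args: <client-id> <scope>
  local count
  count=$(az role assignment list --assignee "$1" --role AcrPull \
            --scope "$2" --include-inherited --query 'length(@)' -o tsv)
  [ "${count:-0}" -gt 0 ]
}

# Print "present" if nothing had to change, "created" if the role was added.
ensure_acrpull() {  # args: <rg> <cluster-name> <acr-name>
  local id scope
  id=$(kubelet_client_id "$1" "$2") || return 1
  scope=$(acr_scope "$3") || return 1
  if [ -z "$id" ] || [ -z "$scope" ]; then
    echo "could not resolve kubelet identity or registry" >&2
    return 1
  fi
  if has_acrpull "$id" "$scope"; then
    echo "present"
  else
    az role assignment create --assignee "$id" --role AcrPull \
      --scope "$scope" >/dev/null || return 1
    echo "created"
  fi
}

# Run only when called as: ./ensure-acrpull.sh <rg> <cluster-name> <acr-name>
if [ "$#" -eq 3 ]; then
  ensure_acrpull "$@"
fi
```

Because `--include-inherited` is set, an AcrPull assignment at resource-group or subscription scope is reported as `present`; that is worth reviewing, since it lets the cluster pull from every registry under that scope.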
Ineffective attempts
Common but ineffective approaches:
- 95% failure: The same image pull configuration is used; the new pod will fail with the same error.
- 85% failure: The kubelet uses the cluster's credential provider (e.g., acr-credential-provider), not the user's Docker config.