# Pod stuck in ContainerCreating: image pull from ACR fails

- **ID:** `cloud/azure-aks-pod-stuck-containercreating`
- **Domain:** cloud
- **Category:** config_error
- **Error code:** `ImagePullBackOff`
- **Verification level:** ai_generated
- **Fix rate:** 83%

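## Root cause

An Azure Kubernetes Service (AKS) pod cannot pull its container image from Azure Container Registry (ACR) because the AKS cluster's service principal or managed identity lacks the AcrPull role assignment on the ACR, or because the image tag does not exist.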
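
To tell the two causes apart from the pod's events, the following added example (not part of the original entry) classifies the message of a `Failed` pull event and prints the check to run next. The matched substrings are assumptions based on common containerd and registry error wording, and the sample messages are constructed.

```shell
#!/bin/sh
# Added example: map a kubelet "Failed to pull image" event message to one of
# the two root causes named above. Matched substrings are assumptions.

classify_pull_failure() {
    # $1: Message text of a Failed event from `kubectl describe pod`
    msg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$msg" in
        # Auth is tested first: a registry can answer 401 before it reveals
        # whether the tag exists.
        *"401 unauthorized"*|*"authentication required"*|*"failed to authorize"*)
            echo acr_auth ;;
        *"manifest unknown"*|*": not found"*)
            echo tag_missing ;;   # registry answered, the tag is absent
        *)
            echo unknown ;;
    esac
}

next_step() {
    # $1: class from classify_pull_failure; prints the check to run next
    case "$1" in
        acr_auth)
            echo 'az role assignment list --assignee <aks-cluster-identity-client-id> --role AcrPull --scope <acr-resource-id>' ;;
        tag_missing)
            echo 'az acr repository show-tags --name <acr-name> --repository <repo>' ;;
        *)
            echo 'kubectl describe pod <pod-name>' ;;
    esac
}

# Constructed sample event messages (registry and image names are placeholders).
SAMPLE_AUTH='Failed to pull image "example.azurecr.io/app:v1": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://example.azurecr.io/oauth2/token: 401 Unauthorized'
SAMPLE_TAG='Failed to pull image "example.azurecr.io/app:v9": rpc error: code = NotFound desc = failed to resolve reference "example.azurecr.io/app:v9": example.azurecr.io/app:v9: not found'

for m in "$SAMPLE_AUTH" "$SAMPLE_TAG"; do
    c=$(classify_pull_failure "$m")
    printf '%s -> %s\n' "$c" "$(next_step "$c")"
done
```

An empty result from the role assignment query points at the missing AcrPull assignment; a tag list without the requested tag points at the image reference.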

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| AKS 1.28 | active | — | — |
| Azure CLI 2.58.0 | active | — | — |
| ACR Premium | active | — | — |

## Solutions

1. Assign the AcrPull role to the AKS cluster's managed identity:
   ```
   az role assignment create --assignee <aks-cluster-identity-client-id> --role AcrPull --scope /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr-name>
   ```
   Get the AKS identity via:
   ```
   az aks show -g <rg> -n <cluster-name> --query identityProfile.kubeletidentity.clientId
   ```
2. If using a service principal, create a Kubernetes secret with ACR credentials and reference it in the pod spec:
   ```
   kubectl create secret docker-registry acr-secret --docker-server=<acr-name>.azurecr.io --docker-username=<app-id> --docker-password=<password>
   ```
   Then add the following to the deployment YAML:
   ```
   imagePullSecrets:
     - name: acr-secret
   ```

## Ineffective attempts

- **** — The same image pull configuration is used; the new pod will fail with the same error. (95% failure rate)
- **** — The kubelet uses the cluster's credential provider (e.g., acr-credential-provider), not the user's Docker config. (85% failure rate)
