fix: match ACR regional (geo) login server endpoints in credential-provider config#8956
Open
lizMSFT wants to merge 1 commit into
Open
fix: match ACR regional (geo) login server endpoints in credential-provider config#8956lizMSFT wants to merge 1 commit into
lizMSFT wants to merge 1 commit into
Conversation
…ovider config AKS kubelet credential-provider matchImages only listed 3-label ACR hosts (*.azurecr.io/.cn/.de/.us). Kubernetes URLsMatch requires an equal dot-part count, so 5-label ACR regional (geo-replica) login servers of the form <registry>.<region>.geo.azurecr.io never matched: kubelet did not invoke acr-credential-provider, the pull fell back to anonymous, and it failed with 401 against a private registry. Add the four *.*.geo.azurecr.* patterns to the Linux and Windows credential provider generators and their golden test configs, and add a negative ShellSpec assertion that dedicated data endpoints (.data.azurecr) are never added to matchImages (they are 307 blob-download redirect targets, not login servers). Fixes Azure#8862 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lizMSFT
requested review from
AbelHu,
Devinwong,
SriHarsha001,
awesomenix,
calvin197,
cameronmeissner,
djsly,
ganeshkumarashok,
karenychen,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
runzhen,
sulixu,
surajssd,
timmy-wright,
titilambert,
xuexu6666 and
zachary-bailey
as code owners
July 15, 2026 17:31
lizMSFT
force-pushed
the
fix/acr-regional-geo-matchimages
branch
from
July 15, 2026 17:35
47bba73 to
c67b745
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the kubelet ACR credential-provider configuration to recognize Azure Container Registry regional/geo login server hostnames by adding additional matchImages patterns, so kubelet correctly invokes the ACR credential provider instead of falling back to anonymous pulls.
Changes:
- Added
*.*.geo.azurecr.{io,cn,de,us}patterns alongside existing*.azurecr.{io,cn,de,us}entries across Linux and Windows credential-provider config generation. - Updated Windows credential-provider config test suite YAMLs to include the new match patterns.
- Updated Linux ShellSpec golden expectations and added a negative test asserting
data.azurecrdoes not appear in the generated config.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| parts/linux/cloud-init/artifacts/cse_config.sh | Adds geo-regional ACR patterns to all credential-provider matchImages blocks (default, custom cloud, network isolated). |
| spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh | Updates golden config expectations and adds a negative assertion that generated config does not include data.azurecr. |
| staging/cse/windows/configfunc.ps1 | Adds geo-regional ACR patterns to the Windows-generated credential-provider config (default + custom cloud cases). |
| staging/cse/windows/credentialProvider.tests.suites/credential-provider-config.yaml | Updates expected matchImages list to include geo-regional ACR patterns. |
| staging/cse/windows/credentialProvider.tests.suites/CustomCloudContainerRegistryDNSSuffixEmpty.config.yaml | Updates expected matchImages list to include geo-regional ACR patterns. |
| staging/cse/windows/credentialProvider.tests.suites/CustomCloudContainerRegistryDNSSuffixNotEmpty.config.yaml | Updates expected matchImages list to include geo-regional ACR patterns. |
| aks-node-controller/parser/testdata/Compatibility+EmptyConfig/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AzureLinuxv2+Kata+DisableUnattendedUpgrades=false/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+SSHStatusOn/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+LocalDNS+HostsPlugin/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+LocalDNS/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+CustomOSConfig/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+CustomCloud/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+Containerd+MIG/generatedCSECommand | Regenerated parser golden output. |
| aks-node-controller/parser/testdata/AKSUbuntu2204+China/generatedCSECommand | Regenerated parser golden output. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Adds ACR regional (geo) login server patterns to the kubelet credential-provider
matchImagesconfig so kubelet invokes the ACR credential provider for regional endpoints.Fixes #8862.
Why
Kubernetes
URLsMatch(k8s.io/kubernetes/pkg/credentialprovider) requires thematchImagespattern and the image host to have an equal number of dot-separated parts. The existing 3-label patterns (*.azurecr.io,*.azurecr.cn,*.azurecr.de,*.azurecr.us) therefore never match a 5-label regional host such asmyregistry.eastus2.geo.azurecr.io. As a result kubelet skips the ACR credential provider and falls back to an anonymous pull, which fails with401 Unauthorized.Adding the 5-label wildcard
*.*.geo.azurecr.*restores the match for regional hosts.Change
Adds the following four entries next to every existing
*.azurecr.usline in eachmatchImagesblock:Dedicated data endpoints (
*.data.*) are intentionally excluded — they are 307 blob-redirect targets, never image/login hosts. A negative ShellSpec test assertsdata.azurecrnever appears in the generated config.Files:
parts/linux/cloud-init/artifacts/cse_config.sh(3 blocks)spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh(11 golden blocks + negative test)staging/cse/windows/configfunc.ps1(2 blocks)staging/cse/windows/credentialProvider.tests.suites/*.yaml(3 files)Testing
pkg/agentsuite: 249 passed / 0 failed.cse_config_spec.shblocks updated, including a new negative test.Note
The head branch lives in a fork (
lizMSFT/AgentBaker) because the author does not currently have write access toAzure/AgentBaker. Thevalidate-pull-request-sourcegate will flag this — a maintainer may need to adopt the branch into upstream.