This issue occurs when deploying .NET applications to Azure Container Apps using GitHub Actions: the deployment succeeds, but Kubernetes fails to pull the container image.
Error: ImagePullBackOff
Symptoms
GitHub Actions workflow completes successfully using azure/container-apps-deploy-action@v1, but the Container App shows:
1/1 Pending:ImagePullBackOff
Container logs show:
Connecting to stream...
Root Cause
The Container App was created without registry authentication credentials configured. When checking the Container App configuration:
az containerapp show --name my-app --resource-group my-rg --query "{registries:properties.configuration.registries, secrets:properties.configuration.secrets}" -o json
Returns:
{
This means Kubernetes has no credentials to authenticate with the private Azure Container Registry (ACR) when pulling images, resulting in ImagePullBackOff.
What We Tried (That Didn't Work)
Added AcrPull role to Service Principal: Assigned the AcrPull role to the deployment service principal on the ACR
az role assignment create --assignee SP_ID --role AcrPull --scope /subscriptions/.../Microsoft.ContainerRegistry/registries/myacr
- Result: Still failed. The role is needed but not sufficient.
Hardcoded image name and tag: Removed all variables to eliminate any interpolation issues
imageToDeploy: myregistry.azurecr.io/myapp:d989965
- Result: Still failed. Image path was correct.
Added acrUsername and acrPassword to GitHub Action: Provided explicit credentials to the deploy action
with:
  acrName: myregistry
  acrUsername: ${{ secrets.ACR_USER }}
  acrPassword: ${{ secrets.ACR_PASSWORD }}
- Result: Still failed. The action didn't properly configure these on the Container App.
The Solution
The Container App itself needs registry credentials configured. This must be done manually using Azure CLI:
az containerapp registry set `
Important: Use single quotes around the password to preserve special characters like /, +, !.
After running this command, verify the configuration:
az containerapp show --name my-app --resource-group my-rg --query "properties.configuration.registries" -o json
Should return:
[
Now the Container App can successfully pull images from the private ACR.
Why This Happens
The azure/container-apps-deploy-action@v1 GitHub Action has a bug or limitation where it doesn't properly configure registry credentials on the Container App, even when acrUsername and acrPassword parameters are provided.
The action successfully:
- Authenticates with Azure
- Updates the Container App definition
- Sets the new image path
But it fails to:
- Create the registry credential secret
- Configure the registry authentication in the Container App
Comparison with Working Configuration
A working Container App deployed through other means shows:
{
Prevention
Always verify registry configuration after first deployment:
az containerapp show --name my-app --resource-group my-rg --query "properties.configuration.registries"
Keep acrUsername and acrPassword in your workflow: While the initial deployment might not configure them, subsequent deployments may maintain the configuration once it's set manually.
Consider using Managed Identity: For production, configure the Container App to use managed identity for ACR authentication instead of username/password:
{
  "registries": [{
    "server": "myregistry.azurecr.io",
    "identity": "system"
  }]
}
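The verification step above can be turned into a check that a workflow runs after the deploy action. This is an added example, not code from the original post or from the deploy action. It reads the JSON produced by the az containerapp show query that selects registries and secrets. The sample inputs, the script name and the secret name acr-password are constructed, and the username and passwordSecretRef fields are assumed from the Container Apps registry schema.

```python
import json
import sys

# Constructed sample inputs (not output captured from the original post).
IMAGE = "myregistry.azurecr.io/myapp:d989965"
BROKEN = {"registries": None, "secrets": None}
WORKING = {
    "registries": [{"server": "myregistry.azurecr.io", "username": "myregistry",
                    "passwordSecretRef": "acr-password", "identity": ""}],
    "secrets": [{"name": "acr-password"}],
}


def registry_auth_problems(config, image):
    """Return a list of registry-auth problems for `image` (empty list = OK).

    `config` is the parsed {registries, secrets} object from az containerapp show.
    """
    host = image.split("/", 1)[0].lower()
    if "." not in host:
        return [f"image {image!r} does not name a registry host"]
    registries = config.get("registries") or []  # az prints null when unset
    secret_names = {s.get("name") for s in (config.get("secrets") or [])}

    entry = next((r for r in registries
                  if (r.get("server") or "").lower() == host), None)
    if entry is None:
        return [f"no registry entry for {host}: pulls carry no credentials"]
    if entry.get("identity"):
        # Managed identity: no secret needed. Whether that identity holds
        # AcrPull on the registry cannot be seen in this JSON.
        return []

    problems = []
    if not entry.get("username"):
        problems.append(f"{host}: no username and no identity")
    ref = entry.get("passwordSecretRef")
    if not ref:
        problems.append(f"{host}: no passwordSecretRef")
    elif ref not in secret_names:
        problems.append(f"{host}: secret {ref!r} is not defined on the app")
    return problems


if __name__ == "__main__":
    # Usage: az containerapp show ... -o json | python check_registry.py IMAGE
    found = registry_auth_problems(json.load(sys.stdin), sys.argv[1])
    for problem in found:
        print("FAIL:", problem)
    sys.exit(1 if found else 0)
```

A non-zero exit fails the workflow step, so a missing registry entry surfaces in the pipeline instead of later as ImagePullBackOff.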
Key Takeaway
GitHub Action success ≠ Deployment success. The action updates the Container App definition, but Kubernetes pulls the image after the action completes. Always check:
- GitHub Action completed
- Container App revision status
- Container logs for pull errors
The ImagePullBackOff error specifically means authentication failed between Kubernetes and your private registry.