fix: network isolated cluster incorrect credential provider config for soverign clouds by fseldow · Pull Request #8709 · Azure/AgentBaker

fseldow · 2026-06-15T10:36:10Z

network isolated cluster incorrect credential provider config for soverign clouds
it hardcoded mcr.microsoft.com for all clouds

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

…r sovereign cloud

Copilot

Pull request overview

This PR updates the Linux CSE credential provider config generation for network-isolated clusters so the MCR registry domain is not hardcoded to mcr.microsoft.com, enabling correct behavior in sovereign/custom cloud environments.

Changes:

Use MCR_REPOSITORY_BASE in the credential provider matchImages list for network-isolated clusters.
Use MCR_REPOSITORY_BASE in the --registry-mirror= argument mapping for network-isolated clusters.

aks-node-assistant · 2026-06-15T12:31:39Z

🕵️ AgentBaker Linux Gate Detective — Build 168052408 (Run AgentBaker E2E) FAILED — known shared-cluster infra outage, not caused by this PR.

TL;DR

Matches existing wiki signature kubenet-v5-node-not-ready-scriptless on shared cluster abe2e-kubenet-v5-150ee (westus3). Repair item #38403603 is already tracking. The cluster is partially recovering — failure count is down to 39/469 (vs 200+ during peak burst). This PR touches NetworkIsolated sovereign-cloud credential provider config; the failed scenarios visible in the log (Test_Ubuntu2204_ContainerdURL_IMDSRestrictionFilterTable_Scriptless, Test_Ubuntu2204_ANCHotfix_BinarySelection, etc.) don't exercise that code path.

3-level RCA

1. Surface symptom — 39 of 469 tests failed (97 skipped); all visible failures are on shared cluster abe2e-kubenet-v5-150ee with VMSS scenarios that never reach node-ready (kube.go:195 pre-kubelet-registration timeout pattern, same as the ongoing infra signature). panic.go:694: ✗ preparing AKS node failed.

2. Corroboration — Adjacent build 168051200 on PR #8659 (renovate/patch-nvidia-dcgm) running ~12 minutes earlier on the same cluster has the identical signature (40/469 failures) — same infra fingerprint, independent unrelated PR. The kubenet-v5-node-not-ready-scriptless signature has now hit 26 distinct builds across 10+ PRs over the past 72h.

3. Root-cause challenge — Strongest alternative: PR-caused regression via the sovereign-cloud credential provider config fix. Why less likely: the failing test names (ContainerdURL_IMDSRestrictionFilterTable_Scriptless, ANCHotfix_BinarySelection) are not the NetworkIsolated_NonAnonymousACR / sovereign-cloud scenarios that would exercise the PR's MCRSov code path. Failure point is pre-kubelet-registration on a known-unhealthy shared cluster, matching the cross-PR infra pattern.

Classification

Test infrastructure / shared-cluster fleet stress (not PR-caused)
Wiki signature: kubenet-v5-node-not-ready-scriptless (Count → 27 distinct builds incl. this one)
Confidence: High infra outage; High PR is unrelated.

Recommended next action

For this PR: safe to rerun the gate; no code change required. Once cluster fully recovers, the NetworkIsolated_NonAnonymousACR scenarios should exercise your sovereign-cloud fix path.
Owner of the underlying issue: AgentBaker E2E test-infra (repair item #38403603 — Active, persists past 72h).

Evidence

Failed run: https://msazure.visualstudio.com/CloudNativeCompute/_build/results?buildId=168052408
Failed job: Run AgentBaker E2E (e2e stage)
Test summary: 469 tests, 97 skipped, 39 failures in 1695s
Teams escalation thread: WS - CI - CD - E2E - CVE

Posted by Clawpilot AgentBaker Linux Gate Detective Watcher.

fseldow · 2026-06-15T16:53:42Z

/azp run

azure-pipelines · 2026-06-15T16:53:55Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-15T18:51:16Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-15T18:51:29Z

Azure Pipelines successfully started running 1 pipeline(s).

aks-node-assistant · 2026-06-15T19:02:08Z

🕵️ AgentBaker Linux Gate Detective — Build 168091386 (Run AgentBaker E2E) FAILED — 2nd recurrence of kubenet-v5-node-not-ready-scriptless on this PR — known infra outage tracked under #38403603, not caused by this PR.

TL;DR

28/469 failures on shared cluster abe2e-kubenet-v5-150ee — same pattern as the prior build (168052408) on this PR. Cluster is still in partial-recovery mode (failure rate down from 200+ at peak, now hovering 24-40 across builds today). PR's NetworkIsolated sovereign-cloud credential-provider config change is unrelated to pre-kubelet-registration cluster timeouts.

Classification

Test infrastructure / shared-cluster fleet stress (not PR-caused), repair item #38403603 (Active)
Wiki signature: kubenet-v5-node-not-ready-scriptless (Count → 29 distinct builds)
Confidence: High

Recommended next action

Safe to rerun once cluster fully recovers. Prior comment: #issuecomment-4707948564.

Posted by Clawpilot AgentBaker Linux Gate Detective Watcher.

fseldow · 2026-06-15T20:51:43Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-15T20:51:55Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-15T23:52:20Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-15T23:52:31Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T01:52:49Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T01:53:01Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T03:53:20Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T03:53:31Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T06:54:06Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T06:54:19Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T08:54:37Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T08:54:50Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T09:54:59Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T09:55:11Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T11:55:32Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T11:55:45Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T13:56:05Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T13:56:19Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T15:56:43Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T15:56:56Z

Azure Pipelines successfully started running 1 pipeline(s).

fseldow · 2026-06-16T17:57:12Z

/azp run AKS Linux VHD Build - PR check-in gate

azure-pipelines · 2026-06-16T17:57:26Z

Azure Pipelines successfully started running 1 pipeline(s).

fix: network isolated cluster incorrect credential provider config fo…

0d0ef1b

…r sovereign cloud

Copilot AI review requested due to automatic review settings June 15, 2026 10:36

fseldow requested review from AbelHu, Devinwong, SriHarsha001, awesomenix, calvin197, cameronmeissner, djsly, ganeshkumarashok, lilypan26, mxj220, pdamianov-dev, phealy, r2k1, runzhen, sulixu, surajssd, timmy-wright and zachary-bailey as code owners June 15, 2026 10:36

Copilot started reviewing on behalf of fseldow June 15, 2026 10:36 View session

Copilot AI reviewed Jun 15, 2026

View reviewed changes

Comment thread parts/linux/cloud-init/artifacts/cse_config.sh

f

9cb7437

Conversation

fseldow commented Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

aks-node-assistant Bot commented Jun 15, 2026

TL;DR

3-level RCA

Classification

Recommended next action

Evidence

Uh oh!

fseldow commented Jun 15, 2026

Uh oh!

azure-pipelines Bot commented Jun 15, 2026

Uh oh!

fseldow commented Jun 15, 2026

Uh oh!

azure-pipelines Bot commented Jun 15, 2026

Uh oh!

aks-node-assistant Bot commented Jun 15, 2026

TL;DR

Classification

Recommended next action

Uh oh!

fseldow commented Jun 15, 2026

Uh oh!

azure-pipelines Bot commented Jun 15, 2026

Uh oh!

fseldow commented Jun 15, 2026

Uh oh!

azure-pipelines Bot commented Jun 15, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

fseldow commented Jun 16, 2026

Uh oh!

azure-pipelines Bot commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

fseldow commented Jun 15, 2026 •

edited

Loading