Make Azure Container Registry and Azure Kubernetes Service instance talk to each other securely.
We need to grant permission to our Kubernetes cluster's service principal so that it can pull Docker images from our private container registry.
In order to grant the AcrPull permission to the AKS service principal, we need:
- the AKS service principal ID
az aks show --name myaks --resource-group myrg --query "servicePrincipalProfile.clientId" --output=tsv
- the resource ID of the Azure container registry
az acr show --name myregistry --resource-group myrg --query "id" --output=tsv
Finally, we grant the AcrPull permission to SERVICE_PRINCIPAL_ID on ACR_RESOURCE_ID (this assigns the built-in AcrPull role, scoped to the single registry, so the cluster can pull but not push):
az role assignment create --role acrpull --assignee <SERVICE_PRINCIPAL_ID> --scope <ACR_RESOURCE_ID>
{
"canDelegate": null,
"id": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry/providers/Microsoft.Authorization/roleAssignments/<redacted>",
"name": "<redacted>",
"principalId": "<redacted>",
"resourceGroup": "kube-demo-group",
"roleDefinitionId": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
"scope": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry",
"type": "Microsoft.Authorization/roleAssignments"
}
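The three steps above chained into one script, as an added example that is not part of the original post: it looks up both IDs, refuses to assign the role at anything wider than a single registry (a scope at resource-group or subscription level would let the cluster pull from every registry beneath it), and verifies the assignment afterwards. The environment variables AKS_NAME, AKS_RG, ACR_NAME and ACR_RG are assumptions; the sample resource IDs in the checks are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the Azure CLI is
# logged in and that AKS_NAME, AKS_RG, ACR_NAME, ACR_RG are set by the caller.
set -eu

# Returns 0 only when $1 is the resource ID of exactly one container registry.
# AcrPull at resource-group or subscription scope is wider than the cluster needs.
scope_is_single_registry() {
    case "$1" in
        /subscriptions/*/resourceGroups/*/providers/Microsoft.ContainerRegistry/registries/*)
            case "${1#*/registries/}" in
                */*) return 1 ;;   # something nested below the registry
                "")  return 1 ;;   # trailing slash, no registry name
                *)   return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

main() {
    SP_ID=$(az aks show --name "$AKS_NAME" --resource-group "$AKS_RG" \
              --query "servicePrincipalProfile.clientId" --output tsv)
    ACR_ID=$(az acr show --name "$ACR_NAME" --resource-group "$ACR_RG" \
              --query "id" --output tsv)
    [ -n "$SP_ID" ] && [ -n "$ACR_ID" ] || { echo "lookup returned an empty ID" >&2; exit 1; }
    # Clusters created with a managed identity report "msi" here instead of a
    # client ID; that value is not a principal and must not be passed to --assignee.
    [ "$SP_ID" != "msi" ] || { echo "cluster uses a managed identity, not a service principal" >&2; exit 1; }
    scope_is_single_registry "$ACR_ID" || { echo "refusing: scope is not a single registry: $ACR_ID" >&2; exit 1; }

    az role assignment create --role AcrPull --assignee "$SP_ID" --scope "$ACR_ID" >/dev/null

    # Verify: exactly one AcrPull assignment for this principal at this scope.
    count=$(az role assignment list --assignee "$SP_ID" --scope "$ACR_ID" --role AcrPull \
              --query "length(@)" --output tsv)
    [ "$count" = "1" ] || { echo "verification failed: found $count AcrPull assignment(s)" >&2; exit 1; }
    echo "AcrPull granted to $SP_ID on $ACR_ID"
}

# Only talk to Azure when the caller has set the cluster name; the helper above
# can be sourced and used on its own.
if [ -n "${AKS_NAME:-}" ]; then
    main
fi
```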