Make Azure Container Registry and Azure Kubernetes Service talk to each other securely.
We need to grant our Kubernetes cluster's service principal permission to pull Docker images from our private container registry.
In order to grant the acrpull permission to the AKS service principal, we need:

- the AKS service principal ID

```bash
az aks show --name myaks --resource-group myrg --query "servicePrincipalProfile.clientId" --output=tsv
```
- the resource ID of the Azure container registry

```bash
az acr show --name myregistry --resource-group myrg --query "id" --output=tsv
```
Finally, we grant the acrpull permission to SERVICE_PRINCIPAL_ID on ACR_RESOURCE_ID:

```bash
az role assignment create --role acrpull --assignee <SERVICE_PRINCIPAL_ID> --scope <ACR_RESOURCE_ID>
{
  "canDelegate": null,
  "id": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry/providers/Microsoft.Authorization/roleAssignments/<redacted>",
  "name": "<redacted>",
  "principalId": "<redacted>",
  "resourceGroup": "kube-demo-group",
  "roleDefinitionId": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
  "scope": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry",
  "type": "Microsoft.Authorization/roleAssignments"
}
```

Note that the scope is the registry's own resource ID, so the cluster gets pull access to this one registry only, not to the whole resource group or subscription.
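The three steps above, put together as one script. This is an added example and not code from the original post; the resource names `myaks`, `myrg` and `myregistry` are the post's placeholders, overridable through environment variables. Before calling `az role assignment create` it checks that the looked-up principal ID is actually a GUID (a managed-identity cluster returns the literal `msi` here, in which case `az aks update --attach-acr` is the right tool instead) and that the scope is a single registry's resource ID rather than a broader scope, skips creation if the assignment already exists, and lists the assignment afterwards so you can confirm it before relying on it for image pulls.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): grant the AKS cluster's service
# principal AcrPull on one registry, with input validation and a post-check.
# Assumed names: myaks, myrg, myregistry are the post's placeholders.
set -eu

AKS_NAME="${AKS_NAME:-myaks}"
AKS_RG="${AKS_RG:-myrg}"
ACR_NAME="${ACR_NAME:-myregistry}"
ACR_RG="${ACR_RG:-myrg}"

# A service principal client ID is a GUID; anything else (for example the
# literal "msi" a managed-identity cluster returns) must not be passed on.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# The scope must be the registry's own resource ID (not a subscription or a
# resource group), so the role grants pull on this registry only.
is_acr_scope() {
  printf '%s' "$1" | grep -Eq '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.ContainerRegistry/registries/[^/]+$'
}

lookup_ids() {
  SP_ID="$(az aks show --name "$AKS_NAME" --resource-group "$AKS_RG" \
             --query "servicePrincipalProfile.clientId" --output tsv)"
  ACR_ID="$(az acr show --name "$ACR_NAME" --resource-group "$ACR_RG" \
             --query "id" --output tsv)"
  is_guid "$SP_ID" || {
    echo "unexpected principal id '$SP_ID' (managed-identity cluster? use 'az aks update --attach-acr')" >&2
    exit 1
  }
  is_acr_scope "$ACR_ID" || { echo "unexpected registry scope '$ACR_ID'" >&2; exit 1; }
}

grant_acrpull() {
  # Idempotent: do not create a duplicate assignment on a re-run.
  existing="$(az role assignment list --assignee "$SP_ID" --scope "$ACR_ID" \
                --role acrpull --query "[].id" --output tsv)"
  if [ -n "$existing" ]; then
    echo "acrpull already assigned: $existing"
    return 0
  fi
  az role assignment create --role acrpull --assignee "$SP_ID" --scope "$ACR_ID" --output table
}

verify_acrpull() {
  # Show the assignment as Azure sees it before depending on it for pulls.
  az role assignment list --assignee "$SP_ID" --scope "$ACR_ID" --role acrpull \
    --query "[].{role:roleDefinitionName,scope:scope}" --output table
}

# Only touch Azure when explicitly asked: ./grant_acrpull.sh --apply
if [ "${1:-}" = "--apply" ]; then
  lookup_ids
  grant_acrpull
  verify_acrpull
fi
```

Run it as `./grant_acrpull.sh --apply` with the Azure CLI logged in; without `--apply` it only defines the functions, so the validators can be exercised on their own.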