Associate Azure Container Registry and Kubernetes Cluster

Make Azure Container Registry and Azure Kubernetes Service instance talk to each other secure.

We need to grant permission to our Kubernetes cluster service principal to be able to pull docker images from our private container registry.

In order to grant acrpull permission to AKS service principal, we need :

AKS server principal ID

az aks show --name myaks --resource-group myrg --query "servicePrincipalProfile.clientId" --output=tsv

Resource ID of the Azure container registry

az acr show --name myregistry --resource-group myrg --query "id" --output=tsv

Finally, we are going to grant the acrpull permission to SERVER_PRINCIPLE_ID on ACR_RESOURCE_ID

az role assignment create --role acrpull --assignee <SERVER_PRINCIPAL_ID> --scope <ACR_RESOURCE_ID>
{
  "canDelegate": null,
  "id": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry/providers/Microsoft.Authorization/roleAssignments/<redacted>",
  "name": "<redacted>",
  "principalId": "<redacted>",
  "resourceGroup": "kube-demo-group",
  "roleDefinitionId": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
  "scope": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry",
  "type": "Microsoft.Authorization/roleAssignments"
}

Michael Chudinov. My personal blog

from “if it ain’t broke, don’t fix it” to “if it ain’t perfect, keep improving”

Associate Azure Container Registry and Kubernetes Cluster

Share this: