Associate Azure Container Registry and Kubernetes Cluster

Make Azure Container Registry and Azure Kubernetes Service instance talk to each other secure.

We need to grant permission to our Kubernetes cluster service principal to be able to pull docker images from our private container registry.

In order to grant acrpull permission to AKS service principal, we need :

  • AKS server principal ID
az aks show --name myaks --resource-group myrg --query "servicePrincipalProfile.clientId" --output=tsv
  • Resource ID of the Azure container registry
az acr show --name myregistry --resource-group myrg --query "id" --output=tsv

Finally, we are going to grant the acrpull permission to SERVER_PRINCIPLE_ID on ACR_RESOURCE_ID

az role assignment create --role acrpull --assignee <SERVER_PRINCIPAL_ID> --scope <ACR_RESOURCE_ID>
  "canDelegate": null,
  "id": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry/providers/Microsoft.Authorization/roleAssignments/<redacted>",
  "name": "<redacted>",
  "principalId": "<redacted>",
  "resourceGroup": "kube-demo-group",
  "roleDefinitionId": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/<redacted>",
  "scope": "/subscriptions/<redacted>/resourceGroups/kube-demo-group/providers/Microsoft.ContainerRegistry/registries/kubeDockerRegistry",
  "type": "Microsoft.Authorization/roleAssignments"