In a previous post, I wrote about Methods to Login Azure Container Registry. Today I continue with the integration of Azure AKS and ACR.
ACR can be integrated with AKS in two ways:
- During AKS creation
- Using an Azure CLI command
Let’s start with the first option since it is relatively easy. During AKS creation, you have to choose System-assigned managed identity at the Authentication stage in order to integrate ACR with AKS.
As shown in the image above, you have to choose the method shown below.
More about service principal or system-assigned managed identity.
It is weird that I cannot find any place in either the ACR or the AKS console to integrate them together. I wonder if the Azure CLI is the only way to integrate them when either of them already exists. Nevertheless, the commands are as below.
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>
Verify by creating a pod from an image in ACR.
Detach ACR from AKS and verify again.
az aks update -n myAKSCluster -g myResourceGroup --detach-acr <acr-name>
kubectl run test --image ystakslab.azurecr.io/nginx:v1 --image-pull-policy='Always'
Here we can see that AKS is not able to pull the image from ACR. Let’s describe the pod and look for more information.
And there you go, AKS cannot pull from ACR.
Action behind the scenes:
When we attach ACR to AKS, it actually grants the ‘acrpull’ role assignment on the ACR specified by name or resource ID. We can verify as below:
Managed identity can be found here.
We can see the identity is assigned AcrPull role.
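The same check can be done on CLI output instead of the portal. The following is an added example, not part of the original post: it takes the JSON from `az role assignment list --scope <acr-resource-id> --include-inherited -o json` and reports whether the cluster's kubelet identity holds AcrPull on the registry, plus any other roles it holds there that deserve a least-privilege review. The subscription ID, object IDs and sample assignments are constructed, and the function names are hypothetical.

```python
# Added example (not from the original post). Live input comes from:
#   az aks show -n myAKSCluster -g myResourceGroup \
#       --query identityProfile.kubeletidentity.objectId -o tsv
#   az role assignment list --scope <acr-resource-id> --include-inherited -o json

def covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (same resource or a parent)."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    # Require a path boundary so registry "ystaks" does not match "ystakslab".
    return resource_id == scope or resource_id.startswith(scope + "/")

def audit_kubelet_acr_roles(assignments, kubelet_object_id, acr_id):
    """Return (has_acrpull, other_roles) for the kubelet identity on one registry."""
    roles = {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"].lower() == kubelet_object_id.lower()
        and covers(a["scope"], acr_id)
    }
    # AcrPull is what --attach-acr grants; anything else is listed for review.
    return "AcrPull" in roles, sorted(roles - {"AcrPull"})

# Constructed sample data in the shape of `az role assignment list` output.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"
ACR_ID = RG + "/providers/Microsoft.ContainerRegistry/registries/ystakslab"
KUBELET = "11111111-1111-1111-1111-111111111111"  # constructed object ID
OTHER = "22222222-2222-2222-2222-222222222222"    # constructed, unrelated principal
SAMPLE = [
    {"principalId": KUBELET, "roleDefinitionName": "AcrPull", "scope": ACR_ID},
    # Inherited from the resource group: applies to the registry as well.
    {"principalId": KUBELET.upper(), "roleDefinitionName": "Contributor", "scope": RG},
    # Different principal: ignored.
    {"principalId": OTHER, "roleDefinitionName": "AcrPush", "scope": ACR_ID},
    # Different registry whose name is a prefix of ours: ignored.
    {"principalId": KUBELET, "roleDefinitionName": "AcrPush", "scope": ACR_ID[:-3]},
]

if __name__ == "__main__":
    has_pull, other = audit_kubelet_acr_roles(SAMPLE, KUBELET, ACR_ID)
    print("AcrPull assigned:", has_pull)
    print("Other roles on this registry:", other)
```

After `--detach-acr`, the first value should turn False for the same registry.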
Reference:
Authenticate with Azure Container Registry from Azure Kubernetes Service