Azure Configure ACR Integration for Existing AKS Cluster

Yst@IT
3 min read · Jan 1, 2021

In a previous post, I wrote about Methods to Login Azure Container Registry. Today I am continuing with the integration of Azure AKS and ACR.

ACR can be integrated with AKS in two ways:

  1. During AKS creation
  2. Using an Azure CLI command

Let’s start with the first option since it is relatively easy. During AKS creation, you have to choose System-assigned managed identity at the Authentication stage in order to integrate ACR with AKS.

ACR AKS integration

As shown in the image above, you have to choose the method shown below.

ACR AKS integration

More about service principal or system-assigned managed identity.

It is weird that I cannot find any place in either ACR or AKS to integrate them together from the console. I wonder if Azure CLI is the only way to integrate them when either of them already exists. Nevertheless, the commands are as below.

az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

ACR AKS integration

Verify by creating a pod from an image in ACR.

ACR AKS integration

Detach ACR from AKS and verify again.

az aks update -n myAKSCluster -g myResourceGroup --detach-acr <acr-name>

ACR AKS integration

kubectl run test --image ystakslab.azurecr.io/nginx:v1 --image-pull-policy='Always'

ACR AKS integration

Here we can see that AKS is not able to pull the image from ACR. Let’s describe the pod and look for more information.

ACR AKS integration

And there you go, AKS cannot pull from ACR.

Action behind the scenes:

When we attach ACR to AKS, it actually grants the ‘acrpull’ role assignment on the ACR specified by name or resource ID. We can verify as below:

ACR AKS integration

The managed identity can be found here.

ACR AKS integration

We can see the identity is assigned the AcrPull role.

ACR AKS integration
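
The same role assignment can be checked from the CLI instead of the portal, which also shows whether the identity holds more than pull rights on the registry. This is an added example, not part of the original post: it assumes the AcrPull role is granted to the cluster's kubelet identity (identityProfile.kubeletidentity), reuses the cluster and resource group names from the commands above, and classify_acr_access, ACR_NAME and RUN_LIVE are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: classify what an AKS identity may do on one registry.
# stdin: TSV lines "roleDefinitionName<TAB>scope" from az role assignment list.
# $1:    resource ID of the registry being checked.
classify_acr_access() {
  awk -F '\t' -v acr="$1" '
    BEGIN { acr_l = tolower(acr) }
    NF < 2 { next }
    {
      role = tolower($1); scope = tolower($2)
      # Count only assignments on the registry itself or on a parent scope.
      if (scope != acr_l && scope != "/" && index(acr_l, scope "/") != 1) next
      if (role == "acrpull") pull = 1
      else if (role == "acrpush" || role == "contributor" || role == "owner")
        extra = (extra ? extra "," : "") $1
    }
    END {
      if (extra) print "OVERPRIVILEGED " extra   # more than pull access
      else if (pull) print "PULL_ONLY"           # state after --attach-acr
      else print "NO_PULL"                       # state after --detach-acr
    }'
}

# Constructed sample input (made-up subscription and registry, not real output).
SAMPLE_ACR="/subscriptions/0000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/exampleacr"
printf 'AcrPull\t%s\n' "$SAMPLE_ACR" | classify_acr_access "$SAMPLE_ACR"

# Live check against Azure; runs only when RUN_LIVE=1 and ACR_NAME is set.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  ACR_ID=$(az acr show -n "$ACR_NAME" --query id -o tsv)
  KUBELET_ID=$(az aks show -n myAKSCluster -g myResourceGroup \
    --query identityProfile.kubeletidentity.objectId -o tsv)
  az role assignment list --assignee "$KUBELET_ID" --scope "$ACR_ID" \
    --include-inherited --query "[].[roleDefinitionName, scope]" -o tsv |
    classify_acr_access "$ACR_ID"
fi
```

PULL_ONLY is the expected result for an attached cluster; OVERPRIVILEGED means the identity used by the nodes could also push to or manage the registry.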

Reference:

Authenticate with Azure Container Registry from Azure Kubernetes Service

Yst@IT

Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.