kubernetes, azure-aks, azure-container-registry, azure-acr

What is the expected way to integrate ACR to AKS?


Looking for the best way to integrate ACR with AKS for a production environment. There seem to be multiple ways, like during installation and after installation, using service principals, and using image pull secrets, etc.

So for our production environment we are looking for the most recommended option, where the requirements are as follows.


Solution

  • IMHO the best way is Azure RBAC. You don't need to attach the ACR while creating the AKS. You can leverage Azure RBAC and assign the role "AcrPull" to the kubelet identity of your node pool. This can be done for every ACR you have:

    # object id of the kubelet (node pool) managed identity that pulls images
    export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
    # resource id of the registry, used as the scope of the role assignment
    export ACR_ID=$(az acr show -g <resource group> -n <acr name> --query id -o tsv)
    # grant pull-only access on that registry to the kubelet identity
    az role assignment create --assignee $KUBE_ID --role "AcrPull" --scope $ACR_ID
    

    Terraform:

      resource "azurerm_role_assignment" "example" {
        scope                = azurerm_container_registry.acr.id
        role_definition_name = "AcrPull"
        principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
      }
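As an added verification step (example code, not part of the answer above), the following Python audit can be run over the output of `az role assignment list --assignee $KUBE_ID --all -o json` to confirm that the kubelet identity holds AcrPull at a scope that covers the registry (Azure RBAC is inherited from subscription and resource-group scope) and to flag roles broader than pull-only on that identity. The object id, subscription and resource names below are constructed placeholders.

```python
# Constructed sample shaped like `az role assignment list --assignee <id> --all -o json`,
# reduced to the fields this check reads. All ids are placeholders, not real resources.
KUBELET_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"
RG_SCOPE = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod"
ACR_ID = RG_SCOPE + "/providers/Microsoft.ContainerRegistry/registries/acrprod"

SAMPLE_ASSIGNMENTS = [
    {"principalId": KUBELET_OBJECT_ID, "roleDefinitionName": "AcrPull", "scope": ACR_ID},
    # a control-plane role inherited from the resource group: more than a kubelet needs
    {"principalId": KUBELET_OBJECT_ID, "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
    # an unrelated principal, which the audit must ignore
    {"principalId": "00000000-0000-0000-0000-00000000bbbb", "roleDefinitionName": "AcrPush", "scope": ACR_ID},
]

# Roles that give the kubelet identity more than pull-only access to the registry
# (push/delete on the data plane, or management of the registry resource itself).
BROADER_THAN_PULL = {"AcrPush", "AcrDelete", "Contributor", "Owner"}


def scope_covers(assignment_scope, resource_id):
    """True if an assignment at `assignment_scope` applies to `resource_id`.
    Azure RBAC inherits downwards, so subscription and resource-group scopes
    cover every resource beneath them; comparison is case-insensitive."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def audit_kubelet_acr_access(assignments, kubelet_object_id, acr_id):
    """Return (can_pull, broader) for one kubelet identity against one ACR.
    can_pull: an AcrPull assignment covers the registry.
    broader:  list of (role, scope) pairs on the identity that exceed pull-only."""
    can_pull = False
    broader = []
    for a in assignments:
        if a["principalId"].lower() != kubelet_object_id.lower():
            continue
        if not scope_covers(a["scope"], acr_id):
            continue
        role = a["roleDefinitionName"]
        if role == "AcrPull":
            can_pull = True
        elif role in BROADER_THAN_PULL:
            broader.append((role, a["scope"]))
    return can_pull, broader


if __name__ == "__main__":
    ok, extra = audit_kubelet_acr_access(SAMPLE_ASSIGNMENTS, KUBELET_OBJECT_ID, ACR_ID)
    print("kubelet identity can pull from registry:", ok)
    for role, scope in extra:
        print(f"review: kubelet identity holds {role} at {scope}")
```

Replace `SAMPLE_ASSIGNMENTS` with the parsed JSON from the az command to audit a real cluster; an empty `broader` list and `can_pull == True` is the least-privilege outcome the answer describes.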