What is the expected way to integrate ACR to AKS?

10/17/2021

Looking for the best way to integrate ACR with AKS for a production environment. It seems there are multiple ways, like during installation, after installation, using a service principal, and using an image pull secret, etc.

So for our production environment I am looking for the most recommended option, where the requirements are as follows.

  • Is it mandatory to attach ACR during AKS creation itself?
  • What will be the advantage if we are integrating ACR along with the AKS installation itself? (It seems we don't need to pass the image pull secret in the pod spec in that case, and for the other options we need to.)
  • What is the other way to integrate ACR with AKS? Will the `az aks update` command help in this case? If yes, what will be the difference from the previous method where we integrated during AKS installation?
  • If I want to set up a secondary AKS cluster in another region, but need to connect to the geo-replicated instance of the primary ACR instance, how can I get it done? In this case is it mandatory to attach the ACR during AKS installation, or is it also fine to do it later, post installation?
-- Vowneee
azure-acr
azure-aks
azure-container-registry
kubernetes

1 Answer

10/18/2021

IMHO the best way is Azure RBAC. You don't need to attach the ACR while creating the AKS. You can leverage Azure RBAC and assign the role "AcrPull" to the kubelet identity of your node pool. This can be done for every ACR you have:

export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export ACR_ID=$(az acr show -g <resource group> -n <acr name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "AcrPull" --scope $ACR_ID

Terraform:

  resource "azurerm_role_assignment" "example" {
    scope                            = azurerm_container_registry.acr.id
    role_definition_name             = "AcrPull"
    principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  }
-- Philip Welz
Source: StackOverflow