There are several ways to set up the credential that Kubernetes uses to pull images from ACR. For example, you can use the admin user or a repository-scoped access token to configure the pod's imagePullSecrets. While imagePullSecrets is commonly used, it brings the challenge and overhead of managing the corresponding secret. On Azure, you can set up an AKS cluster with a service principal credential, which allows you to securely pull images from ACR without an additional imagePullSecrets setting on each pod.

Sometimes you may have your AKS and ACR in different Azure Active Directories (tenants). This document walks you through the steps to enable cross-tenant authentication using a service principal credential.
In this example, the AKS cluster is in Tenant A and the ACR is in Tenant B. Tenant A is also the service principal's home tenant.
You will need the Contributor role on the AKS subscription and the Owner role on the ACR subscription.
- Sign in to the Azure portal in Tenant A and go to the Azure Active Directory > App registrations blade to find the service principal's application object.
- Note the Application (client) ID (it will be used in step 2 and step 4).
- Choose the multitenant account type as shown in the following screenshot, and also note the redirect URL (it will be used in step 2).
- Create a client secret if one does not exist (it is IMPORTANT to use this client secret when you update AKS in step 4).
- Open the following link with the Tenant B admin account and accept the permission request.
https://login.microsoftonline.com/<ACR Tenant ID (Tenant B)>/oauth2/authorize?client_id=<Application (client) ID>&response_type=code&redirect_uri=<redirect url>
- Use the Application (client) ID and client secret collected in step 1 to update the AKS service principal credential.
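As an added example (not the page's own code), a POSIX shell script that assembles the step 2 consent link with the redirect URL percent-encoded, checks that the tenant and client IDs are well-formed GUIDs before they go into the link, and wraps the Azure CLI calls for the step 4 credential update. The placeholder IDs, the AKS resource group and cluster name, the registry resource ID, and the AcrPull role assignment on the registry in Tenant B (a step this excerpt does not show) are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own code: helpers for the cross-tenant AKS -> ACR setup.
# Constructed placeholder IDs; replace them with the values from the portal.
TENANT_B_ID="${TENANT_B_ID:-00000000-0000-0000-0000-00000000000b}"   # ACR tenant (Tenant B)
CLIENT_ID="${CLIENT_ID:-00000000-0000-0000-0000-0000000000aa}"       # Application (client) ID
REDIRECT_URL="${REDIRECT_URL:-https://example.com/callback}"          # from the app registration

# Percent-encode a string for use as a query parameter (ASCII input).
urlencode() {
  s="$1"
  while [ -n "$s" ]; do
    rest="${s#?}"; c="${s%"$rest"}"          # peel off the first character
    case "$c" in
      [A-Za-z0-9.~_-]) printf '%s' "$c" ;;
      *) printf '%%%02X' "'$c" ;;            # ASCII code of the character
    esac
    s="$rest"
  done
}

# Reject values that are not GUIDs, e.g. when the tenant and client IDs were swapped.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step 2: consent link for the Tenant B admin, same shape as the page's link, with the
# redirect URL percent-encoded so it survives the query string intact.
build_consent_url() {
  is_guid "$1" && is_guid "$2" || return 1
  printf 'https://login.microsoftonline.com/%s/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s' \
    "$1" "$2" "$(urlencode "$3")"
}

# Step 4: point the AKS cluster at the multitenant service principal (az login in Tenant A).
update_aks_credential() {
  az aks update-credentials --resource-group "$AKS_RESOURCE_GROUP" --name "$AKS_NAME" \
    --reset-service-principal --service-principal "$CLIENT_ID" --client-secret "$CLIENT_SECRET"
}

# Assumed step the excerpt does not show: grant AcrPull on the registry (az login in Tenant B).
grant_acr_pull() {
  az role assignment create --assignee "$CLIENT_ID" --role AcrPull --scope "$ACR_RESOURCE_ID"
}

case "${1:-}" in
  acr) grant_acr_pull ;;
  aks) update_aks_credential ;;
  *)   build_consent_url "$TENANT_B_ID" "$CLIENT_ID" "$REDIRECT_URL"; echo ;;
esac
```

Run it with no argument to print the consent link for the Tenant B admin; `acr` and `aks` run the Azure CLI steps after signing in to the matching tenant.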