Reputation: 720
I want to have a zero-trust infrastructure, so I need to have aks and acr completely independent and just have a connection for pulling the images. I created a private aks through the azure portal (assigned a specific vnet to it), and created a private acr too (without a service principal). Then I added the acrPull role for aks in the acr access roles, and after that I added private access through the networking part of acr between them. Unfortunately, when I try the az aks check-acr command it returns:
Validating image pull permission: FAILED
[2022-01-19T14:00:37Z] ACR containerregistrymaryam.azurecr.io rejected token exchange: ACR token exchange endpoint returned error status: 403. body:
The current state of permissions and connection is as below:
If you have any clue for me please let me know, thanks!
Upvotes: 0
Views: 1588
Reputation: 2817
You need to assign the role AcrPull to the Kubelet Identity of your node pool and not to the AKS Identity:
# object id of the kubelet (node pool) identity, the principal that actually pulls images
export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
# full resource id of the registry, used as the scope of the role assignment
export ACR_ID=$(az acr show -g <resource group> -n <acr name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "AcrPull" --scope $ACR_ID
Upvotes: 1
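An added example (not from the answer above or from Azure) that checks which principal holds AcrPull on the registry, distinguishing the cluster identity (identity.principalId) from the kubelet identity (identityProfile.kubeletidentity.objectId) and honouring RBAC scope inheritance; the JSON is a constructed, trimmed imitation of az aks show / az role assignment list output with hypothetical IDs.

```python
import json

# Constructed, trimmed `az aks show -o json` output with hypothetical IDs.
AKS_SHOW = json.loads("""{
  "identity": {"type": "SystemAssigned",
               "principalId": "11111111-1111-1111-1111-111111111111"},
  "identityProfile": {"kubeletidentity": {
      "clientId": "22222222-2222-2222-2222-222222222222",
      "objectId": "33333333-3333-3333-3333-333333333333"}}
}""")

# Hypothetical registry resource id, as returned by `az acr show --query id`.
ACR_ID = ("/subscriptions/sub/resourceGroups/rg/providers/"
          "Microsoft.ContainerRegistry/registries/containerregistrymaryam")

# Constructed `az role assignment list -o json` output reproducing the mistake in the
# question: AcrPull granted to the cluster identity, not to the kubelet identity.
ROLE_ASSIGNMENTS = json.loads("""[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "AcrPull",
   "scope": "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ContainerRegistry/registries/containerregistrymaryam"}
]""")


def kubelet_object_id(aks):
    return aks["identityProfile"]["kubeletidentity"]["objectId"]


def cluster_principal_id(aks):
    return aks["identity"]["principalId"]


def scope_covers(assignment_scope, resource_id):
    # Azure RBAC inherits downwards: an assignment at subscription or resource group
    # scope also applies to the registry. Resource ids are compared case-insensitively.
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower()
    return r == a or r.startswith(a + "/")


def acr_pull_principals(assignments, acr_id):
    return {x["principalId"] for x in assignments
            if x["roleDefinitionName"] == "AcrPull" and scope_covers(x["scope"], acr_id)}


def diagnose(aks, assignments, acr_id):
    pullers = acr_pull_principals(assignments, acr_id)
    if kubelet_object_id(aks) in pullers:
        return "ok"
    if cluster_principal_id(aks) in pullers:
        return "acrpull-on-cluster-identity"  # the 403 in the question
    return "no-acrpull"
```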