
How to pull images only from a specified namespace using ACR Basic


I am working on a shared AKS cluster, where multiple teams work on the same cluster and each team has its own ACR.

I want to find a way to allow an ACR to be pulled from a specified namespace only.

Currently, the only way I have thought of is an expensive one:

  • Using the ACR Premium tier to enable the scope-map feature, and creating a token for authentication in the pull secret.

Or, if someone knows how to pull an image using a service principal with the AcrPull role, please tell me.

Thank you.


Solution

  • I have found the solution without changing the ACR pricing tier, by using only the service principal to access the target ACR.

    Solution

    1. Create the service principal and assign it the AcrPull role.

    2. After that, create a Kubernetes secret in your namespace to pull the image via imagePullSecrets:

      kubectl create secret docker-registry <secret-name> \
          --namespace <namespace> \
          --docker-server=<container-registry-name>.azurecr.io \
          --docker-username=<service-principal-ID> \
          --docker-password=<service-principal-password>
      

    reference
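
The two steps in the answer above as one script, added here as an example and not part of the original answer: it scopes the AcrPull role assignment to a single registry, stores the credentials as a pull secret in one namespace, and adds a check that the principal holds no other role assignment. The function names and the patch of the namespace's default service account are assumptions of this example; registry, namespace, secret and principal names are arguments you supply.

```shell
#!/bin/sh
# Added example, not from the original post. All arguments are placeholders you supply.
# Requires a logged-in az CLI and a kubectl context pointing at the AKS cluster.

# usage: setup_namespace_pull <acr-name> <namespace> <secret-name> <sp-display-name>
setup_namespace_pull() {
    acr_name=$1 namespace=$2 secret_name=$3 sp_name=$4
    acr_id=$(az acr show --name "$acr_name" --query id --output tsv) || return 1
    # Scope the role assignment to this registry's resource ID only, so the
    # principal cannot pull from the other teams' registries.
    sp_password=$(az ad sp create-for-rbac --name "$sp_name" --scopes "$acr_id" \
        --role AcrPull --query password --output tsv) || return 1
    sp_app_id=$(az ad sp list --display-name "$sp_name" \
        --query "[].appId" --output tsv) || return 1
    # The secret exists only in $namespace; pods elsewhere cannot reference it.
    kubectl create secret docker-registry "$secret_name" \
        --namespace "$namespace" \
        --docker-server="${acr_name}.azurecr.io" \
        --docker-username="$sp_app_id" \
        --docker-password="$sp_password" || return 1
    # Attach it to the namespace's default service account so its pods use it
    # without listing imagePullSecrets in every pod spec.
    kubectl patch serviceaccount default --namespace "$namespace" \
        -p "{\"imagePullSecrets\":[{\"name\":\"$secret_name\"}]}"
}

# usage: audit_pull_sp <app-id> <acr-resource-id>
# Returns non-zero if the principal holds any role assignment other than
# AcrPull on this one registry (resource IDs compare case-insensitively).
audit_pull_sp() {
    app_id=$1 acr_id=$2
    extra=$(az role assignment list --assignee "$app_id" --all \
        --query "[].[roleDefinitionName, scope]" --output tsv |
        awk -F'\t' -v id="$acr_id" '$1 != "AcrPull" || tolower($2) != tolower(id)') || return 1
    [ -z "$extra" ]
}

# Run the setup only when called with all four arguments.
if [ "$#" -eq 4 ]; then setup_namespace_pull "$@"; fi
```

Anyone who can read secrets in the namespace can recover the service principal password, so restrict secret access there with RBAC and rotate the credential when team membership changes.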