Kubernetes Secret

ACR_NAME=youracrname.azurecr.io
ACR_UNAME=$()
ARC_MAIL=$()
RG_NAME=your_resource_group_name
ACR_PASSWD=$()

- with different parameters

ACR_NAME=youruniquename.azurecr.io
# assumes ACR Admin Account is enabled
ACR_UNAME=$(az acr credential show -n "$ACR_NAME" --query="username" -o tsv)
ACR_PASSWD=$(az acr credential show -n "$ACR_NAME" --query="passwords[0].value" -o tsv)
kubectl create secret docker-registry acr-secret \
  --docker-server="$ACR_NAME" \
  --docker-username="$ACR_UNAME" \
  --docker-password="$ACR_PASSWD" \
  --docker-email="$ARC_MAIL"

- as a single .dockerconfigjson secret
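
# "auth" is base64("username:password"); ACR_NAME already ends in .azurecr.io
ACR_AUTH=$(printf '%s:%s' "$ACR_UNAME" "$ACR_PASSWD" | base64 | tr -d '\n')
kubectl create secret generic acr-secret \
  --type=kubernetes.io/dockerconfigjson \
  --from-literal=.dockerconfigjson="{\"auths\":{\"https://$ACR_NAME\":{\"username\":\"$ACR_UNAME\",\"password\":\"$ACR_PASSWD\",\"email\":\"$ARC_MAIL\",\"auth\":\"$ACR_AUTH\"}}}" \
  -n dops-production-it-test
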
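An added example, not from the original page: the command above assembles the JSON by shell interpolation, so a password containing a quote or backslash yields an invalid .dockerconfigjson. This Python script builds the same Secret with proper JSON escaping and both base64 layers, then decodes it again to check the auth field; the function names and sample values are assumptions constructed for illustration.

```python
import base64
import json


def build_pull_secret(name, namespace, server, username, password, email=""):
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    # Inner layer: "auth" is base64("username:password").
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    # json.dumps escapes quotes and backslashes that break shell interpolation.
    docker_config = json.dumps({"auths": {server: entry}}, separators=(",", ":"))
    # Outer layer: values under "data" are base64 of the raw bytes.
    encoded = base64.b64encode(docker_config.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": encoded},
    }


def read_pull_secret(manifest):
    """Decode a manifest to {server: (username, password)}, checking 'auth'."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    creds = {}
    for server, entry in json.loads(raw)["auths"].items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        if (user, pw) != (entry["username"], entry["password"]):
            raise ValueError(f"auth field does not match credentials for {server}")
        creds[server] = (user, pw)
    return creds


if __name__ == "__main__":
    # Constructed sample values; the password contains characters that would
    # corrupt a JSON string assembled by shell variable interpolation.
    secret = build_pull_secret(
        "acr-secret", "dops-production-it-test", "youracrname.azurecr.io",
        "youracrname", 'p"ss\\w:rd$1', "dev@example.com",
    )
    print(json.dumps(secret, indent=2))
```

The printed JSON is a valid manifest and can be piped to `kubectl apply -f -`.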
Use the secret

apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
spec:
  containers:
    - name: sample-pod-container
      image: youruniquename.azurecr.io/sample-container:0.0.1
  imagePullSecrets:
    - name: acr-secret

Although integration is fairly easy, developers have to specify the imagePullSecrets property explicitly in every Pod.

Service Account

kubectl create secret docker-registry acr-secret \
  --docker-server="$ACR_NAME" \
  --docker-username="$ACR_UNAME" \
  --docker-password="$ACR_PASSWD" \
  --docker-email="$ARC_MAIL"

The ServiceAccount references the Secret by its name:

# ServiceAccount names must be lowercase DNS subdomain names, so
# "SampleAccount" would be rejected; sample-account is used instead.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sample-account
  namespace: default
imagePullSecrets:
  - name: acr-secret

Developers specify their Pod to run in the context of the previously generated ServiceAccount. Kubernetes will read the imagePullSecrets configuration from the underlying ServiceAccount.

apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
spec:
  containers:
    - name: sample-pod-container
      image: youracrname.azurecr.io/sample-container:0.0.1
  serviceAccountName: sample-account

Azure Active Directory Service Principal
Last but not least, you can leverage the Azure Active Directory to integrate both services. When using this strategy, integration happens outside of Kubernetes itself. Azure will assign required access policies to the underlying Service Principal (SP) to pull images from the specified instance of Azure Container Registry.
az aks update -n $AKS_NAME -g $RG_NAME \
--attach-acr $(az acr show -n $ACR_NAME --query "id" -o tsv)
or, for a new AKS cluster:
az aks create -n $AKS_NAME -g $RG_NAME \
--generate-ssh-keys \
--attach-acr $(az acr show -n $ACR_NAME --query "id" -o tsv)