| title | description | ms.topic | author | ms.author | ms.date |
|---|---|---|---|---|---|
Scenarios to authenticate with Azure Container Registry from Kubernetes |
Overview of options and scenarios to authenticate to an Azure container registry from a Kubernetes cluster to pull container images |
article |
dlepow |
danlep |
09/20/2021 |
You can use an Azure container registry as a source of container images for Kubernetes, including clusters you manage, managed clusters hosted in Azure Kubernetes Service (AKS) or other clouds, and "local" Kubernetes configurations such as minikube and kind.
To pull images to your Kuberentes cluster from an Azure container registry, an authentication and authorization mechanism needs to be established. Depending on your cluster environment, choose one of the following methods:
| Kubernetes cluster | Authentication method | Description | Example |
|---|---|---|---|
| AKS cluster | AKS managed identity | Enable the AKS kubelet managed identity to pull images from an attached Azure container registry. Registry and cluster must be in same Active Directory tenant but can be in the same or a different Azure subscription. |
Authenticate with Azure Container Registry from Azure Kubernetes Service |
| AKS cluster | AKS service principal | Enable the AKS service principal with permissions to a target Azure container registry. Registry and cluster can be in the same or a different Azure subscription or Azure Active Directory tenant. |
Pull images from an Azure container registry to an AKS cluster in a different AD tenant |
| Kubernetes cluster other than AKS | Pod imagePullSecrets | Use general Kubernetes mechanism to manage registry credentials for pod deployments. Configure AD service principal, repository-scoped token, or other supported registry credentials. |
Pull images from an Azure container registry to a Kubernetes cluster using a pull secret |
- Learn more about how to authenticate with an Azure container registry