How to Use AKS with ACR: Simple Steps to Connect Azure Kubernetes Service with Azure Container Registry
To use
AKS with ACR, you must grant your AKS cluster permission to pull images from your ACR by attaching the ACR to the AKS service principal or managed identity. Then, configure your Kubernetes deployments to reference container images stored in your ACR using the full registry login server name.Syntax
Here is the basic syntax to connect AKS with ACR using Azure CLI commands:
az aks update --name <aks-cluster-name> --resource-group <resource-group> --attach-acr <acr-name>: Grants AKS permission to pull images from ACR.image: <acr-login-server>/<repository>:<tag>: Specifies the container image in Kubernetes manifests.
bash and yaml
az aks update --name myAKSCluster --resource-group myResourceGroup --attach-acr myACR # Kubernetes deployment snippet apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 1 selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: myapp image: myacr.azurecr.io/myapp:v1 ports: - containerPort: 80
Example
This example shows how to connect an AKS cluster to an ACR and deploy a pod using an image from that ACR.
bash and yaml
# Step 1: Attach ACR to AKS az aks update --name myAKSCluster --resource-group myResourceGroup --attach-acr myACR # Step 2: Create a Kubernetes deployment YAML file (deployment.yaml) apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: myacr.azurecr.io/nginx:latest ports: - containerPort: 80 # Step 3: Apply the deployment kubectl apply -f deployment.yaml # Step 4: Verify the pod is running kubectl get pods
Output
deployment.apps/nginx-deployment created
NAME READY STATUS RESTARTS AGE
nginx-deployment-xxxxxxxxxx-xxxxx 1/1 Running 0 30s
Common Pitfalls
Common mistakes when using AKS with ACR include:
- Not attaching the ACR to the AKS cluster, causing image pull errors.
- Using the wrong ACR login server name in the image reference.
- Forgetting to update Kubernetes manifests after changing image tags.
- Not having proper Azure role assignments for AKS to access ACR.
Always verify the AKS cluster has the acrpull role on the ACR resource.
bash
## Wrong: Missing ACR attachment kubectl apply -f deployment.yaml # Error: ImagePullBackOff ## Right: Attach ACR before deployment az aks update --name myAKSCluster --resource-group myResourceGroup --attach-acr myACR kubectl apply -f deployment.yaml
Quick Reference
| Command / Concept | Description |
|---|---|
| az aks update --attach-acr | Grants AKS permission to pull images from ACR |
| ACR login server | Used in image references, e.g., myacr.azurecr.io/myimage:tag |
| kubectl apply -f | Deploys Kubernetes manifests using images from ACR |
| Role assignment | AKS needs 'acrpull' role on ACR for image access |
Key Takeaways
Attach your ACR to your AKS cluster using 'az aks update --attach-acr' to allow image pulls.
Use the full ACR login server name in your Kubernetes image references.
Verify AKS has the 'acrpull' role assigned on your ACR to avoid image pull errors.
Update Kubernetes manifests with correct image tags after pushing new images to ACR.
Check pod status with 'kubectl get pods' to confirm successful deployment.