How to validate if AKS pod pulled image from ACR using an MSI?

Shrutika Gamare 0 Reputation points Microsoft Employee
2024-04-08T22:06:52.14+00:00

I have to move away from using an SPN to pull images from our private ACR and switch to MSI.

Our AKS cluster has the necessary MSIs and the AcrPull role assigned to the sub where the ACR lives.
How can I validate that the image pull happens using the MSI, and not the SPN that was previously set up?

Azure Kubernetes Service (AKS)

1 answer

  1. Adeboye Famurewa 0 Reputation points Microsoft Employee
    2024-04-09T00:55:50.91+00:00

    Hello @Shrutika Gamare

    1. Verify that the managed identity exists and is correctly configured for the resource you are trying to access.
    2. Ensure that the managed identity has the necessary permissions to access the requested resource. You may need to grant the appropriate role or access control permissions to the managed identity.
    3. Validate that ACR is accessible to AKS:

        az aks check-acr --name MyManagedCluster --resource-group MyResourceGroup --acr myacr.azurecr.io

    See image below.

    User's image

    Please let me know if this helps in any way.

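The checks discussed in this thread can be combined into one function, shown here as an added example that is not part of the original question or answer. It assumes the old SPN was either the cluster's own identity or was stored in a Kubernetes `imagePullSecrets` secret (the thread does not say which); the function name and its arguments are hypothetical, and it needs `az` and `kubectl` logged in to the cluster.

```shell
# Added example, not from the original thread.
# Usage: check_acr_pull_identity MyResourceGroup MyManagedCluster myacr
check_acr_pull_identity() {
    rg=$1; cluster=$2; acr=$3; rc=0

    # Managed-identity clusters report the literal string "msi" here;
    # an SPN-based cluster reports the service principal's app ID.
    sp=$(az aks show -g "$rg" -n "$cluster" \
        --query servicePrincipalProfile.clientId -o tsv)
    if [ "$sp" = "msi" ]; then
        echo "OK   cluster identity is a managed identity"
    else
        echo "FAIL cluster identity is service principal $sp"; rc=1
    fi

    # The kubelet identity is the one the nodes present to ACR.
    # --include-inherited also counts an AcrPull granted at subscription scope.
    kubelet=$(az aks show -g "$rg" -n "$cluster" \
        --query identityProfile.kubeletidentity.objectId -o tsv)
    acr_id=$(az acr show -n "$acr" --query id -o tsv)
    n=$(az role assignment list --assignee "$kubelet" --scope "$acr_id" \
        --include-inherited \
        --query "length([?roleDefinitionName=='AcrPull'])" -o tsv)
    if [ "${n:-0}" -ge 1 ]; then
        echo "OK   kubelet identity $kubelet has AcrPull on $acr"
    else
        echo "FAIL kubelet identity has no AcrPull on $acr"; rc=1
    fi

    # Assumption: a leftover SPN credential would live in an imagePullSecrets
    # secret. Pods that reference one can still authenticate with it.
    pods=$(kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.imagePullSecrets[*].name}{"\n"}{end}' \
        | awk -F'\t' '$2 != ""')
    if [ -z "$pods" ]; then
        echo "OK   no pod references imagePullSecrets"
    else
        echo "FAIL pods still referencing imagePullSecrets:"; echo "$pods"; rc=1
    fi
    return $rc
}
```

A zero exit status means all three checks passed; any `FAIL` line names the path through which the old SPN could still be in use.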
