Use Azure Container Registry with Azure Red Hat OpenShift (ARO)

Azure Container Registry (ACR) is a managed container registry service that you can use to store private Docker container images with enterprise capabilities such as geo-replication. To access the ACR from an ARO cluster, the cluster can authenticate with ACR by storing Docker login credentials in a Kubernetes secret. Likewise, an ARO cluster can use an imagePullSecret in the pod spec to authenticate against the registry when pulling the image. In this article, you'll learn how to set up an Azure Container Registry with an Azure Red Hat OpenShift cluster to store and pull private Docker container images.


This guide assumes that you have an existing Azure Container Registry. If you do not, use the Azure portal or Azure CLI instructions to create a container registry.

This article also assumes that you have an existing Azure Red Hat OpenShift cluster and have the oc CLI installed. If not, follow instructions in the Create ARO cluster tutorial.

Get a pull secret

You'll need a pull secret from ACR to access the registry from your ARO cluster.

To get your pull secret credentials, you can use either the Azure portal or the Azure CLI.

If using the Azure portal, navigate to your ACR instance, and select Access Keys. Your docker-username is the name of your container registry, use either password or password2 for docker-password.

Access Keys

Instead, you can use the Azure CLI to get these credentials:

az acr credential show -n <your registry name>

Create the Kubernetes secret

Now, we'll use these credentials to create a Kubernetes secret. Execute the following command with your ACR credentials:

oc create secret docker-registry \
    --docker-server=<your registry name> \
    --docker-username=<your registry name> \
    --docker-password=******** \
    --docker-email=unused \


This secret will be stored in the current OpenShift Project (Kubernetes Namespace) and will only be referenceable by pods created in that Project. See this document for further instructions on creating a cluster wide pull secret.

Next, link the secret to the service account that will be used by the pod, so the pod can reach the container registry. The name of the service account should match the name of the service account used by the pod. default is the default service account:

oc secrets link default <pull_secret_name> --for=pull

Create a pod using a private registry image

Now that we've connected your ARO cluster to your ACR, let's pull an image from your ACR to create a pod.

Start with a podSpec and specify the secret you created as an imagePullSecret:

apiVersion: v1
kind: Pod
  name: hello-world
  - name: hello-world
    image: <your registry name>
  - name: acr-secret

To test that your pod is up and running, execute this command and wait until the status is Running:

$ oc get pods --watch
hello-world  1/1     Running   0          30s

Next steps