Scenarios to authenticate with Azure Container Registry from Kubernetes
You can use an Azure container registry as a source of container images for Kubernetes, including clusters you manage, managed clusters hosted in Azure Kubernetes Service (AKS) or other clouds, and "local" Kubernetes configurations such as minikube and kind.
To pull images to your Kubernetes cluster from an Azure container registry, an authentication and authorization mechanism needs to be established. Depending on your cluster environment, choose one of the following methods:
Scenarios
Kubernetes cluster | Authentication method | Description | Example |
---|---|---|---|
AKS cluster | AKS managed identity | Enable the AKS kubelet managed identity to pull images from an attached Azure container registry. Registry and cluster must be in same Active Directory tenant but can be in the same or a different Azure subscription. |
Authenticate with Azure Container Registry from Azure Kubernetes Service |
AKS cluster | AKS service principal | Enable the AKS service principal with permissions to a target Azure container registry. Registry and cluster can be in the same or a different Azure subscription or Microsoft Entra tenant. |
Pull images from an Azure container registry to an AKS cluster in a different AD tenant |
Kubernetes cluster other than AKS | Pod imagePullSecrets | Use general Kubernetes mechanism to manage registry credentials for pod deployments. Configure AD service principal, repository-scoped token, or other supported registry credentials. |
Pull images from an Azure container registry to a Kubernetes cluster using a pull secret |
Next steps
- Learn more about how to authenticate with an Azure container registry