How can we bind AKS cluster to our own Azure Container Registry?
We wanted to make sure an adversary cannot spin-off a rogue pod in our cluster.
@PorscheMe-6235 , Thank you for your question.
Assuming that you want to integrate your AKS cluster with your own Azure Container Registry and ensure that images from this registry only can be used to create pods on the aforementioned AKS cluster, you can:
Use the built-in Azure Policy for Kubernetes "Kubernetes cluster containers should only use allowed images". You can find the policy json (GitHub version 6.1.0) here.
Description: Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Effects: audit, deny, disabled
For more information please check this document. For how-to on enforcing Azure Policy for Kubernetes please check out this document.
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
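Added example (not part of the original answer) of applying the policy described above: it enables the Azure Policy add-on, assigns the built-in policy with effect deny and an allowed-registry regex scoped to one ACR, and checks a few constructed image references against that regex locally. The registry, cluster and resource-group names and the policy definition id are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: restrict AKS pod images to a single Azure Container Registry
# via the built-in policy "Kubernetes cluster containers should only use
# allowed images". All names below are placeholders (assumptions).

ACR_NAME="myregistry"                  # assumed ACR name (myregistry.azurecr.io)
RESOURCE_GROUP="my-rg"                 # assumed resource group of the cluster
CLUSTER_NAME="my-aks"                  # assumed AKS cluster name
POLICY_DEF_ID="<policy-definition-id>" # copy from the built-in policy definition

# Anchored regex for the allowedContainerImagesRegex parameter. Dots are
# matched with [.] so the pattern needs no backslashes inside JSON, and the
# trailing "/" after the hostname keeps a lookalike host such as
# myregistry.azurecr.io.example from matching.
ACR_REGEX="^${ACR_NAME}[.]azurecr[.]io/.+$"

# Local mirror of what the policy evaluates: does an image reference match
# the allowed-registry regex? Returns 0 when allowed, 1 otherwise.
image_allowed() {
    printf '%s\n' "$1" | grep -Eq "$ACR_REGEX"
}

# Enable the policy add-on and assign the policy with effect=deny so pods
# using images from other registries are rejected at admission.
# Requires a logged-in az CLI; not invoked by the dry run below.
assign_policy() {
    SCOPE=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" --query id -o tsv)
    az aks enable-addons -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" --addons azure-policy
    az policy assignment create \
        --name "only-${ACR_NAME}-images" \
        --scope "$SCOPE" \
        --policy "$POLICY_DEF_ID" \
        --params "{\"effect\":{\"value\":\"deny\"},
                   \"allowedContainerImagesRegex\":{\"value\":\"${ACR_REGEX}\"}}"
}

# Dry run over constructed image references (no Azure call is made).
for img in \
    "${ACR_NAME}.azurecr.io/app/web:1.2.3" \
    "${ACR_NAME}.azurecr.io/app/web@sha256:<constructed-digest>" \
    "docker.io/library/nginx:latest" \
    "${ACR_NAME}.azurecr.io.example/app/web:1.2.3"; do
    if image_allowed "$img"; then echo "allow $img"; else echo "deny  $img"; fi
done
```

Run `assign_policy` once the placeholders are filled in; the add-on needs a few minutes before the assignment is enforced on the cluster.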