Integrating Azure Container Registry with Azure Kubernetes Service Securely

Overview

In this guide, we will explore how to integrate a private Azure Container Registry (ACR) with Azure Kubernetes Service (AKS).

Azure Container Registry allows you to build, store, and manage container images and artifacts in a private registry for all types of container deployments.

Azure Kubernetes Service lets you quickly deploy a production-ready, managed Kubernetes cluster in Azure.

Objectives

By the end of this guide you will have accomplished the following:

  • Create an Azure Container Registry
  • Push images to Azure Container Registry
  • Create an Azure Kubernetes Service cluster
  • Grant the cluster pull access to the registry with least privilege
  • Deploy a sample service that pulls its image from the registry

Prerequisites

  • An Azure account with an active subscription. If you do not have one, you can create a free Azure account.

Task 1 - Create an Azure Container Registry

  1. Sign in to the Azure portal.
  2. Open Cloud Shell from the top menu bar. If prompted, select Bash and Create storage.
  3. Run the following to create the resource group:
     rg_name="secured-rg"
     rg_location="eastus"
     az group create --name $rg_name --location $rg_location
  4. Run the following to create the Azure Container Registry (ACR) instance. The registry name must be globally unique and consist of 5 to 50 alphanumeric characters; $RANDOM appends a number so the name does not collide with an existing registry. The Basic SKU is sufficient for this exercise; restricting network access to the registry (firewall rules or private endpoints) requires the Premium SKU.
     acr_name="securedacr$RANDOM"
     az acr create --resource-group $rg_name --name $acr_name --sku Basic
  5. Verify that the registry was created:
     az acr list --resource-group $rg_name -o table

Task 2 - Push images to Azure Container Registry

  1. In the Cloud Shell, run the following to create a Dockerfile for the image:
     echo "FROM nginx:alpine" | tee Dockerfile
  2. Build the image with ACR Tasks and push it to the registry created in Task 1. The build runs inside Azure, so no local Docker daemon is needed:
     az acr build --image web/nginx:v1 --registry $acr_name --file Dockerfile .
  3. Close the Cloud Shell. In the Azure portal, open the secured-rg resource group.
  4. Select the ACR instance. On the container registry blade, click Repositories in the Services section.
  5. You will see a repository named web/nginx. Click on it.
  6. The v1 tag identifies the image version. Click on v1 to see the manifest and note the digest (sha256:...) shown there. A tag is mutable and can later be pointed at a different image, whereas the digest identifies exactly one image, so production deployments should reference the image by digest rather than by tag.

Task 3 - Create an Azure Kubernetes Service Cluster

  1. In the Azure portal, type Kubernetes Service in the top search bar and open it.
  2. Click + Add and select + Add Kubernetes cluster from the drop-down.
  3. On the Basics tab, specify the following settings and keep the defaults for the others:
     Setting                  Value
     Subscription             the name of your Azure subscription
     Resource group           secured-rg
     Kubernetes cluster name  secured-aks
     Region                   (US) East US
     Availability zones       None
     Node count               1
  4. Click Next: Node Pools, specify the following settings and keep the defaults for the others:
     Setting                  Value
     Enable virtual nodes     false
     VM scale sets            false
  5. On the Networking tab, specify the following settings and keep the defaults for the others:
     Setting                  Value
     Network configuration    Azure CNI
     DNS name prefix          any valid, globally unique DNS host name
  6. On the Integrations tab, set Container monitoring to Disabled.
  7. Click Review + Create and then click Create.
  8. Once the cluster is deployed, open a Bash session in the Cloud Shell and run the following to merge the cluster credentials into ~/.kube/config. The variables name the resource group and cluster created above:
     rg_name="secured-rg"
     aks_name="secured-aks"
     az aks get-credentials --resource-group $rg_name --name $aks_name
  9. List the nodes to confirm that kubectl can reach the cluster:
     kubectl get nodes

Task 4 - Grant AKS Access to ACR & Manage Virtual Network

  1. Open a Bash session in the Cloud Shell and run the following to grant the cluster pull access to the registry:
     rg_name="secured-rg"
     # Assumes the resource group holds exactly one registry, the one created in Task 1
     acr_name="$(az acr list --resource-group $rg_name --query '[0].name' --output tsv)"
     aks_name="secured-aks"
     az aks update -n $aks_name -g $rg_name --attach-acr $acr_name

     --attach-acr assigns the built-in AcrPull role, scoped to this registry only, to the cluster's kubelet managed identity, which is the identity the nodes use when pulling images. AcrPull is read-only: the cluster can pull images but cannot push or delete them, and no registry password or imagePullSecret has to be stored in the cluster. Creating the role assignment requires that your own account holds Owner or User Access Administrator rights on the registry.

  2. Grant the cluster's control-plane managed identity the Network Contributor role on its virtual network. With Azure CNI the cluster must create IP configurations and load-balancer rules in the VNet; Network Contributor is the narrowest built-in role that allows this, and the broader Contributor role is not needed. Note that this is a different identity from the kubelet identity used in the previous step. Run the following:
     # Take these values from the resource group; the portal names the VNet after the resource group
     rg_name="secured-rg"
     aks_name="secured-aks"
     vnet_name="secured-rg-vnet"

     vnet_id=$(az network vnet show --name $vnet_name --resource-group $rg_name --query id -o tsv)
     aks_managed_id=$(az aks show --name $aks_name --resource-group $rg_name --query identity.principalId -o tsv)
     az role assignment create --assignee $aks_managed_id --role "Network Contributor" --scope $vnet_id

     If the cluster uses a single subnet, the assignment can be scoped to that subnet's resource ID instead of the whole VNet.
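
The role assignments created in this task can be verified from the same Cloud Shell. The script below is an added example and not part of the original guide. Its live_assignments function uses az to list the role assignments held by the cluster's kubelet identity; that is the only part that needs an authenticated session. The audit itself works on plain "role<TAB>scope" lines and is exercised here against a constructed sample, so it runs offline. The subscription ID and registry name in the sample are made up, and the sample deliberately contains an over-broad Contributor assignment so that the failure path is shown.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: audit the kubelet identity's role
# assignments and confirm that AKS holds AcrPull on the registry and nothing
# broader. Only live_assignments() touches Azure; everything else works offline
# on "roleDefinitionName<TAB>scope" lines.

# Print "roleDefinitionName<TAB>scope" for every assignment held by the
# cluster's kubelet identity (the identity that pulls images). Needs an
# authenticated az CLI session, so the offline checks below do not call it.
live_assignments() {   # usage: live_assignments <resource_group> <aks_name>
  kubelet_oid=$(az aks show --resource-group "$1" --name "$2" \
      --query identityProfile.kubeletidentity.objectId -o tsv)
  az role assignment list --assignee "$kubelet_oid" --all \
      --query '[].[roleDefinitionName, scope]' -o tsv
}

# Constructed sample in the same format (values are made up): the AcrPull
# assignment that `az aks update --attach-acr` creates, plus an over-broad
# Contributor assignment at resource-group scope that the audit should flag.
SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ACR_ID="$SUB/resourceGroups/secured-rg/providers/Microsoft.ContainerRegistry/registries/securedacr12345"
sample_assignments() {
  printf 'AcrPull\t%s\n' "$SAMPLE_ACR_ID"
  printf 'Contributor\t%s/resourceGroups/secured-rg\n' "$SUB"
}

# audit_acr_access <acr_resource_id>   (reads "role<TAB>scope" lines on stdin)
# Prints one finding per assignment. Returns 0 only when AcrPull reaches the
# registry and no other assignment applies to it. AcrPull inherited from a
# resource group or subscription passes with a warning, since it also covers
# every other registry beneath that scope.
audit_acr_access() {
  # ARM resource IDs are case-insensitive, so compare lower-cased copies.
  acr_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  have_pull=0
  too_broad=0
  tab=$(printf '\t')
  while IFS="$tab" read -r role scope; do
    if [ -z "$role" ] || [ -z "$scope" ]; then continue; fi
    scope_lc=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    if [ "$scope_lc" = "$acr_lc" ]; then
      covers=exact
    else
      case "$acr_lc" in
        "$scope_lc"/*) covers=inherited ;;   # subscription or resource-group scope
        *)             covers=none ;;
      esac
    fi
    case "$role:$covers" in
      AcrPull:exact)     echo "OK    AcrPull scoped to the registry"; have_pull=1 ;;
      AcrPull:inherited) echo "WARN  AcrPull at $scope also covers every other registry under it"; have_pull=1 ;;
      *:none)            echo "INFO  $role at $scope does not affect the registry" ;;
      *)                 echo "FAIL  $role at $scope applies to the registry and is not AcrPull"; too_broad=1 ;;
    esac
  done
  if [ "$have_pull" -eq 0 ]; then
    echo "FAIL  no AcrPull assignment reaches the registry"
  fi
  if [ "$have_pull" -eq 1 ] && [ "$too_broad" -eq 0 ]; then return 0; else return 1; fi
}

# Live use from Cloud Shell after `az aks update --attach-acr` (assumes the
# variable names from Task 4):
#   acr_id=$(az acr show -g "$rg_name" -n "$acr_name" --query id -o tsv)
#   live_assignments "$rg_name" "$aks_name" | audit_acr_access "$acr_id"
```

Piping the constructed sample through the audit prints an OK line for the AcrPull assignment and a FAIL line for the resource-group Contributor assignment, and the function returns non-zero; once the Contributor assignment is removed it returns zero. The scope comparison treats an assignment at subscription or resource-group scope as applying to the registry because Azure RBAC is inherited downwards, which is exactly how an accidental Contributor on the resource group ends up giving the cluster push and delete rights on every registry in it.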

Task 5 - Deploy A Sample Service

  1. In the Bash session of the Cloud Shell, open the integrated editor:
     code nginx.yaml
  2. Paste the manifest below into the editor. Replace <ACRName> in the image property of the Deployment with the name of your ACR instance.
     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: nginx
     spec:
       replicas: 1
       selector:
         matchLabels:
           app: nginx
       strategy:
         rollingUpdate:
           maxSurge: 1
           maxUnavailable: 1
       minReadySeconds: 5
       template:
         metadata:
           labels:
             app: nginx
         spec:
           nodeSelector:
             "kubernetes.io/os": linux
           containers:
           - name: nginx
             image: <ACRName>.azurecr.io/web/nginx:v1 # Put the ACR name
             ports:
             - containerPort: 80
             resources:
               requests:
                 cpu: 250m
               limits:
                 cpu: 500m
     ---
     apiVersion: v1
     kind: Service
     metadata:
       name: nginx
     spec:
       type: LoadBalancer
       ports:
       - port: 80
       selector:
         app: nginx
  3. Apply the manifest to deploy nginx behind an external service:
     kubectl apply -f nginx.yaml
  4. Verify that the deployment succeeded and the pod reaches the Running state:
     kubectl get deployment
     kubectl get pods
     If the pod stays in ImagePullBackOff, the kubelet identity cannot pull from the registry: run kubectl describe pod on it to see the pull error and recheck Task 4.
  5. Get the details of the external service:
     kubectl get service nginx
  6. Take the value from the EXTERNAL-IP column and enter it in your browser. If the column shows <pending>, the public load balancer is still being provisioned; wait a minute and rerun the command. Note that a Service of type LoadBalancer exposes nginx to the internet on a public IP address.
  7. Ensure the Welcome to nginx! page displays.

Clean Up

Delete the resources when you are finished so you are not billed for them.

  1. Open the Cloud Shell, choose Bash (the commands below use Bash variable syntax) and run:
     rg_name="secured-rg"
     az group delete --name $rg_name --yes --no-wait

     Deleting the cluster also removes the node resource group (MC_secured-rg_secured-aks_eastus) that AKS created for the node VMs and load balancer.

Conclusion

You learned how to integrate a private Azure Container Registry with Azure Kubernetes Service using managed identities and least-privilege role assignments, with no registry credentials stored in the cluster. A sample application was deployed to validate that the integration works as expected and that AKS is able to pull the image from the ACR instance.