feat: Managed Identity support for Image Pull #240
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit e979e99.
helayoty
reviewed
Oct 4, 2023
|
@helayoty Is there any chance of getting this or a similar PR, which introduces managed identity support for pulling from ACRs, merged? |
Collaborator
Hi, Philip, we are very close to release Virtual Kubelet version 2 in AKS, which has resolved this problem. I don't think we will actively add new features to this repo anymore. VN2 has not been open sourced yet and it uses a completely different architecture in which a real kubelet is involved. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ability to use MI for image pulls
Overview:
Currently customers must pass in their ACR credentials to get container images pulled onto ACI. This introduces concerns from customers that the credentials may be compromised. Customers would like to be able to authenticate with ACR using an assigned managed identity.
ACI Support:
Specify the properties of Azure container registry by including the imageRegistryCredentials property in the container group definition.
ImageRegistryCredential
Prerequisites
• MI should have create resource permission on at least the Resource Group Level to be able to create an ACI Resource.
• MI should have “ACRPull” access on the ACR.
• Assign MI as Kubelet Identity on the AKS Cluster. Kubelet Identity is available on the nodepool VMSS as a user assigned identity, which is used for authorizing with ACI to create container groups.
Work Required
Validation
MI to authenticate image pull
Reference:
Deploy to ACR from ACR using MI: Deploy container image from Azure Container Registry using a managed identity - Azure Container Instances | Microsoft Docs
Attach ACR to AKS : Integrate Azure Container Registry with Azure Kubernetes Service - Azure Kubernetes Service | Microsoft Docs
MI with ACI: Enable managed identity in container group - Azure Container Instances | Microsoft Docs