Merge pull request #90534 from dlepow/authaks

American-Dipper · web-flow · commit 306e23c8daca · 2019-10-10T14:53:04.000-07:00
[ACR] Retire and redirect auth-aks article
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -9,7 +9,12 @@
       "source_path": "articles/azure-government/documentation-government-get-started-connect-with-vs.md",
       "redirect_url": "/azure/azure-government/documentation-government-welcome",
       "redirect_document_id": false
-    },
+    },    
+    {
+      "source_path": "articles/container-registry/container-registry-auth-aks.md",
+      "redirect_url": "/azure/aks/cluster-container-registry-integration",
+      "redirect_document_id": true
+    },    
     {
       "source_path": "articles/security/develop/security-code-analysis-install.md",
       "redirect_url": "/azure/security/develop/security-code-analysis-onboard",
diff --git a/articles/aks/TOC.yml b/articles/aks/TOC.yml
@@ -215,8 +215,6 @@
           href: azure-ad-integration.md
     - name: Use Kubernetes RBAC with Azure AD integration
       href: azure-ad-rbac.md
-    - name: Authenticate with ACR
-      href: ../container-registry/container-registry-auth-aks.md
       maintainContext: true
   - name: Monitoring and logging
     items:
diff --git a/articles/aks/jenkins-continuous-deployment.md b/articles/aks/jenkins-continuous-deployment.md
@@ -336,7 +336,7 @@ In this article, you learned how to use Jenkins as part of a CI/CD solution. AKS
 
 <!-- LINKS - internal -->
 [az-acr-list]: /cli/azure/acr#az-acr-list
-[acr-authentication]: ../container-registry/container-registry-auth-aks.md#grant-aks-access-to-acr
+[acr-authentication]: cluster-container-registry-integration.md
 [acr-quickstart]: ../container-registry/container-registry-get-started-azure-cli.md
 [aks-credentials]: /cli/azure/aks#az-aks-get-credentials
 [aks-quickstart]: kubernetes-walkthrough.md
diff --git a/articles/aks/kubernetes-service-principal.md b/articles/aks/kubernetes-service-principal.md
@@ -91,7 +91,7 @@ The following sections detail common delegations that you may need to make.
 
 ### Azure Container Registry
 
-If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions for your AKS cluster to read and pull images. The service principal of the AKS cluster must be delegated the *Reader* role on the registry. For detailed steps, see [Grant AKS access to ACR][aks-to-acr].
+If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the [az aks create][az-aks-create] or [az aks update][az-aks-update] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].
 
 ### Networking
 
@@ -175,6 +175,6 @@ For information on how to update the credentials, see [Update or rotate the cred
 [rbac-custom-role]: ../role-based-access-control/custom-roles.md
 [rbac-storage-contributor]: ../role-based-access-control/built-in-roles.md#storage-account-contributor
 [az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
-[aks-to-acr]: ../container-registry/container-registry-auth-aks.md?toc=%2fazure%2faks%2ftoc.json#grant-aks-access-to-acr
+[aks-to-acr]: cluster-container-registry-integration.md
 [update-credentials]: update-credentials.md
 [azure-ad-permissions]: ../active-directory/fundamentals/users-default-permissions.md
diff --git a/articles/aks/spark-job.md b/articles/aks/spark-job.md
@@ -329,7 +329,7 @@ Check out Spark documentation for more details.
 
 
 <!-- LINKS - internal -->
-[acr-aks]: https://docs.microsoft.com/azure/container-registry/container-registry-auth-aks
+[acr-aks]: cluster-container-registry-integration.md
 [acr-create]: https://docs.microsoft.com/azure/container-registry/container-registry-get-started-azure-cli
 [aks-quickstart]: https://docs.microsoft.com/azure/aks/
 [azure-cli]: https://docs.microsoft.com/cli/azure/?view=azure-cli-latest
diff --git a/articles/aks/tutorial-kubernetes-deploy-application.md b/articles/aks/tutorial-kubernetes-deploy-application.md
@@ -113,7 +113,7 @@ To see the application in action, open a web browser to the external IP address
 
 ![Image of Kubernetes cluster on Azure](media/container-service-kubernetes-tutorials/azure-vote.png)
 
-If the application didn't load, it might be due to an authorization problem with your image registry. To view the status of your containers, use the `kubectl get pods` command. If the container images can't be pulled, see [allow access to Container Registry with a Kubernetes secret](https://docs.microsoft.com/azure/container-registry/container-registry-auth-aks#access-with-kubernetes-secret).
+If the application didn't load, it might be due to an authorization problem with your image registry. To view the status of your containers, use the `kubectl get pods` command. If the container images can't be pulled, see [Authenticate with Azure Container Registry from Azure Kubernetes Service](cluster-container-registry-integration.md).
 
 ## Next steps
 
diff --git a/articles/aks/tutorial-kubernetes-deploy-cluster.md b/articles/aks/tutorial-kubernetes-deploy-cluster.md
@@ -18,8 +18,7 @@ ms.custom: mvc
 Kubernetes provides a distributed platform for containerized applications. With AKS, you can quickly create a production ready Kubernetes cluster. In this tutorial, part three of seven, a Kubernetes cluster is deployed in AKS. You learn how to:
 
 > [!div class="checklist"]
-> * Create a service principal for resource interactions
-> * Deploy a Kubernetes AKS cluster
+> * Deploy a Kubernetes AKS cluster that can authenticate to an Azure container registry
 > * Install the Kubernetes CLI (kubectl)
 > * Configure kubectl to connect to your AKS cluster
 
@@ -31,60 +30,19 @@ In previous tutorials, a container image was created and uploaded to an Azure Co
 
 This tutorial requires that you're running the Azure CLI version 2.0.53 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 
-## Create a service principal
-
-To allow an AKS cluster to interact with other Azure resources, an Azure Active Directory service principal is used. This service principal can be automatically created by the Azure CLI or portal, or you can pre-create one and assign additional permissions. In this tutorial, you create a service principal, grant access to the Azure Container Registry (ACR) instance created in the previous tutorial, then create an AKS cluster.
-
-Create a service principal using the [az ad sp create-for-rbac][] command. The `--skip-assignment` parameter limits any additional permissions from being assigned. By default, this service principal is valid for one year.
-
-```azurecli
-az ad sp create-for-rbac --skip-assignment
-```
-
-The output is similar to the following example:
-
-```
-{
-  "appId": "e7596ae3-6864-4cb8-94fc-20164b1588a9",
-  "displayName": "azure-cli-2018-06-29-19-14-37",
-  "name": "http://azure-cli-2018-06-29-19-14-37",
-  "password": "52c95f25-bd1e-4314-bd31-d8112b293521",
-  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db48"
-}
-```
-
-Make a note of the *appId* and *password*. These values are used in the following steps.
-
-## Configure ACR authentication
-
-To access images stored in ACR, you must grant the AKS service principal the correct rights to pull images from ACR.
-
-First, get the ACR resource ID using [az acr show][]. Update the `<acrName>` registry name to that of your ACR instance and the resource group where the ACR instance is located.
-
-```azurecli
-az acr show --resource-group myResourceGroup --name <acrName> --query "id" --output tsv
-```
-
-To grant the correct access for the AKS cluster to pull images stored in ACR, assign the `AcrPull` role using the [az role assignment create][] command. Replace `<appId`> and `<acrId>` with the values gathered in the previous two steps.
-
-```azurecli
-az role assignment create --assignee <appId> --scope <acrId> --role acrpull
-```
-
 ## Create a Kubernetes cluster
 
 AKS clusters can use Kubernetes role-based access controls (RBAC). These controls let you define access to resources based on roles assigned to users. Permissions are combined if a user is assigned multiple roles, and permissions can be scoped to either a single namespace or across the whole cluster. By default, the Azure CLI automatically enables RBAC when you create an AKS cluster.
 
-Create an AKS cluster using [az aks create][]. The following example creates a cluster named *myAKSCluster* in the resource group named *myResourceGroup*. This resource group was created in the [previous tutorial][aks-tutorial-prepare-acr]. Provide your own `<appId>` and `<password>` from the previous step where the service principal was created.
+Create an AKS cluster using [az aks create][]. The following example creates a cluster named *myAKSCluster* in the resource group named *myResourceGroup*. This resource group was created in the [previous tutorial][aks-tutorial-prepare-acr]. To allow an AKS cluster to interact with other Azure resources, an Azure Active Directory service principal is automatically created, since you did not specify one. Here, this service principal is [granted the right to pull images][container-registry-integration] from the Azure Container Registry (ACR) instance you created in the previous tutorial.
 
 ```azurecli
 az aks create \
     --resource-group myResourceGroup \
     --name myAKSCluster \
     --node-count 2 \
-    --service-principal <appId> \
-    --client-secret <password> \
-    --generate-ssh-keys
+    --generate-ssh-keys \
+    --attach-acr <acrName>
 ```
 
 After a few minutes, the deployment completes, and returns JSON-formatted information about the AKS deployment.
@@ -124,8 +82,7 @@ aks-nodepool1-12345678-0   Ready    agent   32m   v1.13.10
 In this tutorial, a Kubernetes cluster was deployed in AKS, and you configured `kubectl` to connect to it. You learned how to:
 
 > [!div class="checklist"]
-> * Create a service principal for resource interactions
-> * Deploy a Kubernetes AKS cluster
+> * Deploy a Kubernetes AKS cluster that can authenticate to an Azure container registry
 > * Install the Kubernetes CLI (kubectl)
 > * Configure kubectl to connect to your AKS cluster
 
@@ -149,3 +106,4 @@ Advance to the next tutorial to learn how to deploy an application to the cluste
 [az aks install-cli]: /cli/azure/aks#az-aks-install-cli
 [az aks get-credentials]: /cli/azure/aks#az-aks-get-credentials
 [azure-cli-install]: /cli/azure/install-azure-cli
+[container-registry-integration]: ./cluster-container-registry-integration.md
diff --git a/articles/aks/virtual-nodes-cli.md b/articles/aks/virtual-nodes-cli.md
@@ -63,7 +63,7 @@ Virtual Nodes functionality is heavily dependent on ACI's feature set. The follo
 * Init containers
 * [Host aliases](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)
 * [Arguments](../container-instances/container-instances-exec.md#restrictions) for exec in ACI
-* [Daemonsets](concepts-clusters-workloads.md#statefulsets-and-daemonsets) will not deploy pods to the virtual node
+* [DaemonSets](concepts-clusters-workloads.md#statefulsets-and-daemonsets) will not deploy pods to the virtual node
 * [Windows Server nodes (currently in preview in AKS)](windows-container-cli.md) are not supported alongside virtual nodes. You can use virtual nodes to schedule Windows Server containers without the need for Windows Server nodes in an AKS cluster.
 
 ## Launch Azure Cloud Shell
@@ -359,6 +359,7 @@ Virtual nodes are often one component of a scaling solution in AKS. For more inf
 [aks-github]: https://github.com/azure/aks/issues
 [virtual-node-autoscale]: https://github.com/Azure-Samples/virtual-node-autoscale
 [virtual-kubelet-repo]: https://github.com/virtual-kubelet/virtual-kubelet
+[acr-aks-secrets]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 
 <!-- LINKS - internal -->
 [azure-cli-install]: /cli/azure/install-azure-cli
@@ -379,4 +380,3 @@ Virtual nodes are often one component of a scaling solution in AKS. For more inf
 [aks-basic-ingress]: ingress-basic.md
 [az-provider-list]: /cli/azure/provider#az-provider-list
 [az-provider-register]: /cli/azure/provider#az-provider-register
-[acr-aks-secrets]: ../container-registry/container-registry-auth-aks.md#access-with-kubernetes-secret
diff --git a/articles/aks/virtual-nodes-portal.md b/articles/aks/virtual-nodes-portal.md
@@ -63,7 +63,7 @@ Virtual Nodes functionality is heavily dependent on ACI's feature set. The follo
 * Init containers
 * [Host aliases](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)
 * [Arguments](../container-instances/container-instances-exec.md#restrictions) for exec in ACI
-* [Daemonsets](concepts-clusters-workloads.md#statefulsets-and-daemonsets) will not deploy pods to the virtual node
+* [DaemonSets](concepts-clusters-workloads.md#statefulsets-and-daemonsets) will not deploy pods to the virtual node
 * [Windows Server nodes (currently in preview in AKS)](windows-container-cli.md) are not supported alongside virtual nodes. You can use virtual nodes to schedule Windows Server containers without the need for Windows Server nodes in an AKS cluster.
 
 ## Sign in to Azure
@@ -233,12 +233,12 @@ Virtual nodes are one component of a scaling solution in AKS. For more informati
 [aks-github]: https://github.com/azure/aks/issues]
 [virtual-node-autoscale]: https://github.com/Azure-Samples/virtual-node-autoscale
 [virtual-kubelet-repo]: https://github.com/virtual-kubelet/virtual-kubelet
+[acr-aks-secrets]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 
 <!-- LINKS - internal -->
 [aks-network]: ./networking-overview.md
 [az-aks-get-credentials]: /cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials
 [aks-hpa]: tutorial-kubernetes-scale.md
 [aks-cluster-autoscaler]: cluster-autoscaler.md
 [aks-basic-ingress]: ingress-basic.md
-[acr-aks-secrets]: ../container-registry/container-registry-auth-aks.md#access-with-kubernetes-secret
 [az-provider-list]: /cli/azure/provider#az-provider-list
diff --git a/articles/container-registry/TOC.yml b/articles/container-registry/TOC.yml
@@ -98,7 +98,7 @@
       - name: Authenticate from Azure Container Instances
         href: container-registry-auth-aci.md
       - name: Authenticate from Azure Kubernetes Service (AKS)
-        href: container-registry-auth-aks.md
+        href: ../aks/cluster-container-registry-integration.md
     - name: Roles and permissions
       href: container-registry-roles.md
     - name: Content trust
diff --git a/articles/container-registry/container-registry-auth-aci.md b/articles/container-registry/container-registry-auth-aci.md
@@ -53,7 +53,7 @@ You can find the preceding sample scripts for Azure CLI on GitHub, as well versi
 The following articles contain additional details on working with service principals and ACR:
 
 * [Azure Container Registry authentication with service principals](container-registry-auth-service-principal.md)
-* [Authenticate with Azure Container Registry from Azure Kubernetes Service (AKS)](container-registry-auth-aks.md)
+* [Authenticate with Azure Container Registry from Azure Kubernetes Service (AKS)](../aks/cluster-container-registry-integration.md)
 
 <!-- IMAGES -->
 
diff --git a/articles/container-registry/container-registry-auth-aks.md b/articles/container-registry/container-registry-auth-aks.md
diff --git a/articles/container-registry/container-registry-auth-service-principal.md b/articles/container-registry/container-registry-auth-service-principal.md
diff --git a/articles/container-registry/container-registry-faq.md b/articles/container-registry/container-registry-faq.md
diff --git a/articles/dev-spaces/how-to/setup-cicd.md b/articles/dev-spaces/how-to/setup-cicd.md
