Merge pull request #219063 from CocoWang-wql/patch-24

Update cluster-container-registry-integration.md

Author: prmerger-automator[bot]

articles/aks/cluster-container-registry-integration.md

@@ -14,6 +14,9 @@ You need to establish an authentication mechanism when using [Azure Container Re
 
 You can set up the AKS to ACR integration using the Azure CLI or Azure PowerShell. The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Azure Active Directory (Azure AD) **managed identity**][aad-identity] associated with your AKS cluster.
 
+> [!IMPORTANT]
+> There is a latency issue with Azure Active Directory groups when attaching ACR. If the AcrPull role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there might be up to a one-hour delay before the RBAC group takes effect. We recommended you to use the [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue.
+
 > [!NOTE]
 > This article covers automatic authentication between AKS and ACR. If you need to pull an image from a private external registry, use an [image pull secret][image-pull-secret].
 
@@ -258,3 +261,4 @@ nginx0-deployment-669dfc4d4b-xdpd6   1/1     Running   0          20s
 [ps-detach]: /powershell/module/az.aks/set-azakscluster#-acrnametodetach
 [cli-param]: /cli/azure/aks#az-aks-update-optional-parameters
 [ps-attach]: /powershell/module/az.aks/set-azakscluster#-acrnametoattach
+[byo-kubelet-identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity