Commit dfdd900

Merge pull request #218379 from CocoWang-wql/patch-20
Update cluster-container-registry-integration.md
2 parents c4156c9 + 43f31ad commit dfdd900

1 file changed

+5
-1
lines changed

articles/aks/cluster-container-registry-integration.md

Lines changed: 5 additions & 1 deletion
@@ -17,6 +17,9 @@ You can set up the AKS to ACR integration using the Azure CLI or Azure PowerShel
1717
> [!IMPORTANT]
1818
> There is a latency issue with Azure Active Directory groups when attaching ACR. If the AcrPull role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there might be up to a one-hour delay before the RBAC group takes effect. We recommended you to use the [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue.
1919
20+
> [!IMPORTANT]
21+
> There is a latency issue with Azure Active Directory groups when attaching ACR. If the AcrPull role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there might be up to a one-hour delay before the RBAC group update takes effect. We recommended you use the [Bring your own kubelet identity][byo-kubelet-identity] in the meantime. You can pre-create a user-assigned identity, add it to the Azure AD group, and then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is first added to the Azure AD group and then a token is generated by kubelet, which works around the latency issue.
22+
2023
> [!NOTE]
2124
> This article covers automatic authentication between AKS and ACR. If you need to pull an image from a private external registry, use an [image pull secret][image-pull-secret].
2225
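Review bot: New lines 20-21 add a second `[!IMPORTANT]` block that repeats the existing note on lines 17-18 almost word for word, so the rendered article will show the Azure AD group latency warning twice. Apply the wording changes to the existing note, or remove old lines 17-18 in the same change, so only one copy remains. The new text also keeps "We recommended you use", which should read "We recommend you use".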
@@ -247,7 +250,8 @@ nginx0-deployment-669dfc4d4b-xdpd6 1/1 Running 0 20s
247250
* Learn more about [ACR health](../container-registry/container-registry-check-health.md).
248251

249252
<!-- LINKS - external -->
250-
253+
[AKS AKS CLI]: /cli/azure/aks#az_aks_create
254+
[byo-kubelet-identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity
251255
[image-pull-secret]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
252256
[summary-msi]: use-managed-identity.md#summary-of-managed-identities
253257
[acr-pull]: ../role-based-access-control/built-in-roles.md#acrpull
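Review bot: The link label on new line 253, `[AKS AKS CLI]`, repeats "AKS" and nothing in the lines changed by this commit references it. If it is meant to back a reference to `az aks create` in the article body, rename it to match that reference exactly; otherwise drop it. The `[byo-kubelet-identity]` definition on line 254 is the one the `[Bring your own kubelet identity][byo-kubelet-identity]` reference in the note depends on, so confirm the `#use-a-pre-created-kubelet-managed-identity` anchor exists in `use-managed-identity.md` before merging.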
