I created an Azure Container Registry (ACR) and now need to create a Managed Cluster (AKS). When we use the Azure Portal or Azure CLI, we can integrate an existing ACR. In Pulumi Azure Native, ManagedClusterArgs does not have any property to accept an existing ACR.

How do I attach an already created ACR when creating the Managed Cluster? Or will assigning the AcrPull role to the automatically created User Assigned Managed Identity (<cluster-name>-agentpool) achieve the same?
CodePudding user response:
Yes, you need to assign the AcrPull role to the cluster. Here is an example using a system-assigned managed identity:
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
import * as containerservice from "@pulumi/azure-native/containerservice";

const resourceGroup = new azure_native.resources.ResourceGroup("rg");

const cluster = new containerservice.ManagedCluster("managedCluster", {
    resourceGroupName: resourceGroup.name,
    // ... agentPoolProfiles, dnsPrefix, etc.
    identity: {
        type: "SystemAssigned",
    },
});

// Optional: kubeconfig for the cluster (not needed for the ACR role assignment).
const creds = containerservice.listManagedClusterUserCredentialsOutput({
    resourceGroupName: resourceGroup.name,
    resourceName: cluster.name,
});

// Images are pulled by the kubelet (agent pool) identity, not by the
// cluster's control-plane identity, so that is the principal to grant.
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);

// Look up the existing registry instead of creating a new one.
const registry = azure_native.containerregistry.getRegistryOutput({
    resourceGroupName: "my-acr-rg",   // replace with the ACR's resource group
    registryName: "myregistry",       // replace with the ACR name
});
const subscriptionId = azure_native.authorization.getClientConfigOutput().subscriptionId;

// Built-in AcrPull role definition
const roleDefinitionId = pulumi.interpolate`/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;

const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
    principalId: principalId,
    // Stating the type avoids failures when the identity was created moments
    // ago and has not yet replicated in Azure AD.
    principalType: "ServicePrincipal",
    roleDefinitionId: roleDefinitionId,
    scope: registry.id,
});
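After the stack is deployed, it is worth confirming that the kubelet identity (not the control-plane identity) actually holds AcrPull at registry scope. The script below is an added example, not code from the answer above: `has_acr_pull` inspects the JSON that `az role assignment list --scope <acr-id> -o json` prints and succeeds only if an AcrPull assignment for the given principal object id is present; `check_cluster_acr_pull` wraps the live `az` calls. The resource names, GUIDs and the sample JSON are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that an AKS kubelet identity holds AcrPull on a registry.

# Built-in AcrPull role definition GUID (same one used in the Pulumi answer).
ACR_PULL_ROLE_ID="7f951dda-4ed3-4680-a7ca-43fe172d538d"

# has_acr_pull PRINCIPAL_OBJECT_ID ASSIGNMENTS_JSON
# Returns 0 if ASSIGNMENTS_JSON (as printed by `az role assignment list -o json`)
# contains an AcrPull assignment for PRINCIPAL_OBJECT_ID, 1 otherwise.
# Uses only tr/grep so it works without jq. Each assignment object is flat, so
# splitting on '}' puts one assignment per line and keeps a principalId from
# being matched against another assignment's roleDefinitionId.
has_acr_pull() {
    principal="$1"
    assignments="$2"
    printf '%s' "$assignments" | tr -d '\n' | tr '}' '\n' \
        | grep -F "\"principalId\": \"$principal\"" \
        | grep -q "roleDefinitions/$ACR_PULL_ROLE_ID"
}

# check_cluster_acr_pull RESOURCE_GROUP CLUSTER_NAME ACR_NAME
# Live check against Azure (needs `az login`); not exercised by the sample below.
check_cluster_acr_pull() {
    rg="$1"; cluster="$2"; acr="$3"
    kubelet_id=$(az aks show -g "$rg" -n "$cluster" \
        --query identityProfile.kubeletidentity.objectId -o tsv)
    acr_id=$(az acr show -g "$rg" -n "$acr" --query id -o tsv)
    assignments=$(az role assignment list --scope "$acr_id" -o json)
    if has_acr_pull "$kubelet_id" "$assignments"; then
        echo "ok: kubelet identity $kubelet_id has AcrPull on $acr"
    else
        echo "missing: kubelet identity $kubelet_id has no AcrPull on $acr" >&2
        return 1
    fi
}

# Constructed sample of `az role assignment list -o json` output: the first
# principal has AcrPull, the second holds an unrelated role on the registry.
SAMPLE_ASSIGNMENTS='[
  {
    "principalId": "11111111-1111-1111-1111-111111111111",
    "principalType": "ServicePrincipal",
    "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
    "roleDefinitionName": "AcrPull",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-acr-rg/providers/Microsoft.ContainerRegistry/registries/myregistry"
  },
  {
    "principalId": "22222222-2222-2222-2222-222222222222",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/99999999-9999-9999-9999-999999999999",
    "roleDefinitionName": "SomeOtherRole",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-acr-rg/providers/Microsoft.ContainerRegistry/registries/myregistry"
  }
]'

# Offline demonstration on the constructed sample.
if has_acr_pull "11111111-1111-1111-1111-111111111111" "$SAMPLE_ASSIGNMENTS"; then
    echo "sample: principal 1111... has AcrPull"
fi
if ! has_acr_pull "22222222-2222-2222-2222-222222222222" "$SAMPLE_ASSIGNMENTS"; then
    echo "sample: principal 2222... does not have AcrPull"
fi
```

If the live check reports "missing", the usual cause is that the role was granted to the cluster's own identity (`identity.principalId`) rather than to `identityProfile.kubeletidentity.objectId`, which is the identity the nodes use to pull images.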