Enabling Azure Container Registry (ACR)#

ACR can be used to store container images within Azure and make them available to your Azure-based data plane.

Union uses Azure Kubernetes Service (AKS) managed identities to authenticate with ACR.

Refer to the Azure documentation for more details.

Creating a container registry#

Creating a container registry outside of Union#

ACR instances that allow anonymous (i.e., public) pull access do not require additional configuration. Otherwise, the underlying AKS cluster must be granted permission to pull from the container registry.

Private ACR for Union images is only supported for registries in the same tenant as the Union data plane. Refer to the Azure documentation for creating container registries.

Creating a Union-managed container registry#

Upon request, Union can create a container registry within your data plane.

By default this Union-managed ACR instance:

  • Is created in the same subscription and resource group as the AKS cluster.

  • Receives the role assignments Union creates so that the AKS cluster can pull images from it.

  • Is created with the Basic service tier.

  • Gets a weekly scheduled container registry task, created by Union to limit storage costs, that purges all images whose last-modified date is older than 7 days. As a consequence, images older than 7 days may be purged and have to be rebuilt.

Upon request, Union can:

  • Configure the container registry service tier.

  • Disable the purge task to prevent automated image deletion.

  • Configure the purge task to run daily, weekly, or monthly, deleting images whose last-modified date is older than 1, 7, or 30 days respectively.

  • Configure a regexp2 (RE2-compatible) regular expression that selects which repositories to purge. For example, ^(?!keep-repo).* purges every repository except those prefixed with keep-repo, e.g. <CONTAINER_REGISTRY_NAME>/keep-repo/my-image:my-tag.

Union will provide the name and login server of the created container registry for Docker authentication.
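The purge task described above is managed by Union, but the same filter and retention can be previewed against your own registry before asking for a change. The following is an added example, not Union's task definition or code from this page: it builds the ACR purge command with the page's repository filter, runs it once with --dry-run so nothing is deleted, and optionally schedules it weekly. REGISTRY, REPO_FILTER and AGO are placeholders you supply; the task name weekly-purge is invented.

```shell
#!/bin/sh
# Added example (not Union's managed purge task). Builds an `acr purge` command
# line matching the page's description, previews it with --dry-run, and can
# schedule it as a weekly ACR task. Placeholders: REGISTRY, REPO_FILTER, AGO.
set -eu

REGISTRY="${REGISTRY:-<CONTAINER_REGISTRY_NAME>}"
# acr purge filters are REPOSITORY_REGEX:TAG_REGEX. The page's example keeps
# every repository prefixed keep-repo; ":.*" below matches all tags in the rest.
REPO_FILTER="${REPO_FILTER:-^(?!keep-repo).*}"
AGO="${AGO:-7d}"   # retention: purge tags last modified more than 7 days ago

# Build the purge command. "preview" appends --dry-run, which only lists what
# would be deleted; "schedule" builds the command the scheduled task will run.
purge_cmd() {
  mode="$1"
  cmd="acr purge --filter '$REPO_FILTER:.*' --ago $AGO"
  if [ "$mode" = preview ]; then
    cmd="$cmd --dry-run"
  fi
  printf '%s' "$cmd"
}

# One-off run of the dry-run command as an ACR task; output lists the tags
# the filter would remove. Check this before enabling any real purge.
preview_purge() {
  az acr run --registry "$REGISTRY" --cmd "$(purge_cmd preview)" /dev/null
}

# Weekly schedule (cron, UTC): Sunday 00:00, mirroring the page's weekly task.
schedule_weekly_purge() {
  az acr task create --name weekly-purge --registry "$REGISTRY" \
    --cmd "$(purge_cmd schedule)" --schedule "0 0 * * 0" --context /dev/null
}

case "${1:-show}" in
  preview)  preview_purge ;;
  schedule) schedule_weekly_purge ;;
  *)        # no argument: just show both command lines without touching Azure
            printf 'preview:  %s\nschedule: %s\n' "$(purge_cmd preview)" "$(purge_cmd schedule)" ;;
esac
```

Run it with no arguments to see the generated commands, with `preview` to list what the filter would delete, and only then with `schedule`. Note that the negative lookahead in the filter is what excludes the keep-repo prefix; a filter written without it purges those repositories too, so always read the dry-run output first.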

Enable access to ACR in a different subscription within the same Azure tenant#

Union data plane resources will require permissions to pull images from your container registry.

Allow Union to manage permissions#

The simplest, most flexible approach is to grant Union the ability to create role assignments on the container registry. These permissions should be scoped to the target container registry only. Note that with either role option below, the Union principal can assign any role at the registry scope, including Owner; the custom role only drops the other permissions that User Access Administrator carries. Follow these steps to set up the required access:

  1. Navigate to the Azure portal and locate the target container registry.

  2. In the container registry’s access control (IAM) section, create a new role assignment.

  3. For the ‘Assigned to’ field, select the Union application’s service principal.

  4. For the ‘Role’ field, you have two options:

    • Simplest approach: Assign the built-in Azure role User Access Administrator.

    • Advanced approach: Create a custom role with the following specific permissions:

      • Microsoft.Authorization/roleAssignments/write

      • Microsoft.Authorization/roleAssignments/delete

      • Microsoft.Authorization/roleAssignments/read

      • Microsoft.Authorization/roleDefinitions/read

  5. Ensure the ‘Scope’ is set to the target container registry.

  6. Complete the role assignment process.

  7. Provide the container registry resource ID to Union support.

Manage permissions directly#

Managing permissions directly is required if you do not want to grant Union the ability to assign roles. Create a role assignment that assigns the AcrPull role to the object ID of the underlying AKS cluster's kubelet identity. This ID can be provided by Union support.

Note that this process needs to be repeated every time the underlying Kubernetes cluster is replaced or a new cluster is added.
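Both procedures above, delegating role-assignment management to Union and assigning AcrPull directly to the kubelet identity, done from the az CLI instead of the portal. This is an added example, not Union's tooling or code from this page. ACR_ID, UNION_SP_OBJECT_ID and KUBELET_OBJECT_ID are placeholders you supply, the custom role name is invented, and the ABAC condition goes beyond the page: it restricts the delegated write and delete to the AcrPull role definition, so the delegate cannot hand out any other role on the registry.

```shell
#!/bin/sh
# Added example (not Union's tooling): grant pull access to a private ACR from
# the az CLI. Two paths from the page:
#   delegate - let Union's service principal manage role assignments on the registry
#   direct   - assign AcrPull straight to the AKS kubelet identity
# Placeholders supplied by the operator (assumptions, not values from the page):
#   ACR_ID             registry resource ID (az acr show -n NAME --query id -o tsv)
#   UNION_SP_OBJECT_ID object ID of the Union application's service principal
#   KUBELET_OBJECT_ID  object ID of the AKS kubelet identity (from Union support)
# With no argument the script only prints what it would create.
set -eu

# Built-in role definition ID of AcrPull; the same in every Azure tenant.
ACRPULL_ROLE_ID="7f951dda-4ed3-4680-a7ca-43fe172d538d"

# Custom role matching the page's "advanced approach": only the four
# Microsoft.Authorization actions, assignable solely at the registry scope.
role_definition_json() {
  scope="$1"
  cat <<EOF
{
  "Name": "ACR Role Assignment Delegate",
  "Description": "Manage role assignments on one container registry only",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["$scope"]
}
EOF
}

# ABAC condition attached to the delegation: the delegate may only create or
# delete role assignments whose role is AcrPull. Without it, roleAssignments/write
# at registry scope lets the delegate assign AcrPush, Owner, etc. on the registry.
delegation_condition() {
  printf '%s' \
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR " \
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$ACRPULL_ROLE_ID})) AND " \
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR " \
    "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {$ACRPULL_ROLE_ID}))"
}

# Path 1: create the custom role and assign it, with the condition, to Union's SP.
grant_union_delegation() {
  acr_id="$1"; union_sp="$2"
  role_definition_json "$acr_id" > /tmp/acr-delegate-role.json
  az role definition create --role-definition @/tmp/acr-delegate-role.json
  az role assignment create \
    --assignee-object-id "$union_sp" --assignee-principal-type ServicePrincipal \
    --role "ACR Role Assignment Delegate" --scope "$acr_id" \
    --condition "$(delegation_condition)" --condition-version 2.0
  printf 'Provide this resource ID to Union support: %s\n' "$acr_id"
}

# Path 2: AcrPull directly on the kubelet identity. Repeat for every new or
# replaced cluster, as the page notes.
grant_kubelet_acrpull() {
  acr_id="$1"; kubelet_id="$2"
  az role assignment create \
    --assignee-object-id "$kubelet_id" --assignee-principal-type ServicePrincipal \
    --role AcrPull --scope "$acr_id"
}

# Check: every assignment at registry scope. Anything beyond AcrPull for the
# kubelet identity, or the delegate role for Union, deserves a second look.
list_registry_assignments() {
  az role assignment list --scope "$1" \
    --query "[].{principal:principalName, role:roleDefinitionName, scope:scope}" -o table
}

case "${1:-dry-run}" in
  delegate) grant_union_delegation "$ACR_ID" "$UNION_SP_OBJECT_ID"; list_registry_assignments "$ACR_ID" ;;
  direct)   grant_kubelet_acrpull "$ACR_ID" "$KUBELET_OBJECT_ID"; list_registry_assignments "$ACR_ID" ;;
  *)        # dry run: show the role definition and condition that would be created
            role_definition_json "${ACR_ID:-/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.ContainerRegistry/registries/<NAME>}"
            delegation_condition; echo ;;
esac
```

Run `./acr-access.sh delegate` or `./acr-access.sh direct` with the three variables exported; with no argument it prints the custom role JSON and the condition so they can be reviewed first. After either path, the assignment list is the quickest check that the registry carries only the roles you intended.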

Enable access to ACR in a different Azure tenant#

Please contact and work directly with Union support.
