[Question] Private AKS and anonymous-pull-enabled set to False #4764
Comments
@shashankbarsin contributed to the linked documentation and may be able to comment here.
We are still waiting for an answer, please don't close this issue. Thanks
We are still waiting for an answer, please don't close this issue. Thanks
Issue needing attention of @Azure/aks-leads
This issue has been automatically marked as stale because it has not had any activity for 14 days. It will be closed if no further activity occurs within 7 days of this comment.
Describe scenario
I need to use an AKS cluster in a project in my company. However, there are some security measures in my company that don't allow me to create any resources with a public IP. Therefore, to prevent my AKS from creating any public IPs, we decided to create a private AKS cluster following some of the guidelines of this Private AKS tutorial. This allowed us to get rid of the public IP, but then I got a security warning from my company saying that I needed to disable anonymous access to any container registry. However, this conflicts with what is being said in the tutorial I mentioned before, where it states that "Anonymous pull access must be enabled for the ACR." Therefore, I'm in a situation where both approaches (AKS with a public IP or a private AKS) raise security warnings.
Question
I would like to better understand why it is needed for the ACR being used by the AKS to have anonymous-pull-enabled set to True. Is there any way around this restriction, that is, is there a way to have a private AKS that uses an ACR with anonymous-pull-enabled set to False?
What I tried
I tried setting anonymous-pull-enabled to False for my ACR, and the result was that I wasn't able to create new nodes in my node pools. However, if a node was already running, I was still able to create new pods using the existing images in my ACR. I would like to better understand why this happens when anonymous-pull-enabled is set to False.