Integrate with cloud provider (see here)
The Cluster Service Account does not require administrative access to Azure ACR; it needs only pull access to containers in order to deploy onto Azure AKS. Restricting permissions follows the principle of least privilege and prevents credentials from being abused beyond the required role.
Configure the Cluster Service Account with the Storage Object Viewer Role to allow only read-only access to Azure Container Registry (ACR).
A separate dedicated service account may be required for use by build servers and other robot users pushing or managing container images.
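One way to check this setting, as an added example that is not part of the original page: it audits role assignments in the shape returned by `az role assignment list --all -o json` and reports whether the cluster identity can pull, plus any other role that reaches the registry, including roles inherited from a parent scope. It assumes Azure's built-in `AcrPull` role is the pull-only role being enforced; all IDs, resource names and the function names are constructed placeholders.

```python
# Constructed sample shaped like the JSON from `az role assignment list --all`.
# Every ID, name and scope is a placeholder, not a value from the page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app-prod"
REGISTRY_ID = RG + "/providers/Microsoft.ContainerRegistry/registries/exampleacr"
CLUSTER_ID = "11111111-1111-1111-1111-111111111111"  # cluster identity
BUILD_ID = "22222222-2222-2222-2222-222222222222"    # separate build identity
SAMPLE = [
    {"principalId": CLUSTER_ID, "roleDefinitionName": "AcrPull", "scope": REGISTRY_ID},
    {"principalId": CLUSTER_ID, "roleDefinitionName": "Contributor", "scope": RG},
    {"principalId": CLUSTER_ID, "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": BUILD_ID, "roleDefinitionName": "AcrPush", "scope": REGISTRY_ID},
]

PULL_ONLY = {"AcrPull"}  # assumption: Azure's built-in pull-only ACR role


def scope_covers(assignment_scope, resource_id):
    """Azure RBAC is inherited downward: a role granted at a parent scope
    (subscription, resource group) also applies to the registry."""
    parent = assignment_scope.rstrip("/").lower()
    child = resource_id.rstrip("/").lower()
    # Compare on a path boundary so "rg-app" does not match "rg-app-prod".
    return child == parent or child.startswith(parent + "/")


def audit_registry_access(assignments, principal_id, registry_id, allowed=PULL_ONLY):
    """Report whether the principal can pull, and any other role reaching the registry."""
    has_pull, excess = False, []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue  # assignment belongs to a different identity
        if not scope_covers(a["scope"], registry_id):
            continue  # assignment does not apply to this registry
        if a["roleDefinitionName"] in allowed:
            has_pull = True
        else:
            excess.append((a["roleDefinitionName"], a["scope"]))
    return {"has_pull": has_pull, "excess": excess}


if __name__ == "__main__":
    print(audit_registry_access(SAMPLE, CLUSTER_ID, REGISTRY_ID))
```

Entries in `excess` are roles to review, since a role granted at resource group or subscription scope can carry more than pull access to the registry even when the registry-level assignment is pull-only.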