C-0251 - Minimize user access to Azure Container Registry (ACR)
Prerequisites
Integrate with cloud provider (see here)
Framework
cis-aks-t1.2.0
Severity
Medium
Description of the the issue
Weak access control to Azure Container Registry (ACR) may allow malicious users to replace built images with vulnerable containers.
Related resources
What does this control test
Restrict user access to Azure Container Registry (ACR), limiting interaction with build images to only authorized personnel and service accounts.
How to check it manually
Remediation
Azure Container Registry
If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the az aks create or az aks update command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes Service.
To avoid needing an Owner or Azure account administrator role, you can configure a service principal manually or use an existing service principal to authenticate ACR from AKS. For more information, see ACR authentication with service principals or Authenticate from Kubernetes with a pull secret.
Impact Statement
Care should be taken not to remove access to Azure ACR for accounts that require this for their operation.
Default Value
Example
No example
Updated 11 days ago