Integrate with cloud provider (see here)
Weak access control to Azure Container Registry (ACR) may allow malicious users to replace built images with vulnerable containers.
Restrict user access to Azure Container Registry (ACR), limiting interaction with build images to only authorized personnel and service accounts.
Azure Container Registry
If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the az aks create or az aks update command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes Service.
To avoid needing an Owner or Azure account administrator role, you can configure a service principal manually or use an existing service principal to authenticate ACR from AKS. For more information, see ACR authentication with service principals or Authenticate from Kubernetes with a pull secret.
Care should be taken not to remove access to Azure ACR for accounts that require this for their operation.
Updated 6 days ago