C-0251 - Minimize user access to Azure Container Registry (ACR)

Prerequisites

Integrate with cloud provider (see here)

Framework

cis-aks-t1.2.0

Severity

Medium

Description of the the issue

Weak access control to Azure Container Registry (ACR) may allow malicious users to replace built images with vulnerable containers.

Related resources

What does this control test

Restrict user access to Azure Container Registry (ACR), limiting interaction with build images to only authorized personnel and service accounts.

How to check it manually

Remediation

Azure Container Registry
If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. Currently, the recommended configuration is to use the az aks create or az aks update command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see Authenticate with Azure Container Registry from Azure Kubernetes Service.

To avoid needing an Owner or Azure account administrator role, you can configure a service principal manually or use an existing service principal to authenticate ACR from AKS. For more information, see ACR authentication with service principals or Authenticate from Kubernetes with a pull secret.

Impact Statement

Care should be taken not to remove access to Azure ACR for accounts that require this for their operation.

Default Value

Example

No example