
[Feature]Network Isolated Cluster (Preview) improvements

Open charleswool opened this issue 10 months ago • 0 comments

There are going to be two improvement changes to Network isolated Azure Kubernetes Service (AKS) clusters (Preview).

Starting from AKS Release 2025-03-16,

  • [Az comms SN-44387] When creating an ACR cache rule to cache MCR container images in the private ACR, the required cache rule changes from "/*" to "aks-managed-repository/*".
  • [Az comms SN-44381] When creating the private ACR, anonymous pull access for Azure Container Registry (ACR) is set to false by default for newly enabled Network Isolated Clusters.

Note: You can always continue running your existing Network Isolated Cluster without migrating to the new behavior. If you would like to adopt these improvements, you need to follow the instructions below:

Action Required

First confirm that you are currently running an AKS Network Isolated Cluster. Check the cluster network outbound type by running the following command:

az aks show -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --query 'networkProfile.outboundType'

If the outbound type is none or block, then you are running a Network Isolated Cluster.

[For ACR cache rule change]

If you are using your own ACR, you should:

  1. Create a new private ACR.

az acr create --resource-group ${RESOURCE_GROUP} --name ${REGISTRY_NAME} --sku Premium --public-network-enabled false

az acr update --resource-group ${RESOURCE_GROUP} --name ${REGISTRY_NAME} --anonymous-pull-enabled true

REGISTRY_ID=$(az acr show --name ${REGISTRY_NAME} -g ${RESOURCE_GROUP} --query 'id' --output tsv)

  2. Create the new cache rule to allow users to cache MCR container images in the new ACR (the target repository uses the aks-managed-repository/* prefix described above).

az acr cache create -n acr-cache-rule -r ${REGISTRY_NAME} -g ${RESOURCE_GROUP} --source-repo "mcr.microsoft.com/*" --target-repo "aks-managed-repository/*"

  3. Update your existing Network Isolated Cluster to point at the new ACR resource ID.

az aks update --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --bootstrap-artifact-source Cache --bootstrap-container-registry-resource-id <New BYO ACR resource ID>

  4. Reimage all existing nodes.

az aks upgrade --resource-group ${RESOURCE_GROUP} --name ${AKS_NAME} --node-image-only

If you are using AKS managed ACR, there is no immediate action required.

[For Anonymous pull access change]

If you are using your own ACR, you should:

  1. Grant AcrPull permissions to the kubelet identity.

export KUBELET_IDENTITY_PRINCIPAL_ID=$(az identity show --name ${KUBELET_IDENTITY_NAME} --resource-group ${RESOURCE_GROUP} --query 'principalId' -o tsv)

az role assignment create --role AcrPull --scope ${REGISTRY_ID} --assignee-object-id ${KUBELET_IDENTITY_PRINCIPAL_ID} --assignee-principal-type ServicePrincipal

  2. Check your cluster node image version.

az aks nodepool list -g ${RESOURCE_GROUP} --cluster-name ${CLUSTER_NAME} --query '[].nodeImageVersion'

If the node image version is older than 20250302, run the following command to upgrade the node image:

az aks upgrade --resource-group ${RESOURCE_GROUP} --name ${CLUSTER_NAME} --node-image-only

  3. Disable anonymous pull access for ACR.

az acr update --resource-group ${RESOURCE_GROUP} --name ${REGISTRY_NAME} --anonymous-pull-enabled false

If you are using the AKS managed ACR, you should:

  1. Check your cluster node image version.

az aks nodepool list -g ${RESOURCE_GROUP} --cluster-name ${CLUSTER_NAME} --query '[].nodeImageVersion'

If the node image version is older than 20250302, run the following command to upgrade the node image:

az aks upgrade --resource-group ${RESOURCE_GROUP} --name ${CLUSTER_NAME} --node-image-only

  2. Disable anonymous pull access for ACR.

az acr update --resource-group ${RESOURCE_GROUP} --name ${REGISTRY_NAME} --anonymous-pull-enabled false
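The two procedures above share the same preliminary checks: confirm the outbound type, find node pools whose image predates 20250302, and verify the registry's end state. The script below is an added example (not part of the issue or the AKS project) that wraps those checks in reusable functions. It assumes the date portion of a node image version is the token after the last "-" in the form YYYYMM.DD.P, that the ACR resource exposes an anonymousPullEnabled field, and that RESOURCE_GROUP, CLUSTER_NAME and REGISTRY_NAME are exported before the live checks run; the pure functions are exercised on constructed sample versions so they can be tested offline.

```shell
#!/bin/sh
# Added example, not from the AKS issue: pre-flight and post-migration checks
# for the Network Isolated Cluster steps above. The pure functions take the
# values that `az` returns so they can be exercised offline; live_checks()
# runs the real CLI and is only called when the three variables are set.
#
# Assumption: the date portion of a node image version is the token after the
# last "-", formatted YYYYMM.DD.P (e.g. AKSUbuntu-2204gen2containerd-202503.02.0).

MIN_NODE_IMAGE_DATE=20250302   # threshold stated in the issue

# Returns 0 when the outbound type means this is a Network Isolated Cluster.
is_network_isolated() {
  case "$1" in
    none|block) return 0 ;;
    *)          return 1 ;;
  esac
}

# Prints the YYYYMMDD date embedded in a node image version (empty if none).
node_image_date() {
  v=${1##*-}                                   # "202503.02.0"
  printf '%s' "$v" | tr -cd '0-9' | cut -c1-8  # "20250302"
}

# Returns 0 when the node image predates the threshold and must be reimaged.
needs_node_image_upgrade() {
  d=$(node_image_date "$1")
  if [ -n "$d" ] && [ "$d" -lt "$MIN_NODE_IMAGE_DATE" ]; then
    return 0
  fi
  return 1
}

# Reads one version per line and prints only those that need an upgrade.
pools_needing_upgrade() {
  printf '%s\n' "$1" | while IFS= read -r ver; do
    [ -n "$ver" ] || continue
    if needs_node_image_upgrade "$ver"; then
      printf '%s\n' "$ver"
    fi
  done
}

# Constructed sample: three node pools, one still on a pre-20250302 image.
SAMPLE_VERSIONS='AKSUbuntu-2204gen2containerd-202502.26.0
AKSUbuntu-2204gen2containerd-202503.02.0
AKSAzureLinux-V2gen2-202503.10.0'

# Live checks against a real cluster and registry (requires az login).
live_checks() {
  outbound=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" \
               --query 'networkProfile.outboundType' -o tsv)
  if ! is_network_isolated "$outbound"; then
    echo "outboundType=$outbound: not a Network Isolated Cluster, nothing to do"
    return 0
  fi

  versions=$(az aks nodepool list -g "$RESOURCE_GROUP" --cluster-name "$CLUSTER_NAME" \
               --query '[].nodeImageVersion' -o tsv)
  stale=$(pools_needing_upgrade "$versions")
  if [ -n "$stale" ]; then
    echo "node pools older than $MIN_NODE_IMAGE_DATE; run 'az aks upgrade --node-image-only' first:"
    echo "$stale"
  fi

  # Post-migration state of the registry: anonymous pull should be false and
  # a cache rule targeting the aks-managed-repository prefix should exist.
  # (anonymousPullEnabled is assumed to be the ACR resource's field name.)
  anon=$(az acr show -n "$REGISTRY_NAME" -g "$RESOURCE_GROUP" \
           --query 'anonymousPullEnabled' -o tsv)
  if [ "$anon" != "false" ]; then
    echo "WARNING: anonymous pull is still enabled on $REGISTRY_NAME"
  fi
  az acr cache list -r "$REGISTRY_NAME" -g "$RESOURCE_GROUP" -o table
}

if [ -n "${CLUSTER_NAME:-}" ] && [ -n "${RESOURCE_GROUP:-}" ] && [ -n "${REGISTRY_NAME:-}" ]; then
  live_checks
fi
```

Run it with the three variables exported to get a go/no-go summary before step 1 and a registry state report after the last step; without them it only defines the functions, which is what makes the offline check on SAMPLE_VERSIONS possible.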

Why are we making this behavior change?

  • The new ACR cache rule with the AKS repo prefix allows repurposing an existing BYO ACR for bootstrapping in a Network Isolated Cluster and helps you utilize your existing ACR resources.

  • Anonymous pull access is an optional feature that allows any user with internet access to pull any content from the registry. There could be risks in turning on this feature. Therefore, we decided to disable it by default in a Network Isolated Cluster. Do note you can always choose to turn on anonymous pull access when bringing your own ACR.

Support and Further Guidance

If you encounter the deadlock issue or have any concerns on this issue, please contact support or reach out to us at: [email protected]

Reference

  • Creating a Network Isolated Cluster (preview): Create a network isolated AKS cluster - Azure Kubernetes Service | Microsoft Learn
  • ACR cache rule: Optimize image pulls with artifact cache in Azure Container Registry - Azure Container Registry | Microsoft Learn
  • Anonymous pull access for ACR: Enable Anonymous Pull Access in Azure Container Registry - Azure Container Registry | Microsoft Learn

charleswool, Mar 21 '25 06:03