Pushing Image to ACR

A container registry is a service for storing and distributing container images and related artifacts. While Docker Hub is a popular public registry, Azure Container Registry (ACR) offers a fully managed, private registry with advanced features like geo-replication, content trust, and virtual network integration.

Azure Container Registry SKUs

ACR comes in three SKUs—Basic, Standard, and Premium—each varying by storage capacity, daily operations, and outbound bandwidth. As you move from Basic → Standard → Premium, quotas increase and additional features are unlocked.

You can upgrade or downgrade between SKUs as long as your storage usage stays within the target tier’s quota.

Downgrading from Premium (200 GB) to Standard (100 GB) will fail if your registry exceeds 100 GB of stored artifacts.

The image is a table comparing the features of different Azure Container Registry (ACR) tiers: Basic, Standard, and Premium, detailing resources like storage, operations, and bandwidth.

For full details, see Azure Container Registry SKUs & pricing.

Provisioning and Access Control

When you create an AKS cluster with the Azure CLI or Portal, you can automatically provision an ACR instance and grant the cluster’s managed identity the AcrPull role. If you create your registry separately, assign roles as follows:

In the Azure Portal, navigate to your Container Registry.
Open Access Control (IAM) → Role assignments.
Filter by “ACR” to see built-in roles: AcrPull, AcrPush, Owner.
Click Add role assignment, select the appropriate role, and assign it to your AKS managed identity or service principal.

The image shows a Microsoft Azure portal interface displaying a container registry named "crkodekloud" with no repositories listed. The left sidebar includes various settings and services options.

The image shows the Microsoft Azure portal, specifically the Access Control (IAM) section for a container registry. It lists role assignments, including an "AcrPull" role for a managed identity and an "Owner" role for a user.

The image shows a Microsoft Azure portal interface for adding a role assignment, specifically highlighting the "AcrPull" role, which allows pulling images from a container registry.

Built-in ACR Roles

Role	Permissions	Description
AcrPull	`registries/pull/read`	Read-only access for pulling images
AcrPush	`registries/push/write` `registries/pull/read`	Push and pull access
Owner	All container registry operations	Full control over the registry

Here’s the JSON definition of the AcrPush role:

{
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "properties": {
    "roleName": "AcrPush",
    "description": "Allows push and pull operations in Azure Container Registry",
    "assignableScopes": [ "/" ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ContainerRegistry/registries/pull/read",
          "Microsoft.ContainerRegistry/registries/push/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Tagging and Pushing Images to ACR

List your local Docker images:
```
PS C:\> docker image ls
```

Tag each image for your ACR:

PS C:\> docker tag kodekloudappcs:v1 crkodekloud.azurecr.io/kodekloudappcs:v1
PS C:\> docker tag kodekloudappcs:v2 crkodekloud.azurecr.io/kodekloudappcs:v2

Verify the new tags:
```
PS C:\> docker image ls
```

Authenticate with your registry:

PS C:\> az acr login --name crkodekloud
Login Succeeded

Push both tags:

PS C:\> docker push crkodekloud.azurecr.io/kodekloudappcs:v1
PS C:\> docker push crkodekloud.azurecr.io/kodekloudappcs:v2

In the Azure Portal, go to your registry’s Repositories blade to confirm the image tags.

Deploying to Azure Kubernetes Service (AKS)

Deploy version v1 of your application directly from ACR:

kubectl create deployment kodekloudapp \
  --image=crkodekloud.azurecr.io/kodekloudappcs:v1 \
  --replicas=1
kubectl get deployment kodekloudapp

Expose the deployment via an Azure Load Balancer:

kubectl expose deployment kodekloudapp \
  --type=LoadBalancer \
  --port=80 \
  --target-port=80
kubectl get service

Example output:

NAME            TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)        AGE
kodekloudapp    LoadBalancer   10.0.199.121   20.247.251.108   80:30895/TCP   2m
kubernetes      ClusterIP      10.0.0.1       <none>           443/TCP        2d

Open the EXTERNAL-IP in your browser to verify the application is running.

Introduction

AKS Security

Building and containerizing sample application

CICD Workflow for AKS

Close out

Just Enough Azure for AKS

Networking in AKS

Observability

Working with AKS

Pushing Image to ACR

Azure Container Registry SKUs

Provisioning and Access Control

Built-in ACR Roles

Tagging and Pushing Images to ACR

Deploying to Azure Kubernetes Service (AKS)

Links and References

Watch Video

Introduction

AKS Security

Building and containerizing sample application

CICD Workflow for AKS

Close out

Just Enough Azure for AKS

Networking in AKS

Observability

Working with AKS

​Azure Container Registry SKUs

​Provisioning and Access Control

​Built-in ACR Roles

​Tagging and Pushing Images to ACR

​Deploying to Azure Kubernetes Service (AKS)

​Links and References

Watch Video

Azure Container Registry SKUs

Provisioning and Access Control

Built-in ACR Roles

Tagging and Pushing Images to ACR

Deploying to Azure Kubernetes Service (AKS)

Links and References