Azure Container Registry roles and permissions

The Azure Container Registry service supports a set of Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (RBAC) to assign specific permissions to users or service principals that need to interact with a registry.

| Role/Permission | Access Resource Manager | Create/delete registry | Push image | Pull image | Delete image data | Change policies | Sign images |
|---|---|---|---|---|---|---|---|
| Owner | X | X | X | X | X | X | |
| Contributor | X | X | X | X | X | X | |
| Reader | X | | | X | | | |
| AcrPush | | | X | X | | | |
| AcrPull | | | | X | | | |
| AcrDelete | | | | | X | | |
| AcrImageSigner | | | | | | | X |

Differentiate users and services

Any time permissions are applied, a best practice is to provide the most limited set of permissions for a person, or service, to accomplish a task. The following permission sets represent a set of capabilities that may be used by humans and headless services.

CI/CD solutions

When automating docker build commands from CI/CD solutions, you need docker push capabilities. For these headless service scenarios, we suggest assigning the AcrPush role. This role, unlike the broader Contributor role, prevents the account from performing other registry operations or accessing Azure Resource Manager.

Container host nodes

Likewise, nodes running your containers need the AcrPull role, but shouldn't require Reader capabilities.

Visual Studio Code Docker extension

For tools like the Visual Studio Code Docker extension, additional resource provider access is required to list the available Azure container registries. In this case, provide your users access to the Reader or Contributor role. These roles allow docker pull, docker push, az acr list, az acr build, and other capabilities.
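The following Python is an added illustration of the least-privilege guidance in the three scenarios above; it is not Microsoft's code and is not part of the original page. It encodes the role table from this page, computes the smallest built-in role set that covers a declared need (for example "push only" for a CI pipeline, or "pull only" for a container host), and audits existing assignments for excess or missing capabilities. The audit consumes records shaped like `az role assignment list --scope <registry-id> -o json` output, using only the `principalName`, `roleDefinitionName` and `scope` fields; the sample records and principal names are constructed for the example.

```python
"""Least-privilege role selection and assignment audit for an Azure container registry.

Added example. The role/capability matrix mirrors the table on this page; the
sample assignment records below are constructed, not taken from a real tenant.
"""
from __future__ import annotations

from itertools import combinations

# Capability names follow the columns of the page's role table.
ROLE_CAPABILITIES: dict[str, frozenset[str]] = {
    "Owner": frozenset({"access_rm", "create_delete_registry", "push", "pull",
                        "delete_image_data", "change_policies"}),
    "Contributor": frozenset({"access_rm", "create_delete_registry", "push", "pull",
                              "delete_image_data", "change_policies"}),
    "Reader": frozenset({"access_rm", "pull"}),
    "AcrPush": frozenset({"push", "pull"}),
    "AcrPull": frozenset({"pull"}),
    "AcrDelete": frozenset({"delete_image_data"}),
    "AcrImageSigner": frozenset({"sign_images"}),
}

ALL_CAPABILITIES = frozenset().union(*ROLE_CAPABILITIES.values())


def minimal_roles(required: set[str]) -> list[str]:
    """Return the built-in role combination that covers `required` with the fewest
    extra capabilities (ties broken by fewest roles, then table order).

    Exhaustive search over the 127 non-empty role combinations: cheap, and it
    avoids the greedy trap where one broad role looks attractive but grants
    far more than a pair of narrow roles would.
    """
    need = frozenset(required)
    unknown = need - ALL_CAPABILITIES
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    best: tuple[tuple[int, int], list[str]] | None = None
    for n in range(1, len(ROLE_CAPABILITIES) + 1):
        for combo in combinations(ROLE_CAPABILITIES, n):
            granted = frozenset().union(*(ROLE_CAPABILITIES[r] for r in combo))
            if not need <= granted:
                continue
            key = (len(granted - need), n)
            if best is None or key < best[0]:
                best = (key, list(combo))
    assert best is not None  # every capability belongs to some role, so a cover exists
    return best[1]


def audit_assignments(assignments: list[dict], expected: dict[str, set[str]]) -> list[dict]:
    """Compare each principal's granted capabilities with its declared need.

    `assignments` uses the principalName / roleDefinitionName / scope fields of
    `az role assignment list` output (assumed field names). Roles not in the
    table (custom roles) contribute no known capabilities and are reported as-is.
    """
    by_principal: dict[str, set[str]] = {}
    for a in assignments:
        by_principal.setdefault(a["principalName"], set()).add(a["roleDefinitionName"])
    findings = []
    for principal, roles in sorted(by_principal.items()):
        granted = frozenset().union(*(ROLE_CAPABILITIES.get(r, frozenset()) for r in roles))
        need = frozenset(expected.get(principal, set()))
        excess, missing = granted - need, need - granted
        if excess or missing:
            findings.append({
                "principal": principal,
                "roles": sorted(roles),
                "excess": sorted(excess),
                "missing": sorted(missing),
                "recommended": minimal_roles(need) if need else [],
            })
    return findings


# Constructed sample: what a registry-scoped `az role assignment list` might return.
REGISTRY_SCOPE = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<registry>"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "ci-pipeline-sp", "roleDefinitionName": "Contributor", "scope": REGISTRY_SCOPE},
    {"principalName": "aks-node-identity", "roleDefinitionName": "AcrPull", "scope": REGISTRY_SCOPE},
    {"principalName": "dev-vscode-user", "roleDefinitionName": "Reader", "scope": REGISTRY_SCOPE},
    {"principalName": "signer-sp", "roleDefinitionName": "AcrImageSigner", "scope": REGISTRY_SCOPE},
]

# Declared need per principal, following the scenarios on this page.
EXPECTED_NEEDS = {
    "ci-pipeline-sp": {"push"},                   # CI/CD: docker push only
    "aks-node-identity": {"pull"},                # container host nodes: pull only
    "dev-vscode-user": {"access_rm", "pull"},     # VS Code extension: list registries + pull
    "signer-sp": {"push", "sign_images"},         # signing process that also pushes
}


def run_sample() -> list[dict]:
    """Audit the constructed assignments; see the test for the expected findings."""
    return audit_assignments(SAMPLE_ASSIGNMENTS, EXPECTED_NEEDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['principal']}: has {f['roles']}, excess={f['excess']}, "
              f"missing={f['missing']}, recommended={f['recommended']}")
```

In the constructed data the CI service principal holding Contributor is flagged with five excess capabilities and AcrPush recommended instead, and the signing principal is flagged as missing push, with AcrPush plus AcrImageSigner as the minimal combination; the node identity and the Reader user come back clean. Applying a recommendation is the usual `az role assignment create --assignee <principal> --role <role> --scope <registry-id>`, after removing the broader assignment.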

Access Resource Manager

Azure Resource Manager access is required for the Azure portal and registry management with the Azure CLI. For example, to get a list of registries by using the az acr list command, you need this permission set.

Create and delete registry

The ability to create and delete Azure container registries.

Push image

The ability to docker push an image, or push another supported artifact such as a Helm chart, to a registry. Requires authentication with the registry using the authorized identity.

Pull image

The ability to docker pull a non-quarantined image, or pull another supported artifact such as a Helm chart, from a registry. Requires authentication with the registry using the authorized identity.

Delete image data

The ability to delete container images, or delete other supported artifacts such as Helm charts, from a registry.

Change policies

The ability to configure policies on a registry. Policies include image purging, enabling quarantine, and image signing.

Sign images

The ability to sign images, usually assigned to an automated process, which would use a service principal. This permission is typically combined with push image to allow pushing a trusted image to a registry.

Next steps