Describe scenario
I need to use an AKS cluster in a project in my company. However, there are some security measures in my company that don't allow me to create any resources with a public IP. Therefore, to prevent my AKS from creating any public IPs, we decided to create a private AKS cluster following some of the guidelines of this Private AKS tutorial. This allowed us to get rid of the public IP, but then I got a security warning from my company saying that I needed to disable anonymous access to any container registry. However, this conflicts with what is being said in the tutorial I mentioned before, where it states that "Anonymous pull access must be enabled for the ACR." Therefore, I'm in a situation where both approaches (AKS with a public IP or a private AKS) raise security warnings.
Question
I would like to better understand why it is needed for the ACR being used by the AKS to have anonymous-pull-enabled set to True. Is there any way around this restriction, that is, is there a way to have a private AKS that uses an ACR with anonymous-pull-enabled set to False?
What I tried
I tried setting anonymous-pull-enabled to False for my ACR, and the result was that I wasn't able to create new nodes in my node pools. However, if a node was already running, I was still able to create new pods using the existing images in my ACR. I would like to better understand why this happens when anonymous-pull-enabled is set to False.