-
Notifications
You must be signed in to change notification settings - Fork 463
Enable Kubernetes native support for AWS ECR container registries when using kube-aws #518
Comments
@whereisaaron we have recently merged a PR (#384) which adds the ECR actions to the worker's IAM role. Kubernetes ECR integration should currently be working on master, though we have not cut it into a release yet. |
Good news. I also see from this patch that obtaining ECR credentials no longer relies on '--cloud-provider=aws' as the region info is taken from the ECR pull URL rather than the AWS instance info at http://169.254.169.254 |
It appears the vital patch #24369 to enable cross-region ECR is committed to the k8s master branch but not yet in a release version. Using v1.2.3 on worker nodes the '--cloud-provider=aws' option is specified (why not the controller too?) and so the 'aws-ecr-key' credential provider plug-in is loaded. However the plugin appears to be the old version that works for the local region only. There is an error showing it is accessing the local region (ap-southeast-2) rather than the region of the pull URL (us-west-2).
cat /etc/systemd/system/kubelet.service
|
The AWS cross-region ECR support is included in 1.3.0, currently at alpha 5. |
While we are waiting for 1.3.0 to hit kube-aws here is a script that you can schedule that will create an K8s registry secret that you can use with imagePullSecret in pod definitions. |
Is there any work to be done here, or is this just waiting on v1.3? |
@aaronlevy yep, we're waiting on v1.3 before we expose |
Kubernetes is up to v1.3.5 now, has there been any progress on this? |
This is required to run daemonsets with images from the ECR. Fixing this is very easy when done upstream. Please do so. I just had to do this. And I don't think you don't need to expose anything. Just add the required policies to the IAM role's inline policy and add that flag to the kubelet systemd unit. |
can you please explain what flag should be added to the kubelet systemd. sample would be helpfull |
The kubelet systemd service file just needs The IAM policy looks like that:
|
I believe this issue has been resolved as noted in #620 -- I'm going to close the issue as resolved, but please let me know if it needs to be re-opened |
This is still broke, why was is closed out w/o being fixed? |
kube-aws development has moved to https://github.com/kubernetes-incubator/kube-aws |
TL;DR ECR cross-domain support is coming when k8s 1.3.0 releases and whichever version of kube-aws supports 1.3.0, provided by kube-aws patch #384 and k8s patch #24369. In the meantime you can use imagePullSecrets with a scheduled script like this one:
https://github.com/whereisaaron/kubernetes-aws-scripts/blob/master/create-ecr-imagepullsecret.sh
Kubernetes provides native support for AWS ECR container registries, including cross-region ECR support. The particular ECR features are that kubelets automatically obtains and regularly updates ECR login credentials (AWS ECR login credentials only last 12 hours), and uses those credentials when you specify an ECR repository for your image. Relevant Kurbernetes references below.
http://kubernetes.io/docs/user-guide/images/#using-aws-ec2-container-registry
kubernetes/kubernetes#19447
kubernetes/kubernetes#23298
However, this excellent feature is only activated if the kublet is started with the '--cloud-provider=aws' option and it appears the controller nodes generated by kube-aws do not have that option enabled (using kube-aws 0.7.0), CORRECTION: worker nodes do have this option.
/etc/systemd/system/kubelet.service
The second requirement for this feature to work is the node AWS IAM roles also need ECR ReadOnly permissions added. The IAM 'AmazonEC2ContainerRegistryReadOnly' managed policy is exactly what is needed. Or the following actions could be added to the kube-aws generated role definition.
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
The text was updated successfully, but these errors were encountered: