Add IAM policy allowing authenticated pull from ECR #364
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
We may want to make this configurable for clusters that are not using ECR. But this can be done as a later change. |
rossf7
approved these changes
Aug 1, 2017
|
I'd say having it in without using ECR is not a problem, configuration would be rather if only certain clusters should have access to ECR and others not, but yeah, I'll create an issue for that for later. |
|
closes #363 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add an IAM policy on the master and workers to allow image pulling from ECR as implemented in kubernetes/kubernetes#19447 and kubernetes/kubernetes#24369
As noted in kubernetes/kubernetes#19447 (comment) it might be possible to reduce the permission set, but this is the policy implemented upstream.