Using Amazon's EC2 Container Registry (ECR) from outside of the AWS cloud requires regular re-authentication (currently every 12 hours). This poses problems for automated builds and deployments. This container is an as-simple-as-possible solution to that problem. In Kubernetes, there are other solutions (i.e., using ServiceAccounts, ImagePullSecrets or waiting for this to be built in). This solution uses an AWS token with permissions to log in to ECR and refreshed the login credentials at a given interval.
WARNING: This has only been tested using CoreOS hosts. Since there is some volume-mount trickery and use of the
docker binary from the host _in_ the container, you mileage may vary. For this same reason, you should evaluate the security readiness of this solution for you environment.
Using the image with Kubernetes
- Create an AWS user with only the
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnlypolicy applied. Create an Access Key pair for this user.
k8s/ecr-credentials-fetcher-daemonset.ymlcan be customized to create a DaemonSet that will keep all nodes in a cluster capable of working with ECR. If you are using the repo/Makefile, it is capable of doing this customization.
Set up a Secret named
ecr-credentials-fetcher-secret. Update the
k8s/create_secretscript with the AWS credentials obtained in the first step and use it to create the secret.
Create the DaemonSet.
kubectl apply -f k8s-rendered/ecr-credentials-fetcher-daemonset.yml
- Verify that you can pull (or push) images to ECR as needed.
- The following
awscli-required variables are passed in. In Kubernetes, these are assumed to be part of the Secret used by the pod.
- The user running the container has the appropriate
.docker/config.jsondirectory mounted from the host (i.e.,
/var/lib/kubelet/). This should be mounted into the the container at
dockerclient binary from the host is volume mounted into the container and runnable there.