ImagePullJob Support ECR (STS tokens) Repositories #866
What would you like to be added:
I am trying to use an ECR image in an ImagePullJob, which fails with these errors
My EKS nodes have IAM roles configured to pull images from the ECR repositories; it looks like the Go library (or libraries) is unable to use AWS STS tokens.
Why is this needed:
The workaround is to have a Kubernetes docker secret with the token and then keep renewing it, but it would be better to use the IAM roles and STS tokens (just like native EKS workloads).
Comments
IMHO, Kruise should not care about cloud providers. It just works on the pure Kubernetes API.
I think EKS should have the ability to manage and renew the secret for its users.
Workloads on EKS do not need secrets by default; they just work as long as the nodes have proper IAM policies. EKS already takes care of the same, i.e. whenever we have a docker image (like As I said earlier, I already have created a workaround, which is to populate and renew the secret at regular intervals.
I'm not sure how it works... Maybe they have modified the code of the EKS kubelet, which can pull images from ECR with IAM roles configured somewhere. Does it have some documentation of this?
Hi all. Is there something that I can do to help push this along?
Can you help us identify how EKS injects tokens into the pod? For example, can you check the created pod YAML and check whether pull secrets are injected automatically by some webhook?
@furykerry I can definitely help with that! The native way that EKS supports pod identity is with a feature that they call IAM roles for service accounts. The way this works is that you add an annotation to a The EKS control plane then implements the webhook injection with this aws/amazon-eks-pod-identity project, which will inject a All AWS SDKs for every programming language look to see if certain environment variables exist, and if they do, they will use the service account token and the identity of the pod to fetch AWS credentials which can then be used to call the AWS API. Please let me know if any part of that doesn't make sense!
To anyone who comes across this topic, here's the Terraform that I wrote to automate fetching an ECR token that OpenKruise can use for things like an https://gist.github.com/abatilo/d9234c85c420d08688fd353c591fef6d
Aliyun also has similar technology:
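An added example in Go, not code from the OpenKruise project or from anyone in this thread, covering the two mechanisms this thread discusses: the secret-renewal workaround (building the kubernetes.io/dockerconfigjson payload from an ECR authorization token, which is base64("AWS:<password>") and expires after 12 hours, so it must be refreshed before then) and the IAM-roles-for-service-accounts path (the pod identity webhook injects the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables, which every AWS SDK checks before calling STS). The token value, registry endpoint, expiry time and environment values below are constructed for the example; nothing here calls ECR or STS, and the function names are the example's own, not an API of Kruise or the AWS SDK.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// ECRAuthorization mirrors the fields of interest in an ecr:GetAuthorizationToken
// response: a base64("AWS:<password>") token, the registry endpoint, and the
// expiry (ECR tokens are valid for 12 hours).
type ECRAuthorization struct {
	AuthorizationToken string
	ProxyEndpoint      string // e.g. https://123456789012.dkr.ecr.us-east-1.amazonaws.com
	ExpiresAt          time.Time
}

// dockerConfig is the .dockerconfigjson layout kubelet reads from a
// kubernetes.io/dockerconfigjson secret.
type dockerConfig struct {
	Auths map[string]dockerAuth `json:"auths"`
}

type dockerAuth struct {
	Username string `json:"username"`
	Password string `json:"password"`
	Auth     string `json:"auth"` // base64("username:password")
}

// SplitECRToken decodes the ECR token into its user/password halves and rejects
// anything that is not "AWS:<password>", so a bad or truncated token fails here
// instead of producing a secret that silently cannot pull.
func SplitECRToken(token string) (user, password string, err error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", "", fmt.Errorf("ECR token is not base64: %w", err)
	}
	user, password, found := strings.Cut(string(raw), ":")
	if !found || user != "AWS" || password == "" {
		return "", "", errors.New("ECR token is not of the form AWS:<password>")
	}
	return user, password, nil
}

// RegistryHost strips the scheme from the proxy endpoint: kubelet matches image
// references against the registry host, so "https://" must not be in the key.
func RegistryHost(endpoint string) string {
	host := strings.TrimPrefix(endpoint, "https://")
	host = strings.TrimPrefix(host, "http://")
	return strings.TrimSuffix(host, "/")
}

// BuildDockerConfigJSON returns the exact bytes to put in the secret's
// .dockerconfigjson key (Kubernetes base64-encodes them again in data).
func BuildDockerConfigJSON(a ECRAuthorization) ([]byte, error) {
	user, password, err := SplitECRToken(a.AuthorizationToken)
	if err != nil {
		return nil, err
	}
	cfg := dockerConfig{Auths: map[string]dockerAuth{
		RegistryHost(a.ProxyEndpoint): {
			Username: user,
			Password: password,
			Auth:     a.AuthorizationToken, // already base64("AWS:<password>")
		},
	}}
	return json.Marshal(cfg)
}

// NeedsRenewal reports whether the secret should be refreshed now, keeping a
// safety margin so an ImagePullJob started late never uses an expired token.
func NeedsRenewal(a ECRAuthorization, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(a.ExpiresAt)
}

// IRSACredentials reports whether the pod identity webhook has injected the
// web-identity environment that the AWS SDKs look for. getenv is passed in so
// the check can run against a constructed environment.
func IRSACredentials(getenv func(string) string) (roleARN, tokenFile string, ok bool) {
	roleARN = getenv("AWS_ROLE_ARN")
	tokenFile = getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
	return roleARN, tokenFile, roleARN != "" && tokenFile != ""
}

func main() {
	// Constructed sample; a real token comes from ecr:GetAuthorizationToken.
	sample := ECRAuthorization{
		AuthorizationToken: base64.StdEncoding.EncodeToString([]byte("AWS:example-password")),
		ProxyEndpoint:      "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
		ExpiresAt:          time.Now().Add(12 * time.Hour),
	}
	cfg, err := BuildDockerConfigJSON(sample)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(cfg))
	fmt.Println("renew at +10h with a 2h margin:", NeedsRenewal(sample, time.Now().Add(10*time.Hour), 2*time.Hour))
	if role, file, ok := IRSACredentials(os.Getenv); ok {
		fmt.Println("IRSA web identity present:", role, file)
	}
}
```

The renewal loop itself (call ECR, write the secret, sleep until NeedsRenewal is true) is what the Terraform gist and the cron-style workaround in the thread automate; the part worth getting right is the token parsing, the registry key without a scheme, and the margin, since a secret that expires mid-job fails the pull with the same authentication error the issue reports.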