
CannotPullContainerError from public fargate service after creating ECR vpc endpoint with private dns names enabled

In order to get Fargate services in private subnets to work, I created an ECR vpc endpoint, a S3 gateway endpoint and a logs vpc endpoint.

However, after creating the ECR endpoint my service in the public subnet could no longer pull containers: CannotPullContainerError: Error response from daemon

The service in the public subnet has Auto-assign public IP ENABLED.

If I turn private dns names enabled off for the ECR endpoint, the public service will run again, but now the services in the private subnet can't pull their container...

What am I missing?

I managed to solve this by implementing it as follows:

vpc.tf

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"

  create_vpc = var.create_vpc

  // other config ...

  // S3 gateway endpoint: ECR serves image layers from S3, so pulls need this too.
  enable_s3_endpoint = true

  // ECR Docker registry interface endpoint (com.amazonaws.<region>.ecr.dkr).
  // With private DNS enabled, *.dkr.ecr.<region>.amazonaws.com resolves to the
  // endpoint ENIs for every subnet in the VPC, public subnets included, so the
  // endpoint security group decides who can reach the registry.
  enable_ecr_dkr_endpoint              = true
  ecr_dkr_endpoint_private_dns_enabled = true
  ecr_dkr_endpoint_security_group_ids  = aws_security_group.vpc_endpoints.*.id
}

resource "aws_security_group" "vpc_endpoints" {
  count = var.create_vpc ? 1 : 0

  name   = "PrivateLink endpoints security group"
  vpc_id = module.vpc.vpc_id
}

// The endpoint ENIs must accept HTTPS from the subnets that run the tasks.
resource "aws_security_group_rule" "ingress_https" {
  count = var.create_vpc ? 1 : 0

  type        = "ingress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  // private_subnets_cidr_blocks is already a list(string); wrapping it in [ ]
  // would yield a list of lists and fail validation.
  cidr_blocks = module.vpc.private_subnets_cidr_blocks

  description       = "HTTPS access to VPC Endpoints"
  security_group_id = aws_security_group.vpc_endpoints[0].id
}

ecs-security-groups.tf

// Inputs referenced below, declared here so the file validates on its own.
variable "create" {
  type = bool
}
variable "name" {
  type = string
}
variable "vpc_id" {
  type = string
}
variable "private_subnets_cidr_blocks" {
  type = list(string)
}

resource "aws_security_group" "ecs" {
  count  = var.create ? 1 : 0
  name   = "${var.name}-ecs"
  vpc_id = var.vpc_id
}

// Tasks must be allowed to open HTTPS to the endpoint ENIs, which live in the
// private subnets.
resource "aws_security_group_rule" "egress_https_vpc" {
  count = var.create ? 1 : 0

  type        = "egress"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  cidr_blocks = var.private_subnets_cidr_blocks

  description       = "HTTPS access to VPC Endpoints"
  security_group_id = aws_security_group.ecs[0].id
}

For reference, I got the CannotPullContainerError: Error response from daemon you mentioned above when my security groups on both the Endpoints and the ECS Service were not configured to allow HTTPS traffic between them.

HTH
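Both the failure in the question and the fix in the answer come down to security-group evaluation once private DNS is on: the interface endpoint's private hosted zone applies to the whole VPC, so a task in a public subnet also resolves the registry hostname to the endpoint ENIs and connects from its VPC-internal address. The following is an added example, not code from the question, the answer, or the terraform-aws-modules VPC module: an offline Python simulation of the two security-group checks that must both pass (task egress to the endpoint ENI, endpoint ingress from the task), run against rules shaped like the answer's Terraform and against a variant widened to the VPC CIDR. All CIDRs, addresses and rule dicts are constructed for illustration; the rule dicts only mimic the fields of `aws ec2 describe-security-groups` output and nothing here calls AWS. One further caveat, from the Fargate documentation rather than the answer: tasks on Fargate platform version 1.4.0 and later also need a `com.amazonaws.<region>.ecr.api` interface endpoint alongside `ecr.dkr` and the S3 gateway endpoint.

```python
"""Offline simulation of security-group reachability from a Fargate task to an
ECR interface endpoint ENI on TCP 443. Constructed data; talks to no AWS API."""
import ipaddress

# Constructed VPC layout (assumed, not from the original post).
VPC_CIDR = "10.0.0.0/16"
PRIVATE_SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]
PUBLIC_SUBNET_CIDRS = ["10.0.101.0/24", "10.0.102.0/24"]

ENDPOINT_ENI_IP = "10.0.1.25"   # endpoint ENI placed in a private subnet
PRIVATE_TASK_IP = "10.0.2.40"   # task in a private subnet
PUBLIC_TASK_IP = "10.0.101.17"  # task in a public subnet (its VPC-internal address)


def _rule(direction, cidrs, port=443, proto="tcp"):
    """Build one security-group rule in a describe-security-groups-like shape."""
    return {"direction": direction, "protocol": proto, "from_port": port,
            "to_port": port, "cidr_blocks": list(cidrs)}


# Rules shaped like the answer's Terraform: endpoint SG admits HTTPS only from the
# private subnet CIDRs, ECS SG lets HTTPS out only to the private subnet CIDRs.
ENDPOINT_SG_AS_POSTED = [_rule("ingress", PRIVATE_SUBNET_CIDRS)]
ECS_SG_AS_POSTED = [_rule("egress", PRIVATE_SUBNET_CIDRS)]

# Widened variant: HTTPS allowed from/to the whole VPC CIDR, which also covers
# tasks in public subnets that private DNS steers to the endpoint.
ENDPOINT_SG_WHOLE_VPC = [_rule("ingress", [VPC_CIDR])]
ECS_SG_WHOLE_VPC = [_rule("egress", [VPC_CIDR])]


def rule_matches(rule, direction, peer_ip, port, proto="tcp"):
    """True if a single rule permits proto/port with the given peer address."""
    if rule["direction"] != direction:
        return False
    if rule["protocol"] not in (proto, "-1"):  # "-1" is the all-protocols wildcard
        return False
    if not rule["from_port"] <= port <= rule["to_port"]:
        return False
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(c) for c in rule["cidr_blocks"])


def can_pull(task_ip, ecs_sg, endpoint_ip, endpoint_sg, port=443):
    """Security groups are stateful allow-lists evaluated on both ends: the task's
    SG must allow egress to the endpoint ENI and the endpoint's SG must allow
    ingress from the task's address. Both must hold for the TLS connection to the
    registry to be established."""
    egress_ok = any(rule_matches(r, "egress", endpoint_ip, port) for r in ecs_sg)
    ingress_ok = any(rule_matches(r, "ingress", task_ip, port) for r in endpoint_sg)
    return egress_ok and ingress_ok


def resolved_via_endpoint(resolved_ip, vpc_cidr=VPC_CIDR):
    """Diagnostic for the question's symptom: if the registry hostname resolves to
    an address inside the VPC, private DNS on the interface endpoint is steering
    this task to the endpoint ENIs (VPC-wide, public subnets included) rather than
    to the public ECR edge, so the endpoint's security group now governs the pull."""
    return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(vpc_cidr)


def explain(task_ip, ecs_sg, endpoint_ip, endpoint_sg):
    verdict = "ALLOWED" if can_pull(task_ip, ecs_sg, endpoint_ip, endpoint_sg) else "BLOCKED"
    return f"task {task_ip} -> endpoint {endpoint_ip}:443 {verdict}"


if __name__ == "__main__":
    for label, task in (("private-subnet task", PRIVATE_TASK_IP),
                        ("public-subnet task", PUBLIC_TASK_IP)):
        print(label, "| SGs as posted :",
              explain(task, ECS_SG_AS_POSTED, ENDPOINT_ENI_IP, ENDPOINT_SG_AS_POSTED))
        print(label, "| SGs whole VPC :",
              explain(task, ECS_SG_WHOLE_VPC, ENDPOINT_ENI_IP, ENDPOINT_SG_WHOLE_VPC))
    print("registry resolves inside VPC:", resolved_via_endpoint(ENDPOINT_ENI_IP))
```

The practical check this mirrors: from a task in the failing subnet, resolve `<account>.dkr.ecr.<region>.amazonaws.com`; a VPC-internal answer means the pull is going to the endpoint ENI, and the endpoint security group must then admit TCP 443 from that subnet's CIDR (and the task's security group must allow the matching egress).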

