How to pull a docker image from AWS ECR to Minikube Kubernetes cluster with MFA enabled
I have a docker image in AWS ECR which is in my secondary account. I want to pull that image to the Minikube Kubernetes cluster using an AWS IAM Role ARN where MFA is enabled on it. Due to this, my deployment failed while pulling the image.
I enabled the registry-creds addon to access the ECR image but it didn't work out.
May I know any other way to access AWS ECR of AWS Account B via AWS IAM Role ARN with MFA enabled using the credentials of AWS Account A?
For example, I provided details like this:
ERROR MESSAGE:
Warning Failed 2s (x3 over 42s) kubelet Failed to pull image "XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/sample-dev:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/v2/sample-dev/manifests/latest": no basic auth credentials
Warning Failed 2s (x3 over 42s) kubelet Error: ErrImagePull
While the minikube addons-based solution shown by @DavidMaze is probably cleaner and generally preferable, I wasn't able to get it to work.
Instead, I found out it is possible to give the service account of the pod a copy of the docker login tokens in the local home. If you haven't set a serviceaccount, it's default:
# Log in with aws ecr get-login or however
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=$HOME/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
This will work fine in a bind.
Minikube doesn't have a way to provide the MFA token. You need to create temporary credentials somehow and provide those credentials to minikube addons configure registry-creds.
My day job uses aws-vault and so my typical sequence for setting this up involves running
aws-vault exec some-profile -- env | grep AWS
minikube addons configure registry-creds
and then copying the temporary access key (starts with ASIA...), secret, and session token into the Minikube configuration. I do not enter a role ARN in the final prompt; the temporary credentials are already associated with the right AWS role.
The same restrictions and workaround would apply if you were using the Kubernetes-level imagePullSecrets.
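The two answers above fit together: mint temporary credentials for the cross-account role with an MFA code (what the second answer does with aws-vault), then store the resulting ECR token as an imagePullSecret on the service account (what the first answer does by copying ~/.docker/config.json). The script below is an added example that does both in one pass; it is not code from either answer. It assumes the environment variables ECR_ROLE_ARN, MFA_SERIAL, ECR_REGISTRY and AWS_REGION (placeholders, not values from the question), uses aws sts assume-role with --serial-number/--token-code instead of aws-vault, and uses aws ecr get-login-password rather than the older aws ecr get-login mentioned in the comment. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original answers): assume the cross-account role
# with an MFA code, turn the short-lived credentials into an ECR registry token,
# and hand that token to the cluster as an imagePullSecret on the default
# service account. ECR_ROLE_ARN, MFA_SERIAL and ECR_REGISTRY are placeholders
# read from the environment; nothing here is a real account value.
set -eu

# Build the JSON body of a kubernetes.io/dockerconfigjson secret for one ECR
# registry. ECR basic auth is always the user "AWS" plus the get-login-password
# token; the "auth" field is base64("AWS:<token>"), which is what the kubelet
# presents to the registry (the "no basic auth credentials" error in the
# question means this was missing).
build_dockerconfig() {
  registry="$1"; token="$2"
  auth=$(printf 'AWS:%s' "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}\n' \
    "$registry" "$token" "$auth"
}

# Assume the role in account B from account A's credentials, supplying the MFA
# code interactively. Prints AccessKeyId, SecretAccessKey and SessionToken on
# one line. The keys expire after DURATION seconds (default 1h) rather than
# living on indefinitely in ~/.aws or in the cluster.
assume_role_with_mfa() {
  role_arn="$1"; mfa_serial="$2"; duration="${3:-3600}"
  printf 'MFA code for %s: ' "$mfa_serial" >&2
  read -r code
  aws sts assume-role \
    --role-arn "$role_arn" \
    --serial-number "$mfa_serial" \
    --token-code "$code" \
    --duration-seconds "$duration" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

# Create or refresh the pull secret and attach it to the service account.
# Rendering with --dry-run=client and applying makes this re-runnable when the
# 12-hour ECR token has expired and needs rotating.
install_pull_secret() {
  registry="$1"; token="$2"; secret="${3:-regcred}"; sa="${4:-default}"
  tmp=$(mktemp)
  build_dockerconfig "$registry" "$token" > "$tmp"
  kubectl create secret generic "$secret" \
    --from-file=.dockerconfigjson="$tmp" \
    --type=kubernetes.io/dockerconfigjson \
    --dry-run=client -o yaml > "$tmp.yaml"
  kubectl apply -f "$tmp.yaml"
  rm -f "$tmp" "$tmp.yaml"
  kubectl patch serviceaccount "$sa" \
    -p "{\"imagePullSecrets\": [{\"name\": \"$secret\"}]}"
}

main() {
  # Placeholders: set these to your own values before running.
  role_arn="${ECR_ROLE_ARN:?e.g. arn:aws:iam::<ACCOUNT_B_ID>:role/<ROLE>}"
  mfa_serial="${MFA_SERIAL:?e.g. arn:aws:iam::<ACCOUNT_A_ID>:mfa/<USER>}"
  region="${AWS_REGION:-ca-central-1}"
  registry="${ECR_REGISTRY:?e.g. <ACCOUNT_B_ID>.dkr.ecr.<REGION>.amazonaws.com}"

  # Split the three whitespace-separated values into $1 $2 $3.
  set -- $(assume_role_with_mfa "$role_arn" "$mfa_serial")
  # Export only for this process; the temporary keys never touch ~/.aws.
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  token=$(aws ecr get-login-password --region "$region")
  install_pull_secret "$registry" "$token"
}

# Run the end-to-end flow only when the role ARN is configured; otherwise the
# functions are merely defined, so the file can be sourced or tested offline.
if [ -n "${ECR_ROLE_ARN:-}" ]; then
  main
fi
```

The same three values printed by assume-role (access key starting with ASIA, secret, session token) are what you would paste into minikube addons configure registry-creds if you prefer the addon route. Either way the role in account B still needs ecr:GetAuthorizationToken plus the pull permissions on the repository, and the token is only valid for 12 hours, so the script has to be re-run to rotate the secret.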