
How to pull a docker image from AWS ECR to Minikube Kubernetes cluster with MFA enabled

I have a docker image in AWS ECR which is in my secondary account. I want to pull that image to the Minikube Kubernetes cluster using an AWS IAM Role ARN that has MFA enabled on it. Due to this, my deployment failed while pulling the image.

I enabled the registry-creds addon to access the ECR image, but it didn't work out.

May I know any other way to access AWS ECR of AWS Account B via an AWS IAM Role ARN with MFA enabled, using the credentials of AWS Account A?

For example, I provided details like this:

  • Enter AWS Access Key ID: Access key of Account A
  • Enter AWS Secret Access Key: Secret key of Account A
  • (Optional) Enter AWS Session Token:
  • Enter AWS Region: us-west-2
  • Enter 12 digit AWS Account ID (Comma separated list): [ AccountA, AccountB ]
  • (Optional) Enter ARN of AWS role to assume: < role_arn of AccountB >

ERROR MESSAGE: Warning Failed 2s (x3 over 42s) kubelet Failed to pull image "XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/sample-dev:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/v2/sample-dev/manifests/latest": no basic auth credentials

Warning Failed 2s (x3 over 42s) kubelet Error: ErrImagePull

While the minikube addons based solution shown by @DavidMaze is probably cleaner and generally preferable, I wasn't able to get it to work.

Instead, I found out it is possible to give the service account of the pod a copy of the docker login tokens in the local home. If you haven't set a serviceaccount, it's default:

# Log in with aws ecr get-login or however
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=$HOME/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'

This will work fine in a bind.

Minikube doesn't have a way to provide the MFA token. You need to create temporary credentials somehow and provide those credentials to minikube addons configure registry-creds.

My day job uses aws-vault, and so my typical sequence for setting this up involves running

aws-vault exec some-profile -- env | grep AWS
minikube addons configure registry-creds

and then copying the temporary access key (starts with ASIA...), secret, and session token into the Minikube configuration. I do not enter a role ARN in the final prompt; the temporary credentials are already associated with the right AWS role.

The same restrictions and workaround would apply if you were using the Kubernetes-level imagePullSecrets.
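Both answers above reduce to the same flow: obtain temporary credentials that already carry the MFA-protected role in Account B, ask ECR for a login password with them, and hand that password to the cluster as a kubernetes.io/dockerconfigjson pull secret. The script below is an added example that ties those steps together; it is not code from either answer. The role ARN, MFA device serial and registry hostname are placeholders passed as arguments, and it assumes the aws and kubectl CLIs are installed with Account A's long-lived credentials available in the default profile or environment. It derives the region from the registry hostname rather than prompting for it, because the pull has to target the registry's own region.

```shell
#!/bin/sh
# Added example (not from the answers above): assume an MFA-protected role in
# Account B with Account A credentials, log in to ECR with the temporary
# credentials, and install the result as an imagePullSecret for minikube.
# Usage: sh <this-script> <role_arn> <mfa_serial> <registry_host>
# All three arguments are placeholders supplied by the operator.
set -eu

# ECR registry hostnames have the form <account>.dkr.ecr.<region>.amazonaws.com;
# the pull must target that region, so derive it from the host instead of asking.
region_from_registry() {
  case "$1" in
    *.dkr.ecr.*.amazonaws.com)
      r=${1#*.dkr.ecr.}
      printf '%s\n' "${r%%.*}"
      ;;
    *)
      echo "not an ECR registry hostname: $1" >&2
      return 1
      ;;
  esac
}

# Produce the .dockerconfigjson payload for one registry. Docker stores the
# credential as base64("user:password"); for ECR the user is literally "AWS".
build_dockerconfigjson() {
  registry=$1
  password=$2
  auth=$(printf '%s' "AWS:${password}" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# Exchange Account A credentials plus a one-time MFA code for temporary
# credentials (access key starting with ASIA) on the Account B role.
# Prints AccessKeyId, SecretAccessKey and SessionToken tab-separated.
assume_role_with_mfa() {
  aws sts assume-role \
    --role-arn "$1" \
    --role-session-name minikube-ecr \
    --serial-number "$2" \
    --token-code "$3" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

main() {
  role_arn=$1; mfa_serial=$2; registry=$3
  region=$(region_from_registry "$registry")

  printf 'MFA code for %s: ' "$mfa_serial"
  read -r token_code
  creds=$(assume_role_with_mfa "$role_arn" "$mfa_serial" "$token_code")
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  # The ECR password is itself a short-lived token (12 hours), so the secret
  # must be regenerated when it expires; apply so that re-runs replace it.
  password=$(aws ecr get-login-password --region "$region")
  tmp=$(mktemp)
  build_dockerconfigjson "$registry" "$password" > "$tmp"
  kubectl create secret generic regcred \
    --from-file=.dockerconfigjson="$tmp" \
    --type=kubernetes.io/dockerconfigjson \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$tmp"
  kubectl patch serviceaccount default \
    -p '{"imagePullSecrets":[{"name":"regcred"}]}'
}

# Run only when invoked with all three arguments; sourcing just defines functions.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Because the secret is a copy of a token that expires after 12 hours, expect pulls to start failing with the same "no basic auth credentials" error once it lapses; re-running the script refreshes it in place.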
