如何在 Kubernetes Yaml 中驗證 AWS ECR

Question

我有以下pod.yaml文件，它簡單地描述了 Kubernetes pod 的創建：

apiVersion: v1
kind: Pod
metadata:
  name: dotnet-console-producer-poc.pod
  labels:
    app: helloworld
spec:
  containers:
  - name: dotnet-console-producer-pod
    image: 442285873998.dkr.ecr.us-east-1.amazonaws.com/dotnet-console-producer-benchmark-docker:latest
    ports:
    - containerPort: 8001

引用的圖像位於 AWS ECR ( 442285873998.dkr.ecr.us-east-1.amazonaws.com/dotnet-console-producer-benchmark-docker:latest ) 中。

運行創建資源命令 ( kubectl create -f pod.yaml ) 時，pod 已創建，但由於無法從 AWS ECR 訪問映像而崩潰。 Kubernetes錯誤如下圖所示：

Failed to pull image "442285873998.dkr.ecr.us-east-1.amazonaws.com/mcflow-dotnet-console-producer-benchmark-docker:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for 442285873998.dkr.ecr.us-east-1.amazonaws.com/mcflow-dotnet-console-producer-benchmark-docker, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::607546651489:assumed-role/nodes.dev.vet-dev.digitalecp.mcd.com/i-055276c817ba7a096 is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:442285873998:repository/mcflow-dotnet-console-producer-benchmark-docker

我的 Kubernetes 實例正在 EC2 實例上運行。 如何在 ECR 中進行身份驗證，以便 Kubernetes 可以檢索圖像並在 pod 中運行它？

Answer 1

我們創建了一個 Helm 圖表來解決這個問題，希望對您有所幫助 - https://github.com/relizaio/helm-charts/#1-ecr-regcred