Open wdonne opened 1 year ago
Note that for the cluster stack and the cluster store this works fine.
I have also tried an ECR policy with ecr:* as the action, meaning it can do anything with the repository, but that doesn't change anything.
I forgot to mention that this is with version 0.10.1. I noticed that this release file uses the 0.10.1-rc.3 version of the images for the Deployment resources.
Huh, these all look correct to me. For sanity's sake, can you check that:
Can you also try using just the hostname in the dockerconfig? Something like:
{
  "auths": {
    "<account>.dkr.ecr.<region>.amazonaws.com": {
      "username": "AWS",
      "password": "XXXXX ECR Authorization Token XXXXX"
    }
  }
}
Hey @wdonne We are facing similar issues with ECR put permissions too. Did you find any workaround?
Hi @semmet95,
I haven't pursued this further yet, but the only possible thing I see is using the domain name instead of the URL in the dockerconfig.
@wdonne For me, your approach worked when I created a secret using the .docker/config.json file after logging in to ECR with the IAM role with proper policies.
kubectl create secret generic regcred --from-file=.dockerconfigjson=/Users/amisingh/temp/.docker/config.json --type=kubernetes.io/dockerconfigjson
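An added example, not part of the thread and not kpack's own code: a pre-flight check for the dockerconfigjson discussed above. It builds the file keyed by the bare registry hostname from an ECR authorization token (AWS returns it as base64 of AWS:<password>) and flags a URL-style key or a still-encoded token in the password field. The function names and sample values are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Private ECR hostname shape in the standard aws partition (assumption).
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")

def registry_host(key):
    """Reduce an auths key such as https://host/v2/ to the bare hostname."""
    parsed = urlparse(key if "://" in key else "//" + key)
    return parsed.hostname or ""

def split_authorization_token(token):
    """Decode a GetAuthorizationToken value (base64 of 'AWS:<password>')."""
    decoded = base64.b64decode(token, validate=True).decode()
    user, sep, password = decoded.partition(":")
    if user != "AWS" or not sep or not password:
        raise ValueError("not an ECR authorization token")
    return user, password

def build_dockerconfig(registry, token):
    """Return .dockerconfigjson text keyed by the bare registry hostname."""
    user, password = split_authorization_token(token)
    entry = {"username": user, "password": password}
    return json.dumps({"auths": {registry_host(registry): entry}})

def lint_dockerconfig(text):
    """List findings for each auths entry; an empty list means no findings."""
    findings = []
    for key, entry in json.loads(text).get("auths", {}).items():
        host = registry_host(key)
        if key != host:
            findings.append(f"{key}: key is not a bare hostname (use {host})")
        if not ECR_HOST.match(host):
            findings.append(f"{key}: not a private ECR registry hostname")
        if entry.get("username") != "AWS":
            findings.append(f"{key}: username is not AWS")
        try:
            split_authorization_token(entry.get("password") or "")
            findings.append(f"{key}: password is the undecoded authorization token")
        except ValueError:
            pass  # not base64 of AWS:<password>, so nothing to flag here
    return findings

# Constructed sample values, not real credentials.
SAMPLE_TOKEN = base64.b64encode(b"AWS:constructed-password").decode()
SAMPLE_REGISTRY = "https://123456789012.dkr.ecr.eu-west-1.amazonaws.com"
```

The output of build_dockerconfig can be written to a file and passed to the kubectl create secret command above through --from-file=.dockerconfigjson=<path>.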
Hello,
With ECR you can use AWS as the username and an authentication token as the password. You can put this in a dockerconfigjson file like this:
If you put that in a Kubernetes secret of type kubernetes.io/dockerconfigjson and attach it to the kpack service account as both a secret and an image pull secret, then the Builder that uses that service account will produce the following error:
The logs in the kpack controller show this:
The AWS policy in the role I generated the authorization token from was the following: