Closed epDHowwD closed 7 months ago
From the provider-aws perspective, configuring the kubelet to use a credential helper is not hard. The question would be how to get https://github.com/kubernetes/cloud-provider-aws/blob/ca6c03d852a0a2823281add3c302d57bc3e293d6/cmd/ecr-credential-provider/main.go safely into the node.
/cc @oliver-goetz
/assign
Hi @kon-angelo,
I see https://github.com/gardener/gardener-extension-provider-aws/pull/854 is merged. Was this the only required change?
Thanks Gordon
@epDHowwD Yes, just this change. Just a note that it requires the gardener node agent to be enabled on the gardenlet.
How to categorize this issue?
/area control-plane os security
/kind enhancement
What would you like to be added: We would like to request to have the binary ecr-credential-provider added to each node and configured to be used in kubelet in AWS. Background is CHANGELOG-1.27.md:
Why is this needed: When clusters use AWS kubelet credential provider to authenticate towards ECR on Gardener, an update to Kubernetes 1.27 is currently not possible without transferring the entire setup to a dockersecret based authentication model where a cron job resets the image pull secret token on a daily basis. We would like to continue the account based authentication and authorization to ECR that is much easier to handle.
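An added example, not part of the original issue and not Gardener's or cloud-provider-aws's own code: one way to place the ecr-credential-provider binary on a node only after its SHA-256 matches a pinned digest, and to write the kubelet CredentialProviderConfig that points at it. The function name, the paths, the match pattern, the cache duration and the out-of-band source of the digest are assumptions.

```shell
#!/bin/sh
# Added example: verify a credential provider binary against a pinned digest
# before installing it, then write the kubelet config that references it.
# All paths and the digest are supplied by the caller (assumptions).

# install_provider SRC EXPECTED_SHA256 BIN_DIR CONFIG_PATH
install_provider() {
    src=$1; expected=$2; bin_dir=$3; config=$4
    # Refuse anything whose SHA-256 differs from the pinned value.
    actual=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: got $actual" >&2
        return 1
    fi
    mkdir -p "$bin_dir" "$(dirname "$config")" || return 1
    # Executable, but writable only by the installing user (root on a node).
    install -m 0755 "$src" "$bin_dir/ecr-credential-provider" || return 1
    # The provider name must equal the binary's file name inside BIN_DIR.
    cat > "$config" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
  - name: ecr-credential-provider
    matchImages:
      - "*.dkr.ecr.*.amazonaws.com"
    defaultCacheDuration: "12h"
    apiVersion: credentialprovider.kubelet.k8s.io/v1
EOF
    chmod 0644 "$config"
}

# The kubelet is then started with:
#   --image-credential-provider-bin-dir=BIN_DIR
#   --image-credential-provider-config=CONFIG_PATH
```

The kubelet executes whatever file carries the provider name in that directory, so the directory and the config file should stay writable by root only.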