Closed piontec closed 1 month ago
The tokens belong to the giantswarmpull Docker Hub account. You can disable / enable the tokens at will without deleting them. That is how I tested the scenario.
This is the manifest I tested with:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: docker.io/nginx:1.14.2
        imagePullPolicy: Always
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
```
On CAPx MCs the docker.io creds are distributed to the nodes' containerd. On snail I turned off the token and the pods failed with:
```
Normal Pulling 13s kubelet Pulling image "docker.io/nginx:1.14.2"
Warning Failed 11s kubelet Failed to pull image "docker.io/nginx:1.14.2": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/nginx:1.14.2": failed to resolve reference "docker.io/library/nginx:1.14.2": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2Fnginx%3Apull&service=registry.docker.io: 401 Unauthorized
Warning Failed 11s kubelet Error: ErrImagePull
Normal BackOff 11s kubelet Back-off pulling image "docker.io/nginx:1.14.2"
```
For vintage MC I tested on gaia. The MC doesn't have authentication, the containerd configs don't have the creds. Turning off the token did not affect the pulls.
Vintage MC `/etc/containerd/config.toml` comes from: https://github.com/giantswarm/giantnetes-terraform/blob/master/templates/files/conf/containerd-config.toml
There does not seem to be any auth token here.
For vintage WC I created one on gaia. The pulls failed on disabling the token.
Vintage WC `/etc/containerd/config.toml`: https://github.com/giantswarm/k8scloudconfig/blob/master/files/conf/containerd-config.toml
Value comes from config repo https://github.com/giantswarm/giantswarm-configs/blob/main/installations/gaia/apps/aws-operator/secret-values.yaml.patch#L3
Currently, all our vintage clusters have containerd configuration that is using our access credentials to connect to docker hub. We assume that when we stop paying docker, nothing changes, but just in case let's see what happens when we have to invalidate/remove these access tokens.
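To tell which clusters the token revocation tested above can break, here is an added example (not code from this issue or from Giant Swarm) that scans a containerd `config.toml` for per-registry auth tables and flags kubelet pull events that failed with a 401; the config and the event lines are constructed samples with placeholder credentials.

```python
import re

# Constructed sample in containerd's CRI v1 registry format; NOT the Giant Swarm
# config.toml linked above, and the credential values are placeholders.
SAMPLE_CONFIG = """
version = 2
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://registry-1.docker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".auth]
  username = "giantswarmpull"
  password = "dckr_pat_PLACEHOLDER"
[plugins."io.containerd.grpc.v1.cri".registry.configs."quay.io".auth]
  identitytoken = "PLACEHOLDER"
"""

AUTH_HEADER = re.compile(
    r'^\[plugins\."io\.containerd\.grpc\.v1\.cri"\.registry\.configs\."([^"]+)"\.auth\]$')
AUTH_KEYS = ("username", "password", "auth", "identitytoken")

def registries_with_auth(config_text):
    """Map each registry host to the credential keys in its auth table. A host
    absent from the result pulls anonymously, so a revoked token cannot break it."""
    found, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # any new table ends the current auth block
            m = AUTH_HEADER.match(line)
            current = m.group(1) if m else None
        elif current and "=" in line:
            key = line.split("=", 1)[0].strip()
            if key in AUTH_KEYS:
                found.setdefault(current, []).append(key)
    return found

# Constructed kubelet events: shortened copy of the 401 pasted above, plus a non-auth failure.
SAMPLE_EVENTS = [
    'Warning Failed 11s kubelet Failed to pull image "docker.io/nginx:1.14.2": rpc error: '
    'code = Unknown desc = failed to authorize: failed to fetch oauth token: unexpected '
    'status from GET request to https://auth.docker.io/token?scope=...: 401 Unauthorized',
    'Warning Failed 9s kubelet Failed to pull image "docker.io/nginx:9.9.9": rpc error: '
    'code = NotFound desc = failed to pull and unpack image: not found',
]
AUTH_FAILURE = re.compile(r'Failed to pull image "([^"]+)".*\b401 Unauthorized\b')

def auth_pull_failures(event_lines):
    """Images whose pull was rejected at the token endpoint (401), not a missing tag."""
    return [m.group(1) for m in map(AUTH_FAILURE.search, event_lines) if m]
```

Run `registries_with_auth` over each cluster's containerd config: an empty result is the vintage MC situation, a `docker.io` entry is the CAPx MC and vintage WC situation where pulls stop once the token is disabled.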