giantswarm / roadmap

Giant Swarm Product Roadmap
https://github.com/orgs/giantswarm/projects/273
Apache License 2.0

Test what happens if we run a cluster that uses docker hub access credentials that become invalid #3409

Closed piontec closed 1 month ago

piontec commented 1 month ago

Currently, all our vintage clusters have containerd configuration that is using our access credentials to connect to docker hub. We assume that when we stop paying docker, nothing changes, but just in case let's see what happens when we have to invalidate/remove these access tokens.

uvegla commented 1 month ago

The tokens belong to the giantswarmpull Docker Hub account. You can disable/enable the tokens at will without deleting them. That is how I tested the scenario.

This is the manifest I tested with:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: docker.io/nginx:1.14.2
        imagePullPolicy: Always
        ports:
        - containerPort: 80
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          privileged: false
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault

On CAPx MCs the docker.io creds are distributed to the nodes' containerd. On snail I turned off the token and the pods failed with:

  Normal   Pulling          13s   kubelet            Pulling image "docker.io/nginx:1.14.2"
  Warning  Failed           11s   kubelet            Failed to pull image "docker.io/nginx:1.14.2": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/nginx:1.14.2": failed to resolve reference "docker.io/library/nginx:1.14.2": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://auth.docker.io/token?scope=repository%3Alibrary%2Fnginx%3Apull&service=registry.docker.io: 401 Unauthorized
  Warning  Failed           11s   kubelet            Error: ErrImagePull
  Normal   BackOff          11s   kubelet            Back-off pulling image "docker.io/nginx:1.14.2"

For vintage MC I tested on gaia. The MC doesn't have authentication; the containerd configs don't have the creds. Turning off the token did not affect the pulls.

Vintage MC /etc/containerd/config.toml comes from: https://github.com/giantswarm/giantnetes-terraform/blob/master/templates/files/conf/containerd-config.toml

There does not seem to be any auth token here.

For vintage WC I created one on gaia. The pulls failed on disabling the token.

Vintage WC /etc/containerd/config.toml: https://github.com/giantswarm/k8scloudconfig/blob/master/files/conf/containerd-config.toml

Value comes from config repo https://github.com/giantswarm/giantswarm-configs/blob/main/installations/gaia/apps/aws-operator/secret-values.yaml.patch#L3
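The test above boils down to one question per node: does its containerd config carry static docker.io credentials, and which of the cluster's image pulls go through that registry? The script below is an added example written for this issue, not Giant Swarm code from any of the repositories linked above. It scans a constructed sample config in the containerd CRI registry layout (the `registry.configs."<host>".auth` table with `username`/`password`/`auth`/`identitytoken` keys, as containerd documents; the sample values, the hypothetical `dckr_pat_REDACTED` password and the helper names are assumptions), then applies Docker's reference normalization so that `docker.io/nginx:1.14.2` resolves to `docker.io/library/nginx:1.14.2`, exactly as the kubelet event shows, and reports which images would hit the 401 once the token is disabled.

```python
"""Which image pulls on a node break if its containerd registry token is revoked?

Added example for this issue, not Giant Swarm code. SAMPLE_CONFIG is a
constructed containerd config.toml fragment, not a real Giant Swarm config.
"""
import re

# Constructed sample of a node's /etc/containerd/config.toml: docker.io has
# static credentials, quay.io only has a TLS section (assumption for the demo).
SAMPLE_CONFIG = """
version = 2

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".auth]
    username = "giantswarmpull"
    password = "dckr_pat_REDACTED"
  [plugins."io.containerd.grpc.v1.cri".registry.configs."quay.io".tls]
    insecure_skip_verify = false
"""

_TABLE_RE = re.compile(r'^\s*\[(.+)\]\s*$')
_KV_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*$')
# Credential keys containerd accepts under registry.configs.<host>.auth.
_AUTH_KEYS = ("username", "password", "auth", "identitytoken")


def _split_table_path(header):
    """Split a TOML table header into parts, keeping quoted parts such as "docker.io" intact."""
    return [p.strip().strip('"') for p in re.findall(r'"[^"]*"|[^.]+', header)]


def registries_with_static_creds(config_text):
    """Return {host: [credential keys present]} for every
    registry.configs."<host>".auth table that carries a non-empty credential.

    Deliberately a subset TOML scanner (table headers + quoted string values):
    that is all the containerd registry layout needs, and it keeps the example
    free of a TOML library dependency.
    """
    found = {}
    current_host = None
    for line in config_text.splitlines():
        m = _TABLE_RE.match(line)
        if m:
            parts = _split_table_path(m.group(1))
            is_auth = (len(parts) >= 4 and parts[-4:-2] == ["registry", "configs"]
                       and parts[-1] == "auth")
            current_host = parts[-2] if is_auth else None
            continue
        m = _KV_RE.match(line)
        if m and current_host and m.group(1) in _AUTH_KEYS and m.group(2):
            found.setdefault(current_host, []).append(m.group(1))
    return found


def registry_host(image):
    """Registry host an image reference resolves to (Docker reference rules):
    the first path component is a host only if it contains '.' or ':' or is
    'localhost'; anything else defaults to docker.io. index.docker.io is the
    same registry as docker.io."""
    name = image.split("@", 1)[0]  # drop any digest
    first, sep, _rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return "docker.io" if first == "index.docker.io" else first
    return "docker.io"


def canonical_ref(image):
    """Canonical reference as containerd logs it, e.g. nginx:1.14.2 and
    docker.io/nginx:1.14.2 both become docker.io/library/nginx:1.14.2."""
    if registry_host(image) != "docker.io":
        return image
    first, sep, rest = image.partition("/")
    path = rest if sep and first in ("docker.io", "index.docker.io") else image
    if "/" not in path:
        path = "library/" + path  # official images live under library/
    return "docker.io/" + path


def pulls_at_risk(config_text, images):
    """Images whose pull goes through a registry that this node authenticates
    to with static credentials: these are the pulls that fail with
    'failed to fetch oauth token ... 401 Unauthorized' once the token is disabled."""
    creds = registries_with_static_creds(config_text)
    return [canonical_ref(img) for img in images if registry_host(img) in creds]


if __name__ == "__main__":
    # Constructed image list: mixes the issue's nginx image with other registries.
    images = ["docker.io/nginx:1.14.2", "nginx:1.14.2",
              "quay.io/giantswarm/app:1.0", "localhost:5000/dev/tool:latest"]
    print("static creds:", registries_with_static_creds(SAMPLE_CONFIG))
    print("at risk:", pulls_at_risk(SAMPLE_CONFIG, images))
```

Only pulls that actually contact the registry are affected, which is why the manifest in the comment above forces `imagePullPolicy: Always`; a pod using `IfNotPresent` with the image already cached on the node would keep starting after the token is disabled and would hide the breakage until the node is replaced.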