jetstack / version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
https://jetstack.io
Apache License 2.0

Not able to list tags from Amazon container image registries (602401143452.dkr.ecr.us-east-1.amazonaws.com) #167

Closed pbc0810 closed 2 months ago

pbc0810 commented 4 months ago

Version checker is deployed on EKS with an IAM role attached to the service account with read-only access to ECR. Getting AccessDeniedException for image 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver. As per the document https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html, read-only access to ECR is already given.

time="2024-03-20T09:55:03Z" level=error msg="error syncing 'ebs-csi-node-dvwxj/kube-system': failed to sync pod ebs-csi-node-dvwxj/kube-system: 
  failed to check container image \"ebs-plugin\": failed to get tags from remote registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver\": 
  failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized 
  to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/aws-ebs-csi-driver because no resource-based policy allows 
  the ecr:DescribeImages action\n\tstatus code: 400, request id: 4698a080-c6ec-4869-b17e-d67b0aaedfc4,failed to check container image \"node-driver-registrar\":
  failed to get tags from remote registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/csi-node-driver-registrar\": failed to describe images:
  AccessDeniedException: User: arn:aws:sts::xxxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages 
  on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/csi-node-driver-registrar because no resource-based policy allows the ecr:DescribeImages 
  action\n\tstatus code: 400, request id: d619d42a-360e-4e44-b027-d64ddc84db43,failed to check container image \"liveness-probe\": failed to get tags from remote 
  registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/livenessprobe\": failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718 
  is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/livenessprobe because no resource-based policy allows the ecr:DescribeImages action\n\tstatus code: 
  400, request id: 090fc9fb-4b95-40ec-9d2a-bd31323beb52, requeuing" module=controller

davidcollom commented 3 months ago

I think this is a duplicate of #146
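
Added example, not part of the issue thread or the version-checker code base: a Python triage helper that parses the AccessDeniedException text in the log above and reports, per repository and action, whether the denial is cross-account and which side's policy is missing. The sample log is constructed from the message format in the issue, with 111122223333 as a placeholder for the redacted caller account; `triage` and its field names are hypothetical.

```python
import re

# Constructed sample modelled on the log in the issue; 111122223333 is a
# placeholder for the redacted caller account.
SAMPLE_LOG = (
    "failed to describe images: AccessDeniedException: User: "
    "arn:aws:sts::111122223333:assumed-role/version-checker-role/1710928471956841718 "
    "is not authorized to perform: ecr:DescribeImages on resource: "
    "arn:aws:ecr:us-east-1:602401143452:repository/eks/aws-ebs-csi-driver "
    "because no resource-based policy allows the ecr:DescribeImages action"
)

# \s+ between tokens tolerates logs that were wrapped when pasted.
DENIAL = re.compile(
    r"User:\s+arn:aws:sts::[^:]*:assumed-role/(?P<role>[^/\s]+)/\S+\s+"
    r"is not authorized\s+to perform:\s+(?P<action>[\w-]+:\w+)\s+on resource:\s+"
    r"arn:aws:ecr:(?P<region>[\w-]+):(?P<owner>\d{12}):repository/(?P<repo>\S+)\s+"
    r"because\s+no\s+(?P<kind>resource|identity)-based policy allows"
)

def triage(log, own_account):
    """Return one finding per distinct (repo, action) denial found in the log.

    own_account is passed in because the caller account is often redacted
    in pasted logs, as it is in the issue.
    """
    findings = {}
    for m in DENIAL.finditer(log):
        d = m.groupdict()
        cross = d["owner"] != own_account
        # Cross-account access needs an allow on both sides: the caller's
        # identity policy and the repository policy in the owning account.
        if d["kind"] == "resource" and cross:
            fix = "repository policy in owner account"
        elif d["kind"] == "identity":
            fix = "IAM policy on caller role"
        else:
            fix = "review both policies"
        findings[(d["repo"], d["action"])] = {
            "role": d["role"], "owner": d["owner"],
            "cross_account": cross, "fix": fix,
        }
    return findings

if __name__ == "__main__":
    for key, finding in triage(SAMPLE_LOG, "111122223333").items():
        print(key, finding)
```

A finding of "repository policy in owner account" means a read-only ECR policy on the caller's role cannot satisfy the request on its own.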