search

jetstack / version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
https://jetstack.io
Apache License 2.0
696 stars 79 forks source link

does not seem to support kube2iam for ECR access #66

Open yogeek opened 3 years ago

yogeek commented 3 years ago

Hello,

I have a K8S cluster deployed in AWS with kubeadm. Some of my images comes from the ECR of the K8S AWS account and I wanted to use kube2iam annotation on version-checker pod to allow it to check for image tags but it does not seem to work :

version-checker pod :

apiVersion: v1
kind: Pod
metadata:
  annotations:
    enable.version-checker.io/version-checker: "true"
    iam.amazonaws.com/role: ecr-read-profile
[...]

version-checker logs :

time="2020-12-07T14:47:39Z" level=error msg="error syncing 'checkoutservice-78b576896d-9pk6z/microdemo': failed to sync pod checkoutservice-78b576896d-9pk6z/microdemo: failed to check container image \"server\": failed to get tags from remote registry for \"<AWS_ACCOUNT_ID>.dkr.ecr.eu-central-1.amazonaws.com/google-samples/microservices-demo/checkoutservice\": failed to describe images: EmptyStaticCreds: static credentials are empty, requeuing" module=controller

Does the ECR authent only work with static credentials ? Would it be possible to support kube2iam to avoid giving the pod static key and password ? Thanks

james-gonzalez commented 3 years ago

Something like this would also be useful for us. We could use the service-account with the annotation "eks.amazonaws.com/role-arn" : role-arn so that we don't have to hard-code keys anywhere.