Closed TebogoAWS closed 1 year ago
This issue is currently awaiting triage.
If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted
label and provide further guidance.
The triage/accepted
label can be added by org members by writing /triage accepted
in a comment.
I'm looking at putting up a PR for this. We get the region from the ECR URL, which won't work for a public repository, so we'll need an alternate mechanism to get the region.
It will actually be a little different still. Public ECR registries require you to authenticate in us-east-1 and require different tokens from the private repositories, so we'll have to use two different credential providers and tokens based on the registry. This will only work in commercial regions, so non-commercial regions, people will not want to enable this.
What would you like to be added:
Enhance ecr-credential-provider to authenticate to ECR Public repositories. Currently we only looking at the private repository pattern
Why is this needed:
Customers who are doing numerous anonymous pull requests from ECR Public repositories will hit the data transfer limit of 500 GB. Thereafter, they would need to authenticate before they would be able to do any further pulls.
Data transferred from public repositories:
Data Transfer OUT *** | -- | -- Without using an AWS Account | 500 GB / month | $0.00 per GB When using an AWS Account | 5 TB / monthOn k8s this means implementing a process where nodes would have to authenticate manually i.e. CronJob and scheduling it to reauthenticate within 12 hours to get a new token.
A seamless approach would be to add the public repository pattern and update the match image pattern in kubelet configuration
/kind feature