search

kubernetes / cloud-provider-aws

Cloud provider for AWS
https://cloud-provider-aws.sigs.k8s.io/
Apache License 2.0
391 stars 302 forks source link

Enable Authenticated ECR Public Repo #602

Closed TebogoAWS closed 1 year ago

TebogoAWS commented 1 year ago

What would you like to be added:

Enhance ecr-credential-provider to authenticate to ECR Public repositories. Currently we only looking at the private repository pattern

var ecrPattern = regexp.MustCompile(^(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov)$)

Why is this needed:

Customers who are doing numerous anonymous pull requests from ECR Public repositories will hit the data transfer limit of 500 GB. Thereafter, they would need to authenticate before they would be able to do any further pulls.

Data transferred from public repositories:

Data Transfer OUT *** |   -- | -- Without using an AWS Account |   500 GB / month | $0.00 per GB When using an AWS Account |   5 TB / month

On k8s this means implementing a process where nodes would have to authenticate manually i.e. CronJob and scheduling it to reauthenticate within 12 hours to get a new token.

A seamless approach would be to add the public repository pattern and update the match image pattern in kubelet configuration

/kind feature

k8s-ci-robot commented 1 year ago

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
mmerkes commented 1 year ago

I'm looking at putting up a PR for this. We get the region from the ECR URL, which won't work for a public repository, so we'll need an alternate mechanism to get the region.

mmerkes commented 1 year ago

It will actually be a little different still. Public ECR registries require you to authenticate in us-east-1 and require different tokens from the private repositories, so we'll have to use two different credential providers and tokens based on the registry. This will only work in commercial regions, so non-commercial regions, people will not want to enable this.