Comments (11)
Small summary from slack:
- The AWS-Cloud-Provider-Manager can handle IAM-Role-Credentials at the kubelet (but not accessible from the API): https://cloud-provider-aws.sigs.k8s.io/#aws-credential-provider https://github.com/kubernetes/enhancements/tree/master/keps/sig-cloud-provider/2133-out-of-tree-credential-provider
- Operator doesn't know anything about that, only respecting imagePullSecrets on pod-level right now.
- Solution: Adding a new cli-flag --fallback-image-pull-secret which is used by the operator when no imagePullSecrets are set on pod-level. In the future this simple fallback could be improved with constraints if needed (e.g. only apply on specific pod-labels, ...)
Alternative: Login to ECR ourselves via http://169.254.169.254/latest/meta-data/iam/ to fetch the needed token. This would result in a deeper integration with different cloud-vendors which is (currently) not in scope of this project.
from sbom-operator.
Awesome work! I ran a dev build last week and that was working fine already. I will upgrade asap.
Thanks again and please tell me how we can send you a beer/coffee.
from sbom-operator.
Great, thanks for your quick positive feedback, I really appreciate that!! 🎉
There's a Github Sponsor button, if you want to send me a beer or coffee 😉
from sbom-operator.
Tested the 0.12.0 release this morning; it seems to work great!
from sbom-operator.
Hi @sbkg0002,
is the auth-token still valid? So can Kubernetes still pull images with this token or are the containers of these images already created some time ago?
I know that ECR-Tokens have a short lifetime (I think a day or so) and have to be renewed periodically.
/kind question
from sbom-operator.
Hi @ckotzbauer, thanks for the quick response.
How can I verify that without logging into the node?
Starting a pod and pulling the instance metadata, everything seems fine.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename> | jq .Expiration
"2022-04-20T18:42:46Z"
bash-4.2# date
Wed Apr 20 12:30:12 UTC 2022
Starting new pods with images in ECR is just fine. 🤔
EDIT:
From within a simple alpine pod, running aws ecr describe-images --repository-name <repo> --registry-id <accountid> --region eu-west-1 on one of the failing repos works just fine.
from sbom-operator.
hm, okay. You have to decode the content from the Kubernetes-Secret which is referenced as imagePullSecret from a container-image which could not be analyzed from this operator.
The secret-content should be usable as docker's config.json which is stored at ~/.docker/config.json on your local machine. So you can try to save the file and then do a docker pull for the image of the container. If this works, the token is valid.
> This ECR repo is provided by AWS and should be available for everyone.
But it's still a private image-repository, right? If it's public then the token should be irrelevant. If that's the case, are there pullSecrets configured for this pod anyway?
from sbom-operator.
> hm, okay. You have to decode the content from the Kubernetes-Secret which is referenced as imagePullSecret from a container-image which could not be analyzed from this operator.
> The secret-content should be usable as docker's config.json which is stored at ~/.docker/config.json on your local machine. So you can try to save the file and then do a docker pull for the image of the container. If this works, the token is valid.
There are no imagePullSecrets defined since the instance roles have access to read from the ECR repositories. The kubelet also pulls all the images this way. I guess google/go-containerregistry doesn't support this?
EDIT: Adding a valid (fresh) imagePullSecret to the serviceaccount of the operator - and restarting it - doesn't change anything.
> But it's still a private image-repository right? If it's public then the token should be irrelevant. If that's the case, are there pullSecrets configured for this pod anyway?
You are completely correct; you still need to be AWS authenticated in order to pull from it.
from sbom-operator.
I think this doc covers this auth-behaviour: https://github.com/kubernetes/kops/blob/master/docs/iam_roles.md#access-to-aws-ec2-container-registry-ecr (I personally don't know much about ECR and EKS)
No, instance-roles which are respected from the kubelet are not supported. The operator uses the imagePullSecrets of a pod to authenticate against the registry. If there are no credentials, the operator will pull the image without auth.
I don't know if it's easily possible to add this feature (as the operator-pod is not running on the ec2-host which has the role assigned).
> EDIT: Adding a valid (fresh) imagePullSecret to the serviceaccount of the operator - and restarting it - doesn't change anything.
The imagePullSecret has to be defined at pod-level for the pods you want to analyze.
from sbom-operator.
Do you know, if this eks-auth-feature with Instance-Roles is a native Kubernetes-Feature or a EKS-Addon?
from sbom-operator.
@sbkg0002 Can you please update to 0.12.0 and add the --fallback-image-pull-secret parameter? The secret has to exist in the namespace of the operator.
From this release on, all imagePullSecrets configured for a pod are used for authentication. If none of them succeeds, the optional fallback-secret is tried.
from sbom-operator.
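As an added example (not sbom-operator's own code, and not posted by anyone in this thread), the Python script below covers two things discussed above: decoding a kubernetes.io/dockerconfigjson Secret the way you would before saving it as ~/.docker/config.json for a manual docker pull, and working out which credentials would be tried for a given image in the order described for 0.12.0: every imagePullSecret of the pod first, then the fallback secret. It only selects credentials; it does not perform the pull or check whether an ECR token has expired. The account id, registry hostname, secret names, usernames and token string are all constructed for the example.

```python
# Added example, not sbom-operator code. Secret objects are constructed inline in
# the shape `kubectl get secret <name> -o json` returns for a
# kubernetes.io/dockerconfigjson secret (data['.dockerconfigjson'] is base64 of
# a docker config.json).
import base64
import json
from typing import Optional

ECR_REGISTRY = "123456789012.dkr.ecr.eu-west-1.amazonaws.com"  # constructed account id
# Hosts Docker treats as the default registry for unqualified image names.
DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def registry_of(image: str) -> str:
    """Registry host of an image reference; bare names resolve to Docker Hub."""
    first = image.split("/", 1)[0]
    # The first path component is a registry only if it looks like a host.
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"


def decode_dockerconfigjson(secret: dict) -> dict:
    """Decode the base64 .dockerconfigjson payload into a config.json dict."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"{secret['metadata']['name']}: not a dockerconfigjson secret")
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def _host(auths_key: str) -> str:
    """'https://index.docker.io/v1/' -> 'index.docker.io'."""
    return auths_key.split("://", 1)[-1].split("/", 1)[0]


def credential_for(config: dict, registry: str) -> Optional[tuple[str, str]]:
    """(username, password) from the config.json 'auths' map for a registry, or None."""
    wanted = DOCKER_HUB_ALIASES if registry in DOCKER_HUB_ALIASES else {registry}
    for key, entry in config.get("auths", {}).items():
        if _host(key) not in wanted:
            continue
        if "auth" in entry:  # base64("user:password"), the form `docker login` writes
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, password
        if "username" in entry and "password" in entry:
            return entry["username"], entry["password"]
    return None


def resolve_pull_credentials(image, pod_secrets, fallback_secret=None):
    """Ordered list of (secret name, (user, password)) that would be tried for
    `image`: the pod's imagePullSecrets in order, then the fallback secret.
    An empty list means an anonymous pull, which is exactly what happens when
    the node relies on its instance role and the pod carries no imagePullSecrets."""
    registry = registry_of(image)
    order = list(pod_secrets) + ([fallback_secret] if fallback_secret else [])
    found = []
    for name, secret in order:
        cred = credential_for(decode_dockerconfigjson(secret), registry)
        if cred:
            found.append((name, cred))
    return found


def make_secret(name: str, auths: dict) -> tuple[str, dict]:
    """Build a constructed dockerconfigjson Secret from {registry: (user, password)}."""
    cfg = {"auths": {host: {"auth": base64.b64encode(f"{u}:{p}".encode()).decode()}
                     for host, (u, p) in auths.items()}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return name, {"metadata": {"name": name}, "type": "kubernetes.io/dockerconfigjson",
                  "data": {".dockerconfigjson": data}}


# Constructed inputs: a Docker-Hub-only pod secret and a fallback secret holding an
# ECR login (the password from `aws ecr get-login-password` is used with user "AWS").
HUB_SECRET = make_secret("hub-creds", {"https://index.docker.io/v1/": ("bob", "hubpass")})
ECR_FALLBACK = make_secret("ecr-fallback", {ECR_REGISTRY: ("AWS", "constructed-ecr-token")})
ECR_IMAGE = f"{ECR_REGISTRY}/app:1.0"

if __name__ == "__main__":
    cases = [
        (ECR_IMAGE, [HUB_SECRET], None),          # pre-0.12 behaviour: anonymous pull
        (ECR_IMAGE, [HUB_SECRET], ECR_FALLBACK),  # fallback secret supplies the ECR login
        ("nginx:1.25", [HUB_SECRET], ECR_FALLBACK),
    ]
    for image, pod_secrets, fallback in cases:
        tried = resolve_pull_credentials(image, pod_secrets, fallback)
        print(image, "->", [(name, user) for name, (user, _) in tried])
```

Running the script shows the ECR image resolving to no credentials at all when only a Hub secret is on the pod, and to the fallback secret's "AWS" login once it is supplied; the Hub image never touches the ECR credentials. Whether the selected token still works is a separate question, which is why the thread falls back to a manual docker pull with the decoded config.json.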