we have to use sealed secrets in our project in TSP Cloud at AWS China.
This is the link to the Helm Chart for further information, just in case:
https://github.com/helm/charts/tree/master/stable/sealed-secrets

The image is not mirrored yet and the Pod failed in ImagePullBackOff state:

 Warning  Failed     16m (x4 over 17m)     kubelet, ip-<SUPPRESSED>.cn-north-1.compute.internal  Failed to pull image "048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/quay/bitnami/sealed-secrets-controller:v0.12.4": rpc error: code = Unknown desc = Error response from daemon: manifest for 048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/quay/bitnami/sealed-secrets-controller:v0.12.4 not found: manifest unknown: Requested image not found

Thank you in advance for a quick action

缺少csi-resizer:v1.1.0和aws-ebs-csi-driver:v1.4.0
由于要测试eks升级，必须这个版本的ebs driver。麻烦将csi-resizer:v1.1.0和aws-ebs-csi-driver:v1.4.0同步到048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn

When I try to pull the image follow the example from EC2 in ZHY, it fails.
image: k8s.gcr.io/coredns:1.3.1

error message as blow.
6m9s Warning Failed pod/test-dcf996db6-5f855 Failed to pull image "048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/google-containers/coredns:1.3.1": rpc error: code = Unknown desc = Error response from daemon: pull access denied for 048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/google-containers/coredns, repository does not exist or may require 'docker login'

We have a fluentd deamonset as log scraper to push our log entries into an ElasticSearch cluster.
For this purpose we use the following specialized/pre-configured docker image:
fluent/fluentd-kubernetes-daemonset:v1.1-debian-elasticsearch

Let us add this docker image to the mirrored images.

请问新拉取的镜像，下面的地址正确吗？
048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/gcr/arrikto/jupyter-kale:v0.5.0-47-g2427cc9
048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/gcr/arrikto/rok-tools:l0-release-v1.0-rc6

$ docker pull 048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/gcr/google_containers/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8
048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/gcr/google_containers/ingress-nginx/controller@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8: Pulling from gcr/google_containers/ingress-nginx/controller
455c02918c45: Pulling fs layer
def20be812d2: Pulling fs layer
ce5661884629: Pulling fs layer
678e424763a4: Waiting
7ead3e106685: Waiting
cd244451095b: Waiting
4f4fb700ef54: Waiting
f6ea01d28a17: Waiting
d3be42a364a9: Waiting
041e9420e258: Waiting
4bc068c20ea4: Waiting
b97555290c31: Waiting
8e7e86f147ef: Waiting
58079bced8cb: Waiting
6d2419008fa9: Waiting
error pulling image configuration: download failed after attempts=1: unknown blob

例如 golang的1.14-alpine

docker pull 048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/dockerhub/golang:1.14-alpine
1.14-alpine: Pulling from dockerhub/golang
Digest: sha256:b0678825431fd5e27a211e0d7581d5f24cede6b4d25ac1411416fa8044fa6c51
Status: Downloaded newer image for 048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/dockerhub/golang:1.14-alpine
048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/dockerhub/golang:1.14-alpine

这个image的digest对应的其实是golang:1.14.2-alpine，

在版本1.14.2之后，golang又有发布1.14.3, 1.14.4，在docker hub，1.14-alpine已经被更新到指向到当前最新的版本1.14.4-alpine。

需求背景

更方便地部署mutation webhook with AWS CDK， 參考 #31

• CDK to deploy mutation webhook integration with a new Amazon EKS cluster
• CDK to deploy mutation webhook integration with any existing Amazon EKS cluster

could you please add the following images to the mirror:

quay.io/digital_ecosystems/kubernetes-agent:1.3.0
quay.io/digital_ecosystems/mendix-operator:1.4.0
quay.io/digital_ecosystems/mx-m2ee-sidecar:1.3.0
quay.io/digital_ecosystems/mx-m2ee-metrics:1.1.0
quay.io/digital_ecosystems/image-builder:ingvar-rhel

kubernetes 1.16, 1.17, 1.18 使用kops更新的时候需要对应的AMI列表：

    - name: kope.io/k8s-1.16-debian-stretch-amd64-hvm-ebs-2020-07-20
      providerID: aws
      kubernetesVersion: ">=1.16.0 <1.17.0"
    - name: kope.io/k8s-1.17-debian-stretch-amd64-hvm-ebs-2020-07-20
      providerID: aws
      kubernetesVersion: ">=1.17.0 <1.18.0"
    - name: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200907
      providerID: aws
      kubernetesVersion: ">=1.18.0"

相关链接：
https://github.com/kubernetes/kops/blob/master/channels/stable#L47-L49
镜像AMI在aws 全球个region的id：
https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch

Background

我們需要最大程度簡化onboarding這套solution的體驗，用戶需求場景可能有：

1. 無既有的EKS集群，希望起集群的時候自帶mutation webhook集成並且盡可能減少手動配置

2. 已經有一個既有的EKS集群可能是console/eksctl/terraform/CDK等工具provision起來的，但不具有mutation webhook能力，需要單獨起一個mutation webhook跟這個集群對接

Solutions to Explore

One-Click SAR button

這部分 @walkley 的上游repo已經有了，我們需要在這個repo裡面寫一個簡單的中文walkthrough 指導怎麼操作，但這只能解決已有EKS集群的需求（上面第二點）

AWS CDK deployment

分成兩個場景:

1. CDK一次起EKS+mutation webhook
2. CDK指定既有的EKS cluster，單獨起mutation webhook

CDK的實作這部分參考 #26

需要提供一個kustomize範例，例如

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  replicas: 2
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx:alpine
        ports:
        - containerPort: 80

如何透過kubectl kustomize生成指向新的image路徑的yaml

Image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.19.0

hope to add cvallance/mongo-k8s-sidecar mirror

Warning Failed 13m (x6 over 14m) kubelet, ip-10-20-193-142.cn-northwest-1.compute.internal Error: ImagePullBackOff
Normal Pulling 13m (x4 over 14m) kubelet, ip-10-20-193-142.cn-northwest-1.compute.internal Pulling image "048912060910.dkr.ecr.cn-northwest-1.amazonaws.com.cn/dockerhub/cvallance/mongo-k8s-sidecar"

gcr.io google-containers裡面有481個public container images，每個image有各自不同數量的tags，如果可以全部mirror回來應該可以節省很多後面遇到的問題。

我想先開一個issue，大家可以討論看看是否有這個需求，使用場景是什麼，歡迎comments

https://console.cloud.google.com/gcr/images/google-containers/GLOBAL