- Bug
- Resolution: Done-Errata
- Major
- 4.14.z
- None
Description of problem:
There is a regression from OCP 4.13, where kubelet is no longer able to pull images from private ECR registries.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Create a private ECR repository
2. Push a Windows image to the repo
3. Give the worker node IAM role permissions to pull from ECR:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:DescribeImages",
            "ecr:BatchGetImage",
            "ecr:GetLifecyclePolicy",
            "ecr:GetLifecyclePolicyPreview",
            "ecr:ListTagsForResource",
            "ecr:DescribeImageScanFindings"
          ],
          "Resource": "*"
        }
      ]
    }

4. Create a deployment using the image
Actual results:
The image is not pullable.
Expected results:
The deployment becomes ready
Additional info:
See https://cloud-provider-aws.sigs.k8s.io/credential_provider/. The ecr-credential-provider binary (https://github.com/kubernetes/cloud-provider-aws/blob/master/cmd/ecr-credential-provider/main.go) needs to be present on each AWS Windows node, and kubelet needs to be pointed at its directory via the --image-credential-provider-bin-dir flag; kubelet then runs the binary itself when it needs registry credentials.

Because this bug involves a Dockerfile change, the midstream Dockerfile needs to be changed before a build is given to QE.
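As an added illustration (not part of this ticket and not a file from the WMCO or cloud-provider-aws projects), this is the kubelet CredentialProviderConfig that pairs with the binary described above. The matchImages globs follow the upstream cloud-provider-aws credential provider documentation linked above; the Windows file paths and the .exe naming are assumptions.

```yaml
# CredentialProviderConfig read by kubelet (added example; paths below are assumptions).
# Kubelet is given this file with --image-credential-provider-config and resolves each
# provider "name" to an executable inside --image-credential-provider-bin-dir, e.g.:
#   --image-credential-provider-bin-dir=C:\k\credential-providers
#   --image-credential-provider-config=C:\k\credential-provider-config.yaml
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
  # Must match the executable name in the bin dir (assumed ecr-credential-provider.exe on Windows).
  - name: ecr-credential-provider
    # Only images whose registry host matches one of these globs invoke the plugin;
    # every other registry keeps using the node's static pull secrets.
    matchImages:
      - "*.dkr.ecr.*.amazonaws.com"
      - "*.dkr.ecr.*.amazonaws.com.cn"
      - "*.dkr.ecr-fips.*.amazonaws.com"
      - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
      - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
    # Kubelet caches the credentials the plugin returns; ECR authorization tokens last 12 hours.
    defaultCacheDuration: "12h"
    # Version of the CredentialProviderRequest/Response JSON exchanged with the plugin over stdin/stdout.
    apiVersion: credentialprovider.kubelet.k8s.io/v1
```

If the executable named under `name` is missing from the bin dir, kubelet logs an error for the provider and the pull fails exactly as in this bug, so the binary and the config must ship together. On the IAM side, only ecr:GetAuthorizationToken has to stay on `"Resource": "*"` (it is not resource-scoped); the remaining actions in the step 3 policy can be restricted to the specific repository ARNs the node needs.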
- blocks: OCPBUGS-31635 Windows Nodes unable to pull from ECR (Closed)
- is cloned by: OCPBUGS-31635 Windows Nodes unable to pull from ECR (Closed)
- relates to: OCPBUGS-25662 ECR Image pull fails in-spite of attaching AmazonEC2ContainerRegistryReadOnly policy to the worker nodes. (Closed)
- links to: RHBA-2023:125706 Red Hat OpenShift for Windows Containers 10.16.0 product release