OpenShift Bugs / OCPBUGS-26602

Windows Nodes unable to pull from ECR


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.16.0
    • 4.14.z
    • Windows Containers
    • None
    • Important
    • No
    • 3
    • WINC - Sprint 249, WINC - Sprint 250, WINC - Sprint 251
    • 3
    • False
    • Fixes a regression that caused the kubelet to be unable to authenticate with ECR registries.
    • Bug Fix
    • In Progress

      Description of problem:

      There is a regression from OCP 4.13, where kubelet is no longer able to pull images from private ECR registries. 
          

      Version-Release number of selected component (if applicable):

      
          

      How reproducible:

      Always
          

      Steps to Reproduce:

          1. Create a private ECR repository
          2. Push a Windows image to the repo
          3. Give the worker node IAM role permissions to pull from ECR
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecr:GetAuthorizationToken",
                      "ecr:BatchCheckLayerAvailability",
                      "ecr:GetDownloadUrlForLayer",
                      "ecr:GetRepositoryPolicy",
                      "ecr:DescribeRepositories",
                      "ecr:ListImages",
                      "ecr:DescribeImages",
                      "ecr:BatchGetImage",
                      "ecr:GetLifecyclePolicy",
                      "ecr:GetLifecyclePolicyPreview",
                      "ecr:ListTagsForResource",
                      "ecr:DescribeImageScanFindings"
                  ],
                  "Resource": "*"
              }
          ]
      } 
          4. Create a deployment using the image
          

      Actual results:

      The image is not pullable.
          

      Expected results:

      The deployment becomes ready
          

      Additional info:

      https://cloud-provider-aws.sigs.k8s.io/credential_provider/
      
      ecr-credential-provider (https://github.com/kubernetes/cloud-provider-aws/blob/master/cmd/ecr-credential-provider/main.go) needs to be present on each AWS Windows node.
      
      This needs to be pointed to via the kubelet flag --image-credential-provider-bin-dir. Kubelet will run the binary by itself.
      
      Because this bug involves a Dockerfile change, the midstream Dockerfile needs to be changed before a build is given to QE.
          

              rh-ee-ssoto Sebastian Soto
              Aharon Rasouli
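
Added example, not part of the original report and not kubelet or cloud-provider-aws code: a probe that runs an image credential provider binary the way kubelet does, writing a CredentialProviderRequest to its stdin and validating the CredentialProviderResponse on its stdout. The v1 API version and the script and function names are assumptions; any arguments the node's provider configuration passes to the plugin go after the image.

```python
import json
import subprocess
import sys

API_VERSION = "credentialprovider.kubelet.k8s.io/v1"  # assumption: v1 plugin API


def build_request(image):
    """JSON document kubelet writes to the plugin's stdin for one image pull."""
    return json.dumps({"apiVersion": API_VERSION,
                       "kind": "CredentialProviderRequest",
                       "image": image})


def check_response(raw):
    """Validate plugin stdout; return registry keys only, never the secrets."""
    try:
        resp = json.loads(raw)
    except ValueError as exc:
        raise ValueError(f"plugin output is not JSON: {exc}") from None
    if not isinstance(resp, dict) or resp.get("kind") != "CredentialProviderResponse":
        raise ValueError("output is not a CredentialProviderResponse")
    if resp.get("apiVersion") != API_VERSION:
        raise ValueError(f"unexpected apiVersion: {resp.get('apiVersion')!r}")
    if resp.get("cacheKeyType") not in ("Image", "Registry", "Global"):
        raise ValueError(f"unexpected cacheKeyType: {resp.get('cacheKeyType')!r}")
    auth = resp.get("auth")
    if not isinstance(auth, dict) or not auth:
        raise ValueError("response carries no credentials")
    for key, cred in auth.items():
        if not isinstance(cred, dict) or not cred.get("username") or not cred.get("password"):
            raise ValueError(f"empty username or password for {key!r}")
    return sorted(auth)


def probe(binary, image, args=()):
    """Run the plugin once; raises on non-zero exit, timeout or a bad response."""
    proc = subprocess.run([binary, *args], input=build_request(image),
                          capture_output=True, text=True, timeout=30, check=True)
    return check_response(proc.stdout)


if __name__ == "__main__":  # usage: probe.py <plugin-binary> <image> [plugin args]
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py <plugin-binary> <image> [plugin args]")
    print("credentials returned for:", probe(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

A missing binary raises FileNotFoundError and a non-zero exit raises CalledProcessError, which separates "plugin not present on the node" from "plugin ran but could not obtain credentials".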