- Bug
- Resolution: Done-Errata
- Major
- 4.14.z
- None
Description of problem:
There is a regression from OCP 4.13, where kubelet is no longer able to pull images from private ECR registries.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Create a private ECR repository
2. Push a Windows image to the repo
3. Give the worker node IAM role permissions to pull from ECR
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "*"
    }
  ]
}
4. Create a deployment using the image
Actual results:
The image is not pullable.
Expected results:
The deployment becomes ready
Additional info:
https://cloud-provider-aws.sigs.k8s.io/credential_provider/
ecr-credential-provider (https://github.com/kubernetes/cloud-provider-aws/blob/master/cmd/ecr-credential-provider/main.go) needs to be present on each AWS Windows node.
Kubelet must be pointed at the directory containing it via the --image-credential-provider-bin-dir flag; kubelet then runs the binary itself whenever it needs registry credentials.
Because this bug involves a Dockerfile change, the midstream Dockerfile needs to be changed before a build is given to QE.
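To make the kubelet-side mechanism concrete, here is an added model (not code from the bug or from cloud-provider-aws) of what kubelet does with an image reference: it matches the registry host against the provider's matchImages patterns, sends a CredentialProviderRequest to the plugin on stdin, and reads a CredentialProviderResponse back on stdout. The patterns, the image name and the stand-in provider are constructed for the example; the real plugin calls ecr:GetAuthorizationToken instead of returning a placeholder token.

```python
import fnmatch
import json
from urllib.parse import urlsplit

# Constructed patterns in the same shape as a CredentialProviderConfig matchImages list.
MATCH_IMAGES = ["*.dkr.ecr.*.amazonaws.com", "*.dkr.ecr-fips.*.amazonaws.com"]

def _host_of(image):
    # "123456789012.dkr.ecr.us-east-1.amazonaws.com/win:latest" -> registry host only
    return urlsplit("//" + image).hostname or ""

def image_matches(image, patterns):
    """Kubelet semantics: each '*' in a pattern matches exactly one dotted host label,
    so the label counts must agree and a lookalike with extra labels never matches."""
    host_labels = _host_of(image).split(".")
    for pat in patterns:
        pat_labels = pat.split("/")[0].split(".")
        if len(pat_labels) == len(host_labels) and all(
                fnmatch.fnmatchcase(h, p) for h, p in zip(host_labels, pat_labels)):
            return True
    return False

def build_request(image):
    """The JSON kubelet writes to the plugin's stdin."""
    return json.dumps({"apiVersion": "credentialprovider.kubelet.k8s.io/v1",
                       "kind": "CredentialProviderRequest", "image": image})

def fake_ecr_provider(request_json):
    """Constructed stand-in for ecr-credential-provider: answers with the same
    response shape, keyed by registry, with a placeholder instead of a real token."""
    registry = _host_of(json.loads(request_json)["image"])
    return json.dumps({"apiVersion": "credentialprovider.kubelet.k8s.io/v1",
                       "kind": "CredentialProviderResponse",
                       "cacheKeyType": "Registry", "cacheDuration": "12h",
                       "auth": {registry: {"username": "AWS",
                                           "password": "PLACEHOLDER-ECR-TOKEN"}}})

def resolve_credentials(image, patterns=MATCH_IMAGES, provider=fake_ecr_provider):
    """Return (username, password) or None. None means kubelet falls back to an
    anonymous pull, which is exactly what fails against a private ECR repository
    when the provider binary is missing from the node."""
    if not image_matches(image, patterns):
        return None
    resp = json.loads(provider(build_request(image)))
    if resp.get("kind") != "CredentialProviderResponse":
        return None
    creds = resp.get("auth", {}).get(_host_of(image))
    return (creds["username"], creds["password"]) if creds else None
```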
- blocks: OCPBUGS-31635 Windows Nodes unable to pull from ECR (Closed)
- is cloned by: OCPBUGS-31635 Windows Nodes unable to pull from ECR (Closed)
- relates to: OCPBUGS-25662 ECR Image pull fails in-spite of attaching AmazonEC2ContainerRegistryReadOnly policy to the worker nodes. (Closed)
- links to: RHBA-2023:125706 Red Hat OpenShift for Windows Containers 10.16.0 product release