OpenShift Bugs / OCPBUGS-26602

Windows Nodes unable to pull from ECR


    • Bug
    • Resolution: Unresolved
    • Major
    • 4.16.0
    • 4.14.z
    • Windows Containers
    • None
    • Important
    • No
    • 3
    • WINC - Sprint 249, WINC - Sprint 250, WINC - Sprint 251
    • 3
    • False


    • Fixes a regression that caused the kubelet to be unable to authenticate with ECR registries.
    • Bug Fix
    • In Progress

      Description of problem:

      There is a regression from OCP 4.13, where kubelet is no longer able to pull images from private ECR registries. 

      Version-Release number of selected component (if applicable):


      How reproducible:


      Steps to Reproduce:

          1. Create a private ECR repository
          2. Push a Windows image to the repo
          3. Give the worker node IAM role permissions to pull from ECR
             {
               "Version": "2012-10-17",
               "Statement": [
                 {
                   "Effect": "Allow",
                   "Action": [
                     ...
                   ],
                   "Resource": "*"
                 }
               ]
             }
          4. Create a deployment using the image

      Actual results:

      The image is not pullable.

      Expected results:

      The deployment becomes ready

      Additional info:

      ecr-credential-provider (https://github.com/kubernetes/cloud-provider-aws/blob/master/cmd/ecr-credential-provider/main.go) needs to be present on each AWS Windows node.
      This needs to be pointed to via the kubelet flag --image-credential-provider-bin-dir. Kubelet will run the binary by itself.
      Because this bug involves a Dockerfile change, the midstream Dockerfile needs to be changed before a build is given to QE.

            rh-ee-ssoto Sebastian Soto
            rh-ee-ssoto Sebastian Soto
            Aharon Rasouli
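
A preflight check for the conditions listed under "Additional info", as an added example that is not part of the original report or the project's own code. It assumes the upstream kubelet companion flag `--image-credential-provider-config` and the `CredentialProviderConfig` layout; the function names, paths, account ID and `.exe` lookup are constructed or assumed, and `matchImages` matching is simplified to the host part.

```python
import fnmatch

BIN_FLAG = "--image-credential-provider-bin-dir"  # flag named in the report
CFG_FLAG = "--image-credential-provider-config"   # upstream kubelet companion flag

# Constructed sample: a parsed CredentialProviderConfig and a placeholder image.
SAMPLE_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1",
    "kind": "CredentialProviderConfig",
    "providers": [{
        "name": "ecr-credential-provider",
        "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
        "matchImages": ["*.dkr.ecr.*.amazonaws.com"],
        "defaultCacheDuration": "12h",
    }],
}
SAMPLE_IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/win-app:latest"

def parse_flags(argv):
    """Return {flag: value} for both '--flag=value' and '--flag value' forms."""
    flags = {}
    for i, tok in enumerate(argv):
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                value = argv[i + 1]
            flags[name] = value
    return flags

def host_matches(pattern, host):
    """Simplified host check: same number of labels, each label glob-matched."""
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(h, p))

def check_node(argv, config, image, bin_dir_files):
    """List the reasons kubelet on this node cannot use the ECR plugin for image."""
    flags, findings = parse_flags(argv), []
    for flag in (BIN_FLAG, CFG_FLAG):
        if not flags.get(flag):
            findings.append(f"kubelet flag {flag} is not set")
    host = image.split("/", 1)[0]
    providers = [p for p in config.get("providers", [])
                 if any(host_matches(m.split("/", 1)[0], host)
                        for m in p.get("matchImages", []))]
    if not providers:
        findings.append(f"no provider matchImages entry covers {host}")
    for p in providers:
        # Assumption: on Windows the plugin is found as <name> or <name>.exe.
        if not {p["name"], p["name"] + ".exe"} & set(bin_dir_files):
            findings.append(f"plugin binary {p['name']} missing from bin dir")
    return findings
```

Pass the kubelet service's argument list and a listing of the plugin directory collected from the Windows node; an empty result means the flag, config and binary prerequisites are in place.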