Bug
Resolution: Unresolved
Major
4.22
False
Important
Rejected
Description of problem:
When using an ImageDigestMirrorSet to define mirrors of repos in AWS ECR, unless you put static AWS ECR auth credentials in /var/lib/kubelet/config.json, the kubelet fails to authenticate and pull from the mirror.
Version-Release number of selected component (if applicable):
All?
How reproducible:
Very
Steps to Reproduce:
1. Create an ImageDigestMirrorSet that maps quay.io/openshift-release-dev/ocp-v4.0-art-dev to an ECR repo like 1234567.dkr.ecr.us-west-2.amazonaws.com/ocp-mirror
2. Configure the kubelet with the flags --image-credential-provider-bin-dir=/usr/libexec/kubelet-image-credential-provider-plugins --image-credential-provider-config=/etc/kubernetes/credential-providers/ecr-credential-provider.yaml
3. Configure the ecr-credential-provider.yaml. Note that this and the above step should be done for you in OpenShift afaict.
4. Ensure you have no authentication in /var/lib/kubelet/config.json for the sample ECR repo or quay.io
5. Create a pod with ImagePullPolicy: Always pointed to quay.io/openshift-release-dev/ocp-v4.0-art-dev
Actual results:
The kubelet fails to pull the image, stating it has no authentication to the ECR repo, and does not invoke the credential helper.
Expected results:
The kubelet invokes the ecr-credential-helper since the image is supposed to be re-written from quay.io to match the ecr-credential-provider.yaml spec.
Additional info:
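
An added diagnostic sketch, not code from the kubelet or from this report: a simplified Go re-implementation of matchImages-style matching, showing which of the two image references from the steps above would select an ECR credential provider. Assumptions: the pattern `*.dkr.ecr.*.amazonaws.com`, the constructed digest, and the premise that the kubelet evaluates the reference from the pod spec rather than the mirror it is rewritten to.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// splitRef splits an image reference or pattern into host, port and repo path.
func splitRef(ref string) (host, port, repo string) {
	host, repo, _ = strings.Cut(ref, "/")
	host, port, _ = strings.Cut(host, ":")
	return host, port, "/" + repo
}

// matchImage reports whether one matchImages-style pattern selects the image.
// Each "*" covers a single DNS label, ports must be equal, and the pattern's
// path (if any) must be a prefix of the image's repository path.
func matchImage(pattern, image string) bool {
	pHost, pPort, pRepo := splitRef(pattern)
	iHost, iPort, iRepo := splitRef(image)
	if pPort != iPort || !strings.HasPrefix(iRepo, pRepo) {
		return false
	}
	pLabels, iLabels := strings.Split(pHost, "."), strings.Split(iHost, ".")
	if len(pLabels) != len(iLabels) {
		return false
	}
	for k := range pLabels {
		if ok, err := path.Match(pLabels[k], iLabels[k]); err != nil || !ok {
			return false
		}
	}
	return true
}

func main() {
	pattern := "*.dkr.ecr.*.amazonaws.com" // assumed matchImages entry
	for _, ref := range []string{ // digest below is constructed
		"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:aaaa",     // pod spec
		"1234567.dkr.ecr.us-west-2.amazonaws.com/ocp-mirror@sha256:aaaa", // mirror
	} {
		fmt.Printf("%-66s selected=%v\n", ref, matchImage(pattern, ref))
	}
}
```

Only the mirror reference selects the plugin, so a provider keyed on ECR hostnames is never chosen if matching runs against the quay.io reference.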