S3 backend prioritizes node role over service account #3275
Comments
#3245 should fix this.
Was this fixed by #3245? I'm running a registry in EKS now and not seeing it take on the IRSA role.
I'm also facing the same issue.
As far as I can tell, I'm getting this error trying to use a registry pod in a cluster configured for IRSA.
Having built off
Also having the same issue running inside k8s. I would like to move away from using static credentials and use IRSA.
For anyone reading this after the 2.8.0 release: it still doesn't support IRSA, based on my testing.
Initially I was getting this error in
@switchboardOp do you mean that building the Dockerfile from the master/main branch and using it instead of the published image worked for you?
Build of
I can confirm: 2.8.1 is not working with IRSA 😔
🎯 Yes. That's what is working for me. Built from the main branch about 2 months ago.
@switchboardOp could you push/tag the image you built somewhere for others to try?
This is an older build, but it comes directly from the source: distribution/distribution@sha256:79dfd00f73f4c258c38457dd0364fd31f80e996713286cb9ab601206de6085fb. This kustomize will work with IRSA from the default Helm chart:
I'm also experiencing the problem that registry 2.8.1 is incompatible with authentication supplied through an EKS service account. Note that attaching IAM roles to service accounts via OIDC is the recommended best practice for Kubernetes security: it avoids having to manually rotate long-lived access keys supplied to pods (or else granting too much access to other processes on the same node). As a test, I started a pod using the Docker Hub golang container and the service account (with attached IAM policy) intended for my registry, and ran a short script exercising the same AWS SDK functions that the registry uses. I manually set the environment variables.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
)

func main() {
	bucket := os.Getenv("REGISTRY_STORAGE_S3_BUCKET")
	filename := "foo.txt"
	sess, err := session.NewSession()
	if err != nil { fmt.Println(err); return }
	svc := s3.New(sess)
	_, err = svc.PutObject(&s3.PutObjectInput{Bucket: &bucket, Key: &filename, Body: strings.NewReader("Sample content")})
	if err != nil { fmt.Println(err) }
	list, err := svc.ListObjectsV2(&s3.ListObjectsV2Input{Bucket: &bucket})
	if err != nil { fmt.Println(err) } else {
		for _, item := range list.Contents { fmt.Println(*item.Key, *item.Size) }
	}
	get, err := svc.GetObject(&s3.GetObjectInput{Bucket: &bucket, Key: &filename})
	if err != nil { fmt.Println(err) } else {
		content, _ := io.ReadAll(get.Body)
		fmt.Println(string(content))
	}
	_, err = svc.DeleteObject(&s3.DeleteObjectInput{Bucket: &bucket, Key: &filename})
	if err != nil { fmt.Println(err) }
}
```

I tested my script using golang 1.19.2 and aws-sdk-go v1.44.126. Registry 2.8.1 appears to be using golang 1.16.15 and aws-sdk-go 1.43.16, but my script still worked when I tried those older versions. Note if I used

I'm suspicious that the problem is the way the registry tries to impose its own configuration scheme (which did not anticipate web tokens) rather than just letting the AWS SDK configure itself.
I just built the Docker image locally from the latest commit (3b8fbf9), pushed it to cesiumfrog/registry, and tested it in a Kubernetes deployment using a service account with an IAM policy granting S3 access. It worked: with the registry running as a pull-through mirror, I can set up a port-forward and check e.g. Hopefully this means the problem has been fixed, and all we need is to wait for the maintainers to tag a 2.8.2 release.
Note that you don't need to build the registry yourself if you want the latest commit. We push the latest builds to Docker Hub tagged with
Leaving this note for other people trying to use this workaround.
@mikecook That was on the main branch, which currently hasn't been released. That is why this issue is still open: with the current releases the problem still exists.
Ah! I see. Thanks, I missed that.
To add weight to this,
What's the ETA for a stable release?
There is (sadly) no ETA for the v3 release. There is a milestone for it; however, some of the issues/PRs in that milestone are very old and could be pushed back or dropped. The main work blocking the v3 release concerns OCI compliance for the upcoming OCI release. See the following PRs for reference:
Could it be ported to v2?
That's what my PR #3921 does. But as it stands it will not get merged, as all effort is being put into the v3 release and the current release branch is only accepting security fixes.
I am receiving this error too, but I discovered it happens because I deployed in Kubernetes with Istio sidecars. Istio redirects all network traffic through its sidecar. Sometimes, on startup, the registry starts before Istio, and during that window there is no network, so the registry panics, reporting that credentials are unavailable. I think this happens because the registry tries to retrieve credentials from IAM via HTTP; when that request hits a network failure, no credentials are available, which triggers the panic. Disabling the sidecar resolves the problem.
I think native sidecar containers are the right solution for network startup issues: https://kubernetes.io/blog/2023/08/25/native-sidecar-containers/
With the new release out (https://github.com/distribution/distribution/releases/tag/v3.0.0-alpha.1), I'm inclined to close this issue. Do you mind testing the new release and closing this, @innovate-invent? Thanks.
This is great to see, but I have moved on from the position that required this and won't be able to test it.
Closing. If the issue persists, we will reopen.
I am attempting to set up a pull-through proxy for my AWS EKS cluster.
AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are set on the container, and AWS_ROLE_ARN points at the service account role with S3 permissions via IRSA.
Exec'ing into the container and running

```shell
wget -qO- http://169.254.169.254/latest/meta-data/iam/security-credentials/
```

returns the node role (as expected). The registry fails to start with "Access denied", and the S3 access logs report the node role.
The registry should prioritize the service account role over the node role.
This is likely an issue with the underlying AWS Go SDK, but I am opening an issue here to start.
Related: #2172