Description
Not really a bug, but something to be (or make users) aware of, if running on AWS EKS and using AWS ECR:

Until now, `eksctl` added a full ReadOnly AWS policy to all nodes, thus also inherited by `source-controller`, that among others grants `ecr:ListImages` permissions.

Recently, they changed it to a more narrow "PullOnly" policy that lacks this `ListImages` permission: eksctl-io/eksctl#8386

Thus `source-controller` can no longer discover versions of Helm charts in AWS ECR OCI HelmRepositories (and just logs a 403 Permission Denied).

That change is a good thing, but users now have to give `flux-system/source-controller` that permission "back" by making it an IAM ServiceAccount.

Example for an eksctl `ClusterConfig` (that policy is the same as the new PullOnly policy, just with added `ecr:ListImages`):
```yaml
...
- metadata:
    name: "source-controller"
    namespace: "flux-system"
  attachPolicy: {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchGetImage",
          "ecr:ListImages",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchImportUpstreamImage"
        ],
        "Resource": "*"
      }
    ]
  }
...
```
With that, it seems to work again for me.
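Before attaching a policy like the one above, it is useful to verify offline that the document actually grants every ECR action source-controller needs, and that a later tightening (like the eksctl change in this issue) would be caught. The following is an added example, not code from Flux or eksctl. It embeds a constructed pull-only style policy (shape assumed from the issue) and the same statement with `ecr:ListImages` added, evaluates IAM action and resource wildcards with the explicit-Deny-wins rule, and reports which of an assumed required set (`ecr:GetAuthorizationToken`, `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:ListImages`, taken from what the issue says pulling and version discovery need) are missing. Conditions in statements are ignored.

```python
"""Check whether an IAM policy document grants the ECR actions Flux's
source-controller needs for OCI HelmRepositories (added example; not Flux or eksctl code)."""
import fnmatch
import json
import sys

# Constructed sample: a pull-only style policy like the one described in the issue
# (shape assumed; compare against the real document eksctl attaches in your account).
PULL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchImportUpstreamImage",
        ],
        "Resource": "*",
    }],
}

# The same statement with ecr:ListImages added, as in the attachPolicy from the issue.
FIXED_POLICY = json.loads(json.dumps(PULL_ONLY_POLICY))
FIXED_POLICY["Statement"][0]["Action"].append("ecr:ListImages")

# Assumed from the issue text: pulling needs the first three, version discovery needs ListImages.
REQUIRED_FOR_SOURCE_CONTROLLER = [
    "ecr:GetAuthorizationToken",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:ListImages",
]


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, name):
    """IAM action/resource matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in _as_list(patterns))


def _statement_covers(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource apply to this call."""
    if "NotAction" in stmt:
        action_hit = not _matches(stmt["NotAction"], action)
    else:
        action_hit = _matches(stmt.get("Action"), action)
    if "NotResource" in stmt:
        resource_hit = not _matches(stmt["NotResource"], resource)
    else:
        resource_hit = _matches(stmt.get("Resource"), resource)
    return action_hit and resource_hit


def action_allowed(policy, action, resource="*"):
    """Evaluate one action against an identity policy: an explicit Deny wins,
    otherwise any matching Allow grants it (Condition blocks are ignored here)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_covers(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_FOR_SOURCE_CONTROLLER, resource="*"):
    """Return the required actions the policy does not grant, in the given order."""
    return [a for a in required if not action_allowed(policy, a, resource)]


def main(argv):
    """Check a policy JSON file named on the command line, or the built-in samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            policies = {argv[1]: json.load(fh)}
    else:
        policies = {"pull-only (sample)": PULL_ONLY_POLICY, "fixed (sample)": FIXED_POLICY}
    for name, policy in policies.items():
        gaps = missing_actions(policy)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the sample report (the pull-only sample is reported as missing `ecr:ListImages`, the fixed one as OK), or pass the path of a policy JSON exported from your account. For a policy whose `Resource` is scoped to repository ARNs rather than `"*"`, pass the repository ARN as the `resource` argument of `missing_actions`; `ecr:GetAuthorizationToken` itself is only ever granted on `"*"`.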