Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Authenticated ECR Public Repo #602

Closed
TebogoAWS opened this issue Apr 28, 2023 · 3 comments · Fixed by #603
Closed

Enable Authenticated ECR Public Repo #602

TebogoAWS opened this issue Apr 28, 2023 · 3 comments · Fixed by #603
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@TebogoAWS
Copy link

What would you like to be added:

Enhance ecr-credential-provider to authenticate to ECR Public repositories.
Currently we only looking at the private repository pattern

var ecrPattern = regexp.MustCompile(^(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov)$)

Why is this needed:

Customers who are doing numerous anonymous pull requests from ECR Public repositories will hit the data transfer limit of 500 GB.
Thereafter, they would need to authenticate before they would be able to do any further pulls.

Data transferred from public repositories:

Data Transfer OUT ***  
Without using an AWS Account  
500 GB / month $0.00 per GB
When using an AWS Account  
5 TB / month

On k8s this means implementing a process where nodes would have to authenticate manually i.e. CronJob and scheduling it to reauthenticate within 12 hours to get a new token.

A seamless approach would be to add the public repository pattern and update the match image pattern in kubelet configuration

/kind feature
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 28, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mmerkes
Copy link
Contributor

mmerkes commented Apr 28, 2023

I'm looking at putting up a PR for this. We get the region from the ECR URL, which won't work for a public repository, so we'll need an alternate mechanism to get the region.

@mmerkes
Copy link
Contributor

mmerkes commented Apr 28, 2023
edited

It will actually be a little different still. Public ECR registries require you to authenticate in us-east-1 and require different tokens from the private repositories, so we'll have to use two different credential providers and tokens based on the registry. This will only work in commercial regions, so non-commercial regions, people will not want to enable this.

@mmerkes mmerkes mentioned this issue May 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[feat] ecr-credential-provider support to authenticate public registries mmerkes/cloud-provider-aws
3 participants
@mmerkes @k8s-ci-robot @TebogoAWS