OCPCLOUD-2434: EWSECRLegacyCredProvider: Detect actual ECR usage from pullspecs #4580
Conversation
Joel Speed says: > Looking into the fix for this, I found sources saying that ECR creds should be used for any image matching the following globs > - "*.dkr.ecr.*.amazonaws.com" > - "*.dkr.ecr.*.amazonaws.com.cn" > - "*.dkr.ecr-fips.*.amazonaws.com" > - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov" > - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov" We can use the `kube_pod_container_info` metric that is labeled with an `image` label that contains pullspec, so we can regex-match over these and detect that a cluster is actually using ECR from the presence of a pod containing a container using an image from ECR. The regex is a bit hairy so I added a comment. [PromQL is using RE2 syntax](https://prometheus.io/docs/prometheus/latest/querying/basics/): > All regular expressions in Prometheus use [RE2 syntax](https://github.com/google/re2/wiki/Syntax) Here is the regex101.com session for toying with the regex: https://regex101.com/r/OIjQoS/1 I have used the PromQL conceptually on b01 and b03, testing for the usage of a CoreDNS image coming from the CI registry: ```promql topk(1, cluster_infrastructure_provider{_id="",type="AWS"} or 0 * cluster_infrastructure_provider{_id=""} ) * on () group_left() (topk(1, group(kube_pod_container_info{_id="",image=~"registry[.]ci[.]openshift[.]org/ci/coredns:.*"}) or on () 0 * group(kube_pod_container_info{_id=""}) )) ``` Build01 uses it and I get a metric with value 1, Build03 does not and I get a metric with value 0. I modified one of the YAML files manually and then I used my IDE's search-and-replace feature to modify all others.
openshift-ci
bot
added
the
approved
|
Linking to the relevant impact statement: /retitle OCPCLOUD-2434: EWSECRLegacyCredProvider: Detect actual ECR usage from pullspecs |
openshift-ci
bot
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@petr-muller: This pull request references OCPCLOUD-2434 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LalatenduMohanty, petr-muller, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 7404a64
into
openshift:master
Joel Speed says:
We can use the
kube_pod_container_infometric that is labeled with animagelabel that contains pullspec, so we can regex-match over these and detect that a cluster is actually using ECR from the presence of a pod containing a container using an image from ECR.The regex is a bit hairy so I added a comment. PromQL is using RE2 syntax:
Here is the regex101.com session for toying with the regex: https://regex101.com/r/OIjQoS/1
I have used the PromQL conceptually on b01 and b03, testing for the usage of a CoreDNS image coming from the CI registry:
Build01 uses it and I get a metric with value 1:
Build03 does not and I get a metric with value 0:
I modified one of the YAML files manually and then I used my IDE's search-and-replace feature to modify all others.