Push and pull an image from Amazon ECR

Amazon ECR requires authentication before you can push to or pull from a private repository. The AWS CLI can generate a temporary registry password for you with the aws ecr get-login command (newer AWS CLI releases replace it with aws ecr get-login-password, whose output is piped into docker login --password-stdin so the token never appears on the command line):

$ aws ecr get-login --no-include-email

It prints a ready-made docker login command containing the username (always AWS) and the temporary password:

docker login -u AWS -p eyJwYXlsb2FkIjoiNy(very long strings)... https://************.dkr.ecr.us-east-1.amazonaws.com

Copy and paste that command into your terminal to log Docker in to your ECR registry. Be aware that a password passed with -p ends up in your shell history and is visible in process listings while docker login runs, which is why docker itself warns about it; --password-stdin avoids that. The target repository (my-nginx here) must already exist in ECR (aws ecr create-repository creates it) before the push will succeed. Then tag and push your Docker image to ECR:

$ docker tag nginx ************.dkr.ecr.us-east-1.amazonaws.com/my-nginx

$ docker push ************.dkr.ecr.us-east-1.amazonaws.com/my-nginx
The push refers to repository [************.dkr.ecr.us-east-1.amazonaws.com/my-nginx]
a103d141fc98: Pushed
73e2bd445514: Pushing 8.783MB/53.23MB
2ec5c0a4cb57: Pushing 4.333MB/55.26MB

Pulling an image from ECR into Kubernetes works exactly like any other private registry: the registry credentials are stored in a Kubernetes secret of type docker-registry. The password is the same temporary token that get-login printed (the --docker-email flag is optional):

$ kubectl create secret docker-registry my-ecr-secret \
    --docker-server=https://************.dkr.ecr.us-east-1.amazonaws.com \
    --docker-username=AWS \
    --docker-password=eyJwYXlsb2FkIjoiS... \
    --docker-email=<your-email>
secret "my-ecr-secret" created


$ kubectl get secret my-ecr-secret
NAME            TYPE                              DATA   AGE
my-ecr-secret   kubernetes.io/dockerconfigjson    1      10s

Now the Pod's spec.imagePullSecrets must reference my-ecr-secret, and the container's image field must use the full ECR repository URL so that kubelet matches the credential to the registry:

$ cat private-nginx-ecr.yaml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx-ecr
spec:
  containers:
  - name: private-nginx-ecr
    image: ************.dkr.ecr.us-east-1.amazonaws.com/my-nginx
  imagePullSecrets:
  - name: my-ecr-secret


$ kubectl create -f private-nginx-ecr.yaml
pod "private-nginx-ecr" created


$ kubectl get pods private-nginx-ecr
NAME                READY   STATUS    RESTARTS   AGE
private-nginx-ecr   1/1     Running   0          1m

Note that this token is short-lived: it is valid for 12 hours. After that, any new image pull that uses my-ecr-secret fails (the Pod sits in ErrImagePull/ImagePullBackOff; Pods whose image is already on the node are unaffected), so you would have to run aws ecr get-login again, obtain a new token, and update the secret by hand every 12 hours. That is not a workable process.

The good news is that Kubernetes can refresh the ECR token automatically through its AWS CloudProvider integration. However, this requires the cluster to run on AWS, for example on EC2, and each node's EC2 instance must have an IAM role that grants at least the permissions of the AmazonEC2ContainerRegistryReadOnly managed policy (ecr:GetAuthorizationToken plus read access to the repositories); kubelet then fetches tokens with the instance credentials, so no secret is needed at all. This is described in Chapter 6, Building Kubernetes on AWS. Recent Kubernetes releases have moved this in-tree logic to an out-of-tree kubelet image credential provider, but the node-side IAM requirement is the same.

If you really want a Kubernetes cluster outside of AWS to pull images from an ECR repository, the challenge is that the ECR token has to be refreshed at least every 12 hours. You can do this with a cron job or a Kubernetes CronJob, or with some other automation tool, running under an IAM identity that holds only the read-only registry permissions it needs.
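As an added example (not code from the original page), the following POSIX shell script automates that refresh for a cluster outside AWS. It builds the same kubernetes.io/dockerconfigjson secret that the kubectl create secret docker-registry command above produces, but as a manifest that is applied, so the script can be re-run from cron without "already exists" errors, and it obtains the token with aws ecr get-login-password, which newer AWS CLI releases provide in place of get-login. The account ID, region, secret name and namespace are hypothetical defaults; the script assumes the aws and kubectl commands are installed and configured for the target account and cluster.

```shell
#!/bin/sh
# Added example, not from the original page: refresh an ECR pull secret on a
# Kubernetes cluster that runs outside AWS. Run it as `refresh-ecr-secret.sh
# refresh` from cron at least every 12 hours (the token's lifetime).
set -eu

# Hypothetical defaults; override through the environment.
ECR_REGISTRY="${ECR_REGISTRY:-123456789012.dkr.ecr.us-east-1.amazonaws.com}"
SECRET_NAME="${SECRET_NAME:-my-ecr-secret}"
NAMESPACE="${NAMESPACE:-default}"
AWS_REGION="${AWS_REGION:-us-east-1}"

# base64 without line wrapping (GNU base64 wraps at 76 columns by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The .dockerconfigjson payload kubelet reads: the same structure that
# `kubectl create secret docker-registry` generates, minus the email field.
# The ECR token is base64-alphabet text, so it needs no JSON escaping.
dockerconfigjson() {
  registry="$1"; token="$2"
  printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$(b64 "AWS:$token")"
}

# A full Secret manifest. Secret data is base64-encoded, so the JSON is
# encoded once more here.
pull_secret_manifest() {
  registry="$1"; token="$2"; name="$3"; ns="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfigjson "$registry" "$token")")
EOF
}

# Fetch a fresh 12-hour token and apply the secret. The token travels
# through a pipe and a variable, never through a command-line argument,
# so it does not land in shell history or process listings.
refresh_ecr_secret() {
  token="$(aws ecr get-login-password --region "$AWS_REGION")"
  pull_secret_manifest "$ECR_REGISTRY" "$token" "$SECRET_NAME" "$NAMESPACE" \
    | kubectl apply -f -
}

# Only talk to AWS and the cluster when explicitly asked, so the functions
# above can also be sourced and tested on their own.
if [ "${1:-}" = "refresh" ]; then
  refresh_ecr_secret
fi
```

The Pod definition above keeps working unchanged, because kubectl apply replaces the data of my-ecr-secret in place and kubelet reads the secret fresh on every image pull. Schedule the script well inside the 12-hour window (for example every 6 hours) so a missed run does not leave the cluster with an expired token.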

For more detail, please visit the AWS online document at https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html.