I have one GKE Cluster which uses the AWS ECR repo to pull the docker images. These are the steps that I followed.

Created a secret using this command

# cat > /tmp/image-pull-secret.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
  name: myregistrykey
data:
  .dockerconfigjson: $(aws ecr get-authorization-token --output json | jq -n 'input.authorizationData | {auths: (reduce .[]  as $d ({}; . + {($d.proxyEndpoint|sub("https?://";"")): {auth:$d.authorizationToken}}))}' | (base64 -w0 2>/dev/null || base64) )
type: kubernetes.io/dockerconfigjson
EOF

# kubectl apply -f /tmp/image-pull-secret.yaml

Created a deployment, but I am getting an error

# cat abc_deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: abc-deployment
  labels:
    app: abc
    env: development
spec:
  replicas: 3
  selector:
    matchLabels:
      app: abc
      env: development
  template:
    metadata:
      labels:
        app: abc
        env: development
    spec:
      containers:
      - name: abc
        image: 34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1
        ports:
        - containerPort: 8080
      imagePullSecrets:
        - name: myregistrykey

Error I am getting:

  Normal   Pulling                1m (x2 over 1m)  kubelet, gke-puppy-default-pool-e701eb52-6gdp  pulling image "34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1"
  Warning  Failed                 1m (x2 over 1m)  kubelet, gke-puppy-default-pool-e701eb52-6gdp  Failed to pull image "34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1": rpc error: code = Unknown desc = unauthorized: authentication required
  Warning  Failed                 1m (x2 over 1m)  kubelet, gke-puppy-default-pool-e701eb52-6gdp  Error: ErrImagePull
  Normal   BackOff                1m (x6 over 1m)  kubelet, gke-puppy-default-pool-e701eb52-6gdp  Back-off pulling image "34235354354.dkr.ecr.us-east-1.amazonaws.com/dev-abc:1.1.1"
  Warning  Failed                 1m (x6 over 1m)  kubelet, gke-puppy-default-pool-e701eb52-6gdp  Error: ImagePullBackOff

How can we fix this error?

user3847894

1 Answer

Technically your approach of putting the docker auth token into the imagePullSecret should work - it is what the Kubernetes documentation on integrating a private registry recommends as well.

The problem however is that the docker auth token for ECR is only valid for 12 hours. Maybe the authentication error only occurred after that period of time?

Instead, what you could do is create a CronJob that refreshes the docker auth token and recreates the imagePullSecret (you can find more about it here, here, or here).

There are also pre-built docker images for that purpose, e.g. ecr-kube-helper or k8s-ecr-login-renew.
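
A refresh script of the kind such a CronJob could run, as an added example (not code from the answer or from the projects it names). It assumes the job's container has the `aws` and `kubectl` CLIs, AWS credentials allowed to call `ecr:GetAuthorizationToken`, and a service account permitted to create and update the secret; the `NAMESPACE` variable and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild the ECR image pull secret before the 12-hour token expires.
# SECRET_NAME defaults to the secret from the question; NAMESPACE is an assumption.
SECRET_NAME="${SECRET_NAME:-myregistrykey}"
NAMESPACE="${NAMESPACE:-default}"

# proxyEndpoint is returned as https://<account>.dkr.ecr.<region>.amazonaws.com;
# the key under "auths" must be the bare registry host used in the image name.
registry_host() {
  printf '%s' "${1#*://}"
}

# $1 = registry host, $2 = authorizationToken (already base64 of "AWS:<password>").
dockerconfig_json() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$2"
}

refresh_pull_secret() {
  # One API call; --output text prints "<token><TAB><endpoint>".
  creds=$(aws ecr get-authorization-token \
    --query 'authorizationData[0].[authorizationToken,proxyEndpoint]' \
    --output text) || return 1
  set -- $creds
  token=$1 endpoint=$2
  # Fail closed: a null query result is printed as "None" in text output.
  if [ -z "$token" ] || [ "$token" = None ] || [ -z "$endpoint" ]; then
    echo "no ECR authorization token returned" >&2
    return 1
  fi
  # Keep the token out of process arguments: mktemp creates the file mode 0600.
  tmp=$(mktemp) || return 1
  dockerconfig_json "$(registry_host "$endpoint")" "$token" > "$tmp"
  # create --dry-run | apply makes the update idempotent (create or replace).
  kubectl create secret generic "$SECRET_NAME" --namespace "$NAMESPACE" \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Run only when asked (sh refresh.sh run), so the functions can be sourced and tested.
if [ "${1:-}" = run ]; then
  refresh_pull_secret
fi
```

Schedule the job more often than every 12 hours so pods never pull with an expired token. `--dry-run=client` needs kubectl 1.18 or later.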