AWS's ECR service is really annoying: the password for docker login has to be fetched with the AWS CLI, and it is only valid for 12 hours.
Because of that expiry, the approach on the Kubernetes site (a static imagePullSecret) does not seem workable on its own:
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
For using ECR from Azure I followed this post (you may need a proxy to reach it from China):
https://briankeating.net/post/Pulling-ECR-images-into-AKS
If you cannot reach it, I have pasted a machine translation below.
Pulling ECR images into AKS
Recently I found myself using Azure's managed Kubernetes (AKS), but the images I wanted to pull were in AWS ECR. ECR credentials expire after 12 hours, so they need to be refreshed continuously.
Below is one approach that works. It creates a service account (note that I also apply the permissions to the default account, because some of my deployments do not reference this service account yet) used for pulling images, a Kubernetes Job that runs immediately, and a CronJob that runs every 8 hours thereafter.
Your pod spec needs imagePullSecrets configured:
spec:
  imagePullSecrets:
    - name: dg-ecr-pull
dg-ecr-pull is created and refreshed by the following:
Remember to update the "TODO" parts!
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-cred-updater
rules:
  # Only the pull secret and the service accounts we patch; nothing cluster-wide.
  # "patch" on secrets is needed because the job uses `kubectl apply` to refresh in place.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "patch"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-cred-updater
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-cred-updater
subjects:
  - kind: ServiceAccount
    name: ecr-cred-updater
roleRef:
  kind: Role
  name: ecr-cred-updater
  apiGroup: rbac.authorization.k8s.io
---
# The long-lived AWS keys live in a Secret instead of the pod command line, so they are
# not readable by anyone who can view Jobs/CronJobs or pod specs in the namespace.
# Give this IAM user pull-only rights (e.g. the AmazonEC2ContainerRegistryReadOnly policy).
apiVersion: v1
kind: Secret
metadata:
  name: ecr-cred-updater-aws
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: "<TODO>"
  AWS_SECRET_ACCESS_KEY: "<TODO>"
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ecr-cred-updater
spec:
  backoffLimit: 4
  template:
    spec:
      serviceAccountName: ecr-cred-updater
      terminationGracePeriodSeconds: 0
      restartPolicy: Never
      containers:
        - name: kubectl
          # The image must ship an AWS CLI with `ecr get-login-password` (v2, or v1 >= 1.17.10)
          # and a kubectl that understands --dry-run=client (>= 1.18).
          image: xynova/aws-kubectl
          env:
            - name: AWS_ACCOUNT
              value: "<TODO>"
            - name: AWS_REGION
              value: "<TODO>"
          envFrom:
            - secretRef:
                name: ecr-cred-updater-aws
          command:
            - "/bin/sh"
            - "-c"
            - |
              set -eu
              DOCKER_REGISTRY_SERVER="https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com"
              # `aws ecr get-login` was removed in AWS CLI v2; get-login-password prints only the token.
              DOCKER_PASSWORD="$(aws ecr get-login-password --region "${AWS_REGION}")"
              # Render the secret client-side and apply it, rather than delete + create:
              # a pod scheduled in between would otherwise find no secret and fail its pull.
              kubectl create secret docker-registry dg-ecr-pull \
                --docker-server="${DOCKER_REGISTRY_SERVER}" \
                --docker-username=AWS \
                --docker-password="${DOCKER_PASSWORD}" \
                --dry-run=client -o yaml | kubectl apply -f -
              kubectl patch serviceaccount ecr-cred-updater -p '{"imagePullSecrets":[{"name":"dg-ecr-pull"}]}'
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"dg-ecr-pull"}]}'
---
# batch/v1beta1 CronJob was removed in Kubernetes 1.25; batch/v1 is available from 1.21.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-cred-updater
spec:
  # Every 8 hours at minute 0. The original "* */8 * * *" fired every minute
  # of hours 0, 8 and 16. A 12-hour token refreshed every 8 hours leaves a
  # 4-hour buffer if one run is late or fails.
  schedule: "0 */8 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 4
      template:
        spec:
          serviceAccountName: ecr-cred-updater
          terminationGracePeriodSeconds: 0
          restartPolicy: Never
          containers:
            - name: kubectl
              image: xynova/aws-kubectl
              env:
                - name: AWS_ACCOUNT
                  value: "<TODO>"
                - name: AWS_REGION
                  value: "<TODO>"
              envFrom:
                - secretRef:
                    name: ecr-cred-updater-aws
              command:
                - "/bin/sh"
                - "-c"
                - |
                  set -eu
                  DOCKER_REGISTRY_SERVER="https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com"
                  DOCKER_PASSWORD="$(aws ecr get-login-password --region "${AWS_REGION}")"
                  kubectl create secret docker-registry dg-ecr-pull \
                    --docker-server="${DOCKER_REGISTRY_SERVER}" \
                    --docker-username=AWS \
                    --docker-password="${DOCKER_PASSWORD}" \
                    --dry-run=client -o yaml | kubectl apply -f -
                  kubectl patch serviceaccount ecr-cred-updater -p '{"imagePullSecrets":[{"name":"dg-ecr-pull"}]}'
                  kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"dg-ecr-pull"}]}'
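The job above shells out to kubectl to build the pull secret. The Python below is an added example, not code from the original post or from Brian Keating's article; it shows what that secret actually contains by building the same kubernetes.io/dockerconfigjson object from an ECR GetAuthorizationToken response, and it records the token's expiry in an annotation (the annotation name is our own assumption, not a Kubernetes convention) so a later check can tell whether the secret is about to stop working. SAMPLE_RESPONSE is a constructed stand-in for what boto3's ecr.get_authorization_token() returns; the account id 123456789012 and the password are placeholders.

```python
"""Build the image-pull Secret that `kubectl create secret docker-registry`
produces, directly from an ECR GetAuthorizationToken response, and record
the token's expiry on the Secret so pulls failing can be predicted.

Added example; not from the original post. SAMPLE_RESPONSE is constructed
so the script runs offline; with boto3 you would pass
boto3.client("ecr").get_authorization_token() instead.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

# Assumed annotation name (our convention, not a Kubernetes one).
EXPIRY_ANNOTATION = "ecr-cred-updater/expires-at"

SAMPLE_RESPONSE = {  # constructed sample; a real ECR token is far longer
    "authorizationData": [
        {
            "authorizationToken": base64.b64encode(b"AWS:example-ecr-password").decode(),
            "expiresAt": "2024-01-01T12:00:00+00:00",
            "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
        }
    ]
}


def _as_utc(value):
    """expiresAt is a datetime from boto3, an ISO string (CLI v2) or an epoch (CLI v1)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if not isinstance(value, datetime):
        value = datetime.fromisoformat(str(value))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def parse_authorization(response):
    """Decode the first authorizationData entry.

    The token is base64("AWS:<password>"). The password is opaque and may
    contain colons, so split on the first colon only.
    """
    entry = response["authorizationData"][0]
    raw = base64.b64decode(entry["authorizationToken"]).decode()
    username, _, password = raw.partition(":")
    return {
        "username": username,
        "password": password,
        "server": entry["proxyEndpoint"],
        "expires_at": _as_utc(entry["expiresAt"]),
    }


def docker_config(server, username, password):
    """The .dockerconfigjson layout kubectl writes: per-server username/password
    plus a pre-encoded `auth` = base64("user:password"), which is what kubelet sends."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password, "auth": auth}}}


def pull_secret_manifest(name, namespace, auth):
    """A kubernetes.io/dockerconfigjson Secret, ready for `kubectl apply -f -`."""
    payload = json.dumps(docker_config(auth["server"], auth["username"], auth["password"]))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {EXPIRY_ANNOTATION: auth["expires_at"].isoformat()},
        },
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload.encode()).decode()},
    }


def decode_pull_secret(manifest):
    """Inverse of pull_secret_manifest: the auths dict stored in the Secret."""
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))


def needs_refresh(manifest, now=None, margin_hours=1.0):
    """True when less than margin_hours of token lifetime remains, or when the
    Secret carries no expiry annotation at all (unknown age: refresh it)."""
    stamp = manifest["metadata"].get("annotations", {}).get(EXPIRY_ANNOTATION)
    if stamp is None:
        return True
    now = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    return _as_utc(stamp) - now <= timedelta(hours=margin_hours)


if __name__ == "__main__":
    auth = parse_authorization(SAMPLE_RESPONSE)
    manifest = pull_secret_manifest("dg-ecr-pull", "default", auth)
    print(json.dumps(manifest, indent=2))  # pipe into: kubectl apply -f -
```

With real credentials, replace SAMPLE_RESPONSE with the boto3 response and pipe the printed manifest into kubectl apply -f -; apply updates the data in place, so there is no delete/create window in which a newly scheduled pod finds no secret.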