How do I get an OCIRepository working with an EKS Auto Mode Cluster? #5250
I have an EKS Auto Mode cluster where the Node IAM role includes the following managed policies:
I have bootstrapped the cluster successfully with flux and have managed to get a simple nginx deployment up and running to verify it is working. I have a problem when it tries to get a Helm chart deployed from ECR. I'm using an OCIRepository and I have set the
I've used some LLMs to suggest answers, but they seem a bit extreme in solving this. Have I missed something completely obvious as to why this is not working as expected? Thanks in advance!
Replies: 2 comments 1 reply
It's your lucky day, I've been deploying several OCIRepositories in EKS auto mode :) Not that being auto mode or not makes a difference though.
You should assign an IAM role to the source-controller ServiceAccount, and not to your nodes. Follow this guide: https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
And then you need a policy attached to the IAM role containing this statement:
{
  "Sid": "AllowECRLogin",
  "Effect": "Allow",
  "Action": [
    "ecr:GetAuthorizationToken"
  ],
  "Resource": "*"
}
And this one:
{
  "Sid": "AllowECRPull",
  "Effect": "Allow",
  "Action": [
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:DescribeImages"
  ],
  "Resource": "<put here ARN of the ECR repository>"
}
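The answer above gives the two permission statements and points at the AWS IRSA guide for the rest. The script below is an added example (not code from this discussion or from the Flux project) that puts the whole thing together the way the answer describes: the trust policy that ties the role to the source-controller ServiceAccount, the permission policy scoped to a single ECR repository, the flux-system kustomization patch that annotates the ServiceAccount with the role ARN, and an OCIRepository using provider: aws. The account ID, region, OIDC issuer host, repository path and role name are placeholders; it assumes Flux was bootstrapped into flux-system with the default source-controller ServiceAccount name.

```shell
# Added example (not from the discussion or the Flux project): IRSA wiring for
# source-controller so an OCIRepository can pull a Helm chart from ECR.
# Account ID, region, OIDC issuer host, repository and role name are placeholders.
set -eu
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
REGION="${REGION:-eu-west-1}"
# Issuer host without https://, from: aws eks describe-cluster --name C --query cluster.identity.oidc.issuer
OIDC_HOST="${OIDC_HOST:-oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF}"
ECR_REPO="${ECR_REPO:-charts/my-app}"
ROLE_NAME="${ROLE_NAME:-flux-source-controller-ecr}"
NAMESPACE="flux-system"
SERVICE_ACCOUNT="source-controller"

# Trust policy: the sub condition pins the role to this one ServiceAccount, so no other pod's projected token can assume it.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_HOST}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": {
      "${OIDC_HOST}:aud": "sts.amazonaws.com",
      "${OIDC_HOST}:sub": "system:serviceaccount:${NAMESPACE}:${SERVICE_ACCOUNT}"
    } }
  }]
}
EOF
}

# Permission policy: GetAuthorizationToken only works on "*"; the pull actions are scoped to the single chart repository.
pull_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowECRLogin", "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken", "Resource": "*" },
    { "Sid": "AllowECRPull", "Effect": "Allow",
      "Action": ["ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
                 "ecr:GetDownloadUrlForLayer", "ecr:DescribeImages"],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${ECR_REPO}" }
  ]
}
EOF
}

# flux-system/kustomization.yaml: annotate the ServiceAccount with the role ARN.
flux_kustomization() {
  cat <<EOF
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  - target:
      kind: ServiceAccount
      name: ${SERVICE_ACCOUNT}
    patch: |
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: ${SERVICE_ACCOUNT}
        namespace: ${NAMESPACE}
        annotations:
          eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}
EOF
}

# OCIRepository: provider: aws makes source-controller mint its own ECR token from the pod identity, no 12-hour secretRef token.
oci_repository() {
  cat <<EOF
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: my-app
  namespace: ${NAMESPACE}
spec:
  interval: 10m
  url: oci://${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${ECR_REPO}
  ref:
    tag: 1.0.0
  provider: aws
EOF
}

# Create the role and attach the inline policy; runs only as "sh irsa.sh apply".
apply_iam() {
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name ecr-pull --policy-document "$(pull_policy)"
}
if [ "${1:-}" = "apply" ]; then
  apply_iam
  flux_kustomization; oci_repository   # commit these two into the Flux repo
fi
```

Two points worth checking after applying this: the `sub` condition in the trust policy is what limits the role to source-controller, so leave it in even if a wildcard looks convenient, and the pull statement's Resource should stay the single repository ARN rather than `*`. Once the ServiceAccount is annotated the source-controller pods must be restarted so the projected token and `AWS_ROLE_ARN` environment are injected; `kubectl -n flux-system describe ocirepository my-app` then shows whether the artifact was fetched or the controller is still getting a 401 from ECR.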
That's incredible, thank you so much. Just a few blocks of Terraform on my side and setting the role ARN in the service account and it worked first time! I was trying to get it to work in relation to the docs where it says:
So thinking that the node IAM role having access to ECR was just enough to get it working. So the next paragraph was great in getting it working. Is it possible at all to make it work with just the node IAM role? Or is the only real way doing it via the ServiceAccount? But most importantly, thank you, that was such a quick turnaround. I'm really enjoying Flux!