Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to run with CredentialProvider in my EKS cluster? #1277

Closed
czhczh0123 opened this issue Apr 22, 2023 · 5 comments · Fixed by #1280
Closed

How to run with CredentialProvider in my EKS cluster? #1277

czhczh0123 opened this issue Apr 22, 2023 · 5 comments · Fixed by #1280

Comments

@czhczh0123
Copy link

Environment:

  • AWS Region: cn-northwest-1
  • Instance Type(s): t3.medium
  • EKS Platform version (use aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.6
  • Kubernetes version (use aws eks describe-cluster --name <name> --query cluster.version): 1.23
  • AMI Version: ami-030d7615436dd9131
  • Kernel (e.g. uname -a): Linux ip-10-0-0-166.cn-northwest-1.compute.internal 5.4.231-137.341.amzn2.x86_64#1 SMP Tue Feb 14 21:50:55 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Release information (run cat /etc/eks/release on a node):
BUILD_TIME="Sat Mar  4 23:57:55 UTC 2023"
BUILD_KERNEL="5.4.231-137.341.amzn2.x86_64"
ARCH="x86_64"

What happened:
tried to use CredentialProviderConfig in EKS 1.23 cluster in CN region. The result is I can pull image from my ecr repo, but found the following message in kubelet logs.

Apr 22 15:22:39 ip-10-0-0-89.cn-northwest-1.compute.internal kubelet[12449]: I0422 15:22:39.623119   12449 provider.go:102] Refreshing cache for provider: *credentialprovider.defaultDockerConfigProvider
Apr 22 15:22:39 ip-10-0-0-89.cn-northwest-1.compute.internal kubelet[12449]: E0422 15:22:39.749586   12449 plugin.go:233] Failed getting credential from external registry credential provider: error execing credential provider plugin ecr-credential-provider for image 3228xxxxxxxx.dkr.ecr.cn-northwest-1.amazonaws.com.cn/publicnginx: exit status 1

What you expected to happen:
We expected kubelet to run with "ecr-credential-provider" CredentialProvider.

Environment:
EKS cluster version 1.23
node image: ami-030d7615436dd9131

[root@ip-10-0-0-166 ~]# cat /etc/eks/ecr-credential-provider/ecr-credential-provider-config
apiVersion: kubelet.config.k8s.io/v1alpha1
kind: CredentialProviderConfig
providers:
  - name: ecr-credential-provider
    matchImages:
      - "*.dkr.ecr.*.amazonaws.com"
      - "*.dkr.ecr.*.amazonaws.cn"
      - "*.dkr.ecr-fips.*.amazonaws.com"
      - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
      - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
    defaultCacheDuration: "12h"
    apiVersion: credentialprovider.kubelet.k8s.io/v1alpha1
    args:
      - get-credentials

This is the default configuration file. Because my EKS cluster was launched in China region, so I added the following provider.
- "*.dkr.ecr.*.amazonaws.com.cn"

When I ran a new pod with the container image from my ECR repo, the pod could be launched without any issue.
But checking the kubelet log, I could find the logs above.

Actually, if I did not change the default config file, I will not see the second message related to my ecr repo credentials.

Anything else we need to know?:
I thought it might related to api version, and then I switch to EKS 1.26 cluster.
The apiversion in the default config file is kubelet.config.k8s.io/v1beta1 and credentialprovider.kubelet.k8s.io/v1beta1, and when I tested with a pod with ECR image, the result is identical.
node image: ami-028547407941241ec
@maximmold
Copy link

I'm seeing the same thing. Everything seems to be pulling fine despite the errors.

@cartermckinnon
Copy link
Member

The kubelet had an in-tree ECR credential provider that was removed in 1.27. On previous Kubernetes versions, issues with the external credential provider do not result in failures, because the in-tree provider will be used as a fallback (but you'll see these warnings in the logs).

We've fixed a configuration issue with the external credential provider that will be included in the next AMI release (#1269). This will make the warnings go away.

@cartermckinnon
Copy link
Member

cartermckinnon commented Apr 24, 2023
edited
Loading

However, before 1.27 launches; we do need to ensure that the external credential provider properly matches ECR patterns for China regions; thanks for pointing our that issue @czhczh0123 .

@cartermckinnon cartermckinnon mentioned this issue Apr 25, 2023
Merged
@czhczh0123
Copy link
Author

Hi, @cartermckinnon ,

Thank you for your response. Sorry I didn't reply in time.

But I am still confused of this message.
Refreshing cache for provider: *credentialprovider.defaultDockerConfigProvider

With in-tree ECR credential provider, kubelet will not auto-refresh the ECR token, right?
Because I can only view the GetAuthorizationToken API once via CloudTrail when I launched a pod with my ECR image.
After 12 hours, I did not see another GetAuthorizationToken API unless I pull another image for my repo.

Besides, I would like to ask whether kubelet will help refresh the token when we enable external credential provider in 1.27.

Thanks a lot.

@cartermckinnon
Copy link
Member

Kubelet will only refresh credentials if it needs to -- i.e. you actually pull an image that matches the credential provider's patterns. If you're not pulling images, it's not going to refresh the tokens.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix ECR pattern for aws-cn awslabs/amazon-eks-ami
3 participants
@maximmold @cartermckinnon @czhczh0123