-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ImagePullPolicy for private ECR repositories #1583
Comments
Thanks for reporting this issue.
I think you're right.
Thanks for trying the workaround.
Thanks for the suggestion.I'm trying to fix this at #1584 . |
that's great, thank you for the quick triage and even quicker solution proposal. I just wonder if the proposed solution takes in consideration pods that have the Being less verbose: doesn't this PR makes stargz to never check for image updates? |
Checking for image updates is handled by containerd's CRI plugin. Stargz-snapshotter checks registry connection when the same layer mount is reused by contained. #1584 changes stargz-snapshotter to avoid connection check when if the layer contents is fully cached on node. |
I was debugging an issue with using the project with ECR repositories. The nodes would start to work normally and new pods would start as expected. After a while, new pods wouldn't start on these nodes with the following errors:
These images are from a private ECR registry. I'm using the CRI-based authentication.
I was using
imagePullPolicy: IfNotPresent
in the pods.New nodes would correctly try to download new images and share the credentials with the snapshotter. Older nodes with pods already running started failing.
My hypothesis, since the node already has pods using that image and I see events in the failed pods as the following, is that the kubelet is no longer sharing the credentials with the snapshotter. The ECR credentials expire from time to time and have to be renewed.
For now I changed the
ImagePullPolicy
and will keep monitoring.I created this issue to understand a bit better why stargz snapshotter keeps trying to reach for the image even after successfull running pods even with
ImagePullPolicy
equals toIfNotPresent
, and most importantly to discuss adding some alert to the documentation about CRI-based authentication.The text was updated successfully, but these errors were encountered: