amazon-web-services - Pulling docker image from private github package using AWS EKS with AWS Fargate
问题描述
I wish to deploy a dockerized service with kubernetes on aws. To do so I'm using the recently released AWS EKS with AWS Fargate feature. The service's docker image is stored in a private package on github.
To deploy my service I'm using a kubernetes manifest file containing a secret, a deployment and a service.
When locally deploying with kubectl on minikube, the deployment pods successfully pull the image from the private github package. I successfully reproduced the process for accessing a private dockerhub registry.
I then configured kubectl to connect to my eks cluster. When applying the manifest file I'm getting an ImagePullBackOff status for the deployment pods when pulling form github packages while it is working fine when pulling from dockerhub. The differences in the manifest file are as follow:
Generating secret for github packages:
kubectl create secret docker-registry mySecret --dry-run=true --docker-server=https://docker.pkg.github.com --docker-username=myGithubUsername --docker-password=myGithubAccessToken -o yaml
Generating secret for dockerhub:
kubectl create secret docker-registry mySecret --dry-run=true --docker-server=https://index.docker.io/v1/ --docker-username=myDockerhubUsername --docker-password=myDockerhubPassword -o yaml
The deployment spec is referenced as follow:
spec:
containers:
# when pulling from github packages
- image: docker.pkg.github.com/myGithubUsername/myRepo/myPackage:tag
# when pulling from dockerhub
- image: myDockerhubUsername/repository:tag
...
imagePullSecrets:
- name: mySecret
Trying to make this work specifically with github packages I had a try with AWS Secrets Manager.
I created a secret "mySecret" as follows :
{
"username" : "myGithubUsername",
"password" : "myGithubAccessToken"
}
I then created a policy to access this secret:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:eu-west-1:myAWSAccountId:secret:mySecret"
]
}
]
}
I then attached the policy to both the Cluster IAM Role of my eks cluster and the Pod Execution Role referenced in its fargate profile "fp-default". I'm only working in the default kubernetes namespace. My secret and cluster are both in the eu-west-1 region.
Still, I'm getting the ImagePullBackOff status when deploying.
I'm having a hard time finding anything tackling this issue using AWS Fargate with AWS EKS, and would love some insight on this :)
Edit: The question was edited in order to present in a clearer maner that the issue is mainly related to using github packages as a registry provider.
解决方案
我认为您需要在与部署相同的命名空间中创建您的秘密。我能够通过创建一个秘密来完成这项工作
kubectl create secret docker-registry mySecret --dry-run=true --docker-server=https://docker.pkg.github.com --docker-username=myGithubUsername --docker-password=myGithubAccessToken --namespace=my-api -o yaml
在我的 deployment.yaml 中,我引用它就像
spec:
containers:
- name: my-api
image: docker.pkg.github.com/doc-api:0.0.0
ports:
- containerPort: 5000
resources: {}
imagePullSecrets:
- name: mySecret
推荐阅读
- javascript - 我应该使用 CSS 还是 Javascript 来显示取决于屏幕大小的信息?重要吗?
- jenkins - 为什么这个 groovy 代码在詹金斯管道脚本中的工作方式不同
- spring - Spring Kafka Stream 没有被写入
- testing - 试图用 jest 测试我的巢 api,返回未定义
- css - Ionic 3 中的背景图像绑定不起作用,无论我如何通过它
- angular - 子组件的 routerLink 重定向到 Page Not Found 有效
- c# - 无法使用 C# Rest Sharp 反序列化 Json
- python - 为什么我的 pip3 Ansible 安装失败?在 /tmp/pip_build_root/cryptography 中失败,错误代码为 1
- regex - 用这些特殊字符(例如方括号 [] 和破折号 / \)分割字符串的正则表达式是什么?
- tcl - 如何制作文本掩码底层小部件?