amazon-web-services - AWS 允许跨账户 EKS 集群从 ECR 拉取镜像

问题描述

概括：

我希望使 EKS 节点能够从不同 AWS 项目的 ECR 注册表中提取图像。我在所需的 ECR 存储库中创建了“AllowPull”策略，并将策略的主体设置为 EKS 集群角色的 ARN，但节点无法拉取映像。

应该如何制定策略以允许 EKS 集群中的所有节点从跨账户 ECR 存储库中提取？

尝试详情：

• ECR 注册表资源名称为：

  arn:aws:ecr:us-east-2:226427918358:repository/external-pull-test
  

• 需要拉取镜像的 EKS 集群附加了以下角色：

  arn:aws:iam::02182452XXXX:role/aws-dev-eks-cluster-crpiXXXX091410594876160000000c
  

• 外部 ECR 注册表具有以下策略 JSON：

  {
      "Version": "2008-10-17",
      "Statement": [
          {
              "Sid": "AllowPull",
              "Effect": "Allow",
              "Principal": {
                  "AWS": "arn:aws:iam::02182452XXXX:role/aws-dev-eks-cluster-crpiXXXX091410594876160000000c"
              },
              "Action": [
                  "ecr:BatchCheckLayerAvailability",
                  "ecr:BatchGetImage",
                  "ecr:DescribeImages",
                  "ecr:DescribeRepositories",
                  "ecr:GetDownloadUrlForLayer"
              ]
          }
      ]
  }
  

• podImagePullBackOff错误指定尝试向注册表进行身份验证的用户是以下假定角色：

  arn:aws:sts::02182452XXXX:assumed-role/aws-dev-eks-cluster-crpiXXXX091410594876160000000c/i-0ea4f53b6dfdcxxxx
  

环境：

• Kubernetes：v1.16.15-eks-e1a842

额外细节：

Using the ARN of my user principal (cross-account) in the policy did allow me to pull images using docker locally. Using the ARN of the assumed role did enable the node to pull the image, but my understanding is that configuring the policy with a particular assumed role won't guarentee that the cluster nodes can consistently pull from the registry.

标签： amazon-web-servicesdockeramazon-iamamazon-eksamazon-ecr