Question
I'm new to Kubernetes and as a tutorial for myself I've been working on deploying a basic project to Kubernetes with helm (v3). I have an image in AWS's ECR as well as a local helm chart for this project. However, I am struggling to run my image with Kubernetes.
My image is set up correctly. If I try something like `docker run my_image_in_ecr` locally it behaves as expected (after configuring my IAM access credentials locally).
My helm chart is properly linted and in my image map, it specifies:

    image:
      repository: my_image_in_ecr
      tag: latest
      pullPolicy: IfNotPresent

When I try to use helm to deploy though, I'm running into issues. My understanding is to run my program with helm, I should:
1. Run `helm install` on my chart
2. Run the image inside my new kubernetes pod
But when I look at my kubernetes pods, it looks like they never get up and running.

    hello-test1-hello-world-54465c788c-dxrc7   0/1   ImagePullBackOff   0   49m
    hello-test2-hello-world-8499ddfb76-6xn5q   0/1   ImagePullBackOff   0   2m45s
    hello-test3-hello-world-84489658c4-ggs89   0/1   ErrImagePull       0   15s

The logs for these pods look like this:

    Error from server (BadRequest): container "hello-world" in pod "hello-test3-hello-world-84489658c4-ggs89" is waiting to start: trying and failing to pull image

Since I don't know how to set up imagePullSecrets properly with Kubernetes I was expecting this to fail. But I was expecting a different error message such as bad auth credentials.
- How can I resolve the error in image pulling? Is this issue not even related to the fact that my image is in ecr?
- How can I properly set up credentials (such as imagePullSecrets) to authorize pulling the image from ecr? I have followed some guides such as this one and this one but am confused on how to translate this information into a proper authorization configuration for ecr.
Answer 1:
> How can I properly set up credentials (such as imagePullSecrets) to authorize pulling the image from ecr?
The traditional way is to grant the Node an instance role that includes `ecr:*` IAM Permissions, ensure you have `--cloud-provider=aws` set on `apiserver`, `controller-manager`, and `kubelet` (which if you are doing anything with kubernetes inside AWS you will for sure want to enable and configure correctly), and `kubelet` will then automatically coordinate with ECR to Just Work™.
That information was present on the page you cited, under the heading "Using Amazon Elastic Container Registry", but it isn't clear if you read it and didn't understand, or read it and it doesn't apply to you, or didn't get that far down the page.
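For clusters whose nodes have no instance role (a local cluster, for example), the `imagePullSecrets` route the question asks about looks like the following. This is an added example, not code from the question or the answer: it builds a `kubernetes.io/dockerconfigjson` Secret from an ECR authorization token. The registry host, secret name and token are constructed placeholders; a real token comes from `aws ecr get-authorization-token` and is valid for 12 hours, so a Secret built this way must be refreshed, which the node-role approach above avoids.

```python
import base64
import json

# Constructed sample: ECR's GetAuthorizationToken returns base64("AWS:<password>").
SAMPLE_TOKEN = base64.b64encode(b"AWS:constructed-not-a-real-password").decode()
# Hypothetical registry host (account id and region are placeholders).
SAMPLE_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"


def split_ecr_token(authorization_token):
    """Decode an ECR authorization token into (username, password)."""
    decoded = base64.b64decode(authorization_token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep or username != "AWS" or not password:
        raise ValueError("not an ECR authorization token")
    return username, password


def pull_secret_manifest(name, namespace, registry, authorization_token):
    """Build a kubernetes.io/dockerconfigjson Secret for one ECR registry."""
    username, password = split_ecr_token(authorization_token)
    # The "auth" field is base64("username:password"), the same layout ECR uses.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {
        "auths": {registry: {"username": username, "password": password, "auth": auth}}
    }
    # Secret "data" values must themselves be base64-encoded.
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }


if __name__ == "__main__":
    # kubectl accepts JSON manifests, so the output can be piped to `kubectl apply -f -`.
    manifest = pull_secret_manifest("ecr-pull", "default", SAMPLE_REGISTRY, SAMPLE_TOKEN)
    print(json.dumps(manifest, indent=2))
```

The pod spec then has to list the Secret under `imagePullSecrets` (here `- name: ecr-pull`), and the image repository must include the registry host, otherwise the kubelet never presents the credential.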
Source: https://stackoverflow.com/questions/59148975/running-a-ecr-image-locally-with-helm-and-kubernetes