I did a very simple Kubernetes walkthrough on Windows using Docker Desktop running the local Kubernetes cluster and was successful in a few minutes.
I am now trying to do the same thing, except using my own image from AWS ECR. I cannot get Kubernetes authorization to access my private repo.
I have an AWS ECR repository created. I use Okta SSO, have AWS CLI installed, and can execute commands fine. I pushed my image to my private repo and can view it on the CLI. I have verified docker can get my private image and run the container:
> docker run MY_ECR_ADDRESS.dkr.ecr.MY_REGION.amazonaws.com/MY_REPO_NAME:latest
I then tried to authorize Kubernetes to access my private repo using the Kubernetes documentation, but this is where I have issues.
After trying this with and without the docker login step, I then
> aws ecr get-login-password --region MY_REGION | docker login --username AWS --password-stdin MY_ECR_ADDRESS.dkr.ecr.MY_REGION.amazonaws.com
> Login Succeeded
> kubectl create secret generic regcred --from-file=.dockerconfigjson=<path/to/.docker/config.json> --type=kubernetes.io/dockerconfigjson
> secret/regcred created
I can view the .docker/config.json file on both Windows and WSL2, but it does not have the assumed base64 encoded auth the Kubernetes documentation says should be there. The page says I should see something like this:
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "c3R...zE2"
        }
    }
}
But I see something like this:
{
    "auths": {
        "MYECRADDRESS.dkr.ecr.MYREGION.amazonaws.com": {}
    },
    "credsStore": "desktop",
    "stackOrchestrator": "swarm",
    "currentContext": "default"
}
I already figured I needed that base64 encoded auth string in the file and that everything hinges on that, but I tried to deploy anyway:
> kubectl create deployment test --image=MY_ECR_ADDRESS.dkr.ecr.MY_CORRECT_REGION.amazonaws.com/MY_REPO_NAME:latest
> kubectl get deploy
> NAME READY UP-TO-DATE AVAILABLE AGE
> test 0/1 1 0 2m10s
> kubectl get pods -l app=test
> NAME READY STATUS RESTARTS AGE
> test-b4d8dccfc-9ttzb 0/1 ImagePullBackOff 0 2m41s
As expected, you’ll see that I get the ImagePullBackOff, meaning my local cluster cannot access my private repo.
Can someone please help me get the auth string from the docker creds store and authorize Kubernetes to pull from my private repo?
2 Answers
The quick explanation to this is:
Details for those that want the solution:
Make sure you have auth in Kubernetes by naming the credential whatever you want and using the get-login-password:
> kubectl create secret docker-registry my-aws-cred --docker-server=MY_ECR_ADDRESS.dkr.ecr.MY_REGION.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password --region MY_REGION)
Create a chart for deployment that specifies whatever you named your secret:
Then, create a deployment based on your chart that uses the properly named secret:
> kubectl apply -f c:mylocaltestdeploy.yaml
Docker Desktop uses its own credential store: "credsStore": "desktop". So there is no "auth" key:
Anyway, you may try to use the second way to create credentials directly without generating .docker/config.json:
Also don’t forget to set the imagePullSecrets parameter inside the deployment description file. Alternatively, you may pass the secret name parameter directly by using the command line override parameter.
The third way to solve the problem is to generate the auth block manually. According to this and this articles, auth is just the username:password base64 encoded line. You may generate it by using
# printf avoids encoding echo's trailing newline; tr removes base64 line wraps
THE_AUTH="$(printf 'AWS:%s' "$(aws ecr get-login-password --region aws_region)" | base64 | tr -d '\n')"; echo "$THE_AUTH"
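The manual approach from the last answer, carried through to a complete pull secret, as an added example that is not code from the question or either answer. It also checks whether a config.json carries an inline auth value at all, which the Docker Desktop file in the question does not. The helper names, the registry placeholder and the token are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the answers. The registry and token are constructed
# placeholders; make_auth and the other function names are hypothetical helpers.
REGISTRY="MY_ECR_ADDRESS.dkr.ecr.MY_REGION.amazonaws.com"

# base64 on a single line: GNU base64 wraps at 76 columns, and ECR tokens exceed that.
b64() { base64 | tr -d '\n'; }

# make_auth USER PASSWORD -> base64("USER:PASSWORD").
# printf, unlike echo, appends no newline that would become part of the password.
make_auth() { printf '%s:%s' "$1" "$2" | b64; }

# make_dockerconfigjson REGISTRY USER PASSWORD -> config with an inline "auth" value.
make_dockerconfigjson() {
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(make_auth "$2" "$3")"
}

# config_has_inline_auth FILE -> exit 0 only if FILE carries a non-empty "auth" value.
# A config that delegates to "credsStore" and has empty registry entries fails,
# so it cannot be the source of a kubernetes.io/dockerconfigjson secret.
config_has_inline_auth() {
    grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# make_secret_manifest NAME REGISTRY USER PASSWORD -> Secret manifest on stdout.
make_secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(make_dockerconfigjson "$2" "$3" "$4" | b64)
EOF
}

# Demo with a constructed token. With real credentials the last argument would be
# "$(aws ecr get-login-password --region MY_REGION)" and the output would be
# piped to: kubectl apply -f -
make_secret_manifest regcred "$REGISTRY" AWS "constructed-token"
```

An ECR authorization token is valid for 12 hours, so a secret built this way has to be regenerated before it expires or pulls will start failing again.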