使用eks node iam解决 ecr相关使用问题
权限示例 关键字AmazonEC2Container 官方托管策略选择合适即可
示例:AmazonEC2ContainerRegistryReadOnly
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}此策略无创建权限,只能pull 所以需要找台机器授权 一般用CICD机器的来做 (jenkins)
参考link:https://docs.aws.amazon.com/zh_cn/AmazonECR/latest/userguide/getting-started-cli.html 两种方式:
1. jenkins 机器配置aws cli 认证 配置ecr令牌有效期为 12 小时 ,所以使用计划任务来实现 (推荐)
2. jenkins 插件实现 link: https://plugins.jenkins.io/amazon-ecr/ (如果想权限最小化管理时推荐)
测试效果
推送成功后 docker push xxxxxxx.dkr.ecr.xxxx.amazonaws.com/nginx1:latest
测试pod 拉起镜像 kubectl apply -f pod1.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: xxxxxxx.dkr.ecr.xxxxx.amazonaws.com/nginx1:latest
ports:
- containerPort: 80