Unable to pull images when using kubelet.config.k8s.io/v1 #616

Open
dntosas opened this issue Sep 15, 2023 · 8 comments

dntosas commented Sep 15, 2023

Hey team 👋

Trying to make a k8s v1.27 cluster work with Kubelet alongside ecr-creds-helper, following this guide: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/

Using IAM attached on node, both IMDSv1/v2 allowed.

This is my configuration:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: CredentialProviderConfig
providers:
  - name: docker-credential-ecr-login
    matchImages:
      - "*.dkr.ecr.*.amazonaws.com"
      - "public.ecr.aws"
    defaultCacheDuration: "12h"
    args:
    - get
    apiVersion: credentialprovider.kubelet.k8s.io/v1

Always getting this error; tried multiple configs/args etc. Any clues?

Error:

level=error msg="Error parsing the serverURL" error="parse \"https://{\\\"kind\\\":\\\"CredentialProviderRequest\\\",\\\"apiVersion\\\":\\\"credentialprovider.kubelet.k8s.io/v1beta1\\\",\\\"image\\\":\\\"XXXX.dkr.ecr.eu-west-1.amazonaws.com/XXXX\\\"}\": invalid port \":\\\"credentialprovider.kubelet.k8s.io\" after host" serverURL="{\"kind\":\"CredentialProviderRequest\",\"apiVersion\":\"credentialprovider.kubelet.k8s.io/v1beta1\",\"image\":\"XXX.dkr.ecr.eu-west-1.amazonaws.com/XXX\"}"

Error parsing the serverURL invalid port

dntosas commented Sep 15, 2023

MadJlzz commented Mar 25, 2024

I am facing the same issue. It's because the kubelet is sending a more complex request than just the registry URL.

image

(described here)

I am not sure how to implement this since it needs to solve both Docker credentials plugin / Kubelet credentials plugin.

I just found another implementation that looks suitable for the Kubelet in the cloud-provider repo.
https://github.com/kubernetes/cloud-provider-aws/blob/master/cmd/ecr-credential-provider/main.go
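
The mismatch described in the comment above, as an added example that is not part of the thread or of either project's code: a Docker credential helper expects a bare server URL on stdin, while the kubelet writes a `CredentialProviderRequest` JSON document, so parsing it as a URL fails with the `invalid port` error from the log. The function names `parseServerURL` and `registryFromStdin` are hypothetical, and the sample inputs are constructed with a placeholder account ID and repository.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// kubeletRequest mirrors the JSON fields visible in the error log above.
type kubeletRequest struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Image      string `json:"image"`
}

// parseServerURL (hypothetical) reads stdin the Docker credential-helper way: a bare registry URL.
func parseServerURL(stdin string) (string, error) {
	s := strings.TrimSpace(stdin)
	if !strings.Contains(s, "://") {
		s = "https://" + s
	}
	u, err := url.Parse(s) // kubelet JSON fails here: "invalid port ... after host"
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// registryFromStdin (hypothetical) tries the kubelet protocol first, then the Docker one.
func registryFromStdin(stdin string) (string, string, error) {
	var req kubeletRequest
	if json.Unmarshal([]byte(stdin), &req) == nil && req.Kind == "CredentialProviderRequest" {
		host, _, _ := strings.Cut(req.Image, "/") // image is "host/repo[:tag]"
		return "kubelet " + req.APIVersion, host, nil
	}
	host, err := parseServerURL(stdin)
	return "docker", host, err
}

// Constructed sample inputs; the account ID and repository are placeholders.
const kubeletInput = `{"kind":"CredentialProviderRequest","apiVersion":"credentialprovider.kubelet.k8s.io/v1","image":"123456789012.dkr.ecr.eu-west-1.amazonaws.com/app"}`
const dockerInput = "123456789012.dkr.ecr.eu-west-1.amazonaws.com"

func main() {
	_, err := parseServerURL(kubeletInput)
	fmt.Println("docker-style parse of kubelet request:", err)
	fmt.Println(registryFromStdin(kubeletInput))
	fmt.Println(registryFromStdin(dockerInput))
}
```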

MadJlzz commented Mar 25, 2024

I just tested what I mentioned above (using the ecr-credential-provider) from the cloud-provider-aws repository and I can confirm it works.

I suggest adding a few lines redirecting Kubernetes users to the correct project to avoid confusion.
WDYT?

@ryparker

@MadJlzz Testing with the cloud-provider-aws provider you suggest and still getting

pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials

what does your credential-provider-config.yaml look like?

MadJlzz commented Mar 29, 2024

Something like this

{
    "providers": [
        {
            "name": "ecr-credential-provider",
            "matchImages" : [
                "<account_number>.dkr.ecr.*.amazonaws.com"
            ],
            "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
            "defaultCacheDuration": "0"
        }
    ]
}

Don't forget to pass --image-credential-provider-bin-dir and --image-credential-provider-config to the kubelet.

Also, the above name property should match the name of the binary on your filesystem.

Finally, make sure you have the correct IAM permissions set on the role that makes the call.

ryparker commented Mar 30, 2024

Getting the following error with k8s 1.25

no kind \"CredentialProviderConfig\" is registered for version \"kubelet.config.k8s.io/v1\" in scheme \"pkg/credentialprovider/plugin/plugin.go:56\""

Looks like I have to use v1beta1 but then I get an error from ecr-credential-provider

E0330 15:58:32.678269   60816 main.go:267] Error running credential provider plugin: group version credentialprovider.kubelet.k8s.io/v1beta1 is not supported

Only fix was to upgrade to k8s 1.29

MadJlzz commented Apr 2, 2024

Indeed, I tested on a Kubernetes 1.29 but it is stable from 1.26 onward.
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/

dntosas commented Apr 16, 2024

For anyone who landed here with the same issue --> https://github.com/dntosas/ecr-credential-provider
