
[EKS][Feature Request]: Enable EKS Add-Ons to Reference Images from a Private Managed AWS ECR Instead of Public ECR

Open szeyit opened this issue 11 months ago • 8 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

What do you want us to build? I am requesting a feature update for EKS add-ons to enable the use of a private managed AWS ECR repository for ADOT (AWS Open Distro for OpenTelemetry) instead of the public ECR repositories currently in use. This change would facilitate smoother add-on enabling and version upgrading for users running their EKS clusters in environments without internet access.

Which service(s) is this request for?

This request is primarily for AWS EKS, with a focus on the add-ons feature and the ECR service.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

We run our EKS clusters in an intranet environment without internet access, making it challenging to enable or upgrade EKS add-ons that reference images from public ECR repositories. The current process involves manually finding compatible versions and transferring them from the public repository to our private ECR repository, a labor-intensive and error-prone approach.

Are you currently working around this issue?

How are you currently solving this problem? Yes, as a workaround, we are currently using the OpenTelemetry operator and collector from open source, which has fewer images to upload to the ECR. However, we believe that utilizing AWS EKS add-ons would be more beneficial in terms of future upgrade compatibility and would reduce the operational burden associated with manual updates. Thus, we strongly feel that a solution within the EKS add-ons would be more seamless and efficient.

Additional context

Anything else we should know? Transitioning to a private managed AWS ECR repository would streamline operations for many organizations running EKS in environments without internet access, promoting enhanced security through facilitating timely updates. It would be greatly beneficial to establish a solution allowing users to reference a private ECR repository natively while interacting with EKS add-ons, thereby minimizing operational burdens and potential for errors.

Attachments

If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

szeyit avatar Sep 11 '23 06:09 szeyit

Any updates on this one? How do we get the addon enabled if you are using IaC to set up your infrastructure? Can you prioritise this? Most enterprise apps are deployed in private networks where there is no direct access to public images. How is the OpenTelemetry collector supposed to work in that environment?

cloudbackenddev avatar Nov 14 '23 15:11 cloudbackenddev

Regarding updating the ADOT EKS add-on to use private ECR repositories for the OTEL images (e.g. xxxxx.dkr.ecr.us-east-1.amazonaws.com/eks/...).

I wanted to check if there were any updates on the status of this request. We are currently experiencing some issues after upgrading the OTEL Operator (non-ADOT) which may be due to incompatibility, as the operator is unable to create collector instances, which is hard to maintain as well.

I'd appreciate any information you may have on the timeline for this request.

szeyit avatar Dec 22 '23 09:12 szeyit

Any update about this issue?

0xmrt01 avatar Jan 02 '24 14:01 0xmrt01

Any updates?

sbarhouche avatar Jan 26 '24 14:01 sbarhouche

The ADOT team is working on this. @mhausenblas could share further updates.

mikestef9 avatar Jan 26 '24 18:01 mikestef9

Thanks, it's WIP and we're tracking it in https://github.com/aws-observability/aws-otel-community/issues/541

mhausenblas avatar Jan 29 '24 06:01 mhausenblas

Will this apply to both the Amazon CloudWatch Observability agent addon as well as the AWS Distro for OpenTelemetry addon?

At the moment I am unable to migrate to the Amazon CloudWatch Observability agent addon (for container insights) because of the use of the public ECR reference.

pfrydids avatar Feb 27 '24 15:02 pfrydids

The latest version of Amazon CloudWatch Observability EKS add-on has been updated to use private ECR repos. Amazon CloudWatch Observability EKS add-on now pulls images from the following container image registries:

https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html

kevin-aws avatar Apr 17 '24 17:04 kevin-aws