amazon-eks-ami

Add PRIVATE_BIN_REPO support for pulling binaries

Open jnewblanc opened this issue 3 years ago • 3 comments

As an EKS AMI builder, I want to be able to pull binaries from my own repo of cached artifacts so that I can ensure availability, reproducibility, and security.

In my particular case, the binaries are not currently available in s3://amazon-eks.s3.us-gov-west-1.amazonaws.com and egress rules are tightly controlled.

How to use:

  1. User caches/stages the binaries in their own artifact repo. At present, these are:
     • kubelet
     • aws-iam-authenticator
     • cni-plugins-linux
  2. User adds the PRIVATE_BIN_REPO variable to their custom eks-worker config

Given that this is an uncommon edge case, the PRIVATE_BIN_REPO user variable has not been added to the eks-worker config. Users will continue to use the existing behavior by default.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

jnewblanc, Apr 16 '21 02:04

You can already configure a private S3 bucket. Is there a reason that's insufficient for your use case?

mmerkes, Apr 29 '21 15:04

I'm trying to add additional flexibility. I'm in a tightly controlled environment where all external artifacts must enter through a series of artifact repositories and promotion pipelines. I've added this change to pull from the repository rather than me needing to have extra process/automation to manage redundant artifacts in a s3 bucket.

jnewblanc, May 03 '21 01:05

> must enter through a series of artifact repositories

IIUC, PRIVATE_BIN_REPO/"artifact repositories" are just file servers?

> the binaries are not currently available in s3://amazon-eks.s3.us-gov-west-1.amazonaws.com

This is something we're planning to address! Because the aws-us-gov regions aren't airgapped, we haven't replicated binaries into that partition in the past; but we've heard from several customers that can't do cross-partition access for policy reasons. If the binaries were available in s3://amazon-eks in this partition, would that solve your problem?

cartermckinnon, Jul 28 '22 23:07

We still intend to replicate these binaries into the aws-us-gov partition; but I don't think this PR makes sense in its current form.

cartermckinnon, Nov 04 '22 19:11