Push images to public ECR and private ECR

Open wongma7 opened this issue 3 years ago • 16 comments

Similar to https://github.com/kubernetes-sigs/aws-ebs-csi-driver, community gcr k8s.gcr.io/provider-aws/aws-efs-csi-driver should be the canonical source of images. Docker Hub has throttling now.

Current push destinations:

  1. Docker Hub: amazon/aws-efs-csi-driver
  2. GitHub registry
  3. EKS private ECR: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver

Desired push destinations:

  1. ~~Community GCR: k8s.gcr.io/provider-aws/aws-efs-csi-driver~~
  2. ~~Docker Hub: amazon/aws-efs-csi-driver~~ deprecated
  • ~~GitHub registry~~ (remove because nobody uses it, plus a v2 GitHub registry is in beta that might see more use.)
  1. EKS private ECR: 602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver
    • also need the sidecars here otherwise users with air gapped clusters can't pull from eks-d
  2. EKS public ECR
    • currently rely on eks-d sidecar images but we also need to provide our own public ecr csi driver image

wongma7 avatar Jan 06 '21 21:01 wongma7

Given that this container is for use on AWS, I would say public ECR should be a definite yes!

tsarna avatar Jan 08 '21 13:01 tsarna

when can we expect that AWS publishes their images in their registry?

universam1 avatar Feb 12 '21 07:02 universam1

+1 for public ECR. An EKS deployment I'm working with is unable to pull the private images as the us-west-2 region is explicitly disabled for the AWS account:

    $ aws ecr get-login-password --region us-west-2
    An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::omitted is not authorized to perform: ecr:GetAuthorizationToken on resource: * with an explicit deny

Using the non-ECR version (kubectl apply -k "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.1") avoids this problem for us but it took a while to debug as this guide uses the ECR version.

libcthorne avatar Mar 09 '21 16:03 libcthorne

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

fejta-bot avatar Jun 07 '21 17:06 fejta-bot

/remove-lifecycle stale

universam1 avatar Jun 07 '21 18:06 universam1

Can we also have the other sidecar images in the EFS CSI driver kustomization.yaml (the ones below) updated to point to the ECR repo 602401143452.dkr.ecr.<region>.amazonaws.com/eks/aws-efs-csi-driver?

    images:
      - name: amazon/aws-efs-csi-driver
      - name: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
      - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
      - name: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner

gowthams316 avatar Jun 09 '21 11:06 gowthams316

@gowthams316 the ecr kustomize repo should already point to private 602401143452 ECR for the driver image and public eks-distro ECR for the sidecars. Do you mean that it should all point to either private ECR or all to public ECR?

Cleaning up the image and yaml distribution is on the roadmap but no ETA right now. Here is the current state, it is rather messy

| Installation method | Source of driver image | Source of sidecar images |
|---|---|---|
| helm chart | Docker Hub (official amazon org) | Public ECR (owned by EKS-D) |
| kustomize stable overlay | Docker Hub (official amazon org) | Community GCR |
| kustomize stable ECR overlay | Private ECR (owned by EKS) | Public ECR (owned by EKS-D) |

wongma7 avatar Jun 09 '21 18:06 wongma7

@wongma7 that's correct, it should point either completely to public or completely to private. Having some images in the manifest point to public and some to private is causing trouble in installation.

Here is the reason: for people using private (air-gapped) EKS clusters, installing the EFS CSI driver as per the documentation will fail, because only one image (the driver image) in the manifest can be pulled via the ECR private endpoint; all the other eks-distro images need to be retrieved over the internet from ECR Public, which is troublesome.

Currently the workaround for private clusters is to pull those eks-distro public sidecar images into customer-owned private repos and maintain them accordingly.

TheRealGoku avatar Jun 21 '21 14:06 TheRealGoku
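
As an added example (not part of the thread and not the project's own tooling), the mixed-source problem described in the comments above can be checked mechanically: list every image that is not served by a private ECR registry in the cluster's own region and emit the kustomize `images:` override (`name`/`newName`) that would point it at a customer-owned mirror. The region, the mirror account `111122223333`, and the rule that only in-region private ECR is reachable are assumptions.

```python
import re

# Private ECR hosts: <12-digit account>.dkr.ecr.<region>.amazonaws.com
PRIVATE_ECR = re.compile(r"^\d{12}\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")

def strip_tag(ref):
    """Drop digest and tag, keeping any registry port (host:5000/repo:tag)."""
    name = ref.split("@", 1)[0]
    head, sep, last = name.rpartition("/")
    return head + sep + last.split(":", 1)[0]

def registry_of(name):
    """Image reference rule: the first path component is a registry host only
    if it contains '.' or ':' or is 'localhost'; otherwise it is Docker Hub."""
    first, slash, _ = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def plan_mirror(images, region, mirror_account):
    """Return (reason, kustomize image override) for each image that is not
    served by a private ECR registry in the cluster's own region."""
    target = f"{mirror_account}.dkr.ecr.{region}.amazonaws.com"
    plan = []
    for ref in images:
        name = strip_tag(ref)
        registry = registry_of(name)
        m = PRIVATE_ECR.match(registry)
        if m and m.group(1) == region:
            continue  # pullable through the in-region private ECR endpoint
        reason = "private ECR in another region" if m else f"needs egress to {registry}"
        # Repository path without the registry host (Docker Hub names have none).
        repo = name[len(registry) + 1:] if name.startswith(registry + "/") else name
        plan.append((reason, {"name": name, "newName": f"{target}/{repo}"}))
    return plan

# Constructed sample: image names are taken from the thread; the cluster region
# and the mirror account below are placeholders (assumptions).
SAMPLE = [
    "amazon/aws-efs-csi-driver",
    "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe",
    "602401143452.dkr.ecr.us-west-2.amazonaws.com/eks/aws-efs-csi-driver",
    "602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-efs-csi-driver:v1.4.9",
]

if __name__ == "__main__":
    for reason, override in plan_mirror(SAMPLE, "us-east-1", "111122223333"):
        print(f"{reason}: {override['name']} -> {override['newName']}")
```

The `name`/`newName` pairs go under `images:` in a kustomization overlay once the listed images have been copied into the mirror registry.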

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 29 '21 23:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 29 '21 23:12 k8s-triage-robot

/remove-lifecycle rotten

universam1 avatar Dec 30 '21 07:12 universam1

/lifecycle stale

k8s-triage-robot avatar Mar 30 '22 07:03 k8s-triage-robot

/lifecycle rotten

k8s-triage-robot avatar Apr 29 '22 08:04 k8s-triage-robot

/remove-lifecycle rotten

libcthorne avatar Apr 29 '22 08:04 libcthorne

/lifecycle stale

k8s-triage-robot avatar Jul 28 '22 09:07 k8s-triage-robot

/remove-lifecycle stale

universam1 avatar Jul 28 '22 19:07 universam1

/lifecycle stale

k8s-triage-robot avatar Oct 26 '22 19:10 k8s-triage-robot

/remove-lifecycle stale

libcthorne avatar Oct 26 '22 20:10 libcthorne

/lifecycle stale

k8s-triage-robot avatar Jan 24 '23 21:01 k8s-triage-robot

/remove-lifecycle stale

libcthorne avatar Jan 24 '23 21:01 libcthorne

Is there any plan to support adding the images to all regions for 602401143452.dkr.ecr.REGION.amazonaws.com?

When dealing with closed environments, this is a must to route traffic through one ECR directly rather than opening up the firewall to many different locations. The other potential solution is to synchronize the public.ecr.aws images to our own ECR and maintain it, which is an overkill (and I guess the same issue affects others).

As of now, we are finding below versions available on 602401143452 for us-east-1, for example, which is quite confusing:

  • 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-efs-csi-driver
    • v1.4.9 (latest)
  • 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/livenessprobe
    • v2.6.0 (not latest, current is 2.8.0)
  • 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/csi-node-driver-registrar
    • v2.4.0 (not latest, current is 2.6.2)
  • 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/csi-provisioner
    • v2.1.1 (not latest, current is 3.3.0)

Thanks!

falmada avatar Feb 22 '23 21:02 falmada

/kind feature

RyanStan avatar May 15 '23 15:05 RyanStan

Hi @wongma7, currently EFS CSI driver images are pushed to Public and Private ECR also. You can find the link below for public ECR. https://gallery.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver

mskanth972 avatar Jun 21 '23 18:06 mskanth972

/close closing the issue as the images are available in both public and private ECR repos

mskanth972 avatar Oct 06 '23 17:10 mskanth972

@mskanth972: Closing this issue.

In response to this:

/close closing the issue as the images are available in both public and private ECR repos

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Oct 06 '23 17:10 k8s-ci-robot