
Why is imagescan not using my instance profile?

Status: Open. mmclane opened this issue 3 years ago • 3 comments

I have Rancher 2.6.3 installed on an EKS cluster. I assigned the AWS managed policy AmazonECSContainerRegistryReadOnly. I also tried attaching the AmazonECSContainerRegistryFullAccess policy. I would expect that to give me the permissions needed for ImageScan to look up the tags in ECR, but I was getting auth errors. I was able to get past those errors by creating a docker-registry secret with an ECR token and specifying it with secretRef in my fleet.yaml, and that got imagescan working, but the token expires after several hours.

I am going to try to create an automated process to renew that token, but I don't think it should be needed. I believe it should get those rights through the instance profile.

mmclane, Feb 10 '22 15:02
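The workaround the reporter describes (a docker-registry secret holding an ECR token, referenced from fleet.yaml) and the renewal job they mention wanting, written out as an added example. This is not code from the issue or from the Fleet project; the account ID, region, repository name, namespace, secret name, role ARN and container images are assumptions chosen for illustration. ECR authorization tokens are valid for 12 hours, so the CronJob refreshes the secret every 6 hours. The pod that calls ecr:GetAuthorizationToken needs that permission from somewhere: either the node's instance profile (which is where the policy the reporter attached actually applies) or, on EKS, an IRSA-annotated service account as shown. The secret must live in the same namespace as the GitRepo for Fleet to read it.

```yaml
# fleet.yaml (added example): image scan against an ECR repository,
# authenticating with the docker-registry secret created by the job below.
# Account ID, region, repository and secret name are placeholders.
imageScans:
- image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app"
  interval: 5m
  policy:
    semver:
      range: ">=1.0.0"
  tagName: "my-app-tag"        # referenced from manifests as {"$imagescan": "my-app-tag"}
  secretRef:
    name: ecr-pull-token       # must be in the GitRepo's namespace
---
# ecr-token-refresh.yaml (added example): service account, least-privilege
# RBAC and CronJob that re-creates the secret before the 12-hour token expires.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-token-refresher
  namespace: fleet-default     # assumed GitRepo namespace
  annotations:
    # IRSA: role with ecr:GetAuthorizationToken only (placeholder ARN).
    # Omit the annotation if the node instance profile already grants it.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/ecr-token-refresher
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-token-refresher
  namespace: fleet-default
rules:
# "create" cannot be scoped by resourceNames, so it gets its own rule;
# get/patch are limited to the one secret the job manages.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["ecr-pull-token"]
  verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-token-refresher
  namespace: fleet-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ecr-token-refresher
subjects:
- kind: ServiceAccount
  name: ecr-token-refresher
  namespace: fleet-default
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-token-refresh
  namespace: fleet-default
spec:
  schedule: "0 */6 * * *"      # twice per 12-hour token lifetime
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-token-refresher
          restartPolicy: OnFailure
          volumes:
          - name: token
            emptyDir:
              medium: Memory   # token never touches node disk
          # Step 1: fetch the token with the AWS CLI (image is an assumption).
          initContainers:
          - name: get-token
            image: public.ecr.aws/aws-cli/aws-cli:latest
            command: ["sh", "-c"]
            args:
            - aws ecr get-login-password --region us-east-1 > /token/password
            volumeMounts:
            - name: token
              mountPath: /token
          # Step 2: write it into the docker-registry secret Fleet references.
          # "apply" updates the existing secret in place (get + patch) or
          # creates it on first run. kubectl image is an assumption.
          containers:
          - name: update-secret
            image: bitnami/kubectl:latest
            command: ["sh", "-c"]
            args:
            - |
              kubectl create secret docker-registry ecr-pull-token \
                --namespace fleet-default \
                --docker-server=123456789012.dkr.ecr.us-east-1.amazonaws.com \
                --docker-username=AWS \
                --docker-password="$(cat /token/password)" \
                --dry-run=client -o yaml | kubectl apply -f -
            volumeMounts:
            - name: token
              mountPath: /token
              readOnly: true
```

The secret is rewritten rather than deleted and re-created so there is no window in which Fleet's next scan finds it missing; `concurrencyPolicy: Forbid` keeps two refresh runs from racing on the same secret.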

This may be team/area1. We'll refine this soon and decide.

MKlimuszka, Feb 22 '22 17:02

@MKlimuszka any update?

kkaempf, Dec 06 '22 14:12

Hello team, are there any plans to ever implement this?

It would be nice if the fleet-controller pod were able to assume cloud identities based on IRSA/workload identity. It would make the integration of imagescan with EKS/AKS/GKE much easier.

SamuZad, Sep 28 '24 10:09