kube-ecr-refresher

command module
v0.0.1-0...-70061ec
Published: Jul 18, 2023 License: Apache-2.0 Imports: 18 Imported by: 0

README

A helper tool for refreshing Amazon ECR credentials in Kubernetes clusters periodically.

Motivation

Authorization tokens for Amazon ECR expire every 12h. This makes it cumbersome to pull images from Amazon ECR outside Amazon EKS, as image pull secrets must be refreshed (in each required namespace) with the same frequency to ensure uninterrupted access. kube-ecr-refresher takes care of automating this task by periodically creating/updating secrets containing fresh credentials in all namespaces (or just a subset of them) based on a given set of AWS credentials.
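The sketch below is an added example, not code from kube-ecr-refresher. It shows how an ECR authorization token (base64 of "AWS:<password>", as returned by GetAuthorizationToken) maps onto the payload of a kubernetes.io/dockerconfigjson image pull secret, and how to decide that a token is due for renewal before its expiry. The function names, the two-hour margin and the sample values are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// dockerConfigJSON (hypothetical helper) builds the .dockerconfigjson payload
// for one registry endpoint from an ECR authorization token.
func dockerConfigJSON(endpoint, token string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, fmt.Errorf("decoding token: %w", err)
	}
	// Split on the first colon only, so a password containing ':' survives.
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, errors.New("token is not in user:password form")
	}
	entry := map[string]string{"username": parts[0], "password": parts[1], "auth": token}
	auths := map[string]map[string]string{endpoint: entry}
	return json.Marshal(map[string]interface{}{"auths": auths})
}

// needsRefresh (hypothetical helper) reports whether a token expiring at
// expiresAt should be replaced now, keeping a safety margin before expiry.
func needsRefresh(now, expiresAt time.Time, margin time.Duration) bool {
	return !now.Before(expiresAt.Add(-margin))
}

func main() {
	// Constructed sample values; a real token and endpoint come from ECR.
	token := base64.StdEncoding.EncodeToString([]byte("AWS:constructed-sample-password"))
	endpoint := "https://123456789012.dkr.ecr.eu-west-1.amazonaws.com"
	cfg, err := dockerConfigJSON(endpoint, token)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(cfg))
	issued := time.Date(2023, 7, 18, 0, 0, 0, 0, time.UTC)
	expires := issued.Add(12 * time.Hour) // 12h lifetime, as stated above
	fmt.Println(needsRefresh(issued.Add(11*time.Hour), expires, 2*time.Hour))
}
```

The resulting bytes are what goes under the .dockerconfigjson key of the secret in each target namespace; they contain a live registry password for the lifetime of the token and should be handled like any other credential.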

Prerequisites

  • A set of AWS credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) having the AmazonEC2ContainerRegistryReadOnly policy attached to them.

Installing

To install kube-ecr-refresher, start by running

$ kubectl apply -f deploy/common.yaml
namespace/kube-ecr-refresher created
serviceaccount/kube-ecr-refresher created
clusterrole.rbac.authorization.k8s.io/kube-ecr-refresher created
clusterrolebinding.rbac.authorization.k8s.io/kube-ecr-refresher created

Then, edit deploy/secret.yaml in order to specify the aforementioned AWS credentials and run

$ kubectl apply -f deploy/secret.yaml
secret/kube-ecr-refresher created

Finally, run

$ kubectl apply -f deploy/deployment.yaml
deployment.apps/kube-ecr-refresher created

and make sure that kube-ecr-refresher is indeed running:

$ kubectl -n kube-ecr-refresher get pod -l app=kube-ecr-refresher
NAME                                  READY   STATUS    RESTARTS   AGE
kube-ecr-refresher-7dbcf68bc9-cn99c   1/1     Running   0          2s

Advanced

Customizing the target namespaces

By default, kube-ecr-refresher creates/updates image pull secrets across all namespaces in the Kubernetes cluster. To create/update these secrets in just a subset of namespaces, add the --target-namespaces flag to the deployment and specify the desired namespaces as a comma-separated list.

Refreshing credentials for multiple Amazon ECR registries

By design, kube-ecr-refresher supports refreshing credentials for a single Amazon ECR registry (i.e. the one associated with the provided AWS credentials). If you need to pull images from multiple Amazon ECR registries in the same Kubernetes cluster, you must deploy an instance of kube-ecr-refresher per target Amazon ECR registry/set of AWS credentials.

License

Copyright 2019 Form3 Financial Cloud

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
