Added ECR plugin private registry info

Jennifer Travinski
2021-09-02 12:39:31 -04:00
parent 040cb9646c
commit 6e6eb6811f
2 changed files with 36 additions and 1 deletions
@@ -127,7 +127,7 @@ The private registry configuration option tells Rancher where to pull the [syste
- **System images** are components needed to maintain the Kubernetes cluster.
- **Add-ons** are used to deploy several cluster components, including network plug-ins, the ingress controller, the DNS provider, or the metrics server.
See the [RKE documentation on private registries]({{<baseurl>}}/rke/latest/en/config-options/private-registries/) for more information on the private registry for components applied during the provisioning of the cluster.
To learn how to set up an **ECR private registry** and for more information on the private registry for components applied during the provisioning of the cluster, see the [RKE documentation on private registries]({{<baseurl>}}/rke/latest/en/config-options/private-registries/).
### Authorized Cluster Endpoint
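Review bot: the replacement sentence in this hunk is a run-on that keeps the removed line's clause "for more information on the private registry for components applied during the provisioning of the cluster" and bolts the ECR clause onto the front of it, so one link is made to carry two unrelated purposes. Keep the original sentence as it was and add a second one, e.g. "That page also explains how to set up an **ECR private registry**." Since the ECR material is a new subsection on the linked page (the second hunk adds `### ECR Private Registry Setup`), consider linking directly to that heading's anchor rather than to the top of the page.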
@@ -48,3 +48,38 @@ As of v0.1.10, you have to configure your private registry credentials, but you
Before v0.1.10, you had to configure your private registry credentials **and** update the names of all the [system images]({{<baseurl>}}/rke/latest/en/config-options/system-images/) in the `cluster.yml` so that the image names would have the private registry URL appended before each image name.
### ECR Private Registry Setup
There are two ways in which to provide ECR credentials to set up your ECR private registry: using an instance profile or adding a configuration snippet, which are hard-coded credentials in environment variables for the `kubelet` and credentials under the`credentialPlugin`.
- **Instance Profile**: An instance profile is the preferred and more secure approach to provide ECR credentials (when running in EC2, etc.). The instance profile will be autodetected and use these credentials by default (using the Go AWS SDK credential lookup process).
- **Configuration Snippet**: You will use the configuration snippet below rather than an instance profile only if the following conditions exist in your node:
- Node is not an EC2 instance
- Node is an EC2 instance but does not have an instance profile configured
- Node is an EC2 instance and has an instance profile configured but has no permissions for ECR
> **Note:** The ECR credentials are only used in the `kubelet` and `credentialPlugin` areas. This is important to remember if you have issues while creating a new cluster or when pulling images during reconcile/upgrades.
>
> - Kubelet: For add-ons, custom workloads, etc., the instance profile or credentials are used by the
> downstream cluster nodes
> - Pulling system images (directly via Docker): For bootstrap, upgrades, reconcile, etc., the instance profile
> or credentials are used by nodes running RKE or running the Rancher pods.
```
# Configuration snippet to be used when the instance profile is unavailable.
services:
kubelet:
extra_env:
- "AWS_ACCESS_KEY_ID=ACCESSKEY"
- "AWS_SECRET_ACCESS_KEY=SECRETKEY"
private_registries:
- url: ACCOUNTID.dkr.ecr.ap-southeast-2.amazonaws.com
is_default: true
ecrCredentialPlugin:
aws_access_key_id: "ACCESSKEY"
aws_secret_access_key: "SECRETKEY"
```
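Review bot: the prose and the snippet disagree on the key name: the intro sentence and the note box call it `credentialPlugin`, while the YAML under `private_registries` uses `ecrCredentialPlugin`; use the name RKE actually parses in all three places so a reader who copies from the prose does not end up with a key that is not recognized, which the note box itself flags as the hard-to-diagnose failure (image pulls failing during create, reconcile or upgrade). Smaller points in the same hunk: "under the`credentialPlugin`" is missing a space; "only if the following conditions exist in your node" should read "if any of the following apply to the node", since the three bullets are alternatives rather than a conjunction; and the code fence around the snippet should be tagged ```yaml. Because the snippet places long-lived AWS keys in `cluster.yml` and in the kubelet's environment, where anyone who can read `cluster.yml` or inspect the kubelet process can recover them, the section should state that explicitly and recommend a dedicated IAM user limited to ECR pull permissions and rotated regularly, not a general-purpose key.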