From 6e6eb6811fcf4a31a2decc76d37039778ae1d09f Mon Sep 17 00:00:00 2001 From: Jennifer Travinski Date: Thu, 2 Sep 2021 12:39:31 -0400 Subject: [PATCH 1/4] Added ECR plugin private registry info --- .../rke-config-reference/_index.md | 2 +- .../private-registries/_index.md | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md b/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md index 7fce0b1bf2f..a5dcb2060e3 100644 --- a/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md +++ b/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md @@ -127,7 +127,7 @@ The private registry configuration option tells Rancher where to pull the [syste - **System images** are components needed to maintain the Kubernetes cluster. - **Add-ons** are used to deploy several cluster components, including network plug-ins, the ingress controller, the DNS provider, or the metrics server. -See the [RKE documentation on private registries]({{}}/rke/latest/en/config-options/private-registries/) for more information on the private registry for components applied during the provisioning of the cluster. +To learn how to set up an **ECR private registry** and for more information on the private registry for components applied during the provisioning of the cluster, see the [RKE documentation on private registries]({{}}/rke/latest/en/config-options/private-registries/). ### Authorized Cluster Endpoint diff --git a/content/rke/latest/en/config-options/private-registries/_index.md b/content/rke/latest/en/config-options/private-registries/_index.md index 1d3226826ba..a0932eb75d0 100644 --- a/content/rke/latest/en/config-options/private-registries/_index.md +++ b/content/rke/latest/en/config-options/private-registries/_index.md 
@@ -48,3 +48,38 @@ As of v0.1.10, you have to configure your private registry credentials, but you Before v0.1.10, you had to configure your private registry credentials **and** update the names of all the [system images]({{}}/rke/latest/en/config-options/system-images/) in the `cluster.yml` so that the image names would have the private registry URL appended before each image name. + +### ECR Private Registry Setup + +There are two ways in which to provide ECR credentials to set up your ECR private registry: using an instance profile or adding a configuration snippet, which are hard-coded credentials in environment variables for the `kubelet` and credentials under the`credentialPlugin`. + + - **Instance Profile**: An instance profile is the preferred and more secure approach to provide ECR credentials (when running in EC2, etc.). The instance profile will be autodetected and use these credentials by default (using the Go AWS SDK credential lookup process). + + - **Configuration Snippet**: You will use the configuration snippet below rather than an instance profile only if the following conditions exist in your node: + + - Node is not an EC2 instance + - Node is an EC2 instance but does not have an instance profile configured + - Node is an EC2 instance and has an instance profile configured but has no permissions for ECR + +> **Note:** The ECR credentials are only used in the `kubelet` and `credentialPlugin` areas. This is important to remember if you have issues while creating a new cluster or when pulling images during reconcile/upgrades. +> +> - Kubelet: For add-ons, custom workloads, etc., the instance profile or credentials are used by the +> downstream cluster nodes +> - Pulling system images (directly via Docker): For bootstrap, upgrades, reconcile, etc., the instance profile +> or credentials are used by nodes running RKE or running the Rancher pods. + +``` + # Configuration snippet to be used when the instance profile is unavailable. 
+ services: + kubelet: + extra_env: + - "AWS_ACCESS_KEY_ID=ACCESSKEY" + - "AWS_SECRET_ACCESS_KEY=SECRETKEY" + private_registries: + - url: ACCOUNTID.dkr.ecr.ap-southeast-2.amazonaws.com + is_default: true + ecrCredentialPlugin: + aws_access_key_id: "ACCESSKEY" + aws_secret_access_key: "SECRETKEY" +``` + \ No newline at end of file From 5fd87d531ad60a5ef462754857ccd22700b065da Mon Sep 17 00:00:00 2001 From: Jennifer Travinski Date: Thu, 2 Sep 2021 16:45:20 -0400 Subject: [PATCH 2/4] Updated RKE page for ECR plugin fixes --- .../en/config-options/private-registries/_index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/content/rke/latest/en/config-options/private-registries/_index.md b/content/rke/latest/en/config-options/private-registries/_index.md index a0932eb75d0..b1dcdab23b9 100644 --- a/content/rke/latest/en/config-options/private-registries/_index.md +++ b/content/rke/latest/en/config-options/private-registries/_index.md 
@@ -49,11 +49,11 @@ As of v0.1.10, you have to configure your private registry credentials, but you Before v0.1.10, you had to configure your private registry credentials **and** update the names of all the [system images]({{}}/rke/latest/en/config-options/system-images/) in the `cluster.yml` so that the image names would have the private registry URL appended before each image name. -### ECR Private Registry Setup +### Amazon Elastic Container Registry (ECR) Private Registry Setup -There are two ways in which to provide ECR credentials to set up your ECR private registry: using an instance profile or adding a configuration snippet, which are hard-coded credentials in environment variables for the `kubelet` and credentials under the`credentialPlugin`. +[Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) is an AWS managed container image registry service that is secure, scalable, and reliable. There are two ways in which to provide ECR credentials to set up your ECR private registry: using an instance profile or adding a configuration snippet, which are hard-coded credentials in environment variables for the `kubelet` and credentials under the `ecrCredentialPlugin`. - - **Instance Profile**: An instance profile is the preferred and more secure approach to provide ECR credentials (when running in EC2, etc.). The instance profile will be autodetected and use these credentials by default (using the Go AWS SDK credential lookup process). + - **Instance Profile**: An instance profile is the preferred and more secure approach to provide ECR credentials (when running in EC2, etc.). The instance profile will be autodetected and used by default. For more information on configuring an instance profile with ECR permissions, go [here](https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html). 
- **Configuration Snippet**: You will use the configuration snippet below rather than an instance profile only if the following conditions exist in your node: @@ -61,7 +61,7 @@ There are two ways in which to provide ECR credentials to set up your ECR privat - Node is an EC2 instance but does not have an instance profile configured - Node is an EC2 instance and has an instance profile configured but has no permissions for ECR -> **Note:** The ECR credentials are only used in the `kubelet` and `credentialPlugin` areas. This is important to remember if you have issues while creating a new cluster or when pulling images during reconcile/upgrades. +> **Note:** The ECR credentials are only used in the `kubelet` and `ecrCredentialPlugin` areas. This is important to remember if you have issues while creating a new cluster or when pulling images during reconcile/upgrades. > > - Kubelet: For add-ons, custom workloads, etc., the instance profile or credentials are used by the > downstream cluster nodes @@ -76,7 +76,7 @@ There are two ways in which to provide ECR credentials to set up your ECR privat - "AWS_ACCESS_KEY_ID=ACCESSKEY" - "AWS_SECRET_ACCESS_KEY=SECRETKEY" private_registries: - - url: ACCOUNTID.dkr.ecr.ap-southeast-2.amazonaws.com + - url: ACCOUNTID.dkr.ecr.region.amazonaws.com is_default: true ecrCredentialPlugin: aws_access_key_id: "ACCESSKEY" From 0c42bef53d847469ed490e00c41653f446edd449 Mon Sep 17 00:00:00 2001 From: Jennifer Travinski Date: Thu, 2 Sep 2021 17:28:01 -0400 Subject: [PATCH 3/4] Updated 2.6 with ECR reg link --- .../editing-clusters/rke-config-reference/_index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md b/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md index a5dcb2060e3..2b9ca444871 100644 --- a/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md 
+++ b/content/rancher/v2.6/en/cluster-admin/editing-clusters/rke-config-reference/_index.md @@ -127,7 +127,9 @@ The private registry configuration option tells Rancher where to pull the [syste - **System images** are components needed to maintain the Kubernetes cluster. - **Add-ons** are used to deploy several cluster components, including network plug-ins, the ingress controller, the DNS provider, or the metrics server. -To learn how to set up an **ECR private registry** and for more information on the private registry for components applied during the provisioning of the cluster, see the [RKE documentation on private registries]({{}}/rke/latest/en/config-options/private-registries/). +For more information on setting up a private registry for components applied during the provisioning of the cluster, see the [RKE documentation on private registries]({{}}/rke/latest/en/config-options/private-registries/). + +Rancher v2.6 introduced the ability to configure [ECR registries for RKE clusters]({{}}/rke/latest/en/config-options/private-registries/#amazon-elastic-container-registry-ecr-private-registry-setup). ### Authorized Cluster Endpoint From 4529663c29719792cc33bcb20267fd26d5039c0e Mon Sep 17 00:00:00 2001 From: Jennifer Travinski Date: Tue, 7 Sep 2021 16:44:05 -0400 Subject: [PATCH 4/4] Capped region for consistency --- .../rke/latest/en/config-options/private-registries/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rke/latest/en/config-options/private-registries/_index.md b/content/rke/latest/en/config-options/private-registries/_index.md index b1dcdab23b9..89453fe9511 100644 --- a/content/rke/latest/en/config-options/private-registries/_index.md +++ b/content/rke/latest/en/config-options/private-registries/_index.md 
@@ -76,7 +76,7 @@ Before v0.1.10, you had to configure your private registry credentials **and** u - "AWS_ACCESS_KEY_ID=ACCESSKEY" - "AWS_SECRET_ACCESS_KEY=SECRETKEY" private_registries: - - url: ACCOUNTID.dkr.ecr.region.amazonaws.com + - url: ACCOUNTID.dkr.ecr.REGION.amazonaws.com is_default: true ecrCredentialPlugin: aws_access_key_id: "ACCESSKEY"
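Review bot: the reworded `rke-config-reference` sentence in PATCH 1/4 is rewritten again in PATCH 3/4, which moves the ECR mention into its own paragraph; squash the two so the intermediate bolded **ECR private registry** wording never lands in history. If the series cannot be squashed, drop the rewording from this hunk and leave the original sentence for PATCH 3/4 to replace.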
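Review bot: the configuration snippet added in the PATCH 1/4 `private-registries` hunk embeds the same long-lived static key twice, once in plaintext as `kubelet` environment variables and again under `ecrCredentialPlugin`, and `cluster.yml` is routinely committed or backed up, so the section should say which permissions that key needs (image pull only), that it should be a dedicated key rather than a reused one, and that it should be rotated; a sentence next to `# Configuration snippet to be used when the instance profile is unavailable.` would cover it. Two smaller points in the same hunk: the intro paragraph says credentials go "under the`credentialPlugin`" (missing space, and the snippet's actual key is `ecrCredentialPlugin`; PATCH 2/4 fixes the name, so fold that in here), and the snippet mixes snake_case keys (`extra_env`, `is_default`, `aws_access_key_id`) with one camelCase key, so confirm `ecrCredentialPlugin` is the key RKE parses and state the RKE version that introduced it. The fence also lacks a `yaml` tag, and the file ends with a whitespace-only `+` line followed by `\ No newline at end of file`.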
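Review bot: in the PATCH 2/4 hunk at `@@ -49,11 +49,11 @@`, the instance-profile bullet links to the ECR IAM guide with the text "go [here]", which is not descriptive link text; prefer "see the [Amazon ECR identity-based policy documentation](...)" so the target is clear out of context. The intro sentence still runs the two methods together ("adding a configuration snippet, which are hard-coded credentials in environment variables for the `kubelet` and credentials under the `ecrCredentialPlugin`"); split it into one sentence per method, and replace the vague "(when running in EC2, etc.)" with the concrete condition the list below already gives, that the node is an EC2 instance with an instance profile that has ECR permissions.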
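Review bot: in the PATCH 2/4 hunk at `@@ -76,7 +76,7 @@`, the registry URL placeholder becomes lowercase `region` while the neighbouring placeholders stay uppercase (`ACCOUNTID`, `ACCESSKEY`, `SECRETKEY`); PATCH 4/4 changes it again to `REGION`, so fold that fix into this commit. Whichever casing is kept, add a sentence above the snippet stating that the uppercase tokens are values to replace, since a reader could otherwise copy `region` literally into the hostname.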
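Review bot: the PATCH 3/4 hunk links to the anchor `#amazon-elastic-container-registry-ecr-private-registry-setup`, which is derived from the heading text introduced in PATCH 2/4; if that heading is edited later the link breaks silently, so either note the dependency or give the heading an explicit id. The new sentence "Rancher v2.6 introduced the ability to configure ECR registries for RKE clusters" attributes the feature to Rancher while the linked page documents it as an RKE `cluster.yml` option; naming the RKE version that supports `ecrCredentialPlugin` alongside the Rancher version would make the statement precise.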
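Review bot: the PATCH 4/4 hunk revises a line that PATCH 2/4 of the same series introduced, and its only content is `region` to `REGION`; squash it into that commit rather than landing a standalone capitalization fix.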