Running an ECR image locally with helm and Kubernetes

12/3/2019

I'm new to Kubernetes and as a tutorial for myself I've been working on deploying a basic project to Kubernetes with helm (v3). I have an image in AWS's ECR as well as a local helm chart for this project. However, I am struggling to run my image with Kubernetes.

My image is set up correctly. If I try something like docker run my_image_in_ecr locally it behaves as expected (after configuring my IAM access credentials locally). My helm chart is properly linted and in my image map, it specifies:

image:
  repository: my_image_in_ecr
  tag: latest
  pullPolicy: IfNotPresent

When I try to use helm to deploy though, I'm running into issues. My understanding is to run my program with helm, I should:

  1. Run helm install on my chart

  2. Run the image inside my new kubernetes pod

But when I look at my kubernetes pods, it looks like they never get up and running.

hello-test1-hello-world-54465c788c-dxrc7           0/1     ImagePullBackOff    0          49m
hello-test2-hello-world-8499ddfb76-6xn5q           0/1     ImagePullBackOff    0          2m45s
hello-test3-hello-world-84489658c4-ggs89           0/1     ErrImagePull        0          15s

The logs for these pods look like this:

Error from server (BadRequest): container "hello-world" in pod "hello-test3-hello-world-84489658c4-ggs89" is waiting to start: trying and failing to pull image

Since I don't know how to set up imagePullSecrets properly with Kubernetes I was expecting this to fail. But I was expecting a different error message such as bad auth credentials.

  1. How can I resolve the error in image pulling? Is this issue not even related to the fact that my image is in ecr?
  2. How can I properly set up credentials (such as imagePullSecrets) to authorize pulling the image from ecr? I have followed some guides such as this one and this one but am confused on how to translate this information into a proper authorization configuration for ecr.
-- Thomas Scruggs
amazon-web-services
docker
kubectl
kubernetes
kubernetes-helm

1 Answer

12/3/2019

How can I properly set up credentials (such as imagePullSecrets) to authorize pulling the image from ecr?

The traditional way is to grant the Node an instance role that includes ecr:* IAM Permissions, ensure you have --cloud-provider=aws set on apiserver, controller-manager, and kubelet (which if you are doing anything with kubernetes inside AWS you will for sure want to enable and configure correctly), and kubelet will then automatically coordinate with ECR to Just Work™.

That information was present on the page you cited, under the heading Using Amazon Elastic Container Registry, but it isn't clear if you read it and didn't understand, or read it and it doesn't apply to you, or didn't get that far down the page.

-- mdaniel
Source: StackOverflow
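
A cluster running on a local machine has no node instance role, so there the ECR token has to reach the kubelet through imagePullSecrets, as the question asks. The following is an added example, not code from the question or the answer: it converts the two fields returned by aws ecr get-authorization-token into a kubernetes.io/dockerconfigjson Secret manifest; the function name, the secret name ecr-pull and the sample account, region and token are constructed assumptions.

```python
import base64
import binascii
import json
import re

# Private ECR registry hosts look like <account-id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def ecr_pull_secret(authorization_token, proxy_endpoint,
                    name="ecr-pull", namespace="default"):
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict.

    authorization_token and proxy_endpoint are the fields returned by ECR's
    GetAuthorizationToken call; name and namespace are hypothetical defaults.
    """
    host = re.sub(r"^https?://", "", proxy_endpoint).rstrip("/")
    if not ECR_HOST.match(host):
        raise ValueError(f"not an ECR registry endpoint: {proxy_endpoint!r}")
    try:
        decoded = base64.b64decode(authorization_token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("authorization token is not valid base64 text") from exc
    # The token is base64("AWS:<password>"); the user name is always "AWS".
    user, sep, password = decoded.partition(":")
    if user != "AWS" or not sep or not password:
        raise ValueError("expected a token of the form base64('AWS:<password>')")
    docker_config = {"auths": {host: {"username": user, "password": password,
                                      "auth": authorization_token}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": encoded},
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real account.
    token = base64.b64encode(b"AWS:constructed-sample-password").decode()
    endpoint = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"
    # The JSON output can be piped to: kubectl apply -f -
    print(json.dumps(ecr_pull_secret(token, endpoint), indent=2))
```

ECR authorization tokens expire after 12 hours, so a Secret built this way has to be regenerated on a schedule. The pod spec must list the secret under imagePullSecrets, and image.repository must be the full registry URI (<account-id>.dkr.ecr.<region>.amazonaws.com/<repo>) for the auths entry to match.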