Pull image from private docker registry in AWS EKS Autoscaler worker nodes

1/21/2020

I'm using AWS EKS with Auto Scaler for the worker nodes. I have a private Artifactory Docker registry.

Now, in order to download Docker images from the private registry, I've read many documents, including the Kubernetes docs, on how to pull a Docker image from a private Docker registry.

There are three steps in the solution:

  • Create a kubectl secret which contains the Docker registry credentials
  • Add "insecure-registries":["privateRegistryAddress:port"] in /etc/docker/daemon.json
  • Restart the Docker service

I manually SSHed into the worker nodes and ran the 2nd and 3rd steps, which works temporarily. But when the EKS Auto Scaler finds that a worker node is not in use, it kills it and creates a new one as needed, and on this new worker node "insecure-registries":["privateRegistryAddress:port"] is not added to /etc/docker/daemon.json, due to which pod scheduling fails.

There are two solutions I can think of here -

  • Configure an AWS EC2 AMI which contains "insecure-registries":["privateRegistryAddress:port"] in /etc/docker/daemon.json by default, and use that image in the auto scaler configuration
  • Create a pod which has node-level permission to edit the mentioned file and restart the Docker service - but I doubt this one: if the Docker service is restarted then that pod itself would go down, and I don't know if that works or not

Please advise. Thanks.

-- Jaydeep Soni
amazon-eks
aws-eks
docker-registry
eks
kubernetes

1 Answer

1/22/2020

Solved this using the first approach I mentioned in the question.

  • First, of course, created a kubectl secret to log in to the private registry
  • SSHed into the Kubernetes worker nodes and added ["privateRegistryAddress:port"] in /etc/docker/daemon.json
  • Created an AMI image out of that node
  • Updated the EC2 launch template with the new AMI and set the new template version as default
  • Updated the EC2 Auto Scaling group with the new launch template version
  • Killed the previous worker nodes and let the Auto Scaling group create new nodes

and voila!! :)

Now whenever EKS, using the Auto Scaling group, increases or decreases EC2 instances, they will be able to download Docker images from the private Docker registry.

-- Jaydeep Soni
Source: StackOverflow
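
An added example, not part of the original question or answer: the daemon.json edit from the steps above, written in Python as an idempotent merge so that preparing the node for the AMI keeps any Docker settings already in the file and reports whether a Docker restart is needed. The function names and the sample settings are assumptions; `privateRegistryAddress:port` is the placeholder used in the post.

```python
import json
import os
import tempfile

KEY = "insecure-registries"  # daemon.json key named in the post


def merge_insecure_registry(daemon_json_text, registry):
    """Return (new_text, changed) with `registry` listed under KEY.

    Existing settings are preserved; an empty or missing file is treated as {}.
    """
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    registries = config.setdefault(KEY, [])
    if not isinstance(registries, list):
        raise ValueError(f"{KEY} must be a list")
    if registry in registries:
        return daemon_json_text, False  # already configured: no restart needed
    registries.append(registry)
    return json.dumps(config, indent=2) + "\n", True


def apply_to_file(path, registry):
    """Merge into the file at `path` atomically; return True if it changed."""
    try:
        with open(path) as fh:
            current = fh.read()
    except FileNotFoundError:
        current = ""
    new_text, changed = merge_insecure_registry(current, registry)
    if changed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # atomic swap: Docker never reads a half-written file
    return changed


if __name__ == "__main__":
    # Constructed sample: a daemon.json that already carries other settings.
    sample = '{"log-driver": "json-file", "live-restore": true}'
    text, changed = merge_insecure_registry(sample, "privateRegistryAddress:port")
    print(text, "restart docker:", changed)
```

On a node, `apply_to_file("/etc/docker/daemon.json", ...)` would be run as root, followed by the Docker restart from the steps above only when it returns `True`.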