Kubernetes pull private external amazon ECR images

Problem description

I have an Amazon account with a K8S cluster which is able to pull images from the same account's ECR repository.

But my company has another account with another ECR repository. How can I pull an image from this "external" ECR repository?

I'm also a Rancher user and I used to do this by installing a special container (https://github.com/rancher/rancher-ecr-credentials) which does the job.

Is there something equivalent for Kubernetes?

Thanks for your valuable help.

Recommended answer

Since you already have this setup for pulling images from the same account, you can do this with IAM policy level or ECR permissions. In your other AWS account, set up a policy specifying the AWS account number (where k8s is) that will be able to pull images.

For example, grant pull permissions in the ECR Permissions tab:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "k8s-aws-permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::aws_account_number:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
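A pre-apply check for a repository policy like the one in the answer, as an added example that is not part of the original answer: it flags wildcard principals, unreplaced placeholders, unexpected accounts and actions beyond image pull. The names `audit_pull_policy` and `allowed_accounts` and the account ID `111122223333` are assumptions made for illustration.

```python
import copy
import re

# Pull-only actions granted by the repository policy in the answer above.
PULL_ACTIONS = {"ecr:getdownloadurlforlayer", "ecr:batchgetimage",
                "ecr:batchchecklayeravailability"}
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:root|role/.+|user/.+)$")


def as_list(value):
    """IAM policy JSON accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def audit_pull_policy(policy, allowed_accounts):
    """Return findings for an ECR repository policy meant for cross-account pull."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else as_list(principal.get("AWS", []))
        for arn in arns:
            # A principal may be a full IAM ARN or a bare 12-digit account ID.
            match = ARN_RE.match(arn) or re.fullmatch(r"(\d{12})", arn)
            if arn == "*":
                findings.append(f"{sid}: wildcard principal, any AWS principal may pull")
            elif match is None:
                findings.append(f"{sid}: principal {arn!r} is not a valid IAM ARN")
            elif match.group(1) not in allowed_accounts:
                findings.append(f"{sid}: account {match.group(1)} is not expected")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in PULL_ACTIONS:
                findings.append(f"{sid}: {action} goes beyond image pull")
    return findings


# The policy from the answer, placeholder principal left as posted.
PAGE_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "k8s-aws-permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::aws_account_number:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
               "ecr:BatchCheckLayerAvailability"]}]}

# Constructed sample: placeholder replaced with a made-up account ID.
FIXED_POLICY = copy.deepcopy(PAGE_POLICY)
FIXED_POLICY["Statement"][0]["Principal"]["AWS"] = "arn:aws:iam::111122223333:root"

if __name__ == "__main__":
    print(audit_pull_policy(PAGE_POLICY, {"111122223333"}))
    print(audit_pull_policy(FIXED_POLICY, {"111122223333"}))
```

The repository policy covers only the registry side: the node role in the cluster's account still needs an identity policy of its own that allows `ecr:GetAuthorizationToken` and the same pull actions.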
