public_git
/
kaniko
mirror of https://github.com/GoogleContainerTools/kaniko
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #930 from carlossg/ecr 

Push to ECR using instance roles
This commit is contained in:
Cole Wippern 2019-12-22 10:56:09 -08:00 committed by GitHub
parent 8154046e12 16aff6a974
commit 732b270035
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
README.md
View File

@ -346,14 +346,10 @@ Run kaniko with the `config.json` inside `/kaniko/.docker/config.json`
The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built into the kaniko executor image. The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built into the kaniko executor image.
To configure credentials, you will need to do the following: To configure credentials, you will need to do the following:
1. Update the `credHelpers` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration) with the specific URI of your ECR registry: 1. Update the `credsStore` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration):
```json ```json
{ { "credsStore": "ecr-login" }
"credHelpers": {
"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}
}
``` ```
You can mount in the new config as a configMap: You can mount in the new config as a configMap:
@ -362,22 +358,25 @@ To configure credentials, you will need to do the following:
kubectl create configmap docker-config --from-file=<path to config.json> kubectl create configmap docker-config --from-file=<path to config.json>
``` ```
2. Create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster. 2. Configure credentials
1. You can use instance roles when pushing to ECR from a EC2 instance or from EKS, by [configuring the instance role permissions](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html).
2. Or you can create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
To create the secret, run: To create the secret, run:
```shell ```shell
kubectl create secret generic aws-secret --from-file=<path to .aws/credentials> kubectl create secret generic aws-secret --from-file=<path to .aws/credentials>
``` ```
The Kubernetes Pod spec should look similar to this, with the args parameters filled in: The Kubernetes Pod spec should look similar to this, with the args parameters filled in.
Note that `aws-secret` volume mount and volume are only needed when using AWS credentials from a secret, not when using instance roles.
```yaml ```yaml
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: kaniko name: kaniko
spec: spec:
containers: containers:
- name: kaniko - name: kaniko
image: gcr.io/kaniko-project/executor:latest image: gcr.io/kaniko-project/executor:latest
@ -385,19 +384,21 @@ To configure credentials, you will need to do the following:
"--context=s3://<bucket name>/<path to .tar.gz>", "--context=s3://<bucket name>/<path to .tar.gz>",
"--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"] "--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"]
volumeMounts: volumeMounts:
- name: aws-secret
mountPath: /root/.aws/
- name: docker-config - name: docker-config
mountPath: /kaniko/.docker/ mountPath: /kaniko/.docker/
# when not using instance role
- name: aws-secret
mountPath: /root/.aws/
restartPolicy: Never restartPolicy: Never
volumes: volumes:
- name: aws-secret
secret:
secretName: aws-secret
- name: docker-config - name: docker-config
configMap: configMap:
name: docker-config name: docker-config
``` # when not using instance role
- name: aws-secret
secret:
secretName: aws-secret
```
### Additional Flags ### Additional Flags