Requirement: manage the AWS ECR image pull credentials on my own k8s cluster with a CronJob.
The AWS ECR documentation has the following passage:
Using an authorization token
The permission scope of an authorization token matches that of the IAM principal used to retrieve the authentication token. An authentication token is used to access any Amazon ECR registry that your IAM principal has access to and is valid for 12 hours. To obtain an authorization token, you must use the GetAuthorizationToken API operation to retrieve a base64-encoded authorization token containing the username AWS and an encoded password. The AWS CLI get-login-password command simplifies this by retrieving and decoding the authorization token, which you can then pipe into the docker login command to authenticate.
Reference: using ECR as the application image registry on k8s
https://www.sklinux.com/posts/k8s/k8s%E4%B8%8A%E4%BD%BF%E7%94%A8ecr/
Apply the configuration below. Friendly reminder: registry addresses in the China (cn) regions end in com.cn.
Command to decode the secret: echo "secret" | base64 -d
apiVersion: rbac.authorization.k8s.io/v1beta1   # use rbac.authorization.k8s.io/v1 on Kubernetes >= 1.22
kind: ClusterRoleBinding
metadata:
  name: ecr-cred-rbac
subjects:
- kind: ServiceAccount
  namespace: default   # the CronJob below must run in this namespace for the binding to apply
  name: default
roleRef:
  kind: ClusterRole
  name: cluster-admin   # far broader than needed: a Role limited to secrets and serviceaccounts in the target namespace is enough
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1beta1   # use batch/v1 on Kubernetes >= 1.25
kind: CronJob
metadata:
  annotations: {}
  name: ecr-cred-helper
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers:
          - image: odaniait/aws-kubectl:latest
            imagePullPolicy: IfNotPresent
            name: ecr-cred-helper
            command:
            - /bin/sh
            - -c
            - |-
              ACCOUNT=xxxxxxxx
              REGION=cn-northwest-1
              SECRET_NAME=${REGION}-ecr-registry
              EMAIL=xxxxx
              # Fetch the login password. get-login (AWS CLI v1 only) prints a full
              # "docker login -u AWS -p <token> ..." command; field 6 is the token.
              # On AWS CLI v2 use: TOKEN=`aws ecr get-login-password --region ${REGION}`
              TOKEN=`aws ecr get-login --region ${REGION} --registry-ids ${ACCOUNT} | cut -d' ' -f6`
              echo "ENV variables setup done."
              kubectl -n logging-operator delete secret --ignore-not-found $SECRET_NAME
              # ECR tokens always use the username AWS; cn regions use the .com.cn suffix
              kubectl -n logging-operator create secret docker-registry $SECRET_NAME \
                --docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com.cn \
                --docker-username=AWS \
                --docker-password="${TOKEN}" \
                --docker-email="${EMAIL}"
              echo "Secret created by name. $SECRET_NAME"
              kubectl -n logging-operator patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}'
              echo "All done."
            env:
            - name: AWS_DEFAULT_REGION
              value: cn-northwest-1
            # Plaintext keys in the manifest end up in git and etcd; prefer valueFrom.secretKeyRef
            - name: AWS_SECRET_ACCESS_KEY
              value: xxxxx
            - name: AWS_ACCESS_KEY_ID
              value: xxxxx
            resources: {}
            securityContext:
              capabilities: {}
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: Default
          hostNetwork: true   # not needed to reach the API server or AWS; can be dropped
          restartPolicy: Never
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30
  schedule: "0 */8 * * *"   # every 8 hours (token is valid for 12); "* */8 * * *" would fire every minute of those hours
  successfulJobsHistoryLimit: 3
  suspend: false
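To check what the CronJob actually stores, here is an added example (not part of the original post) that builds the ECR registry host with the correct cn/global suffix, produces the `.dockerconfigjson` payload that `kubectl create secret docker-registry` writes, and recovers the token from its base64 `auth` field; the account, region and token values are constructed placeholders.

```bash
#!/bin/sh
# Added example, not from the original post: reproduce and decode the
# docker-registry secret content without needing kubectl or AWS access.
# All account/region/token values used here are constructed placeholders.

# ECR registry host: China regions (cn-*) use the .com.cn suffix,
# every other region uses .com.
ecr_server() {
  account="$1"; region="$2"
  case "$region" in
    cn-*) echo "${account}.dkr.ecr.${region}.amazonaws.com.cn" ;;
    *)    echo "${account}.dkr.ecr.${region}.amazonaws.com" ;;
  esac
}

# JSON that kubectl stores under data[.dockerconfigjson] (before the outer
# base64 that kubectl applies). The username for an ECR token is always AWS.
# ECR tokens are base64 text, so no JSON escaping of the token is needed.
docker_config_json() {
  server="$1"; token="$2"
  auth=$(printf '%s' "AWS:${token}" | base64 | tr -d '\n')
  printf '{"auths":{"https://%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$server" "$token" "$auth"
}

# Reverse step: recover the token from the base64 "auth" field, as after
# kubectl get secret <name> -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d
# Keeps everything after the first ':' so a token containing ':' survives.
token_from_auth() {
  printf '%s' "$1" | base64 -d | cut -d: -f2-
}

# Example run with constructed values
server=$(ecr_server 123456789012 cn-northwest-1)
docker_config_json "$server" "constructed-token-value"
echo
```

Pipe the output into `kubectl create secret generic <name> --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=/dev/stdin` to get the same secret the CronJob creates.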