Configuring a ROSA cluster to pull images from AWS Elastic Container Registry (ECR)
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration. This guide has been validated on OpenShift 4.20. Operator CRD names, API versions, and console paths may differ on other versions.
Prerequisites
Background
Quick Introduction by Ryan Niksch & Charlotte Fung on YouTube .
There are two options to use to authenticate wth Amazon ECR to pull images.
The traditional method is to create a pull secret for ecr.
Example:
However Amazon ECR tokens expire every 12 hours which will mean you will need to re-authenticate every 12 hours either through scripting or do so manually.
A second, and preferred method, is to attach an ECR Policy to your cluster’s worker machine profiles which this guide will walk you through.
ROSA worker nodes are provisioned with predefined IAM roles ( ManagedOpenShift-HCP-ROSA-Worker-Role for ROSA HCP and ManagedOpenShift-Worker-Role for ROSA Classic) which can be updated with an Amazon ECR policy to allow the cluster to pull images from your registries.
Configure ECR with ROSA
-
Set ENV variables
-
Create an ECR repository
-
Create the IAM policy with ECR permissions.
-
Create the Customer Managed Policy
-
Attach policy to the worker IAM role.
-
Log into ECR
-
Pull an image
-
Tag the image for ecr
-
Push the image to ECR
-
Create a new project
-
Create a new app using the image on ECR
-
View a list of pods in the namespace you created:
Expected output:
If you see the hello-ecr pod running … congratulations! You can now pull images from your ECR repository.
Clean up
-
Simply delete the project you created to test pulling images:
-
Detach and delete the IAM policy
-
Remove local files and ECR repository
