# general
b
Open it in `rancher/rancher` and they will get it where it needs to go
c
Rancher itself does not pull images. Rancher is something that runs in a Kubernetes cluster. It is the kubelet that actually does the image pull when a pod needs an image, based on the ImagePullPolicy.
a
so it's an RKE2 issue then?
c
not really
it's a Kubernetes thing
a
because we can set the flag `http_token` in `rancher2_machine_config_v2`
it won't make sense that we can activate IMDSv2 but then our cluster is not able to pull images
c
The RKE2 kubelet already has support for image credential providers. If you want to use instance creds to pull images, you need to install and configure a credential provider on your nodes.
a
I see, so I have to install the out-of-tree AWS cloud provider to get the ECR credentials provider?
sounds like a PITA
thanks for the clarification, I will stay with IMDSv2 disabled for now then
c
no, this is unrelated to the cloud provider. It is not deployed to the cluster, it is something that you install on each node.
It is a binary that the kubelet runs to get creds for the image pull operation. Think of it like on-demand `docker login`
a
yes, I know how ECR auth works and their short-lived tokens, but I don't seem to find the binary. Am I supposed to build it myself from the repo and then push it to the nodes?
c
I don’t know where Amazon publishes their binaries.
a
thanks
c
I’m just googling around here, this is all Amazon supported stuff, not anything we maintain.
a
yes, I know
that's why I am going towards not using IMDSv2 and avoiding all this