This message was deleted.
# generala
adamant-kite-43734
09/02/2022, 8:55 PMThis message was deleted.
c
creamy-pencil-82913
09/02/2022, 9:02 PMDid you think that things in secrets weren’t just like, there in the cluster?
creamy-pencil-82913
09/02/2022, 9:02 PMthey’re just a configmap with a different name and RBAC
b
bored-postman-37838
09/06/2022, 5:07 PM@creamy-pencil-82913 If people use their account to login to a docker registry, they will expose their credential to everyone. Is there any way they can login to the docker registry without the leak?
c
creamy-pencil-82913
09/06/2022, 5:16 PMwhat do you mean leak? You mean you have users putting their credentials in secrets?
creamy-pencil-82913
09/06/2022, 5:17 PMAnything you put in a secret can be read by anyone with access to read secrets. That is how Kubernetes works.
b
bored-postman-37838
09/06/2022, 5:20 PMOK. Thanks for clarification. In that case, how do we enable users to pull a docker image?
c
creamy-pencil-82913
09/06/2022, 5:31 PMis making the images pullable without authentication not an option?
creamy-pencil-82913
09/06/2022, 5:32 PMIn RKE2 or K3s you can can also configure auth at the container runtime level by placing the registry credentials in registries.yaml
b
bored-postman-37838
09/06/2022, 5:34 PMHmmm we need a credential to pull from our private registry. We are using k8s on aws (EKS) in our cluster
c
creamy-pencil-82913
09/06/2022, 5:39 PMHave you considered using IAM node roles on your EC2 instances to grant access to ECR?
creamy-pencil-82913
09/06/2022, 5:40 PMThis doesn’t really sound like a Rancher problem though…
b
bored-postman-37838
09/06/2022, 5:44 PMWe don’t use ECR but Artifactory so we cannot use IAM to access it. Is it possible to have a global registry credential that everyone in the cluster can share?
4 Views