Seeing this ECR pull issue despite the nodes havin...
# rke2
p
Seeing this ECR pull issue despite the nodes having the correct instance profile with the correct permissions:
Failed to pull image "****.dkr.ecr.us-east-1.amazonaws.com/****/image_name:tag-0": failed to pull and unpack image "****.dkr.ecr.us-east-1.amazonaws.com/****/image_name:tag-0": failed to resolve reference "****.dkr.ecr.us-east-1.amazonaws.com/****/image_name:tag-0": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
c
Instance profile is not used by Kubernetes without installing additional plugins: https://github.com/rancher/rke2/discussions/7691
p
Awesome! Thank you so much! Created a temporary static credential and it worked! Will move to the mentioned plugins when I'm up e2e. This may be a dumb question - but do I need the AWS Cloud Controller and the AWS Load Balancer Controller? Or is there some duplication there?
Ah, the ALB Controller seems to now have issues getting to the Metadata service for similar reasons as above. 🤔
Is there an equivalent credentials provider for the ALB Load Balancer controller to avoid this when I'm trying to deploy an ingress:
Failed build model due to operation error EC2: DescribeSubnets, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found
I can't get this right. Is there any documentation on how to create a cluster so that it can pull from ECR? Bummer that this went from out-of-the-box to undocumented and quite the headache. 😞
Happy to write the doc if I get it to work though!
c
you need to deploy the ecr credential provider plugin on nodes if you want to pull from private ECR repos.
the credential provider plugin has nothing to do with cloud provider or lb controller. they are all completely separate components.
p
Do you happen to know if there are any docs for getting the ecr credential provider plugin working?
The reason the issues are coupled for me is because the old provider (very old so def my fault for not keeping up!) used to enable the images to be pulled using the node instance profile (thus having ECR perms). The AWS Load Balancer Controller (which spun up ALBs) defaulted to that instance profile too.
c
I linked you to a discussion thread up above that has pointers on how to do that