
ECR lifecycle policy exception

In our ECR, we are pushing many images every day with tag 16_XXXX. Some of the pushed images are not stable versions of the application. When there is a stable version, we are retagging the image with tag 16.XXXX.

We have set up a lifecycle policy to clean up images with 16_XXXX tag at imageCountMoreThan (500). Since there are images with two tags (i.e. stable version) (e.g. 16_0715 and 16.0715), will they be cleaned up too?

We don't want to delete all the stable versions of images. Is there a way to retag the image and remove the old tag just to except it in ECR lifecycle policy?

Thanks!

Ronnieeeone asked Jul 17 '18 07:07



1 Answer

If you only have one rule, it will indeed delete your Stable images.

However, you can accomplish this with 2 rules in a policy. A rule at priority 10 will keep your Stable images (16.XXXX) safe, and a rule at priority 20 will 'see' the number of tags with your Unstable versions (16_XXXX) but will be unable to ever delete a Stable image because it is at a higher priority. Here's an example:

{
    "rules": [
        {
            "rulePriority": 10,
            "description": "Keep Stable Images",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["16."],
                "countType": "imageCountMoreThan",
                "countNumber": 9999
            },
            "action": {
                "type": "expire"
            }
        },
        {
            "rulePriority": 20,
            "description": "Delete Old Unstable Images",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["16_"],
                "countType": "imageCountMoreThan",
                "countNumber": 500
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}

Source: I wrote the rule evaluation logic for Lifecycle Policies :) You can also check the docs; the bottom of this page describes some facts about the system that users can take advantage of: https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html

An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority.
VolatileRig answered Sep 20 '22 06:09
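
The evaluation order described in the answer above, as an added example (not part of the original answer and not AWS's code): a simplified Python model that runs the single-rule and two-rule policies over a constructed repository and reports which dual-tagged stable images each one would expire. The repository contents, image ids and the helper names `matches`, `evaluate` and `rule` are assumptions made for illustration.

```python
# Added illustration: a simplified model of the documented evaluation rules,
# not AWS's implementation. Handles only tagStatus "tagged" with
# tagPrefixList and countType "imageCountMoreThan".

def matches(image, rule):
    # Every prefix in tagPrefixList must match at least one tag on the image.
    return all(any(tag.startswith(p) for tag in image["tags"])
               for p in rule["selection"]["tagPrefixList"])

def evaluate(images, policy):
    """Return {image id: rulePriority of the rule that expires it}."""
    expired, protected = {}, set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        selected = sorted((i for i in images if matches(i, rule)),
                          key=lambda i: i["pushed"], reverse=True)  # youngest first
        for img in selected[rule["selection"]["countNumber"]:]:
            # Counted by this rule, but untouchable if an earlier rule matched it.
            if img["id"] not in protected:
                expired[img["id"]] = rule["rulePriority"]
        protected.update(i["id"] for i in selected)
    return expired

def rule(priority, prefix, count):
    # Hypothetical helper that builds one rule in the policy JSON shape.
    return {"rulePriority": priority,
            "selection": {"tagStatus": "tagged", "tagPrefixList": [prefix],
                          "countType": "imageCountMoreThan", "countNumber": count},
            "action": {"type": "expire"}}

# Constructed repository: 600 builds, every 50th also retagged as stable.
REPO = [{"id": f"img-{n:04d}", "pushed": n,
         "tags": [f"16_{n:04d}"] + ([f"16.{n:04d}"] if n % 50 == 0 else [])}
        for n in range(600)]

SINGLE_RULE = {"rules": [rule(10, "16_", 500)]}
TWO_RULES = {"rules": [rule(10, "16.", 9999), rule(20, "16_", 500)]}

if __name__ == "__main__":
    for name, policy in (("single rule", SINGLE_RULE), ("two rules", TWO_RULES)):
        gone = evaluate(REPO, policy)
        stable_lost = [i["id"] for i in REPO if i["id"] in gone and len(i["tags"]) > 1]
        print(f"{name}: {len(gone)} expired, stable images lost: {stable_lost}")
```

With the two-rule policy the unstable rule still counts the stable images toward its 500, so the repository ends up holding slightly more than 500 images carrying a 16_ tag.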