 

kubectl pod fails to pull down an AWS ECR image

step 1 sudo $(aws ecr get-login --no-include-email --region xx-xxxx-x)

step 2 curl -LSs https://github.com/fermayo/ecr-k8s-secret/raw/master/gen-secret.sh | bash -

step 3 kubectl describe secret aws-ecr-credentials

Name:         aws-ecr-credentials
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data

.dockerconfigjson:  32 bytes

step 4 kubectl describe pod x

Warning Failed 5s kubelet, ip-10-46-250-151 Failed to pull image "my-account.dkr.ecr.us-east-1.amazonaws.com/my-image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://my-account.dkr.ecr.us-east-1.amazonaws.com/my-image/latest: no basic auth credentials

Why can't the pod pull down the image?

Barak asked Dec 19 '18 13:12


2 Answers

Created a script that pulls the token from AWS-ECR

ACCOUNT=xxxxxxxxxxxx
REGION=xx-xxxx-x
SECRET_NAME=${REGION}-ecr-registry
EMAIL=email@example.com   # placeholder address

#
#  Fetch the ECR authorization token (base64 of "AWS:<password>") and keep the password part
#

TOKEN=$(aws ecr --region="$REGION" get-authorization-token --output text \
    --query 'authorizationData[].authorizationToken' | base64 -d | cut -d: -f2)

#
#  Create or replace registry secret
#

kubectl delete secret --ignore-not-found "$SECRET_NAME"
kubectl create secret docker-registry "$SECRET_NAME" \
    --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
    --docker-username=AWS \
    --docker-password="${TOKEN}" \
    --docker-email="${EMAIL}"

and created a Linux cronjob to run this every 10 hours

Barak answered Oct 01 '22 09:10


Your Deployment manifest will need to specify that the container registry credentials are in a secret. This is as simple as adding imagePullSecrets:

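apiVersion: apps/v1                # Deployments live in apps/v1, not v1
kind: Deployment
metadata:
  name: deployment-name
spec:
  selector:
    matchLabels:
      app: deployment-name
  template:
    metadata:
      labels:
        app: deployment-name
    spec:                          # pod spec: containers and pull secrets go here
      containers:
      - name: container-name
        image: your-registry/image/name:tag
      imagePullSecrets:
      - name: secret-name          # must exist in the same namespace as the pod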

Rawkode answered Oct 01 '22 07:10
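
The `.dockerconfigjson: 32 bytes` shown in the question is too small to hold an ECR registry host name plus a token, so the secret itself is worth inspecting before looking at the pod. The following check is an added example, not code from the question or either answer; `check_pull_secret` and `sample_secret` are hypothetical helper names, and the account ID and token are constructed placeholders.

```python
import base64
import json

def check_pull_secret(dockerconfigjson, image):
    """Return reasons the kubelet would have no usable credentials for
    `image`; an empty list means the registry entry looks complete."""
    host = image.split("/", 1)[0]            # registry host of the image ref
    try:
        auths = json.loads(dockerconfigjson)["auths"]
        # Keys may carry a scheme or trailing slash (https://host/).
        by_host = {k.split("://", 1)[-1].rstrip("/"): v for k, v in auths.items()}
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["secret is not JSON with an 'auths' object"]
    entry = by_host.get(host)
    if not isinstance(entry, dict):
        return [f"no entry for {host} (found: {sorted(by_host) or 'none'})"]
    user, password = entry.get("username", ""), entry.get("password", "")
    if entry.get("auth"):                    # when present, read "user:password" from auth
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except ValueError:
            return ["'auth' is not valid base64 text"]
        user, _, password = decoded.partition(":")
    problems = []
    if user != "AWS":
        problems.append(f"username is {user!r}, ECR expects 'AWS'")
    if not password:
        problems.append("password (the ECR token) is empty")
    return problems

def sample_secret(host, user, token):
    """Constructed test data in the shape of a docker-registry secret."""
    auth = base64.b64encode(f"{user}:{token}".encode()).decode()
    return json.dumps({"auths": {host: {"username": user, "password": token, "auth": auth}}})

# Constructed values: placeholder account ID and a fake token.
IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-image:latest"
HOST = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"

if __name__ == "__main__":
    cases = {
        "valid": sample_secret(HOST, "AWS", "constructed-token"),
        "empty token": sample_secret(HOST, "AWS", ""),
        "other region": sample_secret(HOST.replace("east-1", "west-2"), "AWS", "t"),
        "no registries": '{"auths":{}}',
    }
    for name, secret in cases.items():
        print(f"{name}: {check_pull_secret(secret, IMAGE) or 'ok'}")
```

The input for a real secret can be obtained with `kubectl get secret aws-ecr-credentials -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d`; treat that output as a credential and keep it out of logs and tickets.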