How to use Amazon ECR with EKS?

Aamod Kadam
4 min read · Nov 30, 2024


Using Amazon ECR with Amazon EKS

Amazon ECR is the default choice of container registry when working with Amazon EKS. This post walks through running an image stored in Amazon ECR as a Pod on Amazon EKS, and then looks at which IAM permissions actually make the pull work.

Note: unless stated otherwise, the commands below were run in AWS CloudShell.

Step 1 — Create EKS Cluster

The EKS cluster is created with eksctl.

See the following post if you want to create an EKS cluster in the quickest and simplest way.

https://aws.plainenglish.io/setting-up-amazon-eks-cluster-in-the-fastest-and-easiest-way-b5de835c28c3

Step 2 — Publish an Image to ECR

In this step an Apache-based image is pushed to Amazon ECR.

Refer to the following post, which pushes a simple image to ECR from AWS CloudShell.

https://amod-kadam.medium.com/getting-started-with-amazon-ecr-3a07abd96d8a

That image is what will run as a Pod in EKS.

Step 3 — Verify connectivity to ECR

To confirm that CloudShell can reach ECR, execute the following commands.

AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
# construct the ECR registry URL (AWS_REGION is preset in CloudShell; export it yourself elsewhere)
ECR_URL=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
# get a short-lived login password for ECR and use it for docker login
aws ecr get-login-password | docker login --username AWS --password-stdin ${ECR_URL}
[Screenshot: login to the registry is successful]

List the images in the repository (optional):

ECR_NAME=demo/sample-repo
aws ecr list-images --repository-name ${ECR_NAME}
[Screenshot: image listed from ECR]

When run as a container, the image simply returns a humble "Hello World!".

Step 4 — Run the POD in EKS

Step — Create Pod template file

  1. Create a Pod template file, for example with vi demo-pod.yaml
  2. Replace the account id (297106433303) and region (ap-south-1) in the image field with your own AWS account id and region.
apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: hello-world
    image: 297106433303.dkr.ecr.ap-south-1.amazonaws.com/demo/sample-repo:latest
    ports:
    - containerPort: 80

Step — Create pod

kubectl apply -f demo-pod.yaml

You should see the Pod hello-world get created and reach Running status.

Connect to the Pod and verify that Apache is running and returns "Hello World!".

The running Pod can be seen in the AWS console as well.

EKS is therefore pulling the image from ECR and running it as a Pod.

But pause for a moment: how did EKS manage to pull the image from ECR when we never granted any permissions here? Does the EKS cluster have the relevant permissions?
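Steps 3 and 4 as one script, added here as an example and not code from the original post. It builds the registry URL and the Pod manifest from the account id, region and repository (defaulting to the post's values 297106433303, ap-south-1 and demo/sample-repo, overridable through ACCOUNT_ID, REGION and REPO), and only with RUN_LIVE=1 does it call aws, docker and kubectl; without it the helpers can be checked offline. The port-forward check and the digest lookup are additions beyond what the post shows.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: Steps 3 and 4 as one
# script. Only with RUN_LIVE=1 does it call aws, docker and kubectl.
set -eu

# ecr_registry ACCOUNT_ID REGION -> prints the registry hostname.
# Rejects anything that is not a 12-digit account id, so a leftover
# "<aws-account-id>" placeholder fails here instead of at docker login.
ecr_registry() {
  local account="$1" region="$2"
  case "$account" in
    ''|*[!0-9]*) echo "ecr_registry: '$account' is not a 12-digit account id" >&2; return 1 ;;
  esac
  if [ "${#account}" -ne 12 ]; then
    echo "ecr_registry: '$account' is not a 12-digit account id" >&2
    return 1
  fi
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# pod_manifest NAME IMAGE -> prints the Pod manifest from Step 4 for IMAGE.
pod_manifest() {
  local name="$1" image="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  containers:
  - name: ${name}
    image: ${image}
    ports:
    - containerPort: 80
EOF
}

# Live part: log in, list images, create the Pod and check that Apache answers.
deploy_and_verify() {
  local account="$1" region="$2" repo="$3" name="$4" registry pf
  registry="$(ecr_registry "$account" "$region")"
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin "$registry"
  aws ecr list-images --region "$region" --repository-name "$repo" --output table
  pod_manifest "$name" "${registry}/${repo}:latest" | kubectl apply -f -
  kubectl wait --for=condition=Ready "pod/${name}" --timeout=180s
  # The digest kubelet resolved ":latest" to. Tags are mutable, so once the
  # image is approved pin it as image@sha256:... rather than trusting :latest.
  kubectl get pod "$name" \
    -o jsonpath='{.status.containerStatuses[0].imageID}{"\n"}'
  # Reach Apache through a port-forward instead of kubectl exec, so the check
  # works even if the image ships no shell or curl.
  kubectl port-forward "pod/${name}" 8080:80 >/dev/null 2>&1 &
  pf=$!
  sleep 3
  curl -s http://127.0.0.1:8080/
  kill "$pf"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  ACCOUNT_ID="${ACCOUNT_ID:-$(aws sts get-caller-identity --query Account --output text)}"
  deploy_and_verify "$ACCOUNT_ID" "${REGION:-ap-south-1}" \
    "${REPO:-demo/sample-repo}" hello-world
fi
```

Run it as RUN_LIVE=1 ./deploy.sh from CloudShell once Steps 1 and 2 are done; the printed imageID is the sha256 digest worth pinning in the manifest, since a :latest tag can be repointed at a different image without any change on the EKS side.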

How is the EKS cluster able to pull images from ECR ?

If you check the permissions of the EKS cluster's own IAM role, it has no ECR permissions at all!

Now look at the IAM role attached to the cluster's node group, and therefore to its nodes: that role does carry the relevant permissions for working with Amazon ECR.

  • The EKS cluster consists of one or more node groups, and a node group contains the nodes.
  • The role (eksctl-test-cluster-xxx-jxOU) seen in the figure below is associated with the node group and is automatically attached, as an instance profile, to each underlying EC2 instance.
  • The role eksctl-test-cluster-xxx-jxOU has the managed policy AmazonEC2ContainerRegistryReadOnly, which contains the ECR permissions needed to pull images. (See the screenshot below.)

This is what allows the EKS nodes to pull images: the kubelet on each node obtains ECR credentials from the instance role and uses them for every image pull on that node, so no credentials need to appear in the Pod spec.

Note that the cluster role is broader than the node role: the control plane has to create and manage AWS resources on the cluster's behalf, such as network interfaces, security groups and load balancers, whereas in the current context the nodes only need to pull an image from ECR. Two caveats follow from this design: AmazonEC2ContainerRegistryReadOnly applies to every repository in the account rather than to this one repository, and because the node role's credentials are served by the instance metadata service, any Pod that can reach IMDS effectively holds the same role (require IMDSv2 with a hop limit of 1, and use IRSA or EKS Pod Identity for workloads that need their own AWS access).

eksctl creates these roles and policies for you. If you provision the EKS cluster another way, make sure the node role (not the cluster role) carries the ECR pull permissions, otherwise Pods will sit in ErrImagePull.
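A check for the node-role explanation above, added here as an example and not code from the original post. It resolves the first managed node group of the cluster (defaulting to the post's test-cluster), lists the IAM policies on its node role, asks IAM whether the three actions the kubelet needs are allowed, and shows the IMDS settings of the nodes. The has_ecr_pull_policy helper works on the plain policy-ARN list the AWS CLI prints, so it can be exercised offline; only the section under RUN_LIVE=1 calls aws. The policy names and the eks:cluster-name instance tag are AWS-defined; the CLUSTER variable is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: confirm the node role of
# an eksctl cluster carries an ECR pull policy and show where the
# credentials come from. Only the RUN_LIVE=1 section calls aws.
set -eu

# AWS managed policies that allow pulling from every ECR repository in the
# account. AmazonEC2ContainerRegistryReadOnly is the one eksctl attaches;
# the others also grant the pull actions (PullOnly is the narrowest).
ECR_PULL_POLICIES="AmazonEC2ContainerRegistryReadOnly AmazonEC2ContainerRegistryPullOnly AmazonEC2ContainerRegistryPowerUser AmazonEC2ContainerRegistryFullAccess"

# has_ecr_pull_policy "ARN ARN ..." -> 0 if any ARN is one of those policies.
# Takes the whitespace-separated list that
#   aws iam list-attached-role-policies --query 'AttachedPolicies[].PolicyArn' --output text
# prints, so it can be checked offline on a constructed list.
has_ecr_pull_policy() {
  local arn name want
  for arn in $1; do
    name="${arn##*/}"
    for want in $ECR_PULL_POLICIES; do
      if [ "$name" = "$want" ]; then
        return 0
      fi
    done
  done
  return 1
}

# node_role_check CLUSTER -> resolves the first managed node group's IAM role,
# lists its attached policies and asks IAM whether the pull actions are allowed.
node_role_check() {
  local cluster="$1" nodegroup role_arn role arns
  nodegroup="$(aws eks list-nodegroups --cluster-name "$cluster" \
                 --query 'nodegroups[0]' --output text)"
  role_arn="$(aws eks describe-nodegroup --cluster-name "$cluster" \
                 --nodegroup-name "$nodegroup" --query nodegroup.nodeRole --output text)"
  role="${role_arn##*/}"
  arns="$(aws iam list-attached-role-policies --role-name "$role" \
            --query 'AttachedPolicies[].PolicyArn' --output text)"
  echo "nodegroup: $nodegroup"
  echo "node role: $role"
  echo "attached:  $arns"
  if has_ecr_pull_policy "$arns"; then
    echo "OK: node role carries an ECR pull policy"
  else
    echo "MISSING: no ECR pull policy on $role; pulls will fail with ErrImagePull" >&2
    return 1
  fi
  # Evaluate the actions kubelet actually needs, inline policies included.
  aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names ecr:GetAuthorizationToken ecr:BatchGetImage ecr:GetDownloadUrlForLayer \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
  # The instance profile serves these credentials over IMDS. With IMDSv2
  # required (HttpTokens=required) and HttpPutResponseHopLimit=1, Pods outside
  # the host network can no longer fetch them; otherwise every Pod on the
  # node effectively holds the node role.
  aws ec2 describe-instances \
    --filters "Name=tag:eks:cluster-name,Values=${cluster}" "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]' \
    --output table
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  node_role_check "${CLUSTER:-test-cluster}"
fi
```

A cluster whose node role lacks the pull policy shows the MISSING line and a non-zero exit, which is the state a cluster provisioned without eksctl commonly ends up in; the simulate-principal-policy table is the authoritative answer when permissions come from a customer-managed or inline policy rather than one of the four managed names checked offline.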

Amazon ECR can thus be used with EKS to deploy containerised workloads with very little setup!

Note: the cluster costs money while it runs, so delete it once you are done. The following command does it.

# delete the EKS cluster
eksctl delete cluster --name test-cluster

Written by Aamod Kadam

AWS Community Builder | upGrad Course Author | 7 x AWS | Terraform Associate | Cloud Consulting | AWS | Azure | Docker | Kubernetes | Software Architecture