Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document ECR repo location #259

Open
zmrow opened this issue Mar 16, 2020 · 1 comment
Open

Document ECR repo location #259

zmrow opened this issue Mar 16, 2020 · 1 comment
Labels
help wanted Extra attention is needed

Comments

@zmrow
Copy link

zmrow commented Mar 16, 2020
edited

As per discussion here, we should think about documenting the ECR repo to allow customers to create their own set of scoped-down policies.
@zmrow zmrow changed the title Document ECR repo Document ECR repo location Mar 16, 2020
@zmrow zmrow mentioned this issue Mar 16, 2020
Merged
@Vlaaaaaaad Vlaaaaaaad mentioned this issue Jan 1, 2022
Open
@Vlaaaaaaad
Copy link

Helpful info for folks running EKS on AWS and finding this issue: the requested information can, as of right now, be found in sources/api/schnauzer/src/helpers.rs.
There may also be a need for the pause container repositories (see this related issue for the EKS location).

And in Terraform code:

data "aws_partition" "current" {
}

data "aws_region" "current" {
}

locals {
  # AWS-managed ECR Repositories for Bottlerocket images
  # See https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/api/schnauzer/src/helpers.rs
  #  and https://github.com/bottlerocket-os/bottlerocket-project-website/issues/259
  bottlerocket_ecr_image_accounts_lookup = {
    "af-south-1"     = "917644944286"
    "ap-east-1"      = "375569722642"
    "ap-northeast-1" = "328549459982"
    "ap-northeast-2" = "328549459982"
    "ap-northeast-3" = "328549459982"
    "ap-south-1"     = "328549459982"
    "ap-southeast-1" = "328549459982"
    "ap-southeast-2" = "328549459982"
    "ca-central-1"   = "328549459982"
    "eu-central-1"   = "328549459982"
    "eu-north-1"     = "328549459982"
    "eu-south-1"     = "586180183710"
    "eu-west-1"      = "328549459982"
    "eu-west-2"      = "328549459982"
    "eu-west-3"      = "328549459982"
    "me-south-1"     = "509306038620"
    "sa-east-1"      = "328549459982"
    "us-east-1"      = "328549459982"
    "us-east-2"      = "328549459982"
    "us-west-1"      = "328549459982"
    "us-west-2"      = "328549459982"
  }
}



data "aws_iam_policy_document" "eks_bottlerocket_permissions" {
  # Allow worker nodes to auth with ECR Private
  statement {
    sid = "ecrtoken"

    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = [
      "*",
    ]
  }
  # Allow worker nodes to pull images from ECR Private
  statement {
    sid = "ecrget"

    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${local.bottlerocket_ecr_image_accounts_lookup[data.aws_region.current.name]}:repository/bottlerocket-control",
      "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${local.bottlerocket_ecr_image_accounts_lookup[data.aws_region.current.name]}:repository/bottlerocket-admin", # You may actually want to restrict this?
      # whatever other repositories you want
      #  or EKS needs to run
      #  or ECS needs to run
      #  or your apps need
      #  ...and so on
    ]
  }
}

@stmcginnis stmcginnis added the help wanted Extra attention is needed label Dec 19, 2022
@arnaldo2792 arnaldo2792 transferred this issue from bottlerocket-os/bottlerocket Sep 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zmrow @stmcginnis @Vlaaaaaaad