Document ECR repo location #259
Labels: help wanted (Extra attention is needed)
Helpful info for folks running EKS on AWS and finding this issue: the requested information can, as of right now, be found in

And in Terraform code:

```hcl
data "aws_partition" "current" {
}

data "aws_region" "current" {
}

locals {
  # AWS-managed ECR Repositories for Bottlerocket images
  # See https://github.com/bottlerocket-os/bottlerocket/blob/develop/sources/api/schnauzer/src/helpers.rs
  # and https://github.com/bottlerocket-os/bottlerocket-project-website/issues/259
  bottlerocket_ecr_image_accounts_lookup = {
    "af-south-1"     = "917644944286"
    "ap-east-1"      = "375569722642"
    "ap-northeast-1" = "328549459982"
    "ap-northeast-2" = "328549459982"
    "ap-northeast-3" = "328549459982"
    "ap-south-1"     = "328549459982"
    "ap-southeast-1" = "328549459982"
    "ap-southeast-2" = "328549459982"
    "ca-central-1"   = "328549459982"
    "eu-central-1"   = "328549459982"
    "eu-north-1"     = "328549459982"
    "eu-south-1"     = "586180183710"
    "eu-west-1"      = "328549459982"
    "eu-west-2"      = "328549459982"
    "eu-west-3"      = "328549459982"
    "me-south-1"     = "509306038620"
    "sa-east-1"      = "328549459982"
    "us-east-1"      = "328549459982"
    "us-east-2"      = "328549459982"
    "us-west-1"      = "328549459982"
    "us-west-2"      = "328549459982"
  }
}

data "aws_iam_policy_document" "eks_bottlerocket_permissions" {
  # Allow worker nodes to auth with ECR Private
  statement {
    sid    = "ecrtoken"
    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = [
      "*",
    ]
  }

  # Allow worker nodes to pull images from ECR Private
  statement {
    sid    = "ecrget"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${local.bottlerocket_ecr_image_accounts_lookup[data.aws_region.current.name]}:repository/bottlerocket-control",
      "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${local.bottlerocket_ecr_image_accounts_lookup[data.aws_region.current.name]}:repository/bottlerocket-admin", # You may actually want to restrict this?
      # whatever other repositories you want
      # or EKS needs to run
      # or ECS needs to run
      # or your apps need
      # ...and so on
    ]
  }
}
```
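The Terraform above builds the scoped-down pull policy by looking up the Bottlerocket ECR account for the current region and hard-coding the two repository ARNs. The following Python is an added example, not code from the commenter or the Bottlerocket project: it reproduces the same construction outside Terraform (useful for reviewing a policy before it is applied, or for CI), fails closed when a region is absent from the table instead of silently producing a wrong ARN, and adds a small `overly_broad_ecr_statements` linter that flags Allow statements granting ECR pull actions on a wildcard resource. The account table is copied from the comment; the linter and its notion of "scoped-down" (no `*` or `repository/*` resource on pull actions) are this example's own assumptions, and the `ecr:GetAuthorizationToken` statement is left on `*` because that action is not resource-scoped.

```python
"""Build and lint a least-privilege ECR pull policy for Bottlerocket nodes (added example)."""
import json
from fnmatch import fnmatchcase

# Region -> AWS account ID hosting the Bottlerocket ECR repositories.
# Copied from the issue comment; verify against schnauzer's helpers.rs before relying on it.
BOTTLEROCKET_ECR_ACCOUNTS = {
    "af-south-1": "917644944286", "ap-east-1": "375569722642",
    "ap-northeast-1": "328549459982", "ap-northeast-2": "328549459982",
    "ap-northeast-3": "328549459982", "ap-south-1": "328549459982",
    "ap-southeast-1": "328549459982", "ap-southeast-2": "328549459982",
    "ca-central-1": "328549459982", "eu-central-1": "328549459982",
    "eu-north-1": "328549459982", "eu-south-1": "586180183710",
    "eu-west-1": "328549459982", "eu-west-2": "328549459982",
    "eu-west-3": "328549459982", "me-south-1": "509306038620",
    "sa-east-1": "328549459982", "us-east-1": "328549459982",
    "us-east-2": "328549459982", "us-west-1": "328549459982",
    "us-west-2": "328549459982",
}

BOTTLEROCKET_REPOS = ("bottlerocket-control", "bottlerocket-admin")

# Actions a node needs to pull a private image. GetAuthorizationToken is kept
# separate because IAM only accepts Resource "*" for it.
ECR_PULL_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)


def bottlerocket_repo_arns(region, partition="aws", repos=BOTTLEROCKET_REPOS):
    """Repository ARNs for the given region; raise rather than guess for unknown regions."""
    try:
        account = BOTTLEROCKET_ECR_ACCOUNTS[region]
    except KeyError:
        raise ValueError(f"no known Bottlerocket ECR account for region {region!r}") from None
    return [f"arn:{partition}:ecr:{region}:{account}:repository/{repo}" for repo in repos]


def node_pull_policy(region, partition="aws", extra_repo_arns=()):
    """Equivalent of the Terraform aws_iam_policy_document, as a JSON-ready dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ecrtoken", "Effect": "Allow",
             "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Sid": "ecrget", "Effect": "Allow",
             "Action": list(ECR_PULL_ACTIONS),
             "Resource": bottlerocket_repo_arns(region, partition) + list(extra_repo_arns)},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def overly_broad_ecr_statements(policy):
    """Sids of Allow statements that grant any ECR pull action on a wildcard resource.

    Action patterns are matched case-insensitively with IAM-style globs, so
    "ecr:*", "ecr:Batch*" and "*" are all treated as covering the pull actions.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        grants_pull = any(fnmatchcase(need.lower(), pattern)
                          for pattern in actions for need in ECR_PULL_ACTIONS)
        wildcard = any(r == "*" or r.endswith(":repository/*") for r in resources)
        if grants_pull and wildcard:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = node_pull_policy("us-west-2")
    print(json.dumps(policy, indent=2))
    print("overly broad statements:", overly_broad_ecr_statements(policy))
```

Run it as-is to print the us-west-2 policy; feed any existing policy document (for example one exported from IAM) to `overly_broad_ecr_statements` to see which statements would let a node pull from arbitrary repositories.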
As per discussion here, we should think about documenting the ECR repo to allow customers to create their own set of scoped-down policies.