Pull ECR images using Kubelet credential provider is not working in Microk8s 1.28.3

I am trying to configure a kubelet image credential provider to pull images from an ECR private registry. It looks like the 'ecr-credential-provider' gets registered but never pulls images from ECR. I am expecting that the credential provider should pull images from my private registry.

Here are the steps that I followed.

  1. Create a new file /var/snap/microk8s/common/credential-provider-config.yaml with the following content.

      apiVersion: kubelet.config.k8s.io/v1
      kind: CredentialProviderConfig
      providers:
        - name: ecr-credential-provider
          apiVersion: credentialprovider.kubelet.k8s.io/v1
          matchImages:
            - "*.dkr.ecr.*.amazonaws.com"
          defaultCacheDuration: 12h

  2. Add the following arguments to the file /var/snap/microk8s/current/args/kubelet. The credential provider binary is /usr/local/bin/ecr-credential-provider.

      --image-credential-provider-config=${SNAP_COMMON}/credential-provider-config.yaml
      --image-credential-provider-bin-dir=/usr/local/bin/

  3. Restart Microk8s
  4. Create a Pod that uses images in my repository.

I have checked that the ecr credentials provider binary is working fine when I use the following commands.

echo '{
  "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
  "kind": "CredentialProviderRequest",
  "image": "XXXXXXXXXXX.dkr.ecr.XXXX.amazonaws.com/repository/image"
}' | /usr/local/bin/ecr-credential-provider

Hi,
Have you configured AWS credentials for the user that kubelet is running under? Otherwise this will not work.

Yes, I did. Also, I have checked that the ecr credentials provider binary is working fine when I use the following commands.

echo '{
  "apiVersion": "credentialprovider.kubelet.k8s.io/v1",
  "kind": "CredentialProviderRequest",
  "image": "XXXXXXXXXXX.dkr.ecr.XXXX.amazonaws.com/repository/image"
}' | /usr/local/bin/ecr-credential-provider

Can you check whether kubelet actually picks up this configuration?
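
One thing to rule out while checking this: kubelet only invokes a provider for images that match one of its matchImages patterns. The sketch below is an added example, not part of the thread and not kubelet's own code. It approximates the documented matching rules (same number of host segments, each glob covering one segment, optional port equality, path prefix) and runs the pattern from the config above against constructed image names.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def _split(ref):
    """Return (host segments, port, path) for a scheme-less image or pattern."""
    u = urlsplit("//" + ref.split("://", 1)[-1])
    return (u.hostname or "").split("."), u.port, u.path


def image_matches(pattern, image):
    """Approximate the documented matchImages rules for a single pattern."""
    p_host, p_port, p_path = _split(pattern)
    i_host, i_port, i_path = _split(image)
    if p_port is not None and p_port != i_port:
        return False          # a port in the pattern must equal the image's port
    if len(p_host) != len(i_host):
        return False          # each glob covers exactly one host segment
    if not all(fnmatchcase(i, p) for p, i in zip(p_host, i_host)):
        return False
    return i_path.startswith(p_path)  # pattern path must prefix the image path


def providers_for(image, providers):
    """Names of the providers whose matchImages cover this image."""
    return [p["name"] for p in providers
            if any(image_matches(m, image) for m in p["matchImages"])]


# Mirrors the providers section of the config posted above.
PROVIDERS = [{"name": "ecr-credential-provider",
              "matchImages": ["*.dkr.ecr.*.amazonaws.com"]}]

# Constructed sample image references (placeholder account ID and regions).
SAMPLES = [
    "111122223333.dkr.ecr.eu-west-1.amazonaws.com/repository/image:1.0",
    "111122223333.dkr.ecr.cn-north-1.amazonaws.com.cn/repository/image",
    "111122223333.dkr.ecr-fips.us-east-1.amazonaws.com/repository/image",
    "docker.io/library/nginx",
]

if __name__ == "__main__":
    for image in SAMPLES:
        print(image, "->", providers_for(image, PROVIDERS) or "no provider")
```

Only the first sample is covered by the single pattern; registries under amazonaws.com.cn or the ecr-fips endpoint would need their own matchImages entries.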