Configure credentials for AWS Elastic Container Registry using registry-creds addon
Overview
The minikube registry-creds addon enables developers to setup credentials for pulling images from AWS ECR from inside their minikube cluster.
The addon automagically refreshes the service account token for the default
service account in the default
namespace.
Prerequisites
- a working minikube cluster
- a container image in AWS ECR that you would like to use
- AWS access keys that can be used to pull the above image
- AWS account number of the account hosting the registry
Configuring and enabling the registry-creds addon
Configure the registry-creds addon
Configure the minikube registry-creds addon with the following command:
Note: In this tutorial, we will focus only on the AWS ECR.
minikube addons configure registry-creds
Follow the prompt and enter y
for AWS ECR. Provide the requested information. It should look like this -
$ minikube addons configure registry-creds
Do you want to enable AWS Elastic Container Registry? [y/n]: y
-- Enter AWS Access Key ID: <put_access_key_here>
-- Enter AWS Secret Access Key: <put_secret_access_key_here>
-- (Optional) Enter AWS Session Token:
-- Enter AWS Region: us-west-2
-- Enter 12 digit AWS Account ID (Comma separated list): <account_number>
-- (Optional) Enter ARN of AWS role to assume:
Do you want to enable Google Container Registry? [y/n]: n
Do you want to enable Docker Registry? [y/n]: n
Do you want to enable Azure Container Registry? [y/n]: n
✅ registry-creds was successfully configured
Enable the registry-creds addon
Enable the minikube registry-creds addon with the following command:
minikube addons enable registry-creds
The add-on will create secrets in each namespace other than kube-system
that can be used for imagePullSecrets
on a pod. It also
updates the default
service account in each namespace to use these imagePullSecrets
, which means any pod created outside
the kube-system
namespace without an explicit service account other than default
will use the image pull secrets automatically.
Create a deployment that uses an image in AWS ECR
This tutorial will use a vanilla alpine image that has been already uploaded into a repository in AWS ECR.
Let’s use this alpine deployment that is setup to use the alpine image from ECR. Make sure you update the image
field with a valid URI.
alpine-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: alpine-deployment
labels:
app: alpine
spec:
replicas: 1
selector:
matchLabels:
app: alpine
template:
metadata:
labels:
app: alpine
spec:
containers:
- name: alpine
image: <<aws_account_number>>.dkr.ecr.<<aws_region>>.amazonaws.com/alpine:latest
command: ['sh', '-c', 'echo Container is Running ; sleep 3600']
Create a file called alpine-deployment.yaml
and paste the contents above. Be sure to replace «aws_account_number» and «aws_region» with your actual account number and aws region. Then create the alpine deployment with the following command:
kubectl apply -f alpine-deployment.yaml
Test your deployment
Describe the pod and verify the image pull was successful:
kubectl describe pods << alpine-deployment-pod-name >>
You should see an event like this:
Successfully pulled image "<<account_number>>.dkr.ecr.<<aws_region>>.amazonaws.com/alpine:latest"
If you do not see that event, look at the troubleshooting section.
Review
In the above tutorial, we configured the registry-creds
addon to refresh the credentials for AWS ECR so that we could pull private container images onto our minikube cluster. We ultimately created a deployment that used an image in a private AWS ECR repository.
Troubleshooting
- Check if you have a secret called
awsecr-cred
in thedefault
namespace by runningkubectl get secrets
. - Check if the image path is valid.
- Check if the registry-creds addon is enabled by using
minikube addons list
. - Check if you have specified
imagePullSecrets
on the workload or related service account if you’re using a custom service account.
Related articles
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.