github.com/sentienttechnologies/studio-go-runner@v0.0.0-20201118202441-6d21f2ced8ee/docs/aws_ecs_images.md

# studio-go-runner AWS ECS offboard registry support

This document contains notes and information that might be of value to administrators who want to pull images from private AWS (ECR) docker image registries.

This document is a work in progress on storing and using AWS secrets and tokens. These techniques are intended for use in walled-garden or fully RBAC-managed Kubernetes clusters.

## Refreshing ECR credentials with a CronJob

When using images from AWS, best practice calls for a private AWS registry. ECR authorization tokens expire, so AWS credentials are used to refresh the token on a regular basis and store it as an image pull secret that the cluster uses when pulling images, for example during upgrades. To do this a Kubernetes CronJob should be created much like the following:

```
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: studioml-go-runner-ecr-env
data:
  SECRET_NAME: studioml-go-docker-key
  EMAIL: karlmutch@gmail.com
  # ConfigMap data values must be strings; an unquoted account number is rejected by the API server.
  AWS_ACCOUNT: "999999999999"
  AWS_DEFAULT_REGION: us-west-2
  # Long-lived access keys kept in a ConfigMap are readable by anyone who can read ConfigMaps
  # in this namespace; a Secret (or an IAM role bound to the job's service account) is preferable.
  AWS_ACCESS_KEY_ID: AnAccessKeyIdThatIsVerySecret
  AWS_SECRET_ACCESS_KEY: "ALongKeyThatIsVerySecret"
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  annotations:
  name: studioml-go-runner-ecr-cred
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - |-
              # `aws ecr get-login` is AWS CLI v1 only; it prints a `docker login -u AWS -p <token> ...`
              # command line and field 6 is the token. CLI v2 replaces it with `aws ecr get-login-password`.
              TOKEN=`aws ecr get-login --region ${AWS_DEFAULT_REGION} --registry-ids ${AWS_ACCOUNT} | cut -d' ' -f6`
              kubectl delete secret --ignore-not-found $SECRET_NAME
              kubectl create secret docker-registry $SECRET_NAME \
                --docker-server=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com \
                --docker-username=AWS \
                --docker-password="${TOKEN}" \
                --docker-email="${EMAIL}"
              kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"'$SECRET_NAME'"}]}'
            image: odaniait/aws-kubectl:latest
            imagePullPolicy: IfNotPresent
            name: studioml-go-runner-ecr-cred
            envFrom:
            - configMapRef:
                name: studioml-go-runner-ecr-env
            resources: {}
            securityContext:
              capabilities: {}
            terminationMessagePath: /dev/termination-log
            terminationMessagePolicy: File
          dnsPolicy: Default
          hostNetwork: true
          restartPolicy: Never
          schedulerName: default-scheduler
          securityContext: {}
          terminationGracePeriodSeconds: 30
  schedule: "0 */6 * * *"
  successfulJobsHistoryLimit: 3
  suspend: false
```

The Deployment specification you use for the runner is then augmented with the following fragments to enable image pull secrets and to refer to your private AWS image repository.

```
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  ...
spec:
  template:
    spec:
      imagePullSecrets:
      - name: studioml-go-docker-key
      containers:
      ...
        image: ${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/leafai/studio-go-runner:${VERSION}
        imagePullPolicy: Always
      ...
```

To add the CronJob and start it immediately, the following commands would be used:

```
kubectl apply -f ...
kubectl create job --from=cronjob/studioml-go-runner-ecr-cred start
```

Copyright © 2019-2020 Cognizant Digital Business, Evolutionary AI. All rights reserved. Issued under the Apache 2.0 license.
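The following is an added example, not code from the studio-go-runner repository: a hardened form of the shell that the CronJob above runs. It assumes the same environment variable names as the ConfigMap (`SECRET_NAME`, `AWS_ACCOUNT`, `AWS_DEFAULT_REGION`) and the AWS CLI v2 command `aws ecr get-login-password` in place of the v1 `get-login` plus `cut`; the function and script names are the example's own.

```shell
#!/bin/sh
# Added example (not from the studio-go-runner repository). Compared with the
# CronJob one-liner above it:
#  - validates AWS_ACCOUNT and AWS_DEFAULT_REGION before they are interpolated
#    into a registry URL,
#  - treats an empty token as an error instead of storing it as the password,
#  - replaces the secret with `kubectl apply` so there is no delete/create
#    window in which pods cannot pull.
set -eu

# Print https://<account>.dkr.ecr.<region>.amazonaws.com, or fail on bad input.
ecr_registry_url() {
  account=$1 region=$2
  printf '%s\n' "$account" | grep -Eq '^[0-9]{12}$' ||
    { echo "invalid AWS account id: $account" >&2; return 1; }
  printf '%s\n' "$region" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$' ||
    { echo "invalid AWS region: $region" >&2; return 1; }
  printf 'https://%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Fetch the ECR password (valid for 12 hours). `aws ecr get-login-password`
# prints the bare token; an empty result is a failure, not a password.
ecr_token() {
  token=$(aws ecr get-login-password --region "$1") || return 1
  [ -n "$token" ] || { echo "empty ECR token for region $1" >&2; return 1; }
  printf '%s\n' "$token"
}

# Render the docker-registry secret with a client-side dry run and apply it,
# then attach it to the default service account. Nothing in the cluster is
# touched until a valid token is in hand.
refresh_pull_secret() {
  : "${SECRET_NAME:?}" "${AWS_ACCOUNT:?}" "${AWS_DEFAULT_REGION:?}"
  server=$(ecr_registry_url "$AWS_ACCOUNT" "$AWS_DEFAULT_REGION") || return 1
  token=$(ecr_token "$AWS_DEFAULT_REGION") || return 1
  kubectl create secret docker-registry "$SECRET_NAME" \
      --docker-server="$server" --docker-username=AWS \
      --docker-password="$token" --dry-run=client -o yaml |
    kubectl apply -f -
  kubectl patch serviceaccount default \
      -p "{\"imagePullSecrets\":[{\"name\":\"$SECRET_NAME\"}]}"
}

# CronJob entry point (hypothetical path), e.g.
#   command: ["/bin/sh", "-c", ". /scripts/ecr-refresh.sh && refresh_pull_secret"]
```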