
I am getting a no basic auth credentials ErrImagePull error when pulling an image hosted on a private ECR registry. I have to my knowledge checked off all the necessary requirements for successful authorization, so I'll list them below in hopes that someone might suggest something I missed.

  • aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin redacted.dkr.ecr.eu-west-2.amazonaws.com is successful

  • I can successfully run the image through a docker pull and docker run, meaning my account has privileges to pull the image

  • I have created a separate namespace called client-ns

  • I have created a regcred with this command:

    kubectl create secret docker-registry regcred \
      --docker-server=redacted.dkr.ecr.eu-west-2.amazonaws.com \
      --docker-username=AWS \
      --docker-password=$(aws ecr get-login-password) \
      --namespace=client-ns

  • In my manifest.yml I have added the variables:

    imagePullSecrets:
    - name: regcred

  • I have inspected the secrets and double checked that they match using the commands below:

    aws ecr get-login-password

    kubectl get secret regcred --namespace=client-ns --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode

Despite all these steps I still get the error. Any ideas what could be causing this? Below are the events of the pod:

Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  45s                default-scheduler  Successfully assigned client-ns/client-deployment-8567f459b8-9j25j to minikube
  Normal   BackOff    17s (x3 over 43s)  kubelet            Back-off pulling image "redacted.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1"
  Warning  Failed     17s (x3 over 43s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    5s (x3 over 44s)   kubelet            Pulling image "redacted.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1"
  Warning  Failed     5s (x3 over 44s)   kubelet            Failed to pull image "redacted.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1": rpc error: code = Unknown desc = Error response from daemon: Head "https://redacted.dkr.ecr.eu-west-2.amazonaws.com/v2/client/manifests/v1.0.1": no basic auth credentials
  Warning  Failed     5s (x3 over 44s)   kubelet            Error: ErrImagePull

Edit: Below is my deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: client-deployment 
  namespace: client-ns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client-app
  template:
    metadata:
      labels:
        app: client-app
    spec:
      containers:
      - name: client-app 
        image: redacted.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1
        imagePullPolicy: Always
        ports:
          - containerPort: 50054
            name: eds-app
        securityContext:
          runAsUser: 20000
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        resources:
          requests:
            memory: "64Mi"
            cpu: "100m"
            ephemeral-storage: "5Mi"
          limits:
            memory: "128Mi"
            cpu: "200m"
            ephemeral-storage: "10Mi"
        volumeMounts:
        - name: env-file
          mountPath: /client/build/default.env
          subPath: default.env
        - name: csv-file
          mountPath: /client/csv/customers.csv
          subPath: customers.csv
      volumes:
      - name: env-file
        hostPath:
          path: /home/nocnoc/Documents/redacted/github/client/build/default.env
      - name: csv-file
        hostPath:
          path: /home/nocnoc/Documents/redacted/github/client/csv/customers.csv
      imagePullSecrets:
      - name: regcred
nocnoc
    Can you add the deployment yml file to the question? – SuleymanSah May 05 '23 at 13:46
  • @SuleymanSah Added the manifest at the bottom – nocnoc May 05 '23 at 13:52
  • 1
    Can you try this answer? https://stackoverflow.com/a/60440134/11717458 – SuleymanSah May 05 '23 at 13:56
  • @SuleymanSah As far as I can see I have it set up in the same way, unless you're suggesting the order that imagePullSecrets is placed in is important? – nocnoc May 05 '23 at 14:10
  • 1
    Maybe the order matters, can you try? – SuleymanSah May 05 '23 at 14:11
  • @SuleymanSah Just tried it, same error unfortunately... – nocnoc May 05 '23 at 14:25
  • 1
    OK, do you see the secret when you run `kubectl get secrets -n client-ns`? – SuleymanSah May 05 '23 at 14:28
  • @SuleymanSah yes regcred is there in the namespace – nocnoc May 05 '23 at 14:29
  • 1
    Is the image correct? Can you add the screenshot of the Image in the ecr? – SuleymanSah May 05 '23 at 14:36
  • @SuleymanSah I can't view the image in my company's ecr, but I can successfully run it through `docker pull` and `docker run` – nocnoc May 05 '23 at 14:38
  • 1
    If you can access the ecr with aws cli, can you try to get the ecr repository and image info with these commands? `aws ecr describe-repositories` and then `aws ecr describe-images --repository-name RELATED_REPO` – SuleymanSah May 05 '23 at 14:47
  • @SuleymanSah the first command returns an empty value to the key "repositories". What does this mean? – nocnoc May 05 '23 at 14:59
  • 1
    Amazon ECR repository URLs seem to start with the account ID, but in your image it starts with redacted. Please be sure that your repo URL is correct. It should be something like this: `yourAccountId.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1` – SuleymanSah May 05 '23 at 16:54
  • @SuleymanSah I think you've figured the issue out. My aws id doesn't match with the docker pull endpoint my coworker gave me. This would explain why the docker pull works but the kubernetes pull didn't and why the repositories were empty – nocnoc May 05 '23 at 17:36
  • 1
    Yes, that may be the reason why `aws ecr describe-repositories` returned an empty list. – SuleymanSah May 05 '23 at 17:56
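
A diagnostic for the two failure modes discussed in this thread, added here as an example and not code from the question, the answer or any project mentioned. It decodes a `kubernetes.io/dockerconfigjson` secret the way the `kubectl get secret ... | base64 --decode` check in the question does, then verifies that the registry host the secret was created for is the host the manifest's `image:` field actually pulls from, and that an ECR host has the `<account id>.dkr.ecr.<region>.amazonaws.com` shape pointed out in the comments. The secret payload, the hostnames and the token below are constructed placeholders.

```python
"""Cross-check a Kubernetes imagePullSecret against the image reference it is
meant to authenticate, the check a practitioner wants after the kubelet reports
"no basic auth credentials".

Added example, not code from the original question or answer. The secret,
hostnames and token are constructed inline as placeholders."""
import base64
import json
import re

# Amazon ECR registry hosts are <12-digit account id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")


def registry_host(image_ref: str) -> str:
    """Registry host of an image reference, using Docker's rule: the first path
    component is a host only if it contains '.' or ':' or is 'localhost';
    otherwise the image lives on docker.io."""
    first, sep, _rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def secret_hosts(dockerconfigjson_b64: str) -> list[str]:
    """Decode the base64 .dockerconfigjson payload of a
    kubernetes.io/dockerconfigjson secret and list the registry hosts it
    carries credentials for."""
    cfg = json.loads(base64.b64decode(dockerconfigjson_b64))
    hosts = []
    for key in cfg.get("auths", {}):
        # Keys may be URLs such as "https://index.docker.io/v1/"; keep the host only.
        hosts.append(re.sub(r"^https?://", "", key).split("/")[0])
    return hosts


def diagnose(image_ref: str, dockerconfigjson_b64: str) -> list[str]:
    """Findings about why a pull with this secret may fail; empty means consistent."""
    findings = []
    host = registry_host(image_ref)
    hosts = secret_hosts(dockerconfigjson_b64)
    if host not in hosts:
        findings.append(f"secret holds credentials for {hosts}, but the image is pulled from {host}")
    if host.endswith(".amazonaws.com") and not ECR_HOST_RE.match(host):
        findings.append(f"{host} is not a well-formed ECR endpoint "
                        "(expected <12-digit account id>.dkr.ecr.<region>.amazonaws.com)")
    return findings


def make_dockerconfigjson(server: str, username: str, password: str) -> str:
    """Build a base64 .dockerconfigjson payload with the same structure
    `kubectl create secret docker-registry` produces (auth = base64(user:pass))."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return base64.b64encode(json.dumps(cfg).encode()).decode()


# Constructed sample: the secret was created for one registry host while the
# manifest references another, and the other host lacks the ECR account-id prefix.
SECRET_B64 = make_dockerconfigjson(
    "123456789012.dkr.ecr.eu-west-2.amazonaws.com", "AWS", "constructed-token")
MISMATCHED_IMAGE = "redacted.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1"
MATCHING_IMAGE = "123456789012.dkr.ecr.eu-west-2.amazonaws.com/client:v1.0.1"

if __name__ == "__main__":
    for ref in (MISMATCHED_IMAGE, MATCHING_IMAGE):
        print(ref, "->", diagnose(ref, SECRET_B64) or ["ok"])
```

To run it against a real namespace, pass the raw value of `kubectl get secret regcred -n client-ns -o jsonpath='{.data.\.dockerconfigjson}'` (still base64-encoded) together with the `image:` from the manifest to `diagnose()`. One caveat the thread does not mention: the token that `aws ecr get-login-password` returns is valid for 12 hours, so a secret that passes this check today still has to be refreshed before the next day's pulls.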

1 Answer

I had exactly the same problem on my bare-metal k8s 1.27 cluster (1 control plane, 8 workers, containerd runtime, Cilium CNI). The problem was an RBAC control on secrets; I got the error Unknown desc = Error response from daemon: Head "……": no basic auth credentials.
The deployment was:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: netshell
  namespace: sandbox
  labels:
    app: echo-on-port-8000
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo-on-port-8000
  strategy: {}
  template:
    metadata:
      labels:
        app: echo-on-port-8000
    spec:
      containers:
        - name: netshell
          image: aregistry.example.org/net/net-tools:latest
          imagePullPolicy: Always
          command: ["/bin/sh"]
          args: ["-c", "cd ~/ && touch file.txt && mknod -m 777 fifo p && cat fifo | netcat -k -l 8000 > fifo && sleep infinity"]
          ports:
            - containerPort: 8000
          resources:
            limits:
              cpu: 250m
              memory: "536870912"
      restartPolicy: Always
      imagePullSecrets:
        - name: local-registry-credential
status: {}

I solved it by adding the get, watch, list capabilities on secrets.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: sandbox
  name: secret-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]  # grants read access to secrets in this namespace only
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-reader
  namespace: sandbox
subjects:
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: sandbox
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
---
Albert Tinon