serving: The Knative Serving controller can not access the same set of private registries as the K8s cluster
Expected Behavior
The Knative Serving controller is able to access the same set of private registries as the K8s cluster.
Actual Behavior
The Knative Serving Controller fails to authenticate itself to the same private registries as the K8s cluster.
Steps to Reproduce the Problem
An example would be a Kops cluster that is able to access a private AWS ECR registry, while the Knative Serving controller can not.
A high-level set of steps to reproduce the issue is provided below:
- Create a Kops cluster that is able to access a private ECR registry
- Observe that creating a Pod directly in the cluster that references an image in the private ECR registry successfully pulls the image
- Observe that the Knative Serving controller will fail to access the image at this point with an error
unsupported status code 401; body: Not Authorized
The difference in behavior is due to Kops setting the --cloud-provider flag, which is not set for the Knative Serving controller, when executing: https://github.com/kubernetes/kubernetes/blob/36877dafe40495cb43994464e2427355f99042c7/pkg/credentialprovider/aws/aws_credentials.go#L158
Additional Info
Possible solutions:
- The Knative Serving controller could create a pod in the target namespace and then query the pod status (e.g. .status.containerStatuses[0].imageID) to extract the digest. This would effectively delegate the image pull to the K8s cluster. An example pod spec is provided below:
apiVersion: v1
kind: Pod
metadata:
  # {target_image_address} is a placeholder for the image reference being resolved
  name: knative-resolver-{target_image_address}
spec:
  containers:
  - name: knative-resolver-{target_image_address}
    # Always pull so the reported imageID reflects the registry's current digest
    imagePullPolicy: Always
    args: []
    command: []
    image: {target_image_address}
- The Knative Serving controller image could provide a mechanism to supply Docker credentials helpers at a known path. This would make it possible to use, for example, the ECR credential helper.
Workarounds
- Specify the digest in the image address, which prevents the controller from attempting to resolve the tag to a digest: https://github.com/knative/serving/blob/b707183d8355544c3cd8e841923eb08ccb91ceba/pkg/reconciler/v1alpha1/revision/resolve.go#L52
- Configure the registry in registriesToSkip for the controller
The above stated workarounds both lose the tag-to-digest resolution functionality.
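As an added example (not code from the Knative project), the Python helpers below cover the three pieces of logic this issue touches: whether an image reference would still be sent for tag-to-digest resolution under the two workarounds, a valid pod name for the proposed resolver pod (pod names cannot contain "/", ":" or "@"), and pinning a reference from the digest the kubelet reports in .status.containerStatuses[0].imageID. The image references and imageID strings are constructed samples; the docker-pullable://repo@sha256:... form is what the Docker runtime reports.

```python
import re

# Digest suffix as it appears in a pinned reference or in a Pod's imageID
_DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def registry_of(image):
    """Registry host of an image reference, defaulting to docker.io as the
    Docker reference grammar does (first path component is a registry only
    if it contains '.' or ':' or is 'localhost')."""
    first = image.split("/", 1)[0]
    if "/" not in image or ("." not in first and ":" not in first
                            and first != "localhost"):
        return "docker.io"
    return first


def needs_resolution(image, registries_to_skip=()):
    """True when the controller would try to resolve the tag to a digest.
    A reference that already carries @sha256 (workaround 1) or whose registry
    is listed in registriesToSkip (workaround 2) is left untouched."""
    if _DIGEST_RE.search(image):
        return False
    return registry_of(image) not in set(registries_to_skip)


def resolver_pod_name(image):
    """DNS-1123 label for the knative-resolver-{target_image_address} pod
    from the proposed spec: lower-case, only [a-z0-9-], at most 63 chars."""
    label = "knative-resolver-" + re.sub(r"[^a-z0-9-]+", "-", image.lower())
    return label.strip("-")[:63].rstrip("-")


def pin_from_image_id(image, image_id):
    """Rewrite `image` to an @sha256 reference using the digest reported in
    the resolver pod's imageID. An imageID of the form docker://sha256:...
    (no '@') means the runtime has no registry digest, so we refuse to pin."""
    m = _DIGEST_RE.search(image_id)
    if m is None:
        raise ValueError("no pullable digest in imageID: %r" % image_id)
    # Drop the tag from the last path component only, so a registry port
    # such as localhost:5000 survives.
    name, sep, last = image.rpartition("/")
    if ":" in last:
        last = last.split(":", 1)[0]
    return name + sep + last + "@" + m.group(1)
```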
About this issue
- State: closed
- Created 6 years ago
- Comments: 26 (17 by maintainers)
Commits related to this issue
- Ditch ECR for DockerHub. Full ECR support is blocked by https://github.com/knative/serving/issues/1996 — committed to projectriff/fats by scothis 5 years ago
- EKS cluster (and almost ECR registry) support (#91). EKS support is limited to k8s 1.10. Full ECR support is blocked by https://github.com/knative/serving/issues/1996 — committed to projectriff/fats by scothis 5 years ago
I am curious to see who else faces this issue?
https://github.com/knative/build/issues/3
Since it seems that we can push to an in-cluster repo but serving cannot pull