registry.k8s.io: Serve container image layers from AWS by default (make exception when clients are from Google)

Our current logic is to default to Google for traffic not from AWS. We should update the logic to default to AWS if not Google.

This will directly address our top two priorities from our meeting last week.

  • -1 : GCP spend HAS to go down (So we stay within budget and make room for other things we need the $$'s for)
  • 0 : AWS spend HAS to go up (If we don’t use it, we will end up not getting more)

Our main logic for handling redirects is here: https://github.com/kubernetes/registry.k8s.io/blob/main/cmd/archeio/app/handlers.go#L123-L131

		// check if client is known to be coming from an AWS region
		awsRegion, ipIsKnown := regionMapper.GetIP(clientIP)
		if !ipIsKnown {
			// no region match, redirect to main upstream registry
			redirectURL := upstreamRedirectURL(rc, rPath)
			klog.V(2).InfoS("redirecting blob request to upstream registry", "path", rPath, "redirect", redirectURL)
			http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
			return
		}

I’m suggesting the following or similar:

	// initialize map of clientIP to GCP region
	regionMapper := gcp.NewGCPRegionMapper()
	// ... snip ...
		// check if client is known to be coming from a GCP region
		gcpRegion, ipIsKnown := regionMapper.GetIP(clientIP)
		if !ipIsKnown {
			// no region match at GCP, redirect to main upstream registry
			redirectURL := upstreamRedirectURL(rc, rPath)
			klog.V(2).InfoS("redirecting blob request to upstream registry", "path", rPath, "redirect", redirectURL)
			http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
			return
		}

We will need to create a net/cidrs/gcp similar to main/pkg/net/cidrs/aws

It should be nearly the same code, with minor changes to main/pkg/net/cidrs/aws/internal/ranges2go/genrawdata.sh

Swapping out the AWS ranges with GCP ranges:

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 22 (15 by maintainers)
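The issue above proposes two pieces of work: a net/cidrs/gcp package that turns Google's published IP ranges into a clientIP-to-region lookup, and a flip of the handler's default so that only clients inside a known GCP range are sent to Artifact Registry and everyone else goes to S3. The block below is an added example that sketches both ends of that in one place; it is not code from registry.k8s.io. The `gcpCloudJSON` struct follows the field names of Google's cloud.json feed (`ipv4Prefix`, `ipv6Prefix`, `scope`), but the prefixes in `sampleCloudJSON` are constructed from documentation ranges and are not real Google ranges; the `regionMapper` type, `newRegionMapper`, `blobRedirect`, `handler` and the two `.example` hostnames are hypothetical stand-ins for the project's own mapper, upstream and bucket URLs. The client address is read from `r.RemoteAddr`, which behind a load balancer is the proxy's address; a real deployment has to take the client address from a header set by the trusted proxy, otherwise every request is classified as if it came from the proxy. Because both targets are the project's own mirrors, a wrong classification only shifts cost and latency between clouds, which is exactly the budget concern the issue is about.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
)

// gcpCloudJSON mirrors the fields of https://www.gstatic.com/ipranges/cloud.json
// that a region mapper needs. Only these three fields are decoded.
type gcpCloudJSON struct {
	Prefixes []struct {
		IPv4Prefix string `json:"ipv4Prefix"`
		IPv6Prefix string `json:"ipv6Prefix"`
		Scope      string `json:"scope"`
	} `json:"prefixes"`
}

// sampleCloudJSON is a constructed stand-in for the real feed: the prefixes are
// RFC 5737 / RFC 3849 documentation ranges, not Google's actual address space.
const sampleCloudJSON = `{"prefixes":[
  {"ipv4Prefix":"198.51.100.0/24","scope":"us-west2"},
  {"ipv6Prefix":"2001:db8::/32","scope":"europe-west1"}
]}`

// regionMapper is a hypothetical stand-in for a net/cidrs/gcp package:
// a linear CIDR table mapping a client IP to the GCP region ("scope") it belongs to.
type regionMapper struct {
	nets    []*net.IPNet
	regions []string
}

// newRegionMapper parses a cloud.json document into the lookup table.
func newRegionMapper(raw []byte) (*regionMapper, error) {
	var doc gcpCloudJSON
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	m := &regionMapper{}
	for _, p := range doc.Prefixes {
		cidr := p.IPv4Prefix
		if cidr == "" {
			cidr = p.IPv6Prefix
		}
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, fmt.Errorf("bad prefix %q: %w", cidr, err)
		}
		m.nets = append(m.nets, n)
		m.regions = append(m.regions, p.Scope)
	}
	return m, nil
}

// GetIP returns the GCP region and true if ip is inside a known prefix.
func (m *regionMapper) GetIP(ip net.IP) (string, bool) {
	for i, n := range m.nets {
		if n.Contains(ip) {
			return m.regions[i], true
		}
	}
	return "", false
}

// blobRedirect is the flipped default the issue asks for: known GCP clients go
// to the Artifact Registry upstream, everyone else to S3. Hostnames are placeholders.
func blobRedirect(m *regionMapper, clientIP net.IP, path string) string {
	if _, isGCP := m.GetIP(clientIP); isGCP {
		return "https://gcp-upstream.example" + path
	}
	return "https://s3-default.example" + path
}

// handler wires the decision into an HTTP redirect. RemoteAddr is the peer
// address; behind a proxy the trusted forwarded address must be used instead.
func handler(m *regionMapper) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil {
			http.Error(w, "cannot determine client address", http.StatusBadRequest)
			return
		}
		http.Redirect(w, r, blobRedirect(m, ip, r.URL.Path), http.StatusTemporaryRedirect)
	})
}

func main() {
	m, err := newRegionMapper([]byte(sampleCloudJSON))
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"198.51.100.7", "203.0.113.5", "2001:db8::1"} {
		fmt.Println(s, "->", blobRedirect(m, net.ParseIP(s), "/v2/blobs/sha256:abc"))
	}
}
```

The linear scan is fine for a demonstration; the real range files contain thousands of prefixes, so a production mapper wants a trie or a sorted table, which is the kind of thing the existing aws package's generated data already provides.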

Most upvoted comments

AFAICT the simple per-cloud-run-region regionalizing approach is working well, based on logs etc.

For example pulling from the California Bay area, I am redirected to GCP us-west2 Artifact Registry (Los Angeles) and AWS us-west1 S3 bucket (N. California).

We can revisit cloudfront later, but I don’t think we need to rush.

We might want to consider adding more S3 regions, notably South America where we have cloud run / artifact registry but no AWS presence https://github.com/kubernetes/k8s.io/pull/4739#discussion_r1100671677