Merge pull request #17545 from hakman/automated-cherry-pick-of-#16593-upstream-release-1.33

Automated cherry pick of #16593: Add support for using ECR as pull-through image cache

Author: k8s-ci-robot

docs/iam_roles.md

@@ -34,6 +34,10 @@ The additional permissions are:
     "ecr:GetAuthorizationToken",
     "ecr:GetDownloadUrlForLayer",
     "ecr:GetRepositoryPolicy",
+    "ecr:ReplicateImage",
+    "ecr:BatchImportUpstreamImage",
+    "ecr:CreateRepository",
+    "ecr:TagResource",
     "ecr:ListImages"
   ],
   "Resource": [

k8s/crds/kops.k8s.io_clusters.yaml

@@ -1002,6 +1002,10 @@ spec:
                     description: State directory for execution state files (default
                       "/run/containerd").
                     type: string
+                  useECRCredentialsForMirrors:
+                    description: Enables Kubelet ECR Credential helper to pass credentials
+                      to containerd mirrors, to use ECR as a pull-through cache
+                    type: boolean
                   version:
                     description: Version used to pick the containerd package.
                     type: string

k8s/crds/kops.k8s.io_instancegroups.yaml

@@ -238,6 +238,10 @@ spec:
                     description: State directory for execution state files (default
                       "/run/containerd").
                     type: string
+                  useECRCredentialsForMirrors:
+                    description: Enables Kubelet ECR Credential helper to pass credentials
+                      to containerd mirrors, to use ECR as a pull-through cache
+                    type: boolean
                   version:
                     description: Version used to pick the containerd package.
                     type: string

nodeup/pkg/model/kubelet.go

@@ -26,12 +26,15 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+	"time"
 
 	awsconfig "github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
+
 	"k8s.io/klog/v2"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
@@ -41,6 +44,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 	"k8s.io/kops/util/pkg/distributions"
+	kubeletv1 "k8s.io/kubelet/config/v1"
 	kubelet "k8s.io/kubelet/config/v1beta1"
 )
 
@@ -467,25 +471,65 @@ func (b *KubeletBuilder) addECRCredentialProvider(c *fi.NodeupModelBuilderContex
 	}
 
 	{
-		configContent := `apiVersion: kubelet.config.k8s.io/v1
-kind: CredentialProviderConfig
-providers:
-  - name: ecr-credential-provider
-    matchImages:
-      - "*.dkr.ecr.*.amazonaws.com"
-      - "*.dkr.ecr.*.amazonaws.com.cn"
-      - "*.dkr.ecr-fips.*.amazonaws.com"
-      - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
-      - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
-    defaultCacheDuration: "12h"
-    apiVersion: credentialprovider.kubelet.k8s.io/v1
-    args:
-      - get-credentials
-`
+
+		providerConfig := &kubeletv1.CredentialProviderConfig{}
+
+		// Build the list of container registry globs to match
+		registryList := []string{
+			"*.dkr.ecr.*.amazonaws.com",
+			"*.dkr.ecr.*.amazonaws.com.cn",
+			"*.dkr.ecr-fips.*.amazonaws.com",
+			"*.dkr.ecr.us-iso-east-1.c2s.ic.gov",
+		}
+
+		containerd := b.NodeupConfig.ContainerdConfig
+		if containerd.UseECRCredentialsForMirrors {
+			for name := range containerd.RegistryMirrors {
+				registryList = append(registryList, name)
+			}
+		}
+
+		cacheDuration, err := time.ParseDuration("12h")
+		if err != nil {
+			return err
+		}
+
+		providerConfig.Providers = []kubeletv1.CredentialProvider{
+			{
+				APIVersion:           "credentialprovider.kubelet.k8s.io/v1",
+				Name:                 "ecr-credential-provider",
+				MatchImages:          registryList,
+				DefaultCacheDuration: &v1.Duration{Duration: cacheDuration},
+				Args:                 []string{"get-credentials"},
+				Env: []kubeletv1.ExecEnvVar{
+					{
+						Name:  "AWS_REGION",
+						Value: b.Cloud.Region(),
+					},
+				},
+			},
+		}
+
+		sch := runtime.NewScheme()
+		if err := kubeletv1.AddToScheme(sch); err != nil {
+			return err
+		}
+
+		gv := kubeletv1.SchemeGroupVersion
+		codecFactory := serializer.NewCodecFactory(sch)
+		info, ok := runtime.SerializerInfoForMediaType(codecFactory.SupportedMediaTypes(), "application/yaml")
+		if !ok {
+			return fmt.Errorf("failed to find serializer")
+		}
+		encoder := codecFactory.EncoderForVersion(info.Serializer, gv)
+		var w bytes.Buffer
+		if err := encoder.Encode(providerConfig, &w); err != nil {
+			return err
+		}
 
 		t := &nodetasks.File{
 			Path:     credentialProviderConfigFilePath,
-			Contents: fi.NewStringResource(configContent),
+			Contents: fi.NewBytesResource(w.Bytes()),
 			Type:     nodetasks.FileType_File,
 			Mode:     s("0644"),
 		}

pkg/apis/kops/containerdconfig.go

@@ -54,6 +54,8 @@ type ContainerdConfig struct {
 	SeLinuxEnabled bool `json:"selinuxEnabled,omitempty"`
 	// NRI configures the Node Resource Interface.
 	NRI *NRIConfig `json:"nri,omitempty"`
+	// Enables Kubelet ECR Credential helper to pass credentials to containerd mirrors, to use ECR as a pull-through cache
+	UseECRCredentialsForMirrors bool `json:"useECRCredentialsForMirrors,omitempty"`
 }
 
 type NRIConfig struct {

pkg/apis/kops/v1alpha2/containerdconfig.go

@@ -51,6 +51,8 @@ type ContainerdConfig struct {
 	SeLinuxEnabled bool `json:"selinuxEnabled,omitempty"`
 	// NRI configures the Node Resource Interface.
 	NRI *NRIConfig `json:"nri,omitempty"`
+	// Enables Kubelet ECR Credential helper to pass credentials to containerd mirrors, to use ECR as a pull-through cache
+	UseECRCredentialsForMirrors bool `json:"useECRCredentialsForMirrors,omitempty"`
 }
 
 type NRIConfig struct {

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -51,6 +51,8 @@ type ContainerdConfig struct {
 	SeLinuxEnabled bool `json:"selinuxEnabled,omitempty"`
 	// NRI configures the Node Resource Interface.
 	NRI *NRIConfig `json:"nri,omitempty"`
+	// Enables Kubelet ECR Credential helper to pass credentials to containerd mirrors, to use ECR as a pull-through cache
+	UseECRCredentialsForMirrors bool `json:"useECRCredentialsForMirrors,omitempty"`
 }
 
 type NRIConfig struct {

pkg/apis/kops/v1alpha3/containerdconfig.go

@@ -362,6 +362,10 @@ func (r *NodeRoleAPIServer) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addECRPermissions(p)
 	}
 
+	if b.Cluster.Spec.Containerd != nil && b.Cluster.Spec.Containerd.UseECRCredentialsForMirrors {
+		addECRPullThroughPermissions(p)
+	}
+
 	if b.Cluster.Spec.Networking.AmazonVPC != nil {
 		addAmazonVPCCNIPermissions(p)
 	}
@@ -430,6 +434,10 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addECRPermissions(p)
 	}
 
+	if b.Cluster.Spec.Containerd != nil && b.Cluster.Spec.Containerd.UseECRCredentialsForMirrors {
+		addECRPullThroughPermissions(p)
+	}
+
 	if b.Cluster.Spec.Networking.AmazonVPC != nil {
 		addAmazonVPCCNIPermissions(p)
 	}
@@ -465,6 +473,10 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addECRPermissions(p)
 	}
 
+	if b.Cluster.Spec.Containerd != nil && b.Cluster.Spec.Containerd.UseECRCredentialsForMirrors {
+		addECRPullThroughPermissions(p)
+	}
+
 	if b.Cluster.Spec.Networking.AmazonVPC != nil {
 		addAmazonVPCCNIPermissions(p)
 	}
@@ -776,6 +788,17 @@ func addECRPermissions(p *Policy) {
 	)
 }
 
+func addECRPullThroughPermissions(p *Policy) {
+	// Permissions needed for ECR pull-through cache functionality
+	// These permissions are only needed when UseECRCredentialsForMirrors is enabled
+	p.unconditionalAction.Insert(
+		"ecr:ReplicateImage",
+		"ecr:BatchImportUpstreamImage",
+		"ecr:CreateRepository",
+		"ecr:TagResource",
+	)
+}
+
 func addCalicoSrcDstCheckPermissions(p *Policy) {
 	p.unconditionalAction.Insert(
 		"ec2:DescribeInstances",