harden pull-sandbox-image script #1649
Conversation
ndbaker1
changed the title
|
built on top of #1648 and #1646 |
files/pull-sandbox-image.sh
Outdated
| # see: https://github.com/awslabs/amazon-eks-ami/blob/baef6f0860f60dbec366de30853e47418e3fb430/files/bootstrap.sh#L320-L338 | ||
| # if the image is customer provided, then this is just a sane default for the | ||
| # region when attempting to get ecr credentials. | ||
| region=$(imds 'latest/dynamic/instance-identity/document' | jq .region -r) |
There was a problem hiding this comment.
one problem here is ... if the sandbox_image is specified from another region ( different from where the node is running in :( )
There was a problem hiding this comment.
could we check if the echo/cut version (from the sandbox_image) is present in aws account list-regions? and skip if not?
There was a problem hiding this comment.
oh but this would require new permissions on the role 😖
There was a problem hiding this comment.
are there docs stating required naming conventions of ecr registries? I'm not 100% sure what i can/can't check for
There was a problem hiding this comment.
if the sandbox_image is specified from another region
but this is only for user provided images right (based on the assumptions for the eks generated uri), which I'm not sure had a solution even prior to this 🤔
There was a problem hiding this comment.
then we can let it slide and leave it to the imds variation. (cross fingers!)
There was a problem hiding this comment.
I'm hesitant to touch this in this PR. Cutting the region out of the image reference has its caveats, for sure; but that logic has been in prod for over a year and it's proven solid. I think we should consider this change in a separate PR, since this one is mostly for mitigation
There was a problem hiding this comment.
that logic has been in prod for over a year and it's proven solid.
This logic has existed yes (https://github.com/awslabs/amazon-eks-ami/blame/master/files/pull-image.sh#L4), but its only been used in context where the image source was already known and decided by us right?
The only prior usage i know of is in
amazon-eks-ami/scripts/install-worker.sh
Line 484 in baef6f0
There was a problem hiding this comment.
pull-sandbox-image.sh used to call pull-image.sh instead of using crictl: 7fa037a#diff-57a6aadbbb1d3df65f4675ae80c562f7e406bcb11e41f6afb974043a2ede0aa0L11
There was a problem hiding this comment.
🤦 that escaped my mind (and my github searches)
yea i think pulling it out makes sense then since it won't break the expectation beyond whats already changed in last commit
|
/ci launch |
|
@cartermckinnon roger that! I've dispatched a workflow. 👍 |
|
@cartermckinnon the workflow that you requested has completed. 🎉
|
Issue #, if available:
Description of changes:
pipefailso that authentication errors don't fast fail the workflow since it is ok if the ecr call fails.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Testing Done
an empty credential pull for public repositories:
in the case where a region is malformed or incorrect, this will still succeed for a public image:
existing ecr uris:
See this guide for recommended testing for PRs. Some tests may not apply. Completing tests and providing additional validation steps are not required, but it is recommended and may reduce review time and time to merge.