Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check for ecr-fips endpoint availability - VPC Endpoint #1984

Open
jeremymcgee73 opened this issue Oct 1, 2024 · 2 comments
Open

Check for ecr-fips endpoint availability - VPC Endpoint #1984

jeremymcgee73 opened this issue Oct 1, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@jeremymcgee73
Copy link

What happened:
There is a bug when you have enabled FIPS on the image, in a region with FIPS endpoints, and have VPC endpoints enabled. The issue is that the check implemented in #1524 , checks to see if the FIPS endpoint resolves. In an isolated environment, the endpoint does resolve. But, there is not a FIPS enabled ECR VPC endpoint available.

Error:

[   68.459399] cloud-init[1077]: E1001 16:45:44.492873    1141 remote_image.go:135] PullImage "013241004608.dkr.ecr-fips.us-gov-west-1.amazonaws.com/eks/pause:3.5" from image service failed: rpc error: code = DeadlineExceeded desc = failed to pull and unpack image "013241004608.dkr.ecr-fips.us-gov-west-1.amazonaws.com/eks/pause:3.5": failed to resolve reference "013241004608.dkr.ecr-fips.us-gov-west-1.amazonaws.com/eks/pause:3.5": failed to do request: Head "https://013241004608.dkr.ecr-fips.us-gov-west-1.amazonaws.com/v2/eks/pause/manifests/3.5": dial tcp 52.222.42.110:443: i/o timeout

What you expected to happen:
Instead of checking for if the FIPS endpoint resolves, check for connectivity.

https://github.com/Issacwww/amazon-eks-ami/blob/9ef1b17cc4b250496096d89fd8ec3c1b129943bd/nodeadm/internal/aws/ecr/ecr.go#L53

How to reproduce it (as minimally and precisely as possible):

Environment:

  • AWS Region: us-gov-west-
  • Instance Type(s):
  • Cluster Kubernetes version:
  • Node Kubernetes version:
  • AMI Version:
@jeremymcgee73 jeremymcgee73 added the bug Something isn't working label Oct 1, 2024
@jeremymcgee73
Copy link
Author

This issue was only happening on RHEL. You can close if this isn't applicable.

@cartermckinnon
Copy link
Member

Sounds legit to me, feel free to open a PR 👍

@jeremymcgee73 jeremymcgee73 mentioned this issue Oct 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cartermckinnon @jeremymcgee73