Forem: Marco Ferraioli The latest articles on Forem by Marco Ferraioli (@paranoiasystem). https://forem.com/paranoiasystem https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F94936%2Fac9fc731-6d97-4d0b-87a8-cc90446d0baa.jpeg Forem: Marco Ferraioli https://forem.com/paranoiasystem en Automatic Management of AWS ECR Credentials in a Kubernetes Cluster Marco Ferraioli Wed, 21 Jun 2023 11:55:00 +0000 https://forem.com/paranoiasystem/automatic-management-of-aws-ecr-credentials-in-a-kubernetes-cluster-2pgn https://forem.com/paranoiasystem/automatic-management-of-aws-ecr-credentials-in-a-kubernetes-cluster-2pgn <p>In the course of my work with <strong><em>AWS ECR (Elastic Container Registry)</em></strong>, I ran into a problem: The repository access key expires every six hours. Working with a non-AWS Kubernetes test cluster, I had to constantly update these credentials manually, a repetitive and tedious process.</p> <p>From this experience came the idea to create a tool that automated this process: <strong><em><a href="https://github.com/paranoiasystem/k8s-aws-ecr-secret-updater">k8s-aws-ecr-secret-updater</a></em></strong>. This tool is a Kubernetes cronjob, designed to automatically update the AWS ECR repository access credentials.</p> <h2> Cronjob Configuration </h2> <p>The YAML code to create the cronjob consists of several parts, which I will now analyze piece by piece:</p> <h3> A Role that has permission to get, create, and delete secrets and get and update ServiceAccounts. </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">delete"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">serviceaccounts"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">]</span> </code></pre> </div> <p>A key component of this configuration is the <strong><em>k8sawsecrsecretupdater</em></strong> role. This role is fundamental for authorization within the Kubernetes namespace, allowing the cronjob to perform specific operations on certain resources.</p> <p>In particular, the <strong><em>k8sawsecrsecretupdater</em></strong> role has the following permissions:</p> <ol> <li>It has permissions to get (<strong><em>get</em></strong>), create (<strong><em>create</em></strong>), and delete (<strong><em>delete</em></strong>) <strong><em>Secrets</em></strong>. This is crucial because the cronjob needs to be able to create and delete AWS ECR credentials, which are stored as secrets in Kubernetes.</li> <li>It has permissions to get (<strong><em>get</em></strong>) and update (<strong><em>patch</em></strong>) <strong><em>ServiceAccounts</em></strong>. The cronjob needs to be able to manage service accounts in order to associate the AWS ECR credentials with the service that runs the cronjob.</li> </ol> <p>Creating a specific role for these operations ensures that the cronjob has exactly the permissions it needs to do its job, without granting it access to unnecessary resources. This approach is in line with the principle of least privilege, a common security practice that limits access to resources only to what is strictly necessary to perform a specific task. This helps to minimize the potential impact of a possible attack.</p> <h3> ServiceAccount to be used by the job and cronjob. </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> </code></pre> </div> <h3> RoleBinding to associate the Role with the ServiceAccount. </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <h3> Job that creates the secret. </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Job</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">backoffLimit</span><span class="pi">:</span> <span class="m">4</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/paranoiasystem/k8s-aws-ecr-secret-updater:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ACCOUNT</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">YourAwsAccountID'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ACCESS_KEY_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s">YourAccessKeyID</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_SECRET_ACCESS_KEY</span> <span class="na">value</span><span class="pi">:</span> <span class="s">YourSecretAccessKey</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s">YourRegion</span> </code></pre> </div> <h3> CronJob that runs the Job every 6 hours. </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">batch/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CronJob</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0</span><span class="nv"> </span><span class="s">*/6</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*"</span> <span class="na">successfulJobsHistoryLimit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">failedJobsHistoryLimit</span><span class="pi">:</span> <span class="m">1</span> <span class="na">jobTemplate</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Never</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">k8sawsecrsecretupdater</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/paranoiasystem/k8s-aws-ecr-secret-updater:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ACCOUNT</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">YourAwsAccountID'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_ACCESS_KEY_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s">YourAccess</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_SECRET_ACCESS_KEY</span> <span class="na">value</span><span class="pi">:</span> <span class="s">YourSecretAccessKey</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS_REGION</span> <span class="na">value</span><span class="pi">:</span> <span class="s">YourRegion</span> </code></pre> </div> <h2> Creating the Docker Image </h2> <p>The cronjob uses a specific Docker image to perform its task. This Docker image is built from the following Dockerfile:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--E_c27ifN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rf1v330lps7nk2ob9pb1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--E_c27ifN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rf1v330lps7nk2ob9pb1.png" alt="Dockerfile" width="800" height="598"></a></p> <p>In the Dockerfile, starting from an Alpine base image, the necessary tools are installed, including git, bash, curl, openssh, python3, py3-pip, py-cryptography, wget, curl, jq. Also, kubectl and AWSCLI are installed for interaction with Kubernetes and AWS, respectively.</p> <p>Subsequently, the working directory is set to /scripts and the contents of the local /scripts directory are copied. Finally, an ENTRYPOINT is defined that starts the entrypoint.sh script when the container is run.</p> <h2> Execution of the Script </h2> <p>When the cronjob is run, it starts the bash script contained in the Docker image. This script checks for the existence of a secret called <code>"regcred"</code>. If it exists, it deletes it and creates a new one. If it doesn't exist, it creates it. Below is the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> create_secret<span class="o">()</span> <span class="o">{</span> kubectl create secret docker-registry regcred <span class="se">\</span> <span class="nt">--docker-server</span><span class="o">=</span><span class="k">${</span><span class="nv">AWS_ACCOUNT</span><span class="k">}</span>.dkr.ecr.<span class="k">${</span><span class="nv">AWS_REGION</span><span class="k">}</span>.amazonaws.com <span class="se">\</span> <span class="nt">--docker-username</span><span class="o">=</span>AWS <span class="se">\</span> <span class="nt">--docker-password</span><span class="o">=</span><span class="si">$(</span>aws ecr get-login-password <span class="nt">--region</span> <span class="k">${</span><span class="nv">AWS_REGION</span><span class="k">}</span><span class="si">)</span> <span class="o">}</span> <span class="c"># Check if the secret exists</span> <span class="k">if </span>kubectl get secret regcred<span class="p">;</span> <span class="k">then</span> <span class="c"># If it exists, delete it</span> kubectl delete secret regcred <span class="c"># Create the secret again</span> create_secret <span class="k">else</span> <span class="c"># If it doesn't exist, create it</span> create_secret <span class="k">fi</span> </code></pre> </div> <h2> Installing k8s-aws-ecr-secret-updater on Kubernetes </h2> <p>To use the <strong><em><a href="https://github.com/paranoiasystem/k8s-aws-ecr-secret-updater">k8s-aws-ecr-secret-updater</a></em></strong> in your Kubernetes environment, you need to follow some simple steps.</p> <p>Let's start by cloning the project's GitHub repository onto your local system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/paranoiasystem/k8s-aws-ecr-secret-updater </code></pre> </div> <p>Next, you need to open and edit the <strong><em>install.yaml</em></strong> file present in the repository. In this file, you will need to set the following values:</p> <ul> <li> <strong>AWS_ACCOUNT</strong>: your AWS account ID.</li> <li> <strong>AWS_ACCESS_KEY_ID</strong>: your AWS access key.</li> <li> <strong>AWS_SECRET_ACCESS_KEY</strong>: your AWS secret access key.</li> <li> <strong>AWS_REGION</strong>: the AWS region where your ECR is located.</li> </ul> <p>Once you have made these changes, save and exit the install.yaml file.</p> <p>Now, to install the <strong><em><a href="https://github.com/paranoiasystem/k8s-aws-ecr-secret-updater">k8s-aws-ecr-secret-updater</a></em></strong> in your Kubernetes cluster, you need to execute the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-n</span> &lt;destination_namespace&gt; <span class="nt">-f</span> install.yaml </code></pre> </div> <p>Remember to replace <strong>destination_namespace</strong> with the Kubernetes namespace where you want to install the cronjob.</p> <h2> Conclusions </h2> <p>This tool eliminates the need for manual updating of credentials, saving time and reducing the risk of errors. I hope this article and the tool I created can be of help to anyone dealing with a similar issue in managing AWS ECR credentials in a Kubernetes cluster.</p> kubernetes secret docker aws