Containers-roadmap: ECR PrivateLink Support

Created on 28 Nov 2018  Â·  23Comments  Â·  Source: aws/containers-roadmap

Provide customers with private endpoint access to their Amazon ECR repositories.

ECR
Source
picture abby-fuller
👍103

Most helpful comment

shipped 1/25!

picture abby-fuller on 25 Jan 2019
🎉5

All 23 comments

This should address or least mitigate the need for https://github.com/aws/amazon-ecs-agent/issues/1447.

coultn picture coultn on 6 Dec 2018
👍2

As well as adding an enthusiastic vote for this, I'd like to vote for endpoint policies on the PrivateLink when it comes 😄 same with #20 and #22 of course

copumpkin picture copumpkin on 11 Dec 2018
👍3

As well as adding an enthusiastic vote for this, I'd like to vote for endpoint policies on the PrivateLink when it comes 😄 same with #20 and #22 of course

We decided to break out this feature in order to ship PrivateLink sooner: https://github.com/aws/containers-roadmap/issues/132

jtoberon picture jtoberon on 25 Jan 2019

🚀 https://aws.amazon.com/about-aws/whats-new/2019/01/aws-fargate--amazon-ecs--and-amazon-ecr-now-have-support-for-aws/

christopherhein picture christopherhein on 25 Jan 2019
🎉2

shipped 1/25!

abby-fuller picture abby-fuller on 25 Jan 2019
🎉5

We're reopening this because we need to clarify a few details: You need to upgrade to the latest ECS agent, 1.25.1. If you rely on the ECR credentials helper, you need to upgrade, too. Fargate support is not available yet, but will be available soon.

jtoberon picture jtoberon on 26 Jan 2019
👍2

@jtoberon what goes wrong if you use it with Fargate? I just saw a blog post on the AWS blog about using them all together, so I'm a bit confused now.

copumpkin picture copumpkin on 27 Jan 2019

@copumpkin the blog refers to ECS in EC2 mode. Apologies for the confusion. Currently, if you use Fargate with ECR PrivateLink, then pulls will fail. When Fargate works for all Platform Versions, then we will close this issue.

jtoberon picture jtoberon on 28 Jan 2019

Ah I see the blog post I was talking about was taken down, never mind. Anyway I look forward to using it with fargate :)

On Jan 27, 2019, at 23:25, Josh Oberwetter notifications@github.com wrote:

@copumpkin the blog refers to ECS in EC2 mode. Apologies for the confusion.

Currently, if you use Fargate with ECR PrivateLink, then pulls will fail. When Fargate works for all Platform Versions, then we will close this issue.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

copumpkin picture copumpkin on 28 Jan 2019

Just try to use Fargate with ECR Privatelink but task start fail with error CannotPullContainerError: inactivity time exceeded timeout

angusfz picture angusfz on 28 Jan 2019
👀1

@angusfz

Just try to use Fargate with ECR Privatelink but task start fail with error CannotPullContainerError: inactivity time exceeded timeout

@angusfz Please see the information provided above: "Currently, if you use Fargate with ECR PrivateLink, then pulls will fail. When Fargate works for all Platform Versions, then we will close this issue."

jtoberon picture jtoberon on 28 Jan 2019
👍1

@abby-fuller solved? https://aws.amazon.com/about-aws/whats-new/2019/01/aws-fargate--amazon-ecs--and-amazon-ecr-now-have-support-for-aws/

gilinachum picture gilinachum on 29 Jan 2019

Yes, this is fully solved now.

jtoberon picture jtoberon on 5 Feb 2019
🎉2

ECR FAQs should be updated to reflect this great new feature.

Q: Can I access Amazon ECR inside a VPC?
To use Amazon ECR within a VPC, your instances must be able to communicate with the Internet. You can do this with Amazon VPC NAT Gateway.
https://aws.amazon.com/ecr/faqs/

RyPeck picture RyPeck on 6 Feb 2019

ECR FAQs should be updated to reflect this great new feature.

Q: Can I access Amazon ECR inside a VPC?
To use Amazon ECR within a VPC, your instances must be able to communicate with the Internet. You can do this with Amazon VPC NAT Gateway.
https://aws.amazon.com/ecr/faqs/

Nice catch. Thank you!

jtoberon picture jtoberon on 6 Feb 2019

Yes, this is fully solved now.

@jtoberon Does this mean Fargate can work with PrivateLink ?

angusfz picture angusfz on 11 Feb 2019

Yes.

jtoberon picture jtoberon on 11 Feb 2019

@jtoberon
So why does https://aws.amazon.com/about-aws/whats-new/2019/01/aws-fargate--amazon-ecs--and-amazon-ecr-now-have-support-for-aws/ mention that @gilinachum linked to say AWS Fargate support for PrivateLink will be available soon.? I'm confused :)

ronkorving picture ronkorving on 12 Feb 2019

@ronkorving At the time it was going to come soon, but now it's here.

Sodki picture Sodki on 12 Feb 2019
🎉3

Awesome, thanks! :) That was very soon then :)

ronkorving picture ronkorving on 12 Feb 2019

Is the ECR PrivateLink now also supported via EKS?

frumania picture frumania on 20 Mar 2019

Is the ECR PrivateLink now also supported via EKS?

@frumania not yet, there are changes that need to be made in https://github.com/kubernetes/kubernetes see https://github.com/kubernetes/kubernetes/pull/73435 which merged it into master and there is a cherrypick https://github.com/kubernetes/kubernetes/pull/73755 to add it into 1.13 once that is done we can cherrypick in into earlier versions

christopherhein picture christopherhein on 20 Mar 2019

@frumania with Kubernetes version 1.13, ECR PrivateLink is now supported via EKS. https://github.com/aws/containers-roadmap/issues/30#issuecomment-503370718

tabern picture tabern on 19 Jun 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

clareliguori picture clareliguori  Â·  3Comments
jeremietharaud picture jeremietharaud  Â·  3Comments
yavor-atanasov picture yavor-atanasov  Â·  3Comments
tabern picture tabern  Â·  3Comments
adlemich picture adlemich  Â·  3Comments