Setup cloudflare mTLS cert-based authentication to private container registry from EKS

0

Hi, I am trying to configure access to a private container registry from EKS (running on a VPC with private subnets). Access to the container registry is done via authentication through cloudflared with mTLS certs, which makes it a bit complicated to configure on our EKS cluster, as the AWS guidelines only show support for configuring private registry authentication using the dockercfg and docker formats: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth-container-instances.html

I have tried using the dockercfg credentials stored in a secret (referencing it with imagePullSecrets in the pod manifest), but it does not work, as cloudflared mTLS cert-based authentication is required in addition to pull the image. Is there any way to configure this? Or is it maybe a better option to start using AWS ECR and just pull images from there directly?

2 Answers
0

Hello,

Kubernetes currently does not have an in-built mechanism to perform TLS authentication for private registry access.

The work-around for enabling mTLS encryption is to use a client certificate, adding the certificate and key to the /etc/docker/certs.d/{registry} directory on every node. For more info, please review GitHub issue 41965. However, it is not a feasible approach.

As you mentioned, you can use Amazon ECR as your private registry which uses the secure IAM authentication for registry access.

AWS Support Engineer
answered 2 years ago
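The per-node certs.d work-around described in the answer above, written as a DaemonSet so that nodes added on demand also receive the client certificate. This is an added example, not part of the original answer; the Secret name `registry-mtls`, the `kube-system` namespace, the container images and the registry hostname `registry.example.com` are placeholders.

```yaml
# Added example, not from the original answer. Assumes a Secret named
# "registry-mtls" in kube-system holding keys client.cert and client.key
# (the cloudflared client certificate and private key), and the placeholder
# registry hostname registry.example.com.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: registry-mtls-installer
  namespace: kube-system
spec:
  selector:
    matchLabels: {app: registry-mtls-installer}
  template:
    metadata:
      labels: {app: registry-mtls-installer}
    spec:
      # Schedule on every node, tainted ones included, so nodes added later
      # receive the certificate before their first image pull.
      tolerations:
        - operator: Exists
      initContainers:
        - name: install
          image: busybox:1.36   # any small image with sh and install
          command: ["sh", "-c"]
          args:
            - |
              set -eu
              dest=/host-certs/registry.example.com
              mkdir -p "$dest"
              # Docker reads <registry>/client.cert and client.key here;
              # the key is kept unreadable to non-root users on the node.
              install -m 0644 /secret/client.cert "$dest/client.cert"
              install -m 0600 /secret/client.key  "$dest/client.key"
          volumeMounts:
            - {name: secret, mountPath: /secret, readOnly: true}
            - {name: host-certs, mountPath: /host-certs}
      containers:
        # A no-op container keeps the pod running so the DaemonSet stays Ready.
        - name: pause
          image: registry.k8s.io/pause:3.9
      volumes:
        - name: secret
          secret: {secretName: registry-mtls}
        - name: host-certs
          hostPath: {path: /etc/docker/certs.d, type: DirectoryOrCreate}
```

Nodes that run containerd rather than Docker do not read /etc/docker/certs.d; there the equivalent is a hosts.toml under /etc/containerd/certs.d/<registry>/ with a client = [...] entry, and the hostPath above changes accordingly.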
0

Hello, thank you very much for your support and for the proposed work-around. As I'm using EKS and getting more nodes added on-demand I also agree with you that even with the work-around it is not a feasible approach. I have decided to go for the ECR option and now I have no issues pulling images from there. Thanks again!

answered 2 years ago
