Pull Images from AWS ECR on Minikube

I'm a big fan of Minikube for local Kubernetes development. If you haven't checked it out yet, I encourage you to do so; short of GKE, it's the easiest way to spin up a single node k8s cluster.

Minikube QuickStart

To get running on minikube first download the latest binary and put into your $PATH somewhere:

curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.10.0/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/

Next spin up a new cluster:

 minikube start --cpus=4 --memory=8096 --vm-driver=virtualbox --disk-size=40g

Pulling Images

Pulling public images on a Kubernetes cluster is super easy, it just works! However, if you are pulling from a private repo, there may be some extra work to do. Depending on how you want to attack the problem outlines what might need to be done. You can find docs here on how to do other repos: http://kubernetes.io/docs/user-guide/images

For the rest of this article, I'm going to focus on AWS ECR as the registry to connect to. If there's interest, I can add more, however, I want to address ECR right now.

Running in AWS

If your cluster is running in AWS and you have the correct CloudProvider set, then there's nothing else to do, ECR is supported out of the box.

Running in Minikube

Since Minikube doesn't run inside AWS (but on your local machine), we can't leverage the built-in cloud provider to help out. Before the cloud provider supported ECR natively, it was difficult to use ECR as a container registry so I wrote a tool which automates the process.

You can find the github repo here which does all the work: https://github.com/upmc-enterprises/awsecr-creds

How this tool works is it leverages ImagePullSecrets on the pod by first authenticating and getting credentials to pull images from ECR. Then it creates an ImagePullSecret so that when a pod gets created, those credentials are automatically placed into the pod.

12 Hour Max

The only 'gotcha' of how ECR works is that credentials are only good for 12 hours, so ever 11 hours and 55 minutes, the credentials are refreshed.


So how do you get running with awsecr-credson your Minikube cluster?

Simply edit the sample controller with credentials and account id's matching your AWS environment and deploy!

kubectl create -f k8s/replicationController.yml

Why pull from ECR?

I utilize AWS for many cloud resources today and letting AWS manage that resource is great. At the same time it's a good way to validate things since I can now tap into my CI system which is generating images for me. Now I can pull images and quickly test out components of my app without having to rebuild them all locally!

Author image

About Steve Sloka