Setup cloudflare mTLS cert-based authentication to private container registry from EKS


Hi, I am trying to configure access to a private container registry from EKS (running in a VPC with private subnets). Access to the container registry is done via authentication through cloudflared with mTLS certs, which makes it a bit complicated to configure on our EKS cluster, as the AWS guidelines only show support for configuring private registry authentication using the dockercfg and docker formats: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth-container-instances.html

I have tried using the dockercfg credentials stored in a secret (referencing it with imagePullSecrets in the pod manifest), but it does not work, as cloudflared mTLS cert-based authentication is required in addition to pull the image. Is there any way to configure this? Or is it maybe a better option to start using AWS ECR and just pull images from there directly?

2 Answers

Hello,

Kubernetes currently does not have a built-in mechanism to perform TLS authentication for private registry access.

The workaround for enabling mTLS encryption is to use a client certificate, adding the certificate and key to the /etc/docker/certs.d/{registry} directory on every node. For more info, please review GitHub issue 41965. However, it is not a feasible approach.

As you mentioned, you can use Amazon ECR as your private registry which uses the secure IAM authentication for registry access.

AWS
SUPPORT ENGINEER
answered 2 years ago
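The per-node workaround the support engineer describes, as an added example that is not part of the original thread or of any AWS or Cloudflare tooling: a POSIX shell script that writes a client certificate and key into the runtime's per-registry TLS directory and verifies the result. The registry name `registry.example.com`, the `ROOT` prefix (so the functions can be exercised in a scratch directory instead of `/`), and the PEM strings are assumptions and placeholders; the real client cert and key are the ones issued for your Cloudflare mTLS policy. The script covers both layouts: Docker's `/etc/docker/certs.d/<registry>/client.cert` + `client.key`, and containerd's `/etc/containerd/certs.d/<registry>/hosts.toml`, which is what the EKS AMIs for Kubernetes 1.24 and later actually use, since they run containerd rather than Docker.

```shell
#!/bin/sh
# Added example for the per-node mTLS workaround. Not from the re:Post thread or from AWS;
# registry name, ROOT prefix and PEM contents are assumptions/placeholders.
set -eu

# Constructed placeholder PEM material: replace with the client certificate and key issued
# for your Cloudflare mTLS policy. These strings are not real credentials.
CLIENT_CERT_PEM='-----BEGIN CERTIFICATE-----
MIIB...PLACEHOLDER-CLIENT-CERT...
-----END CERTIFICATE-----'
CLIENT_KEY_PEM='-----BEGIN PRIVATE KEY-----
MIIE...PLACEHOLDER-CLIENT-KEY...
-----END PRIVATE KEY-----'

# file_mode PATH -> octal permission bits (GNU stat first, BSD stat as a fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_pem_pair DIR: writes client.cert (0644) and client.key (0600) into DIR.
# The subshell keeps the restrictive umask from leaking into the caller.
write_pem_pair() (
  umask 077
  printf '%s\n' "$CLIENT_CERT_PEM" > "$1/client.cert"
  printf '%s\n' "$CLIENT_KEY_PEM"  > "$1/client.key"
  chmod 0644 "$1/client.cert"
  chmod 0600 "$1/client.key"
)

# install_docker_client_cert ROOT REGISTRY
# Docker reads client TLS material from /etc/docker/certs.d/<registry>/ at pull time and
# requires the .cert/.key extensions; a *.crt file in that directory is treated as a CA
# certificate, not a client certificate. ROOT is "/" on a real node.
install_docker_client_cert() {
  dir="$1/etc/docker/certs.d/$2"
  mkdir -p "$dir"
  write_pem_pair "$dir"
  printf '%s\n' "$dir"
}

# install_containerd_client_cert ROOT REGISTRY
# containerd takes per-registry settings from /etc/containerd/certs.d/<registry>/hosts.toml.
# That directory is only consulted when containerd's config.toml sets
# config_path = "/etc/containerd/certs.d" under [plugins."io.containerd.grpc.v1.cri".registry].
# The paths written into hosts.toml are the node paths, independent of ROOT.
install_containerd_client_cert() {
  dir="$1/etc/containerd/certs.d/$2"
  mkdir -p "$dir"
  write_pem_pair "$dir"
  cat > "$dir/hosts.toml" <<EOF
server = "https://$2"

[host."https://$2"]
  capabilities = ["pull", "resolve"]
  client = [["/etc/containerd/certs.d/$2/client.cert", "/etc/containerd/certs.d/$2/client.key"]]
EOF
  chmod 0644 "$dir/hosts.toml"
  printf '%s\n' "$dir"
}

# verify_client_cert_dir DIR: fails unless the cert is present and the key is owner-only,
# the two checks a node bootstrap step should make before reporting success.
verify_client_cert_dir() {
  [ -f "$1/client.cert" ] || { echo "missing client.cert in $1" >&2; return 1; }
  [ "$(file_mode "$1/client.key")" = "600" ] || { echo "client.key in $1 is not 0600" >&2; return 1; }
  return 0
}

# Usage on a node, as root (assumed registry name):
#   install_containerd_client_cert / registry.example.com
#   verify_client_cert_dir /etc/containerd/certs.d/registry.example.com
```

Because kubelet does not distribute this material, getting it onto nodes that join on demand means either baking it into the node AMI or user data, or running the script from a privileged DaemonSet with a hostPath mount of `/etc`; the private key then lives unencrypted on every node's root filesystem, which is the operational cost behind the answer's "not feasible" verdict and the reason the thread settles on ECR with IAM authentication.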

Hello, thank you very much for your support and for the proposed workaround. As I'm using EKS and getting more nodes added on demand, I also agree with you that even with the workaround it is not a feasible approach. I have decided to go for the ECR option and now I have no issues pulling images from there. Thanks again!

answered 2 years ago
