Skip to content

AWS ECR - Elastic Container Registry Integration & EKS

Step-01: What are we going to learn?

Image

Step-02: ECR Terminology

  • Registry: An ECR registry is provided to each AWS account; we can create image repositories in our registry and store images in them.
  • Repository: An ECR image repository contains our Docker images.
  • Repository policy: We can control access to our repositories and the images within them with repository policies.
  • Authorization token: Our Docker client must authenticate to Amazon ECR registries as an AWS user before it can push and pull images. The AWS CLI get-login command provides us with authentication credentials to pass to Docker.
  • Image: We can push and pull container images to our repositories.

Step-03: Pre-requisites

  • Install required CLI software on your local desktop
  • Install AWS CLI V2 version
    • Documentation Reference: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
  • Install Docker CLI

    • We have taken of Docker local desktop installation as part of Docker Fundamentals section
    • Docker Desktop for MAC: https://docs.docker.com/docker-for-mac/install/
    • Docker Desktop for Windows: https://docs.docker.com/docker-for-windows/install/
    • Docker on Linux: https://docs.docker.com/install/linux/docker-ce/centos/
  • On AWS Console

    • Create Authorization Token for admin user if not created
    • Configure AWS CLI with Authorization Token
      aws configure
      AWS Access Key ID: ****
      AWS Secret Access Key: ****
      Default Region Name: us-east-1
      

Step-04: Create ECR Repository

  • Create simple ECR repository via AWS Console
  • Repository Name: aws-ecr-kubenginx
  • Tag Immutability: Enable
  • Scan on Push: Enable
  • Explore ECR console.
  • Create ECR Repository using AWS CLI
    aws ecr create-repository --repository-name aws-ecr-kubenginx --region us-east-1
    aws ecr create-repository --repository-name <your-repo-name> --region <your-region>
    

Best Selling AWS EKS Kubernetes Course on Udemy

Start Learning Now!

Step-05: Create Docker Image locally

  • Navigate to folder 10-ECR-Elastic-Container-Registry\01-aws-ecr-kubenginx from course github content download.
  • Create docker image locally
  • Run it locally and test
    # Build Docker Image
    docker build -t <ECR-REPOSITORY-URI>:<TAG> . 
    docker build -t 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx:1.0.0 . 
    
    # Run Docker Image locally & Test
    docker run --name <name-of-container> -p 80:80 --rm -d <ECR-REPOSITORY-URI>:<TAG>
    docker run --name aws-ecr-kubenginx -p 80:80 --rm -d 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx:1.0.0
    
    # Access Application locally
    http://localhost
    
    # Stop Docker Container
    docker ps
    docker stop aws-ecr-kubenginx
    docker ps -a -q
    

Dockerfile to be used to build Docker Image

FROM nginx
COPY index.html /usr/share/nginx/html

index.html file to be used during building Docker Image

<!DOCTYPE html>
<html>
<body style="background-color:rgb(217, 250, 210);">

<h1>Welcome to Stack Simplify</h1>
<h3>AWS EKS Master Class - Integration with ECR Registry</h3>

</body>
</html>

Step-06: Push Docker Image to AWS ECR

  • Firstly, login to ECR Repository
  • Push the docker image to ECR
  • AWS CLI Version 2.x
    # Get Login Password
    aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <ECR-REPOSITORY-URI>
    aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx
    
    # Push the Docker Image
    docker push <ECR-REPOSITORY-URI>:<TAG>
    docker push 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx:1.0.0
    
  • Verify the newly pushed docker image on AWS ECR.
  • Verify the vulnerability scan results.

Step-07: Using ECR Image with Amazon EKS

Review the k8s manifests

  • Understand the Deployment and Service kubernetes manifests present in folder 10-ECR-Elastic-Container-Registry\02-kube-manifests
  • Deployment: 01-ECR-Nginx-Deployment.yml
  • NodePort Service: 02-ECR-Nginx-NodePortService.yml
  • ALB Ingress Service: 03-ECR-Nginx-ALB-IngressService.yml

Verify ECR Access to EKS Worker Nodes

  • Go to Services -> EC2 -> Running Instances > Select a Worker Node -> Description Tab
  • Click on value in IAM Role field
    # Sample Role Name 
    eksctl-eksdemo1-nodegroup-eksdemo-NodeInstanceRole-1U4PSS3YLALN6
    
  • In IAM on that specific role, verify permissions tab
  • Policy with name AmazonEC2ContainerRegistryReadOnly, AmazonEC2ContainerRegistryPowerUser should be associated

Kubernetes Manifests

#01-ECR-Nginx-Deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubeapp-ecr
labels:
   app: kubeapp-ecr
spec:
replicas: 2
selector:
   matchLabels:
      app: kubeapp-ecr
template:
   metadata:
      labels:
      app: kubeapp-ecr
   spec:
      containers:
      - name: kubeapp-ecr
         image: 180789647333.dkr.ecr.us-east-1.amazonaws.com/aws-ecr-kubenginx:1.0.0
         resources:
            requests:
            memory: "128Mi"
            cpu: "500m"
            limits:
            memory: "256Mi"
            cpu: "1000m"
         ports:
            - containerPort: 80
#02-ECR-Nginx-NodePortService.yml
apiVersion: v1
kind: Service
metadata:
name: kubeapp-ecr-nodeport-service
labels:
   app: kubeapp-ecr
annotations:    
#Important Note:  Need to add health check path annotations in service level if we are planning to use multiple targets in a load balancer    
   alb.ingress.kubernetes.io/healthcheck-path: /index.html    
spec:
type: NodePort
selector:
   app: kubeapp-ecr
ports:
   - port: 80
      targetPort: 80
#03-ECR-Nginx-ALB-IngressService.yml
# Annotations Reference:  https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ecr-ingress-service
labels:
   app: kubeapp-ecr
annotations:
   # Ingress Core Settings  
   kubernetes.io/ingress.class: "alb"
   alb.ingress.kubernetes.io/scheme: internet-facing
   # Health Check Settings
   alb.ingress.kubernetes.io/healthcheck-protocol: HTTP 
   alb.ingress.kubernetes.io/healthcheck-port: traffic-port
   alb.ingress.kubernetes.io/healthcheck-interval-seconds: '15'
   alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
   alb.ingress.kubernetes.io/success-codes: '200'
   alb.ingress.kubernetes.io/healthy-threshold-count: '2'
   alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
   ## SSL Settings
   alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
   alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/9f042b5d-86fd-4fad-96d0-c81c5abc71e1
   #alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 #Optional (Picks default if not used)    
   # SSL Redirect Setting
   alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'   
   # External DNS - For creating a Record Set in Route53
   external-dns.alpha.kubernetes.io/hostname: ecrdemo.kubeoncloud.com       
spec:
rules:
   - http:
      paths:
         - path: /* # SSL Redirect Setting
            backend:
            serviceName: ssl-redirect
            servicePort: use-annotation            
         - path: /*
            backend:
            serviceName: kubeapp-ecr-nodeport-service
            servicePort: 80                                   
# Important Note-1: In path based routing order is very important, if we are going to use  "/*", try to use it at the end of all rules.         

Deploy the kubernetes manifests

# Deploy
kubectl apply -f 02-kube-manifests/

# Verify
kubectl get deploy
kubectl get svc
kubectl get po
kubectl get ingress

Access Application

  • Wait for ALB Ingress to be provisioned
  • Verify Route 53 DNS registration ecrdemo.kubeoncloud.com
    # Get external ip of EKS Cluster Kubernetes worker nodes
    kubectl get nodes -o wide
    
    # Access Application
    http://ecrdemo.kubeoncloud.com/index.html
    

Step-08: Clean Up

# Clean-Up
kubectl delete -f 02-kube-manifests/

How ALB Ingress Controller Works?

AWS ALB Ingress Installation

AWS ALB Ingress Implementation Basics

Subscribe to our Youtube Channel

Free Courses

Image

Start with our Getting Started Free Courses!