Customers running Red Hat OpenShift Service on AWS (ROSA) frequently use Amazon Elastic Container Registry (ECR) for storing, sharing, and deploying their container images. As the number of containerized workloads continually grows, along with the associated container images, customers need enhanced methods to segment their container repositories with improved security features, limiting access to specific namespaces or projects that require them.
In this blog, we will demonstrate how to use ROSA with ECR and AWS Identity and Access Management (IAM) to protect access to your container images on a pod, namespace, node, or cluster level. Implementing controlled ECR repository access in ROSA helps enhance your security controls and enables improved governance for your ROSA workloads. This includes encryption of data at rest and in transit, vulnerability scanning of container images, detailed access logging through AWS CloudTrail, and automated compliance reporting.
Overview of solution
This tutorial will demonstrate the installation and configuration of the ECR Secret Operator in a ROSA cluster. Once configured, we will use the ECR Secret Operator to deploy project level secrets for workload-based service accounts. Additionally, we will configure AWS IAM roles that will negotiate with ECR permissions for access to container images in secure repositories.
Reference Architecture
Figure 1. Reference Architecture
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS account with administrative access
- A ROSA Cluster with cluster-admin privileges
- The OpenShift command-line interface (oc) installed and configured
- Docker Desktop or alternative image builder
- AWS CloudTrail logging enabled
Prepare the ECR environment
- Log in to your AWS account and search for Elastic Container Registry
Figure 2. Amazon Elastic Container Registry
- Select Create to begin configuring a private repository. Use awsrosa/testrepo for the namespace/repo-name values, leave the other options as-is, and click Create
Figure 3. Creating a private ECR repository
- Once the repository is created, take note of the URI value
Figure 4. URI value of the new private repository
Create the IAM Role to be used for ECR access
- Set up environment variables for the OIDC provider, AWS account ID, and ECR repository name
- Create a new policy (ECRLoginPolicy1) with permissions to get the ECR authorization token
- Create a new IAM role (ECRLogin1) whose trust policy allows the cluster's OIDC provider to assume it, and attach the ECRLoginPolicy1 policy created in step 2
- Create an ECR repository policy providing permissions to the ECRLogin1 role to manage images
- Create an STS kubernetes secret and apply it to a new project (ecr-secret-operator1)
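The five steps above produce four documents: the ECRLoginPolicy1 permissions policy, the ECRLogin1 trust policy, the repository permissions policy, and the STS secret. The following is an added example that builds all four, and is not code from the original post or from the ECR Secret Operator project. The names ECRLoginPolicy1, ECRLogin1, awsrosa/testrepo and ecr-secret-operator1 come from the post; the OIDC provider host, the account ID, the service-account name the operator runs as, and the key layout of the STS secret are assumptions and are marked as such in the code.

```python
"""Build the IAM/ECR policy documents and STS secret for the ECRLogin1 role.

Added example, not from the original post or the ECR Secret Operator project.
Assumptions are marked inline; everything else is named as in the post.
"""
import json

OIDC_PROVIDER = "oidc.example.openshiftapps.com/EXAMPLE-CLUSTER-ID"  # assumed placeholder
ACCOUNT_ID = "123456789012"                                        # constructed
REGION = "us-east-1"                                                # constructed
REPO_NAME = "awsrosa/testrepo"
POLICY_NAME = "ECRLoginPolicy1"
ROLE_NAME = "ECRLogin1"
NAMESPACE = "ecr-secret-operator1"
SERVICE_ACCOUNT = "ecr-secret-operator"  # assumption: the SA the operator pod runs as


def login_policy():
    """ECRLoginPolicy1: only the call that mints the 12-hour token.
    GetAuthorizationToken is account-scoped, so "*" is the only valid resource;
    pull/push rights are deliberately NOT here (they are granted per repository)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}


def trust_policy(oidc_provider, account_id, namespace, service_account):
    """ECRLogin1 trust policy: only the named service account in the named
    namespace, authenticated by the cluster's OIDC provider, may assume the role.
    The StringEquals on ':sub' is what pins the role to a single project."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}"}},
    }]}


def repository_policy(account_id, role_name, pull_only=True):
    """Repository permissions policy, the resource-side gate the post later edits.
    Removing the role from Principal here is exactly what breaks the image pull."""
    pull = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
    push = ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload"]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowROSAWorkloadAccess",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
        "Action": pull if pull_only else pull + push,
    }]}


def sts_secret_manifest(account_id, role_name, namespace, name="ecr-sts-credentials"):
    """Kubernetes Secret handing the operator the role ARN. The 'credentials' key
    and its INI layout follow the OpenShift STS convention and are an assumption;
    confirm the key names the operator expects before applying."""
    creds = ("[default]\n"
             f"role_arn = arn:aws:iam::{account_id}:role/{role_name}\n"
             "web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token\n")
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace},
            "type": "Opaque", "stringData": {"credentials": creds}}


def apply_to_aws(oidc_provider, account_id, region):
    """Create policy, role and repository policy with boto3 (needs admin creds;
    not called on import so the builders above run offline)."""
    import boto3
    iam = boto3.client("iam")
    pol = iam.create_policy(PolicyName=POLICY_NAME, PolicyDocument=json.dumps(login_policy()))
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(
        trust_policy(oidc_provider, account_id, NAMESPACE, SERVICE_ACCOUNT)))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=pol["Policy"]["Arn"])
    boto3.client("ecr", region_name=region).set_repository_policy(
        repositoryName=REPO_NAME, policyText=json.dumps(repository_policy(account_id, ROLE_NAME)))


if __name__ == "__main__":
    # Dry run: print the documents for review; the Secret can be piped to `oc apply -f -`.
    for doc in (login_policy(),
                trust_policy(OIDC_PROVIDER, ACCOUNT_ID, NAMESPACE, SERVICE_ACCOUNT),
                repository_policy(ACCOUNT_ID, ROLE_NAME),
                sts_secret_manifest(ACCOUNT_ID, ROLE_NAME, NAMESPACE)):
        print(json.dumps(doc, indent=2))
```

The split matters for least privilege: the identity-based policy grants nothing but token issuance, so which images the role can actually pull is decided entirely by each repository's permissions policy, which is why editing that policy in the ECR console is enough to cut a workload off. `pull_only=False` adds the push actions if the same role must also publish images; keep it pull-only for a role that only deploys.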
Install and configure the ECR Secrets Operator
The ECR Private Registry Authentication service uses an authorization token with a 12-hour expiry. The ECR Secret Operator automatically refreshes the authorization token prior to expiration, eliminating the need to manage it as part of the authentication flow.
- Search for the ECR Secret Operator in the OperatorHub of your ROSA cluster
Figure 5. OperatorHub catalog in ROSA
- Install the operator using the All namespaces on the cluster (default) installation mode and choose the ecr-secret-operator namespace created during the ECR setup.
- Create a new project (app-ecr-operator) in the ROSA cluster
- Create a new secret in the app-ecr-operator namespace
- Create a deployment from your private ECR repository to the new app-ecr-operator1 namespace
Control access to the repository using the permissions policy in the ECR console
Once the pod has deployed successfully, we can validate the permissions and controls in the ECR console.
- Log in to the AWS console and navigate to the awsrosa/testrepo repository created previously
- Select the Permissions link for the repository
Notice the IAM entities associated with the repository permissions. These are the only principals permitted to access the repository, and they can perform only the actions listed in the permissions policy.
Figure 6. Permissions section of the ECR repository
- Select Edit policy JSON on the Permissions screen, remove the ECRLogin1 role from the list of Principals, and save the changes
Figure 7. Permissions JSON with ECRLogin1 removed
- Return to the ROSA console and delete the pod you previously deployed, which forces a fresh pull of the image from the ECR repository
Figure 8. Delete the pod in the ROSA console
The pod will fail to deploy because we removed the ECRLogin1 role from the ECR repository permissions.
Figure 9. Pod deployment failure
- The pod deployment failure can be validated in the CloudTrail event history for the ecr.amazonaws.com event source. The error message will include the user (ECRLogin1) and the authorization error
Figure 10. CloudTrail error message for the failed ECR image pull
- Add the ECRLogin1 IAM entity back into the ECR repository permissions and save the change
Figure 11. ECR permissions with the ECRLogin1 role
- The pod will now be able to deploy properly with the required ECR access in place
Figure 12. Successful deployment
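Checking CloudTrail by hand works for one pod, but the same check is worth automating so that any ECR authorization failure from a cluster role is surfaced, not just the one you provoked. The following is an added example, not code from the original post: it scans CloudTrail records for the ecr.amazonaws.com event source, attributes each denied call to the IAM role behind the session (ECRLogin1 in the scenario above), and reads IAM's explanation text to tell a repository-policy denial apart from an identity-policy denial, which goes slightly beyond the post's single case. The event records are constructed to match CloudTrail's shape and are not real log data; the account ID, Region and session name are placeholders.

```python
"""Triage ECR authorization failures from CloudTrail records.

Added example, not from the original post. SAMPLE_EVENTS is constructed in the
shape CloudTrail emits (LookupEvents / log-file records); it is not real data.
"""
from collections import Counter

SAMPLE_EVENTS = [
    {   # constructed: the 12-hour token fetch still succeeds (ECRLoginPolicy1 allows it)
        "eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ECRLogin1/ecr-secret-operator",
                         "sessionContext": {"sessionIssuer": {"userName": "ECRLogin1"}}},
    },
    {   # constructed: the pull fails after ECRLogin1 was removed from the repository policy
        "eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/ECRLogin1/ecr-secret-operator "
                         "is not authorized to perform: ecr:BatchGetImage on resource: "
                         "arn:aws:ecr:us-east-1:123456789012:repository/awsrosa/testrepo "
                         "because no resource-based policy allows the ecr:BatchGetImage action"),
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ECRLogin1/ecr-secret-operator",
                         "sessionContext": {"sessionIssuer": {"userName": "ECRLogin1"}}},
        "requestParameters": {"repositoryName": "awsrosa/testrepo"},
    },
    {   # constructed: a denial from another service, which must be ignored
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]

DENIED_CODES = {"AccessDenied", "AccessDeniedException"}


def role_of(identity):
    """Role behind an event: prefer sessionIssuer, else parse the assumed-role ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("userName"):
        return issuer["userName"]
    arn = identity.get("arn", "")
    if "assumed-role/" in arn:
        return arn.split("assumed-role/", 1)[1].split("/", 1)[0]
    return identity.get("userName", "unknown")


def denial_layer(message):
    """Which policy layer refused the call, read from IAM's explanation text."""
    if "no resource-based policy allows" in message:
        return "repository policy"
    if "no identity-based policy allows" in message:
        return "IAM policy"
    return "unknown"


def ecr_denials(events):
    """One tuple per failed-authorization ECR call: (role, API, repository, layer)."""
    found = []
    for ev in events:
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("errorCode") not in DENIED_CODES:
            continue
        repo = (ev.get("requestParameters") or {}).get("repositoryName", "-")
        found.append((role_of(ev.get("userIdentity", {})), ev.get("eventName"),
                      repo, denial_layer(ev.get("errorMessage", ""))))
    return found


def denials_per_role(events):
    """Count of denied ECR calls per role, a simple alerting signal."""
    return Counter(role for role, _, _, _ in ecr_denials(events))


if __name__ == "__main__":
    for role, api, repo, layer in ecr_denials(SAMPLE_EVENTS):
        print(f"{role} denied {api} on {repo}: check the {layer}")
```

The layer distinction is the practical part: a "no resource-based policy allows" message points at the repository's permissions policy (Figure 6), whereas "no identity-based policy allows" points at the role's attached IAM policy, so the responder knows which console to open. Feed the function the `Events` returned by `aws cloudtrail lookup-events` or records read from the CloudTrail S3 logs; both carry the same fields used here.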
Cleaning up
- Remove the ecr-deployment from the ROSA console
- Uninstall the ECR Secret Operator from the ROSA Installed Operators screen
- Remove the app-ecr-operator and ecr-secret-operator projects from ROSA
- Delete the awsrosa/testrepo repository from ECR
Conclusion
Integrating Amazon Elastic Container Registry (ECR) with Red Hat OpenShift Service on AWS (ROSA) provides enhanced operational capabilities with improved security features. When properly configured with the security controls outlined above, this integration helps organizations maintain compliance requirements while enabling efficient container management. In this blog we highlighted how to configure fine-grained access control to your repositories using ECR Permissions and AWS IAM policies and roles. This additional level of security and governance provides customers with a trusted model for ensuring the right users are accessing the right images.
Next Steps
Now that you understand how to secure access to your ECR repositories, explore methods for cross-account and cross-Region repository replication to ensure your images are readily available to all your clusters.