Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

imagePullSecret used as fallback, not as first-class sitizen #27

Open
evgkrsk opened this issue Nov 3, 2020 · 3 comments
Open

imagePullSecret used as fallback, not as first-class sitizen #27

evgkrsk opened this issue Nov 3, 2020 · 3 comments

Comments

@evgkrsk
Copy link
Contributor

evgkrsk commented Nov 3, 2020

We observe bunch of such messages in k8s-iae log:

time="2020-11-03T06:30:23Z" level=error msg="GET https://eu.gcr.io/v2/giftery-ci/evotor-api-v3/manifests/v-c170103c: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication" availability_mode=authentication_failure image_name="eu.gcr.io/giftery-ci/evotor-api-v3:v-c170103c"

when use private gcr.io registry. But all metrics for such projects is in normal state (all images available). We use "imagePullSecrets" in yaml manifests to indicate auth data for grc.io, but seems like k8s-iae dont use it right from start, only as fallback.

Maybe it is right thing to use imagePullSecrets right away (especially when it contains one secret) to check registry?
@31337Ghost 31337Ghost mentioned this issue Aug 24, 2021
Merged
@usefree
Copy link

usefree commented Sep 1, 2021

Hello! Thanks for tool)
seems like fix not help or i have wrong configuration.. get error availability_mode=authorization_failure while checking image from private registry. In serviceaccount for iae i have

kind: ServiceAccount
metadata:
  name: image-availability-exporter
  namespace: monitoring
imagePullSecrets:
- name: deploy-token

and deploy-token is used in other deployments without auth errors
using 0.1.16 iae version
Thanks!

@zuzzas
Copy link
Contributor

zuzzas commented Mar 29, 2022

What's in the logs?

@arslanbekov
Copy link

The problem with the inaccessibility of private repositories remains.

I have imagePullSecrets configured with the correct secret (under which I can pull my images), but the exporter itself has some errors, such as availability_mode=authorization_failure:

time="2024-06-05T22:11:37Z" level=error msg="GET https://region-docker.pkg.dev/v2/token?scope=repository%3Aproject%2Fimage%2Fapp%3Apull&service=: DENIED: Unauthenticated request. Unauthenticated requests do not have permission \"artifactregistry.repositories.downloadArtifacts\" on resource \"projects/project/locations/region/repositories/linkerd\" (or it may not exist)" availability_mode=authorization_failure image_name="region-docker.pkg.dev/project-name/registry/app:0.1"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@evgkrsk @arslanbekov @zuzzas @usefree