Limit IAM policies #38
Comments
It was added for the plan to host RADAR images in ECR in order to get around the issues of rate limiting by DockerHub. Maybe there is a general/not-cloud-specific solution now and if so, these policies can be removed.
It's also good to add the ECR pull through cache to our Terraform code since the issue is still there. I'm making changes to Helm charts to make it easier to define an alternative registry. RADAR-base/radar-helm-charts#310
I have a GH workflow set up (currently disabled to minimise the cost) to sync ECR images with RADAR DockerHub images. Let me know if you guys are interested.
I haven't used ECR pull through cache yet but I think it is not needed to mirror images? My impression is that you change the image registry in Helm chart and then it should get the image first time from DockerHub and next times from the cache.
The ECR pull-through cache only supports "official" public DockerHub images and https://hub.docker.com/r/radarbase is not one of them (as of the last time I checked at least).
It looks like you can use regular images as well:
Can you test that in your own account and confirm if images from the radarbase community organisation can be cached?
Sure
The pull through cache works with custom images as well.
Thanks for testing it. This means ECR has relaxed their rule since this announcement. The last time I checked, their PTC only supported officials.
Would it make sense to add the Terraform code to create an ECR pull through cache to this repository?
Yes, will TAL. Looks like ECR PTC requires the DockerHub user credentials to be set as an SM secret, which is a less straightforward solution than I thought it would be.
It seems like the `ecr_access` and `ecr_pull_through_cache` policies allow access to all ECR repositories. I think it's safer to limit them to specific resources. Also, I don't see an ECR repository to be defined in the Terraform code, so I'm not sure why it's being defined.
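An added example (not code from this repository) of the scoping the issue asks for, applied to the pull through cache case discussed in the comments: the wildcard pattern next to a version limited to repositories under the cache prefix. The variable names, the `docker-hub` prefix, the policy document names and the action list are assumptions for illustration.

```hcl
# Added example; all names and values here are assumptions, not the project's code.
data "aws_caller_identity" "current" {}

variable "aws_region" {
  description = "Region that hosts the ECR registry (assumed input)"
  type        = string
}

variable "ptc_prefix" {
  description = "Repository prefix used by the pull through cache rule (assumed value)"
  type        = string
  default     = "docker-hub"
}

locals {
  # Matches only repositories created under the cache prefix,
  # e.g. docker-hub/radarbase/<image>, not every repository in the account.
  ptc_repository_arn = "arn:aws:ecr:${var.aws_region}:${data.aws_caller_identity.current.account_id}:repository/${var.ptc_prefix}/*"
}

# Pattern described in the issue: every ECR repository is in scope.
data "aws_iam_policy_document" "ecr_pull_through_cache_broad" {
  statement {
    actions   = ["ecr:CreateRepository", "ecr:BatchImportUpstreamImage"]
    resources = ["*"]
  }
}

# Scoped form: same capability, limited to the cache prefix.
data "aws_iam_policy_document" "ecr_pull_through_cache_scoped" {
  statement {
    sid       = "AuthToken"
    actions   = ["ecr:GetAuthorizationToken"] # has no resource-level permissions, so "*" is required
    resources = ["*"]
  }

  statement {
    sid = "PullThroughCachePrefixOnly"
    actions = [
      "ecr:CreateRepository",         # first pull creates the cached repository
      "ecr:BatchImportUpstreamImage", # import from the upstream registry
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [local.ptc_repository_arn]
  }
}
```

The only statement that keeps `resources = ["*"]` is the one for `ecr:GetAuthorizationToken`; everything that touches repository contents is bound to the prefix ARN.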