2 min read kubernetes

Automatically pull new AWS ECR latest tags from AWS EKS

How to automatically pull latest tag image on Elastic Container Registry (ECR) from Elastic Kubernetes Service (EKS) on AWS and automatically restart pods.
Automatically pull new AWS ECR latest tags from AWS EKS

Problem

A common use case on AWS Elastic Kubernetes Service (EKS) is to automatically pull latest images stored on AWS Elastic Container Registry (ECR) with tag name that doesn't change over time (ex. latest)

Solution

Use Urunner.
URunner is a lightweight Kubernetes utility in order to auto restart pods on image tag digest change.

How it works

Urunner is a standalone pod (running by default on urunner namespace) that continuosly check changes on external container registries that support Docker API V2, for example AWS ECR.
Urunner detects changes from container tags that don't change their names over time (like latest)

When Urunner detects changes on ECR (thanks to sha1 tag digest), automatically restart the specific deployment (the same of kubectl rollout restart deployment/<deployName>)

Urunner stores its state on an internal sqllite db.

How to install Urunner

Prerequisites

Install Urunner

Create urunner-values.yaml file.

image:
  repository: ghcr.io/texano00/urunner
  tag: 0.1.5

config:
  URUNNER_CONF_FREQUENCY_CHECK_SECONDS: 5
  URUNNER_CONF_CONTAINER_REGISTRY_TO_WATCH: <replace-me-ecr>
  URUNNER_CONF_CONTAINER_REGISTRY_TYPE: aws_ecr
secret:
  create: true
  aws:
    access_key_id: <replace-me-access>
    secret_access_key: <replace-me-secret>

<replace-me-ecr> --> <account-id>.dkr.ecr.<region>.amazonaws.com

AWS access and secret key. Assign to this user the following AWS managed role AmazonEC2ContainerRegistryReadOnly
<replace-me-access> --> aws access_key_id
<replace-me-secret --> aws secret_access_key

Helm install

Artifact Hub
helm upgrade --install urunner oci://ghcr.io/texano00/urunner/helm/urunner --version 0.1.0 --values urunner-values.yaml -n urunner --create-namespace

Labeling

Add urunner=enable to all namespaces you want to be watched from Urunner.

kubectl label ns mynamespace urunner=enable

For full documentation --> https://github.com/texano00/urunner#configurable-watcher

Check the installation

Once Urunner detects a tag digest change, it will output the following row

Published by:

Yuri Bacciarini

You might also like...

Jan
27
[k8s] Automatically pull images from GitLab container registry without change the tag

[k8s] Automatically pull images from GitLab container registry without change the tag

Sometimes is very useful in a continuous integration and deployment process to override and push the same image tag (ex. `latest`) to a gitlab registry and then ideally have the same new image up&running from Kubernetes cluster(s). URunner lighweight tool solves exactly this specific problem.
5 min read
Dec
19
Thanks for all Kubernetes Ingress API, Long life to Gateway API

Thanks for all Kubernetes Ingress API, Long life to Gateway API

Ingress API has been frozen. Yes, you heard well, our lovely Ingress API was officially frozen by Kubernetes itself during October 2023.
7 min read
Oct
26
Kubernetes image distribution challenge - thoughts and tests

Kubernetes image distribution challenge - thoughts and tests

I studied, compared and tried some solutions (Dragonfly, Uber Kraker, kube-image-keeper,..) to understand how they addressed the above challenge. I then produced a final thought
6 min read
Aug
21
How TorchServe could scale in a Kubernetes environment using KEDA

How TorchServe could scale in a Kubernetes environment using KEDA

I almost burned a 7K Euros GPU card (NVIDIA A100 PCIe GPU) to understand how a TorchServe could meet the increasing of ondemand inference requests at scale.
5 min read
Aug
15
Serve AI models using TorchServe in Kubernetes at scale

Serve AI models using TorchServe in Kubernetes at scale

In a tipical MLOps pratice, among the various things, we need to serve our AI models to users exposing inference APIs. I tried a production ready framework (TorchServe) installing it on Azure Kubernetes Service and tested its power to the maximum.
9 min read
Tweets by YBacciarini