Introduction
What changes are taking place?
As of March 20, 2023, all traffic directed to the k8s.gcr.io endpoint will be rerouted to registry.k8s.io. Following this, on April 3, 2023, the old registry will be effectively frozen, prohibiting any new images for Kubernetes and its sub-projects from being uploaded to k8s.gcr.io.
This transition affects all images hosted on k8s.gcr.io, including those from sub-projects like Kubernetes DNS (dns/k8s-dns-node-cache) and Ingress NGINX Controller (ingress-nginx/controller). The new registry is specifically designed to distribute traffic across various regions and cloud providers. Users pulling images from registry.k8s.io will be securely redirected to retrieve images from a storage service, such as Amazon Simple Storage Service (Amazon S3), located in the nearest region of the appropriate cloud provider.
Why is this change necessary?
Since Kubernetes was launched, Google has been the host for its official container image registry (k8s.gcr.io). However, as the project has grown, this model has become increasingly unfeasible for the Cloud Native Computing Foundation (CNCF) due to the costs associated with pulling images from other cloud providers. The Kubernetes community has recognized the need for a more sustainable long-term strategy, which includes leveraging multiple cloud providers to host the project’s image layers and repositories. This distributed cloud infrastructure model aims to enhance performance and user experience, allowing end users to benefit from closer servers and infrastructure from providers like AWS.
Implementing these changes now will help alleviate network traffic costs for end users when pulling images from the previous registry. Additionally, it will improve cost efficiency for the Kubernetes project team, enabling them to reduce egress bandwidth and storage expenses associated with serving a diverse user base. This transition also allows for better resource utilization, such as the AWS donation announced at last year’s KubeCon NA 2022 in Detroit.
When will these changes occur?
- Redirect from the old container image registry – March 20, 2023
Starting on this date, all traffic directed at the legacy k8s.gcr.io registry will be redirected to the new image container registry located at registry.k8s.io.
- Freezing of the old container image registry – April 3, 2023
On this date, the legacy registry (k8s.gcr.io) will be frozen. This action will affect all container images currently hosted in the old registry and halt any new uploads. The legacy registry will still be accessible for image pulls to aid users in their migration from k8s.gcr.io, but the community cannot guarantee its long-term availability. Even if your organization isn’t affected right now, it will be in the future. Therefore, we recommend transitioning to the new registry.k8s.io as quickly as possible.
What steps should you take?
- Identify images from k8s.gcr.io
Begin by locating all container images utilized by Pods in your cluster that rely on the old image registry. You can achieve this through various methods:
- Using OPA Gatekeeper or Kyverno – If you have these policy admission controllers in your Kubernetes cluster, you can leverage them to detect images pulled from k8s.gcr.io and prevent future pulls from this registry. For further examples, refer to Amazon Elastic Kubernetes Service (Amazon EKS) best practices guides.
- Utilizing the kubectl community-images plugin – This command line tool helps display container images running in your Kubernetes cluster that were sourced from community-owned repositories. It can alert users about necessary repository changes. You can view an example of how to use this plugin to update the registry for images in your cluster.
- Using kubectl to check various resources – You can execute a kubectl command to filter through and list the images of different resources in your cluster that rely on the old registry:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c | grep "k8s.gcr.io"
This command specifically checks for Pods containing images from the old registry. If you choose this method, you will need to repeat the command for other resources like DaemonSets, Jobs, etc.
- Update manifests
After identifying the outdated dependencies, update the necessary Helm charts and manifests that still reference k8s.gcr.io to the new registry endpoint, registry.k8s.io.
- Review IP address restriction policies
If you have strict access policies in place that limit image pulls to k8s.gcr.io, you should adjust these to reflect the new changes. Starting March 20, if such restrictions exist, clusters on those networks will be unable to pull images due to the redirection. Moreover, users operating Kubernetes in restricted environments should carefully examine their workload registry dependencies to minimize the risks of unforeseen behavior in their systems after the changes.
- Copy images to a private registry
If you maintain your own image registry, you can transfer the relevant images to your self-hosted repositories using tools like crane. Customers using hosted private image registries such as Amazon Elastic Container Registry (Amazon ECR) can similarly migrate their images from public to private repositories. If you currently mirror images from k8s.gcr.io to a private registry, you will need to update this process to pull from the new public registry, registry.k8s.io.
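The identification and manifest-update steps above can be combined in one pass over `kubectl get ... -o json` output. The following is an added example, not code from the original post: it goes beyond the Pod-only kubectl command by walking the pod template of each workload kind (including init and ephemeral containers) and printing the registry.k8s.io replacement for each hit. The function name, the sample objects and their image tags are constructed for illustration.

```python
import json
import sys

OLD, NEW = "k8s.gcr.io", "registry.k8s.io"
TEMPLATE = ("spec", "template", "spec")
# Where the pod spec lives inside each workload kind.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": TEMPLATE, "DaemonSet": TEMPLATE, "StatefulSet": TEMPLATE,
    "ReplicaSet": TEMPLATE, "Job": TEMPLATE,
    "CronJob": ("spec", "jobTemplate") + TEMPLATE,
}
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")

def find_legacy_images(kube_list):
    """Return (kind, namespace, name, container, image, replacement) tuples."""
    findings = []
    for obj in kube_list.get("items", []):
        path = POD_SPEC_PATH.get(obj.get("kind"))
        if path is None:
            continue  # kind without a pod spec we know how to walk
        spec = obj
        for key in path:
            spec = spec.get(key) or {}
        for field in CONTAINER_FIELDS:
            for c in spec.get(field) or []:
                image = c.get("image", "")
                # Compare the registry host only, so a private mirror path
                # that merely contains "k8s.gcr.io" is not flagged.
                if image.split("/", 1)[0] == OLD:
                    meta = obj.get("metadata", {})
                    findings.append((obj["kind"], meta.get("namespace", ""), meta.get("name", ""),
                                     c.get("name", ""), image, NEW + image[len(OLD):]))
    return findings

# Constructed sample in the shape of `kubectl get ... -o json` output (tags are made up).
SAMPLE = {"items": [
    {"kind": "Pod", "metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "pause", "image": "k8s.gcr.io/pause:3.9"}]}},
    {"kind": "DaemonSet", "metadata": {"namespace": "kube-system", "name": "node-local-dns"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "init", "image": "k8s.gcr.io/dns/k8s-dns-node-cache:1.0"}],
         "containers": [{"name": "cache", "image": "registry.k8s.io/dns/k8s-dns-node-cache:1.0"}]}}}},
    {"kind": "CronJob", "metadata": {"namespace": "ops", "name": "mirror"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
         {"name": "job", "image": "mirror.example.com/k8s.gcr.io/pause:3.9"}]}}}}}},
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for row in find_legacy_images(data):
        print("\t".join(row))
```

Against a live cluster, pipe `kubectl get pods,deployments,daemonsets,statefulsets,jobs,cronjobs --all-namespaces -o json` into the script with `-` as its argument. Pods owned by a controller appear twice (once as the Pod, once as the owning workload), which shows which manifest needs the edit.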
Impact on AWS Customers
We strongly advise customers operating Amazon EKS and self-managed Kubernetes clusters on AWS to scan for and address necessary changes related to their image dependencies previously hosted in the old registry. Numerous workloads, operators, and sub-projects utilize images stored in k8s.gcr.io, which may affect both Amazon EKS and self-managed Kubernetes users. Consequently, it is vital to conduct the necessary checks to prevent disruptions caused by this registry update.
Conclusion
For further information regarding the new Kubernetes container image registry at registry.k8s.io, the freezing of the old registry, and a timeline of other related changes, please refer to the following posts: