ERR parsing policy #614

Open
stdmje opened this issue Oct 28, 2023 · 2 comments
stdmje commented Oct 28, 2023

Hello! I am getting a parse error when trying to use the following policy:

    ecrOptions:
      accessPolicy: |
        {
          "Statement": [
            {
              "Sid": "AllowCrossAccountPull",
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
              ],
              "Condition": {
                "StringEquals": {
                  "aws:PrincipalOrgID": "o-XXXX"
                }
              }
            }
          ],
          "Version": "2008-10-17"
        }

Logs:

    k8s-image-swapper-576dbbb84b-4zrkd k8s-image-swapper 11:09AM ERR parsing image swap policy failed error="unknown image swap policy string: '', defaulting to exists" policy=
    k8s-image-swapper-576dbbb84b-4zrkd k8s-image-swapper 11:09AM ERR parsing image copy policy failed error="unknown image copy policy string: '', defaulting to delayed" policy=

Please note that I am upgrading from 1.1.0 helm chart version to 1.8.0, and in the previous version everything was working fine.

Thanks

estahn (Owner) commented Feb 13, 2024

@stdmje Is this still an issue?

Is this snippet from the configmap or the helm chart? If it is from the helm chart values can you check if the configmap is properly propagated?

estahn self-assigned this Feb 13, 2024
estahn added the labels bug (Something isn't working) and question (Further information is requested) Feb 13, 2024

stdmje (Author) commented Aug 30, 2024

It's from the helm chart. With those values, the configmap looks ok but I get those errors.

    apiVersion: v1
    data:
      config.yaml: |
        dryRun: false
        logFormat: console
        logLevel: error
        source:
          filters:
          - jmespath: obj.metadata.namespace == 'default'
          - jmespath: contains(container.image, '.dkr.ecr.') && contains(container.image,
              '.amazonaws.com')
          - jmespath: contains(container.image, 'public.ecr.aws')
          - jmespath: contains(container.image, 'gcr.io')
          - jmespath: contains(container.image, 'quay.io')
          - jmespath: contains(container.image, 'ghcr.io')
          - jmespath: contains(container.image, 'registry.k8s.io')
          - jmespath: contains(container.image, 'cr.fluentbit.io')
          - jmespath: contains(container.image, 'xpkg.upbound.io')
          - jmespath: contains(container.image, 'registry.access.redhat.com')
        target:
          aws:
            accountId: "xxx"
            ecrOptions:
              accessPolicy: |
                {
                  "Statement": [
                    {
                      "Sid": "AllowCrossAccountPull",
                      "Effect": "Allow",
                      "Principal": {
                        "AWS": "*"
                      },
                      "Action": [
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchGetImage",
                        "ecr:BatchCheckLayerAvailability"
                      ],
                      "Condition": {
                        "StringEquals": {
                          "aws:PrincipalOrgID": "o-xxx"
                        }
                      }
                    }
                  ],
                  "Version": "2008-10-17"
                }
            region: eu-west-1
            role: arn:aws:iam::xxx:role/xxx-cross-account-k8s-image-swapper
    kind: ConfigMap
    metadata:
      annotations:
        meta.helm.sh/release-name: k8s-image-swapper
        meta.helm.sh/release-namespace: kube-system
      creationTimestamp: "2024-08-30T14:15:24Z"
      labels:
        app.kubernetes.io/component: app
        app.kubernetes.io/instance: k8s-image-swapper
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: k8s-image-swapper
        app.kubernetes.io/version: 1.5.10
        helm.sh/chart: k8s-image-swapper-1.10.3
      name: k8s-image-swapper
      namespace: kube-system
      resourceVersion: "1139493674"
      uid: 26399153-cac0-45f2-92ec-e67ade8523f9

This policy is correct and if I configure it in an ECR repo, it works perfectly.
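
An added example, not part of the thread or of k8s-image-swapper: a Python check for the `accessPolicy` shape posted above, which grants pull access to principal `*` and relies on the `aws:PrincipalOrgID` condition to bound it. The function names and the embedded copy of the policy are constructed for this illustration, and only the `StringEquals` operator is recognised.

```python
import json

# Constructed input: the accessPolicy posted in the issue, compacted (placeholder org ID kept).
ISSUE_POLICY = """{"Version": "2008-10-17", "Statement": [{
  "Sid": "AllowCrossAccountPull", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"],
  "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-XXXX"}}}]}"""
PULL_ACTIONS = {"ecr:getdownloadurlforlayer", "ecr:batchgetimage",  # granted by that policy;
                "ecr:batchchecklayeravailability"}  # action names are case-insensitive


def as_list(value):
    """Statement, Action, principal and condition values may be one item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard(principal):
    """True for "*", {"AWS": "*"} and {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return principal == "*"


def org_ids(statement):
    """aws:PrincipalOrgID values under StringEquals (the only operator recognised here)."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return [v for key, vals in cond.items() if key.lower() == "aws:principalorgid"
            for v in as_list(vals)]


def audit_access_policy(document):
    """Return (sid, finding) pairs for Allow statements open to any AWS principal."""
    findings = []
    for st in as_list(json.loads(document).get("Statement")):
        if st.get("Effect") != "Allow" or not is_wildcard(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        if not org_ids(st):
            findings.append((sid, "wildcard principal without aws:PrincipalOrgID"))
        extra = [a for a in as_list(st.get("Action")) if a.lower() not in PULL_ACTIONS]
        if extra:
            findings.append((sid, "non-pull actions: " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    print(audit_access_policy(ISSUE_POLICY) or "no findings")
```

A statement that uses a different operator (for example `StringLike`) is reported as unbounded, so review such findings by hand rather than treating them as confirmed exposure.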
