Review request for releasing ecr-credential-provider in classic confinement

I am part of the canonical-cloud-snaps publishers list. I am making this post on behalf of that account as we do not half a forum login for it.

The ecr-credential-provider snap was implementing as a classic confinement snap. This matches the existing implementation of the kubelet (and it’s variants) snap. This provider was pulled out of the k8s tree in 1.27, but is a hard requirement for integration with EKS. The team responsible for creating the EKS Ubuntu Cloud Image believes this snap should be published in classic confinement to ensure the kubelet snap has access to it. In the future, if the kubelet snap confinement changes, this decision would need to be revisited.

@rpocase hey,

Can you please describe the technical details behind this access and the requirements for having ecr-credential-provider as a classic confined snap as well?


technical details for requiring classic confinement

tl;dr Seems like there is a technical path forward that does not REQUIRE classic confinement, but there are UX trade offs that are valuable if we stick to classic confinement as long as kubelet does as well.

The rest is paraphrasing @cynerva’s recommended initial approach and a possible route forward to avoid classic confinement.

ecr-credential-provider is a binary that kubelet needs to be configured to use via the --image-credential-provider-bin-dir and --image-credential-provider-config options. One option would bet to embed the binary in the kubelet snap, but that bloats the generalized snap unnecessarily. Since kubelet and kubelet-eks share a source tree, both are already classic confined, so bundling the binary via a snap makes it easy to not only be compatible with the EKS specific kubetlet, but also be compatible with kubectl setups that have extensions installed (or even a host where kubelet is installed through a non-snap method.

The content interface may be a path forward to prevent the need for classic confinement, but understanding any deltas we may have with EKS 1.26 -> 1.27 is expected to be a more stable initial venture on this front.

We dug into this a bit more and believe using plugs: [network] is sufficient to expose the right functionality. I’ll follow up if we need anything else. Thanks!

1 Like