AWS ECR Security and Cost Optimization


ECR is a pay-as-you-go managed service: ECR Price

Like our Maven Nexus, ECR is one of our software repositories; the difference is that ECR stores only our Docker images.

ECR also offers some additional features:

  • Cross-account and cross-region replication
  • Lifecycle management of Docker images
  • Checks on Docker images at push time (scan on push)

This article introduces some configuration tips for ECR from the security and cost perspectives.

Security

Before pushing our own Docker images to ECR, it is recommended to set two parameters on the repository in advance:

  • Image tags are immutable
  • Images are security-scanned on push

[image]

Do not enable the option highlighted in red unless you really need it: once it is on, by default it lets other people pull your images, and if you do not configure it carefully your images can easily leak.

By default, when a pull through cache rule is created, any IAM user, group, or role that has permission to pull images can pull through cache as well.

You can use registry permissions to further scope down these permissions to specific repositories.


Cost

ECR bills for what you use, so Docker images should be put under lifecycle management. That lets you expire images conditionally, reduce the storage held in ECR, and therefore lower cost.

For example, the policy below is a typical lifecycle policy:

  • Untagged images expire after 30 days
  • Of the tagged images (tags beginning with v or V), only the 10 most recent are kept
  • Of all images, only the 30 most recent are kept


The lifecycle policy used here:

{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire images older than 30 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 30
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "action": {
        "type": "expire"
      },
      "selection": {
        "countType": "imageCountMoreThan",
        "countNumber": 10,
        "tagStatus": "tagged",
        "tagPrefixList": [
          "v",
          "V"
        ]
      },
      "description": "Only the last 10 tagged images are retained",
      "rulePriority": 2
    },
    {
      "rulePriority": 3,
      "description": "Only the last 30 tagged/untagged images are retained",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 30
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
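To see what this policy would actually do to a repository, here is an added Python simulation (not from the post and not an AWS tool) that applies the three rules above to a constructed set of images. It assumes a simplified evaluation model: rules run in ascending rulePriority, and an image expired by one rule is not seen by later rules; tagPrefixList matches any tag starting with a listed prefix.

```python
import json
from datetime import datetime, timedelta, timezone

# The three rules from the post's policy (descriptions dropped for brevity).
POLICY = {"rules": [
    {"rulePriority": 1, "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                                      "countUnit": "days", "countNumber": 30}, "action": {"type": "expire"}},
    {"rulePriority": 2, "selection": {"tagStatus": "tagged", "tagPrefixList": ["v", "V"],
                                      "countType": "imageCountMoreThan", "countNumber": 10}, "action": {"type": "expire"}},
    {"rulePriority": 3, "selection": {"tagStatus": "any", "countType": "imageCountMoreThan",
                                      "countNumber": 30}, "action": {"type": "expire"}},
]}

def matches(selection, image):
    """Does an image fall under a rule's tagStatus / tagPrefixList filter?"""
    status = selection["tagStatus"]
    if status == "untagged":
        return not image["tags"]
    if status == "tagged":
        prefixes = selection.get("tagPrefixList", [])  # assumption: no list means every tagged image
        return bool(image["tags"]) and (not prefixes or any(t.startswith(p) for t in image["tags"] for p in prefixes))
    return True  # "any"

def simulate(policy, images, now):
    """Return {digest: rulePriority} for every image the policy would expire (simplified model, see lead-in)."""
    expired = {}
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        candidates = [i for i in images if i["digest"] not in expired and matches(sel, i)]
        candidates.sort(key=lambda i: i["pushed"], reverse=True)  # newest first
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])  # countUnit is always "days"
            victims = [i for i in candidates if i["pushed"] < cutoff]
        else:  # imageCountMoreThan: keep the newest countNumber images, expire the rest
            victims = candidates[sel["countNumber"]:]
        for i in victims:
            expired[i["digest"]] = rule["rulePriority"]
    return expired

def sample_images(now):
    """Constructed repository: 12 release tags, 30 recent untagged images and 3 stale untagged ones."""
    imgs = [{"digest": f"sha256:v{n}", "tags": [f"v{n}"], "pushed": now - timedelta(days=13 - n)} for n in range(1, 13)]
    imgs += [{"digest": f"sha256:u{d}", "tags": [], "pushed": now - timedelta(days=d, hours=12)} for d in range(30)]
    imgs += [{"digest": f"sha256:old{d}", "tags": [], "pushed": now - timedelta(days=d)} for d in (40, 50, 60)]
    return imgs

def summarize(now=None):
    """Digests expired by each rule, keyed by rulePriority."""
    now = now or datetime.now(timezone.utc)
    expired = simulate(POLICY, sample_images(now), now)
    return {p: sorted(d for d, r in expired.items() if r == p) for p in (1, 2, 3)}

if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

Running it shows rule 1 removing the three stale untagged images, rule 2 trimming the release tags to the newest ten, and rule 3 then expiring the ten oldest of what remains, leaving exactly 30 images.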