I'm curious whether there is a way to set up a common lifecycle policy that applies to all repositories in ECR?
Currently, as far as I know, there is no way to do this.
One approach I'm considering is to take the JSON definition of the lifecycle policy and apply it to all repositories with the AWS CLI (which could be automated somewhat). But that would have to be run every time a new repository is created, which adds complexity.
Answer 0 (score: 0)
You can use Terraform for this:
    # Terraform 0.12+ syntax. Assumes local.registries (a comma-separated list of
    # repository names) and aws_ecr_repository.ecr_repositories (created with count)
    # are defined elsewhere in the configuration.
    resource "aws_ecr_lifecycle_policy" "untagged_removal_policy" {
      count      = length(split(",", local.registries))
      depends_on = [aws_ecr_repository.ecr_repositories]
      repository = aws_ecr_repository.ecr_repositories[count.index].name

      policy = <<EOF
    {
      "rules": [
        {
          "rulePriority": 1,
          "description": "Expire Docker images older than 7 days",
          "selection": {
            "tagStatus": "untagged",
            "countType": "sinceImagePushed",
            "countUnit": "days",
            "countNumber": 7
          },
          "action": {
            "type": "expire"
          }
        }
      ]
    }
    EOF
    }
Answer 1 (score: 0)
There is still no default ECR lifecycle policy template or anything like it. So, as you mentioned, you can use the aws cli approach and schedule it to run from somewhere, e.g. a Lambda or a k8s job:
Get all repository names:
    repositories=($(aws ecr describe-repositories --profile="$profile" --output text --query "repositories[*].repositoryName"))
Apply the policy to each repository:
    for repository in "${repositories[@]}"; do
      aws ecr put-lifecycle-policy --profile="$profile" --repository-name "$repository" --lifecycle-policy-text "file://policy.json"
    done
Answer 2 (score: 0)
I'm using a CloudFormation mapping to define one policy and then apply it to all repositories with a single line:
    Mappings:
      ECRPolicy:
        DevPolicy:
          RemoveUntagged: |
            {
              "rules": [
                {
                  "rulePriority": 1,
                  "description": "Expire images older than 3 days",
                  "selection": {
                    "tagStatus": "untagged",
                    "countType": "sinceImagePushed",
                    "countUnit": "days",
                    "countNumber": 3
                  },
                  "action": {
                    "type": "expire"
                  }
                }
              ]
            }
For the repos it's just:
    ECRRepository:
      Type: AWS::ECR::Repository
      Properties:
        RepositoryName: !Sub ${ECRRepositoryName}-dev
        RepositoryPolicyText:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - ecr:GetAuthorizationToken
                - ecr:BatchCheckLayerAvailability
                - ecr:GetDownloadUrlForLayer
                - ecr:GetRepositoryPolicy
                - ecr:DescribeRepositories
                - ecr:ListImages
                - ecr:DescribeImages
                - ecr:BatchGetImage
              Principal:
                AWS:
                  - !Sub arn:aws:iam::${DevAccount}:root
              Sid: AllowCrossAccountPull
        LifecyclePolicy:
          LifecyclePolicyText: !FindInMap [ECRPolicy, DevPolicy, RemoveUntagged]
Answer 3 (score: -1)
AWS DOCS: an example of how to implement a policy for tagged and untagged images with Terraform
https://docs.aws.amazon.com/AmazonECR/latest/userguide/lifecycle_policy_examples.html
    {
      "rules": [
        {
          "rulePriority": 1,
          "description": "Remove tagged images with prefix prod-*",
          "selection": {
            "tagStatus": "tagged",
            "tagPrefixList": ["prod"],
            "countType": "imageCountMoreThan",
            "countNumber": 1
          },
          "action": {
            "type": "expire"
          }
        },
        {
          "rulePriority": 2,
          "description": "Remove untagged images",
          "selection": {
            "tagStatus": "untagged",
            "countType": "imageCountMoreThan",
            "countNumber": 1
          },
          "action": {
            "type": "expire"
          }
        }
      ]
    }
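As an added example (not code from any of the answers above), here is an offline preview of what the 7-day untagged policy and the prod-*/untagged keep-one policy would actually expire, run against a constructed image list with a simplified model of ECR's documented rule evaluation; the digests and dates are made up. It is worth doing this before pushing one policy to every repository, because the prod-* rule in the last answer keeps only the newest production image.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of one repository's DescribeImages output (digests/dates are made up).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
IMAGES = [
    {"imageDigest": "sha256:a1", "imageTags": ["prod-3"], "imagePushedAt": NOW - timedelta(days=1)},
    {"imageDigest": "sha256:a2", "imageTags": ["prod-2"], "imagePushedAt": NOW - timedelta(days=5)},
    {"imageDigest": "sha256:a3", "imageTags": ["prod-1"], "imagePushedAt": NOW - timedelta(days=9)},
    {"imageDigest": "sha256:b1", "imageTags": ["dev-7"], "imagePushedAt": NOW - timedelta(days=30)},
    {"imageDigest": "sha256:c1", "imageTags": [], "imagePushedAt": NOW - timedelta(days=2)},
    {"imageDigest": "sha256:c2", "imageTags": [], "imagePushedAt": NOW - timedelta(days=8)},
]

# The policies from the answers above, as the JSON text that put-lifecycle-policy accepts.
UNTAGGED_7_DAYS = json.dumps({"rules": [{"rulePriority": 1, "selection": {
    "tagStatus": "untagged", "countType": "sinceImagePushed", "countUnit": "days",
    "countNumber": 7}, "action": {"type": "expire"}}]})
PROD_KEEP_ONE = json.dumps({"rules": [
    {"rulePriority": 1, "selection": {"tagStatus": "tagged", "tagPrefixList": ["prod"],
     "countType": "imageCountMoreThan", "countNumber": 1}, "action": {"type": "expire"}},
    {"rulePriority": 2, "selection": {"tagStatus": "untagged",
     "countType": "imageCountMoreThan", "countNumber": 1}, "action": {"type": "expire"}}]})

def rule_selects(rule, image):
    """True if the rule's tagStatus / tagPrefixList selection matches the image."""
    sel, tags = rule["selection"], image.get("imageTags") or []
    if sel["tagStatus"] == "untagged":
        return not tags
    if sel["tagStatus"] == "tagged":
        return any(t.startswith(p) for t in tags for p in sel.get("tagPrefixList", []))
    return True  # tagStatus "any"

def preview_expirations(policy_text, images, now=NOW):
    """Digests the policy would expire: rules run by ascending rulePriority, and an
    image selected by a higher-priority rule is never considered by a lower one."""
    rules = sorted(json.loads(policy_text)["rules"], key=lambda r: r["rulePriority"])
    claimed, expired = set(), []
    for rule in rules:
        mine = [i for i in images if i["imageDigest"] not in claimed and rule_selects(rule, i)]
        claimed.update(i["imageDigest"] for i in mine)
        mine.sort(key=lambda i: i["imagePushedAt"], reverse=True)  # newest first
        sel = rule["selection"]
        if sel["countType"] == "imageCountMoreThan":  # keep the newest N, expire the rest
            expired += [i["imageDigest"] for i in mine[sel["countNumber"]:]]
        elif sel["countType"] == "sinceImagePushed":  # expire anything older than N days
            cutoff = now - timedelta(days=sel["countNumber"])
            expired += [i["imageDigest"] for i in mine if i["imagePushedAt"] < cutoff]
    return expired
```

The authoritative dry run is ECR's own `aws ecr start-lifecycle-policy-preview` / `aws ecr get-lifecycle-policy-preview`, which evaluates the real rules against the real repository without deleting anything.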