does not seem to support kube2iam for ECR access

[yogeek]

Hello,

I have a K8S cluster deployed in AWS with kubeadm.
Some of my images comes from the ECR of the K8S AWS account and I wanted to use kube2iam annotation on version-checker pod to allow it to check for image tags but it does not seem to work :

version-checker pod :

apiVersion: v1
kind: Pod
metadata:
  annotations:
    enable.version-checker.io/version-checker: "true"
    iam.amazonaws.com/role: ecr-read-profile
[...]

version-checker logs :

time="2020-12-07T14:47:39Z" level=error msg="error syncing 'checkoutservice-78b576896d-9pk6z/microdemo': failed to sync pod checkoutservice-78b576896d-9pk6z/microdemo: failed to check container image \"server\": failed to get tags from remote registry for \"<AWS_ACCOUNT_ID>.dkr.ecr.eu-central-1.amazonaws.com/google-samples/microservices-demo/checkoutservice\": failed to describe images: EmptyStaticCreds: static credentials are empty, requeuing" module=controller

Does the ECR authent only work with static credentials ?
Would it be possible to support kube2iam to avoid giving the pod static key and password ?
Thanks

[james-gonzalez]

Something like this would also be useful for us. We could use the service-account with the annotation "eks.amazonaws.com/role-arn" : role-arn so that we don't have to hard-code keys anywhere.