Add -disable-ecr flag

Luan Pinto · Luan Pinto · commit fe8a30397218 · 2026-03-02T17:51:59.000Z
Signed-off-by: Luan Pinto &lt;luan.pinto@luan-pinto.bofh.etux&gt;
diff --git a/main.go b/main.go
@@ -36,6 +36,7 @@ func main() {
 	imageCheckInterval := flag.Duration("check-interval", time.Minute, "image re-check interval")
 	ignoredImagesStr := flag.String("ignored-images", "", "tilde-separated image regexes to ignore, each image will be checked against this list of regexes")
 	allowedImagesStr := flag.String("allowed-images", "", "tilde-separated image regexes to allow, each image will be checked against this list of regexes")
+	disableECR := flag.Bool("disable-ecr", false, "disable AWS ECR integration (always use k8s provider)")
 	bindAddr := flag.String("bind-address", ":8080", "address:port to bind /metrics endpoint to")
 	namespaceLabels := flag.String("namespace-label", "", "namespace label for checks")
 	insecureSkipVerify := flag.Bool("skip-registry-cert-verification", false, "whether to skip registries' certificate verification")
@@ -103,6 +104,7 @@ func main() {
 		*defaultRegistry,
 		*namespaceLabels,
 		mirrors,
+		*disableECR,
 	)
 	prometheus.MustRegister(registryChecker)
 
diff --git a/pkg/providers/provider.go b/pkg/providers/provider.go
@@ -31,10 +31,13 @@ var (
 )
 
 func (p ProviderRegistry) GetAuthKeychain(registry string) (authn.Keychain, error) {
-	switch {
-	case amazonURLRegex.MatchString(registry):
-		return p["amazon"].GetAuthKeychain(registry)
-	default:
-		return p["k8s"].GetAuthKeychain(registry)
-	}
+  switch {
+  case amazonURLRegex.MatchString(registry):
+    if amazonProvider, ok := p["amazon"]; ok && amazonProvider != nil {
+      return amazonProvider.GetAuthKeychain(registry)
+    }
+    return p["k8s"].GetAuthKeychain(registry)
+  default:
+    return p["k8s"].GetAuthKeychain(registry)
+  }
 }
diff --git a/pkg/registry/checker.go b/pkg/registry/checker.go
@@ -87,6 +87,7 @@ func NewChecker(
 	defaultRegistry string,
 	namespaceLabel string,
 	mirrorsMap map[string]string,
+	disableECR bool,
 ) *Checker {
 	informerFactory := informers.NewSharedInformerFactory(kubeClient, time.Hour)
 
@@ -259,11 +260,20 @@ func NewChecker(
 	logrus.Info("Caches populated successfully")
 
 	rc.imageStore.RunGC(rc.controllerIndexers.GetContainerInfosForImage)
-	registry := providers.NewProviderChain(
-		amazon.NewProvider(),
-		k8s.NewProvider(rc.controllerIndexers.GetImagePullSecrets),
-	)
-	rc.providerRegistry = registry
+
+	var registry providers.ProviderRegistry
+        if disableECR {
+          registry = providers.NewProviderChain(
+            k8s.NewProvider(rc.controllerIndexers.GetImagePullSecrets),
+          )
+        } else {
+          registry = providers.NewProviderChain(
+            amazon.NewProvider(),
+            k8s.NewProvider(rc.controllerIndexers.GetImagePullSecrets),
+          )
+        }
+        
+        rc.providerRegistry = registry
 
 	return rc
 }
