[Feature] Support ECR pull-through cache repos by default #8318
Labels
kind/feature
New feature or request
Comments
|
Note: Same change was already merged into upstream Karpenter. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
eksctlshould create node role with IAM permissions to pull images from ECR pull-through cache repositories (PTC) without users having to define custom IAM configuration.Currently (v0.206.0), node role is missing
ecr:BatchImportUpstreamImagepermission, which is absent in AmazonEC2ContainerRegistryReadOnly managed policy and present in AmazonEC2ContainerRegistryPullOnly managed policy. This permission is required to be able to pull new images from PTC repos.In general,
AmazonEC2ContainerRegistryReadOnlycan be replaced withAmazonEC2ContainerRegistryPullOnlywith no downsides. This will also remove unneeded permissions defined in ReadOnly role, thus making it better suited for the least privilege principle, and match the current AWS recommendations for node role. The only consideration is that it may break custom scripts some users run on the nodes, and maybe some pods that still use host IAM instead of IRSA/Pod Identity. I would propose addingAmazonEC2ContainerRegistryPullOnlymanaged policy to defaults now, and scheduling to removeAmazonEC2ContainerRegistryReadOnlyfrom defaults later.NOTE: EKS Auto Mode already uses
AmazonEC2ContainerRegistryPullOnly.The text was updated successfully, but these errors were encountered: