Support ECR pull-through cache repos #7956
Labels
documentation
Improvements or additions to documentation
triage/accepted
Indicates that the issue has been accepted as a valid issue
Comments
artem-nefedov
added
documentation
|
Do you want to open a PR to make this change to our docs? Given that this is for creating new clusters, I think that it's fine to push this out if you want to open the PR |
jonathan-innis
added
triage/accepted
|
@jonathan-innis done, please check |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Example CFN template should create node role with IAM permissions to pull images from ECR pull-through cache repositories (PTC).
Currently (v1.3.3), node role is missing
ecr:BatchImportUpstreamImagepermission, which is absent in AmazonEC2ContainerRegistryReadOnly managed policy and present in AmazonEC2ContainerRegistryPullOnly managed policy. This permission is required to be able to pull new images from PTC repos.In general,
AmazonEC2ContainerRegistryReadOnlycan be replaced withAmazonEC2ContainerRegistryPullOnlywith no downsides. This will also remove unneeded permissions defined in ReadOnly role, thus making it better suited for the least privilege principle, and match the current AWS recommendations for node role.NOTE: EKS Auto Mode already uses
AmazonEC2ContainerRegistryPullOnly.The text was updated successfully, but these errors were encountered: