AWS eks documentation change
Summary
Added note about optional permissions for kubelet to pull images from Amazon ECR Public using the AmazonElasticContainerRegistryPublicReadOnly policy to avoid rate-limiting
Security assessment
The change documents an optional IAM policy that provides controlled access to public ECR repositories. This is a security feature that enables proper authentication and authorization for pulling public container images, but there's no indication it fixes a specific security vulnerability.
Diff
diff --git a/eks/latest/userguide/create-node-role.md b/eks/latest/userguide/create-node-role.md index fede133b3..8093caa3c 100644 --- a//eks/latest/userguide/create-node-role.md +++ b//eks/latest/userguide/create-node-role.md @@ -28,0 +29,2 @@ Before you create nodes, you must create an IAM role with the following permissi + * (Optional) Permissions for the `kubelet` to use container images from Amazon ECR Public (public.ecr.aws), such as provided by the [AmazonElasticContainerRegistryPublicReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicReadOnly.html) policy. These permissions are recommended if you pull container images from ECR Public. Without them, the pulls will succeed, but may be rate-limited. +