feat: add permissions for ECR Public container pulls to Auto Mode NodeRole (#8698)

fletcherw · web-flow · commit a20fb5410690 · 2026-03-25T13:10:33.000-07:00
feat: ECR Public authenticated pulls

Update the default EKS Auto Mode Node Role to allow authenticated pulls from ECR public.
This ensures that container pulls are not unnecessarily throttled due to
unauthenticated pulls.
diff --git a/pkg/cfn/builder/roles/auto-mode-node-role.yaml b/pkg/cfn/builder/roles/auto-mode-node-role.yaml
@@ -18,6 +18,7 @@ Resources:
               - sts:AssumeRole
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly"
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
 
 Outputs:
