eks: KubectlProvider should use the AmazonEC2ContainerRegistryPullOnly managed policy

[wagdav]

Describe the feature

The KubectlProvider has access to ECR so that it can fetch Helm charts stored in repositories:

aws-cdk/packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts

Lines 169 to 172 in ec18b83

	// For OCI helm chart authorization.
	this.handlerRole.addManagedPolicy(
	iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'),
	);

Currently, the KubectlProvider uses the AmazonEC2ContainerRegistryReadOnly policy which works, but it's

1. Too broad: for example kubectl doesn't use the "ecr:ListImages" action
2. Too narrow: it doesn't include "ecr:BatchImportUpstreamImage" action, which is required to use a pull-through cache.

Reference:

• https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPullOnly.html
• https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html

Use Case

I discovered this issue when I configured an ECR as a pull-through cache, that is to pull images from another registry (in my case another ECR).

For my EKS setup I granted all my nodes the AmazonEC2ContainerRegistryPullOnly role, but I couldn't install Helm charts from ECR, using the CDK, because kubectl couldn't use the caching ECR repository because its policy doesn't allow the ecr:BatchImportUpstreamImage action.

Proposed Solution

I suggest to replace the AmazonEC2ContainerRegistryReadyOnly managed policy with AmazonEC2ContainerRegistryPullOnly in the KubectlProvider's code.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.204.0

AWS CDK CLI version

2.1020.2 (build cf35f57)

Environment details (OS name and version, etc.)

macOS

[pahud]

Hi @wagdav,

Thank you for this well-documented feature request! You're absolutely right that the KubectlProvider should use the AmazonEC2ContainerRegistryPullOnly managed policy instead of AmazonEC2ContainerRegistryReadOnly.

This change makes sense for several reasons:

1. Pull-through cache support: The current policy lacks ecr:BatchImportUpstreamImage permission required for ECR pull-through cache functionality
2. Security best practices: AmazonEC2ContainerRegistryPullOnly follows the principle of least privilege by removing unnecessary permissions like ecr:ListImages
3. AWS recommendations: This aligns with current AWS documentation for EKS node roles:

• Amazon EKS node IAM role - recommends AmazonEC2ContainerRegistryPullOnly
• Amazon EKS Auto Mode node IAM role - requires AmazonEC2ContainerRegistryPullOnly

The fix is straightforward - updating line 169-172 in the KubectlProvider constructor to use the correct managed policy. This change should be backward compatible since AmazonEC2ContainerRegistryPullOnly includes all the permissions needed for the KubectlProvider's OCI Helm chart functionality while adding the missing pull-through cache support.

We'll submit an immediate pull request to accelerate this fix - the change is simple and well-justified, so there's no need to wait. The modification will be in the packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts file.

Thanks for helping improve the CDK! 🚀

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.