Description
eksctl should create the node role with IAM permissions to pull images from ECR pull-through cache (PTC) repositories without users having to define custom IAM configuration.

Currently (v0.206.0), the node role is missing the ecr:BatchImportUpstreamImage permission, which is absent from the AmazonEC2ContainerRegistryReadOnly managed policy and present in the AmazonEC2ContainerRegistryPullOnly managed policy. This permission is required to pull new images from PTC repos.

In general, AmazonEC2ContainerRegistryReadOnly can be replaced with AmazonEC2ContainerRegistryPullOnly with no downsides. This will also remove the unneeded permissions granted by the ReadOnly policy, which better suits the least-privilege principle and matches the current AWS recommendations for the node role. The only consideration is that it may break custom scripts some users run on the nodes, and perhaps some pods that still use the host IAM role instead of IRSA/Pod Identity. I would propose adding the AmazonEC2ContainerRegistryPullOnly managed policy to the defaults now, and scheduling the removal of AmazonEC2ContainerRegistryReadOnly from the defaults later.

NOTE: EKS Auto Mode already uses AmazonEC2ContainerRegistryPullOnly.
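Until the defaults change, the custom IAM configuration this request aims to make unnecessary looks like the ClusterConfig below. It is an added example, not from the issue or the eksctl project; the cluster name, region and node group name are placeholders, and it assumes that attachPolicyARNs replaces eksctl's default node policies, so those defaults are listed explicitly next to the PullOnly policy.

```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: example-cluster   # placeholder
  region: us-east-1       # placeholder

managedNodeGroups:
  - name: ng-ptc          # placeholder
    instanceType: m5.large
    desiredCapacity: 2
    iam:
      # attachPolicyARNs replaces the default node policies (assumption based on
      # eksctl's documented behaviour), so the defaults are listed explicitly.
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        # ReadOnly is kept for now only to avoid breaking node scripts or pods
        # that still rely on the host role; it can be dropped once verified.
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        # PullOnly grants ecr:BatchImportUpstreamImage, which the first pull of
        # an image not yet cached in a PTC repository requires.
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly
```

Apply it with `eksctl create cluster -f cluster.yaml` (or `eksctl create nodegroup -f cluster.yaml` for an existing cluster), then confirm a not-yet-cached image pulls from the PTC repository on a fresh node.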