2025-03-30 Hünkar Döner
Container Registry Strategies for EKS: Using ECR
ECR, Container Registry, EKS, Security
Container images are the heart of your application. If you are using Amazon EKS, the most natural and performant place to store your images is Amazon Elastic Container Registry (ECR).
Why ECR?
- Speed: ECR and EKS live in the same AWS network. Image pulls are very fast and there is no data transfer fee within the same region.
- Security: Fully integrated with IAM, so you can control precisely who may pull or push which image.
- Scanning: Scans pushed images for known vulnerabilities (CVEs) automatically once scan-on-push is enabled on the repository.
EKS and ECR Integration
For EKS nodes to pull images from ECR, it is sufficient to attach the AmazonEC2ContainerRegistryReadOnly managed policy to the node IAM role (repositories in another AWS account additionally need a repository policy that grants the node role pull access).
Tip: ECR Public and Pull Through Cache
- Docker Hub limits: If you pull images from Docker Hub too frequently, the pull fails with a rate-limit error.
- Solution: Use ECR's pull through cache feature. It pulls an image from an upstream registry such as Docker Hub or Quay.io once and caches it in your own ECR; from then on your EKS cluster pulls the image from ECR. That is both faster and keeps you clear of the upstream limits.
Lifecycle Policies
Don't let old images pile up in your repositories. Automate cleanup by defining lifecycle policies on ECR such as "keep the last 100 images and delete the rest" or "delete untagged images older than 30 days".
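As an added example (not from the original post), the following Python builds exactly those two rules in the JSON shape ECR accepts and dry-runs them locally against a constructed set of images. It also shows a subtlety of ECR's documented evaluation order: an image expired by an earlier rule still counts toward a later rule's image count, so "keep the last N" can leave fewer than N images. The digests, tags and push dates are constructed sample data; only the policy document itself is real ECR syntax.

```python
import json
from datetime import datetime, timedelta, timezone

def build_policy(keep_last: int = 100, untagged_days: int = 30) -> dict:
    """Lifecycle policy document in the shape `aws ecr put-lifecycle-policy` accepts.
    Rules run in ascending rulePriority; the tagStatus "any" rule goes last."""
    return {"rules": [
        {"rulePriority": 1, "description": f"Expire untagged images older than {untagged_days} days",
         "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                       "countUnit": "days", "countNumber": untagged_days},
         "action": {"type": "expire"}},
        {"rulePriority": 2, "description": f"Keep only the {keep_last} most recent images",
         "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": keep_last},
         "action": {"type": "expire"}},
    ]}

def evaluate(policy: dict, images: list, now: datetime) -> set:
    """Dry-run: return the digests the policy would expire. Follows ECR's documented
    evaluation: an image is expired by at most one rule, images already marked by a
    higher-priority rule still count when a later rule sorts/counts, oldest go first."""
    expired = set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        if sel["tagStatus"] == "untagged":
            candidates = [i for i in images if not i["tags"]]
        elif sel["tagStatus"] == "any":
            candidates = list(images)
        else:  # "tagged" rules need tagPrefixList/tagPatternList matching; not modelled here
            raise NotImplementedError(sel["tagStatus"])
        candidates.sort(key=lambda i: i["pushedAt"], reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            hits = candidates[sel["countNumber"]:]
        else:  # sinceImagePushed; countUnit is always days
            hits = [i for i in candidates if i["pushedAt"] < now - timedelta(days=sel["countNumber"])]
        expired.update(i["digest"] for i in hits)
    return expired

# Constructed sample repository (fake digests), listed newest first.
NOW = datetime(2025, 3, 30, tzinfo=timezone.utc)
def _img(n, days_old, *tags):
    return {"digest": f"sha256:{n:064x}", "tags": list(tags), "pushedAt": NOW - timedelta(days=days_old)}
SAMPLE_IMAGES = [_img(1, 5, "v1.5"), _img(2, 8), _img(3, 35), _img(4, 40, "v1.4"), _img(5, 60, "v1.0")]

def demo() -> set:
    # keep_last=3 instead of 100 so the effect is visible on five images:
    # rule 1 expires image 3 (untagged, 35 days old); rule 2 still counts it among
    # the 3 newest, so images 4 and 5 are expired too and only 2 images remain.
    return evaluate(build_policy(keep_last=3, untagged_days=30), SAMPLE_IMAGES, NOW)

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))  # save as policy.json for --lifecycle-policy-text file://policy.json
    print(sorted(demo()))
```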