EKS Auto Mode pod unable to pull images when node is in public subnet with IGW route

Question

**Environment:**
1. EKS Auto Mode cluster
2. Karpenter NodePool + NodeClass
3. associatePublicIPAddress: false in NodeClass
4. Two clusters in the same VPC

**Problem:**
We have created two EKS clusters. In one cluster, the pods are failing to pull images from both ECR and ghcr.io with the following error:

Failed to pull image: failed to do request:
dial tcp x.x.x.x:443: i/o timeout

In the other cluster, the pods are able to pull images successfully and are running without any issues.

**Cluster Comparison**
Working Cluster
EC2 Subnet type: Private subnet
Image pull: Works

Broken Cluster
EC2 Subnet type: Public subnet
Image pull: Fails

**Findings:**

Both clusters use:

associatePublicIPAddress: false

So worker nodes do not receive public IP addresses.

**Questions:**

Is this expected behavior for EKS Auto Mode/Karpenter nodes failed to pull images when
public subnet route points to an Internet Gateway

Riku_Kobayashi · Answer

Hello.

> Is this expected behavior for EKS Auto Mode/Karpenter nodes failed to pull images when public subnet route points to an Internet Gateway

With the current settings, the above question is expected behavior.

When "associatePublicIPAddress: false" is set, the node will not be assigned a public IP address, and therefore will not be able to pull container images even in a public subnet with a route to the internet gateway.  
If you only need to access ECR, you can configure a VPC endpoint and it will work even with "associatePublicIPAddress: false".  
https://repost.aws/knowledge-center/eks-ecr-troubleshooting

EKS Auto Mode pod unable to pull images when node is in public subnet with IGW route

Add your answer

Relevant content