2026-05-05
ECR Pull-Through Cache for platform system images
We’re rolling out an ECR Pull-Through Cache across all customers. Platform system images (cert-manager, Prometheus stack, Flux, Velero, etc.) will be mirrored from upstream public registries (quay.io, registry.k8s.io, docker.io, ghcr.io) into your own AWS account’s ECR, guarding platform workloads from upstream rate limits and outages.
What changed
The default tier (quay.io and registry.k8s.io) is enabled out of the box; nothing is required from your side. Image references for ~50 platform components now resolve to your customer-specific ECR registry: the first pull populates the cache, subsequent pulls are served from ECR.
Enable the opt-in tiers (recommended)
Docker Hub and ghcr.io are opt-in because AWS requires Secrets Manager credentials for those upstreams. We strongly encourage enabling both: Docker Hub’s anonymous-pull rate limit has hit Velero in particular in the past, and the ghcr.io tier adds a buffer against outages there too. Setup is short: create one access token per registry, store it in Secrets Manager, and share the ARN with us. Full instructions in the setup guide.
Coming soon
A follow-up opt-in feature will transparently rewrite your application workload image references at admission time via a mutating webhook, so your manifests can stay untouched. We’ll announce it separately when it ships.
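The mapping both features rely on (platform images today, application images once the webhook ships) is the same: an upstream reference is rewritten to the customer ECR registry under the tier's cache prefix, with tag and digest preserved, and anything that is not a mirrored upstream is left untouched. The following is an added illustration written for this note, not the platform's own resolver or webhook code; the cache prefixes (`quay`, `k8s`, `docker-hub`, `ghcr`) and the ECR registry hostname are assumed placeholders.

```python
from typing import FrozenSet, Optional, Tuple

# Hypothetical cache prefixes per upstream; the real ones come from your rollout.
UPSTREAM_PREFIXES = {
    "quay.io": "quay",            # default tier
    "registry.k8s.io": "k8s",     # default tier
    "docker.io": "docker-hub",    # opt-in tier (needs Secrets Manager credentials)
    "ghcr.io": "ghcr",            # opt-in tier (needs Secrets Manager credentials)
}
DEFAULT_TIER = frozenset({"quay.io", "registry.k8s.io"})


def parse_ref(ref: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Split an image reference into (registry, path, tag, digest).

    Applies the Docker short-name rules: no registry host means docker.io,
    and a single-segment path on docker.io lives under library/.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry, _, path = ref.partition("/")
    is_host = "." in registry or ":" in registry or registry == "localhost"
    if not path or not is_host:
        registry, path = "docker.io", ref
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:       # tag sits only in the last segment
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def rewrite(ref: str, ecr_registry: str,
            enabled: FrozenSet[str] = DEFAULT_TIER) -> Optional[str]:
    """Return the pull-through-cache reference, or None to leave it alone.

    Only upstreams with a cache prefix AND an enabled tier are rewritten;
    private registries, localhost and non-enabled tiers are passed through.
    """
    registry, path, tag, digest = parse_ref(ref)
    prefix = UPSTREAM_PREFIXES.get(registry)
    if prefix is None or registry not in enabled:
        return None
    out = f"{ecr_registry}/{prefix}/{path}"
    if tag:
        out += f":{tag}"
    if digest:
        out += f"@{digest}"
    return out
```

Returning `None` rather than a guessed reference is deliberate: an admission rewrite that silently points at a cache prefix with no rule behind it turns a rate-limit problem into an ImagePullBackOff.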
For background and design rationale, see the Roadmap entry.