ecr-lifecycle-with-eks
Removes expired images from AWS ECR repositories, excluding images that are in use on your EKS clusters.
This project uses secure Docker practices:
- Alpine Linux 3.19 base image for minimal attack surface
- Non-root user execution for enhanced security
- Latest Golang 1.23 for security updates
- Explicit CA certificates for secure HTTPS communication
Container image: `public.ecr.aws/q1m5p9s1/ecr-lifecycle-with-eks` (linux amd64 and arm64)
$ docker build -t <<your repository>>:<<tag>> .
-config-file string
Location of config file. (default "/config.yaml")
-dry-run
enable dry run (only log the tags that would be deleted, without deleting anything)
See also samples/config.yaml
Name | Required | Description |
---|---|---|
region | true | AWS default region in all processes. |
profile | false | AWS profile if you need to specify. |
ecr.roleARN | true | AWS Role ARN to operate ecr resources. |
ecr.allRepos | false | If true, all ECR repositories are targeted (within the role's permissions and regions). |
ecr.repos | false | Target ECR repositories. (Either repos or allRepos is required.) |
eks.roleARN | true | AWS Role ARN to access eks resource and cluster. |
eks.clusterName | true | Name of the EKS cluster whose in-use images are excluded from deletion. |
commonLifecycle.type | true | Base lifecycle rule (sinceImagePushed or imageCountMoreThan). |
commonLifecycle.number | true | Base lifecycle value (days for sinceImagePushed, number of images for imageCountMoreThan). |
ignoreRegex | false | Regex patterns; anything matching is excluded from deletion. |
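How the three inputs from the config above combine into a deletion decision (the commonLifecycle rule, the images referenced by pods on the cluster, and ignoreRegex), as an added Go example that is not the project's own code. The Image and Lifecycle types, the inUse set of tags/digests collected from pods, and matching ignoreRegex against tags are assumptions made for the example.

```go
package main

import (
	"regexp"
	"sort"
	"time"
)

// Image is a minimal view of one ECR image (constructed for this example).
type Image struct {
	Digest   string
	Tags     []string
	PushedAt time.Time
}
// Lifecycle mirrors commonLifecycle.type and commonLifecycle.number:
// "sinceImagePushed" (Number = days) or "imageCountMoreThan" (Number = images).
type Lifecycle struct {
	Type   string
	Number int
}
// protected reports whether a pod references the image (by tag or digest, assumed
// collected into inUse) or a tag matches ignoreRegex; such images are never deleted.
func protected(img Image, inUse map[string]bool, ignore []*regexp.Regexp) bool {
	for _, ref := range append([]string{img.Digest}, img.Tags...) {
		if inUse[ref] {
			return true
		}
	}
	for _, t := range img.Tags {
		for _, re := range ignore {
			if re.MatchString(t) {
				return true
			}
		}
	}
	return false
}
// selectForDeletion returns digests the lifecycle rule expires, minus protected ones.
// Images are sorted newest first so imageCountMoreThan keeps the newest N.
func selectForDeletion(images []Image, lc Lifecycle, inUse map[string]bool, ignore []*regexp.Regexp, now time.Time) []string {
	sorted := append([]Image(nil), images...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].PushedAt.After(sorted[j].PushedAt) })
	var out []string
	for i, img := range sorted {
		expired := (lc.Type == "imageCountMoreThan" && i >= lc.Number) ||
			(lc.Type == "sinceImagePushed" && now.Sub(img.PushedAt) > time.Duration(lc.Number)*24*time.Hour)
		if expired && !protected(img, inUse, ignore) {
			out = append(out, img.Digest)
		}
	}
	return out
}
```

Running it with the dry-run flag's semantics in mind: the returned digests are exactly what the tool would log before any ecr:BatchDeleteImage call.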
The execution environment of ecr-lifecycle-with-eks needs to be able to assume the two roles below.

ecr.roleARN must allow:
- ecr:DescribeImages
- ecr:DescribeRepositories
- ecr:BatchDeleteImage

eks.roleARN must allow:
- eks:DescribeCluster
- a Kubernetes ClusterRole that allows listing pods in the cluster