
Is there a way to set the environment variables in kubernetes before it pulls the container image?

For some context, I'm looking for alternatives to what I've asked in ECR IAM policy document for EKS node access. According to the kubernetes docs (https://kubernetes.io/docs/concepts/containers/images/#using-aws-ec2-container-registry), it sounds like what I want to do is not possible by default since if I give the node role permission to read from ECR, any user that can create jobs/pods on the EKS cluster will be able to pull any image that the node role can pick up. The line from the k8s docs in question is:

All users of the cluster who can create pods will be able to run pods that use any of the images in the ECR registry.

As an alternative, I'm trying to see if there's a way to set the environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) in the pod before it pulls the image. I'm not entirely sure on the implementation/integration for kubernetes with ECR, but I think if I'm able to set those environment variables and the image pull process does an aws ecr get-login ... before actually pulling the image, then I might be able to restrict which images can be pulled by setting those variables.

I found some documentation on how to set variables in the container after the image has been pulled but nothing before.

Ai Su
  • Probably this might work for your use case : https://medium.com/merapar/securing-iam-access-in-kubernetes-cfbcc6954de Hope it helps! – Piyush Baderia Apr 29 '19 at 09:11
  • @PiyushBaderia Thanks for the response. I looked at kube2iam (as well as some of the other similar solutions), and I think one issue here is that it's up to the user to specify the role (in the job/pod spec as an annotation). In practice, I think this means that if a user wants to pull a container they shouldn't have access to, all it takes is for them to specify a role with permissions (even if they don't have those permissions themselves and don't have permission to assume that specific role), and then they have access to the image. – Ai Su May 02 '19 at 13:37
  • @Ai Su, Have you tried to use [InitContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) in order to set those environment variables before Pod container creation? – Nick_Kh May 30 '19 at 09:14
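As an added example, not an answer from this thread or code from the asker: the kubelet does not consult a pod's environment variables when it pulls an image (those only exist inside the container, after the pull), so the mechanism Kubernetes actually offers for per-pod registry credentials is an imagePullSecret of type kubernetes.io/dockerconfigjson, referenced from the pod spec or the namespace's ServiceAccount. The script below builds that secret for ECR, a pod that references it, and an IAM policy for the principal whose token goes into the secret, scoped to one repository prefix. With this in place the node role needs no ECR permissions at all, so a user who can create pods in one namespace can only pull what that namespace's secret allows. The registry host, account, namespace, repository prefix and token are assumed values for illustration. Two caveats a practitioner should plan for: the ECR token expires after 12 hours, so the secret has to be refreshed (typically a CronJob), and anyone with RBAC rights to read Secrets in the namespace can read the token, so scope that too.

```shell
#!/bin/sh
# Added example (not from the thread): per-namespace ECR pull credentials via
# imagePullSecrets, so the node role needs no ECR permissions and only pods
# that reference the secret can pull. Registry host, account, namespace,
# repository prefix and token are assumed values for illustration.

# Build the docker config JSON that kubelet reads from a
# kubernetes.io/dockerconfigjson secret. ECR's username is always "AWS"; the
# password is the 12-hour token returned by `aws ecr get-login-password`.
ecr_dockerconfig() {
  registry="$1"
  token="$2"
  auth=$(printf '%s' "AWS:$token" | base64 | tr -d '\n')
  printf '{"auths":{"https://%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$auth"
}

# Secret manifest scoped to one namespace. stringData avoids hand-encoding;
# the API server base64-encodes it on write.
ecr_pull_secret_manifest() {
  namespace="$1"
  name="$2"
  registry="$3"
  token="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: '$(ecr_dockerconfig "$registry" "$token")'
EOF
}

# Pod that opts into the secret. Without this reference (or a matching
# imagePullSecrets entry on the namespace's ServiceAccount) the pull is
# anonymous and ECR refuses it.
pod_manifest() {
  namespace="$1"
  secret_name="$2"
  image="$3"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: $namespace
spec:
  imagePullSecrets:
    - name: $secret_name
  containers:
    - name: app
      image: $image
EOF
}

# IAM policy for the principal whose token goes into the secret: pull rights on
# one repository prefix only. GetAuthorizationToken cannot be resource-scoped,
# but the token it returns is only usable for what the second statement allows.
ecr_pull_policy() {
  repo_arn_prefix="$1"   # e.g. arn:aws:ecr:us-east-1:123456789012:repository/team-a (assumed)
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
     "Resource": "$repo_arn_prefix/*"}
  ]
}
EOF
}

# Real use (needs aws CLI v2 and kubectl; not executed here):
#   TOKEN=$(aws ecr get-login-password --region us-east-1)
#   ecr_pull_secret_manifest team-a ecr-pull \
#     123456789012.dkr.ecr.us-east-1.amazonaws.com "$TOKEN" | kubectl apply -f -
```

Using stringData rather than data means the script never double-encodes the config; the only base64 step is the `auth` field inside the docker config itself, which registries expect to be base64 of `user:password`. The IAM policy attaches to the identity that mints the token (a dedicated IAM user or an assumed role run from the refresh job), not to the node role, which is what keeps the node's broad reach out of the picture.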

0 Answers