Comprehensive & Detailed Explanation (150–250 words):

EKS control plane nodes are fully managed by AWS and are not accessible for configuration, SSH, SSM commands, or custom workloads. Therefore, any prefetching of container images must occur on the worker nodes (EC2 instances in the node groups) because those are the machines that pull and cache container images before running pods.

Option C is the only solution that aligns with AWS architecture:

It creates an IAM role allowing Systems Manager Run Command to execute on EC2 worker nodes.

It uses node group tags to target the correct nodes dynamically.

State Manager runs the prefetch script whenever triggered by the EventBridge automation — ensuring newly added nodes pre-pull images and reduce cold-start latency to seconds.

Options A and D are invalid because you cannot run Systems Manager commands on EKS control plane nodes; AWS manages them and does not expose them. Option B incorrectly targets node groups based on machine size, which does not provide reliable node identification or filtering.

Thus, Option C provides the correct, scalable, and supported method for prefetching images across all worker nodes.