Create nodes with optimized Windows AMIs - Amazon EKS
Release calendarBootstrap script configuration parametersCached container imagesMore information

Help improve this page

To contribute to this user guide, choose the Edit this page on GitHub link that is located in the right pane of every page.

Create nodes with optimized Windows AMIs

Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019 and Windows Server 2022. They are configured to serve as the base image for Amazon EKS nodes. By default, the AMIs include the following components:

Note

You can track security or privacy events for Windows Server with the Microsoft security update guide.

Amazon EKS offers AMIs that are optimized for Windows containers in the following variants:

  • Amazon EKS-optimized Windows Server 2019 Core AMI

  • Amazon EKS-optimized Windows Server 2019 Full AMI

  • Amazon EKS-optimized Windows Server 2022 Core AMI

  • Amazon EKS-optimized Windows Server 2022 Full AMI

Important

  • The Amazon EKS-optimized Windows Server 20H2 Core AMI is deprecated. No new versions of this AMI will be released.

  • To ensure that you have the latest security updates by default, Amazon EKS maintains optimized Windows AMIs for the last 4 months. Each new AMI will be available for 4 months from the time of initial release. After this period, older AMIs are made private and are no longer accessible. We encourage using the latest AMIs to avoid security vulnerabilities and losing access to older AMIs which have reached the end of their supported lifetime. While we can’t guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with AWS Support.

Release calendar

The following table lists the release and end of support dates for Windows versions on Amazon EKS. If an end date is blank, it’s because the version is still supported.

Windows version Amazon EKS release Amazon EKS end of support

Windows Server 2022 Core

10/17/2022

Windows Server 2022 Full

10/17/2022

Windows Server 20H2 Core

8/12/2021

8/9/2022

Windows Server 2004 Core

8/19/2020

12/14/2021

Windows Server 2019 Core

10/7/2019

Windows Server 2019 Full

10/7/2019

Windows Server 1909 Core

10/7/2019

12/8/2020

Bootstrap script configuration parameters

When you create a Windows node, there’s a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see Amazon EC2 user data.

The script includes the following command-line parameters:

  • -EKSClusterName – Specifies the Amazon EKS cluster name for this worker node to join.

  • -KubeletExtraArgs – Specifies extra arguments for kubelet (optional).

  • -KubeProxyExtraArgs – Specifies extra arguments for kube-proxy (optional).

  • -APIServerEndpoint – Specifies the Amazon EKS cluster API server endpoint (optional). Only valid when used with -Base64ClusterCA. Bypasses calling Get-EKSCluster.

  • -Base64ClusterCA – Specifies the base64 encoded cluster CA content (optional). Only valid when used with -APIServerEndpoint. Bypasses calling Get-EKSCluster.

  • -DNSClusterIP – Overrides the IP address to use for DNS queries within the cluster (optional). Defaults to 10.100.0.10 or 172.20.0.10 based on the IP address of the primary interface.

  • -ServiceCIDR – Overrides the Kubernetes service IP address range from which cluster services are addressed. Defaults to 172.20.0.0/16 or 10.100.0.0/16 based on the IP address of the primary interface.

  • -ExcludedSnatCIDRs – A list of IPv4 CIDRs to exclude from Source Network Address Translation (SNAT). This means that the pod private IP which is VPC addressable wouldn’t be translated to the IP address of the instance ENI’s primary IPv4 address for outbound traffic. By default, the IPv4 CIDR of the VPC for the Amazon EKS Windows node is added. Specifying CIDRs to this parameter also additionally excludes the specified CIDRs. For more information, see Enable outbound internet access for Pods.

In addition to the command line parameters, you can also specify some environment variable parameters. When specifying a command line parameter, it takes precedence over the respective environment variable. The environment variable(s) should be defined as machine (or system) scoped as the bootstrap script will only read machine-scoped variables.

The script takes into account the following environment variables:

  • SERVICE_IPV4_CIDR – Refer to the ServiceCIDR command line parameter for the definition.

  • EXCLUDED_SNAT_CIDRS – Should be a comma separated string. Refer to the ExcludedSnatCIDRs command line parameter for the definition.

gMSA authentication support

Amazon EKS Windows Pods allow different types of group Managed Service Account (gMSA) authentication.

Cached container images

Amazon EKS Windows optimized AMIs have certain container images cached for the containerd runtime. Container images are cached when building custom AMIs using Amazon-managed build components. For more information, see Using the Amazon-managed build component.

The following cached container images are for the containerd runtime:

  • amazonaws.com/eks/pause-windows

  • mcr.microsoft.com/windows/nanoserver

  • mcr.microsoft.com/windows/servercore

More information

For more information about using Amazon EKS optimized Windows AMIs, see the following sections: