Launching self-managed Bottlerocket nodes
This topic helps you to launch an Auto Scaling group of Bottlerocket
Amazon EKS nodes are standard Amazon EC2 instances, and you are billed for them based on normal Amazon EC2 instance prices. For more information, see Amazon EC2 pricing.
Considerations
- You can deploy to Amazon EC2 instances with x86 or Arm processors, but not to instances that have GPUs or Inferentia chips.
- You can't deploy to the following regions: China (Beijing) (cn-north-1), China (Ningxia) (cn-northwest-1), AWS GovCloud (US-East) (us-gov-east-1), or AWS GovCloud (US-West) (us-gov-west-1).
- There is no AWS CloudFormation template to deploy nodes with.

Do not use eksctl to create a cluster or nodes in an AWS Region where you have AWS Outposts, AWS Wavelength, or AWS Local Zones enabled. Create a cluster and self-managed nodes using the Amazon EC2 API or AWS CloudFormation instead. For more information, see Launching self-managed Amazon Linux nodes and Launching self-managed Windows nodes.
To launch Bottlerocket nodes using eksctl
This procedure requires eksctl version 0.38.0 or later. You can check your version with the following command:
eksctl version
For more information on installing or upgrading eksctl, see Installing or upgrading eksctl.
This procedure only works for clusters that were created with eksctl.
- (Optional) If the AmazonEKS_CNI_Policy managed IAM policy is attached to your Amazon EKS node IAM role, we recommend assigning it to an IAM role that you associate to the Kubernetes aws-node service account instead. For more information, see Configuring the VPC CNI plugin to use IAM roles for service accounts.
- This procedure assumes that you have an existing cluster named my-cluster in the us-west-2 Region. For a different existing cluster, change the values. If you don't have an existing cluster, then you must first create a cluster. Create a file named windows-cluster.yaml with the following contents. Replace the example values with your own values. If you change 1.19, then it can only be changed to 1.15 or later. If you want to deploy on Arm instances, then replace m5.large with an Arm instance type. If specifying an Arm Amazon EC2 instance type, then review the considerations in Amazon EKS optimized Arm Amazon Linux AMIs before deploying. If you want to deploy using a custom AMI, then see Building Bottlerocket on GitHub and Custom AMI support in the eksctl documentation. If you want to deploy a managed node group, then you must deploy a custom AMI using a launch template. For more information, see Launch template support. For more information about using a config file with eksctl, the config file schema, and config file samples, see the eksctl documentation.
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: my-cluster
  region: us-west-2
  version: '1.19'

nodeGroups:
  - name: ng-bottlerocket
    instanceType: m5.large
    desiredCapacity: 3
    amiFamily: Bottlerocket
    iam:
      attachPolicyARNs:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    ssh:
      allow: true
      publicKeyName: YOUR_EC2_KEYPAIR_NAME
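The following pre-flight checker is an added example, not code from the AWS documentation or from eksctl; it takes the ClusterConfig above already parsed into a dict (constructed inline) and checks it against this page's considerations before you run eksctl create nodegroup. The GPU and Inferentia instance-family prefixes it uses are an assumption, not a complete list.

```python
"""Pre-flight checks for the Bottlerocket node group config from this page.
Added example, not part of the AWS documentation or of eksctl. It takes the
ClusterConfig already parsed into a dict (constructed inline from the YAML
above) and checks the page's considerations: amiFamily Bottlerocket, a
supported Region, no GPU/Inferentia instance family (the prefixes are an
assumption, not a complete list), cluster version 1.15+, eksctl 0.38.0+."""

UNSUPPORTED_REGIONS = {"cn-north-1", "cn-northwest-1", "us-gov-east-1", "us-gov-west-1"}
ACCELERATED_PREFIXES = ("p", "g", "inf")  # assumption: GPU (p*, g*) and Inferentia (inf*)
MIN_CLUSTER_VERSION = (1, 15)
MIN_EKSCTL_VERSION = (0, 38, 0)

def parse_version(text):
    """Turn "0.38.0", "'1.19'" or "v0.40.0" into a tuple of ints for comparison."""
    return tuple(int(part) for part in text.strip("'\"v \n").split("."))

def eksctl_version_ok(version_output):
    """True if the output of `eksctl version` is 0.38.0 or later."""
    return parse_version(version_output) >= MIN_EKSCTL_VERSION

def check_config(cfg):
    """Return the list of problems found; an empty list means the config passes."""
    problems = []
    meta = cfg.get("metadata", {})
    if meta.get("region") in UNSUPPORTED_REGIONS:
        problems.append(f"region {meta['region']} does not support Bottlerocket nodes")
    if parse_version(str(meta.get("version", "0"))) < MIN_CLUSTER_VERSION:
        problems.append(f"cluster version {meta.get('version')} is older than 1.15")
    for ng in cfg.get("nodeGroups", []):
        name, itype = ng.get("name"), ng.get("instanceType", "")
        if ng.get("amiFamily") != "Bottlerocket":
            problems.append(f"node group {name}: amiFamily is not Bottlerocket")
        if itype.split(".")[0].startswith(ACCELERATED_PREFIXES):
            problems.append(f"node group {name}: {itype} has GPUs or Inferentia chips")
    return problems

# Constructed sample: the ClusterConfig from the step above, as a parsed dict.
SAMPLE_CONFIG = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "metadata": {"name": "my-cluster", "region": "us-west-2", "version": "1.19"},
    "nodeGroups": [{"name": "ng-bottlerocket", "instanceType": "m5.large",
                    "desiredCapacity": 3, "amiFamily": "Bottlerocket"}],
}

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG) or "config passes the pre-flight checks")
```

Feed it the output of eksctl version and your own config (for example via a YAML loader) to catch an unsupported Region, instance type or version before the node group is created.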
- Deploy your nodes with the following command.
eksctl create nodegroup --config-file=windows-cluster.yaml
If nodes fail to join the cluster, then see Nodes fail to join cluster in the Troubleshooting guide.
Output:
You'll see several lines of output as the nodes are created. One of the last lines of output is the following example line.
[✔] created 1 nodegroup(s) in cluster "my-cluster"
- (Optional) Create a Kubernetes persistent volume on a Bottlerocket node using the Amazon EBS CSI Plugin. The default Amazon EBS driver relies on file system tools that are not included with Bottlerocket. For more information about creating a storage class using the driver, see Amazon EBS CSI driver.
- (Optional) By default, kube-proxy will set the nf_conntrack_max kernel parameter to a default value that may differ from what Bottlerocket originally sets at boot. If you prefer to keep Bottlerocket's default setting, then edit the kube-proxy configuration with the following command.
kubectl edit -n kube-system daemonset kube-proxy
Add --conntrack-max-per-core and --conntrack-min to the kube-proxy arguments as shown in the following example. A setting of 0 implies no change.
containers:
  - command:
    - kube-proxy
    - --v=2
    - --config=/var/lib/kube-proxy-config/config
    - --conntrack-max-per-core=0
    - --conntrack-min=0
- (Optional) Deploy a sample application to test your Bottlerocket nodes.
- (Optional) If you plan to assign IAM roles to all of your Kubernetes service accounts so that pods only have the minimum permissions that they need, and no pods in the cluster require access to the Amazon EC2 instance metadata service (IMDS) for other reasons, such as retrieving the current Region, then we recommend blocking pod access to IMDS. For more information, see IAM roles for service accounts and Restricting access to the IMDS and Amazon EC2 instance profile credentials.