Containers-roadmap: [EKS] [request]: Managed Node Groups Custom Userdata support
Community Note
- Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
EKS Managed Node Groups should support adding additional custom user-data and additional bootstrap/kubelet args
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
- We can't enable docker0 bridge easily in Managed Node Groups, when we want to deploy CI/CD tools
- Any other customs tasks we need to do on worker nodes
Are you currently working around this issue?
Old way of launching worker nodes
shanmugakarna
All 22 comments
We have to install certain agents onto EC2 instances for security compliance. This would give us an option to do that on startup without going down the path and headache of managing our own ami.
atheiman
on 27 Nov 2019
This would also allow us to set taints on various nodegroups by passing kubelet arguments, which does not appear to be possible in the current state of nodegroups.
bhops
on 27 Nov 2019
I鈥檓 specifically looking to add taints to nodes, whether via specifying user data or direct api support.
dschaaff
on 2 Dec 2019
we have exact same usecase with @atheiman where we need to install agent and configure system level to integrate with our central auth service through PAM for SSH access
girikuncoro
on 20 Dec 2019
Userdata is the standard, AWS-native way to modify an instance post-launch.
We perform a considerable amount of dynamic instance customisation in userdata for things like networking. Baking a custom AMI is the only alternative.
drewhemm
on 8 Jan 2020
Also, Userdata is the only current recommended way of "Restricting Access to Amazon EC2 Instance Profile Credentials" (https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html ).
If you don't do this it leaves your cluster vulnerable by default, allowing any pod using an un-annotated service account (e.g. default) to interfere with ENIs and cluster IPs on the host.
3oris
on 21 Jan 2020
@tabern any change to get this on the roadmap?
splieth
on 24 Jan 2020
Also looking for the ability to taint nodes in the managed worker node autoscaling group.
Explicitly stated here under the Feature parity with unmanaged nodegroups section is:
_"Control over the node bootstrapping process and customization of the kubelet are not supported. This includes the following fields: maxPodsPerNode, taints, targetGroupARNs, preBootstrapCommands, overrideBootstrapCommand, clusterDNS and kubeletExtraConfig."_
Exposing the kubelet-extra-args flag during the worker node ami bootstrapping could be a path forward...https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/
funkswing
on 24 Jan 2020
This is a big blocker for our usage of node groups. We need to set enable-docker-bridge on one of the groups in our cluster and can't so we have to go back to managing autoscaling groups, etc.
johncblandii
on 7 Feb 2020
we need the ability to use custom user data to configure http proxy for the docker daemon and kubelet.
vadapalliravikumar
on 25 Feb 2020
Any update on this feature request ? This is required for our internal security compliance
bneelima84
on 3 Mar 2020
Hey guys,
Is there any updates on this one?
MatteoMori
on 28 Mar 2020
Hi @MatteoMori, this feature will come as part of #585. We are working on it, but no timeline that I can share right now.
mikestef9
on 28 Mar 2020
This would also allow us to set taints on various nodegroups by passing kubelet arguments, which does not appear to be possible in the current state of nodegroups.
I also came here looking for a way to add taints to nodegroups, any news?
jgoeres
on 28 Apr 2020
System.aws.out.println("隆脕ndale, 脕ndale AWS!")
GKE already has the support for this for years...
I'm not here to troll. I'm just really pissed off. This is basic security we are talking about...
0verc1ocker
on 19 May 2020
We'd need this to be able to configure additional services for logrotation, for example ipamd.
im-erikjohansson
on 18 Jun 2020
need add args for bootstrap.sh --kubelet-extra-args , make the node support --allowed-unsafe-sysctls=net.ipv4.*
AmarkFox
on 5 Jul 2020
@mikestef9 Can you tell when this feature will be released in production?
odg0318
on 4 Aug 2020
Can't give specific dates in this forum, but with that said, I'd highly recommend checking out the AWS container day presentations at Kubecon next week :)
mikestef9
on 14 Aug 2020
Can't give specific dates in this forum, but with that said, I'd highly recommend checking out the AWS container day presentations at Kubecon next week :)
I also noticed in the CloudFormation release history that AWS::EKS::Nodegroup now has a LaunchTemplate property.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-eks-nodegroup-launchtemplatespecification.html
dgarbus
on 14 Aug 2020
bgsilvait
on 17 Aug 2020
Closing as this feature request is addressed by launch template support. See #585 for details!
An important note is that user data must in MIME multi-part archive format, as by default, EKS will merge the bootstrapping command required for nodes to join the cluster with your user data. If you use a custom AMI in your launch template, this merging will not happen and you are responsible for nodes joining the cluster. See docs for more details.
mikestef9
on 17 Aug 2020
Related issues
abby-fuller
路
3Comments
jeremietharaud
路
3Comments
inductor
路
3Comments
MartinDevillers
路
3Comments
chungath
路
3Comments
Most helpful comment
This would also allow us to set taints on various nodegroups by passing kubelet arguments, which does not appear to be possible in the current state of nodegroups.