Tell us about your request
As of today, managed nodes can only run on predefined AMI options.
I see only 2 options at present. Provide an option of choosing a custom AMI in managed nodes.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now?
A custom AMI, based on "https://github.com/awslabs/amazon-eks-ami", is being used in the EKS cluster which I am managing. Even though there are few changes from the "aws-eks-ami", those changes are critical.
This can be overcome by configuring the nodes after they are alive and present in the cluster. But this adds the overhead of initial configuration and periodic checks for new nodes.
What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
It's not possible to move to managed node groups.
Are you currently working around this issue?
Yes, I am not using managed node groups.
Additional context
None
Attachments
None
We would love to have a BYO AMI feature for EKS (similar to ECS). We need to get our compute CIS and docker benchmark compliant. AND we would need to get SSM connected to the AMI in order to access the instances.
This should be solved by https://github.com/aws/containers-roadmap/issues/585
Thanks @tabern , Any ETA for shipping this feature?
Hi @cshivashankar and @Pratima
Do you build your custom AMIs based off the EKS Optimized AMI template?
https://github.com/awslabs/amazon-eks-ami/blob/master/files/bootstrap.sh
How would you expect worker node bootstrapping to work?
Today, EKS Managed Nodes set EC2 user data that includes a command to call the bootstrap script with the cluster name and certificate authority.
This is required for a node to join the cluster. Would you want managed nodes to continue to include this user data and merge it with any other user data you have? Or would you rather have full control over what user data is passed in that is needed for your custom AMI based worker node to join the cluster?
Hi @mikestef9,
Yes, I do consume files based on the EKS optimized AMI template.
User data is used for joining the cluster.
I would say managed nodes should continue including the basic user data so that basic functionalities like joining the cluster are still automated.
However, either through additional user data or some option of running custom configurations will be helpful. It might be installing required templates and customization, or it could be some other configuration in the server itself.
An oversimplified example will be to install the Zabbix agent and connect to the central Zabbix server at boot or maybe a customized daemon configs, however, there might be other complicated cases.
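The two comments above describe the shape of the thing being asked for: keep the EKS-supplied bootstrap call (cluster name plus certificate authority) and let the operator run a site-specific step alongside it. The following is an added illustration, not code from this thread or from the amazon-eks-ami project: a POSIX shell function that renders the MIME multi-part user data a launch template would carry for a custom AMI built from the EKS optimized template. The cluster name, API endpoint and base64 CA it is called with are constructed placeholders; the `systemctl enable --now amazon-ssm-agent` line in the first part stands in for whatever site-specific configuration (agents, daemon configs) the AMI owner needs and is an assumption, not something EKS requires.

```shell
#!/bin/sh
# Added example, not from the issue thread or the amazon-eks-ami project.
# Renders cloud-init multi-part user data: a site-specific part runs first,
# then the EKS bootstrap call that actually joins the node to the cluster.
# bootstrap.sh and its --apiserver-endpoint / --b64-cluster-ca flags are the
# real ones shipped in amazon-eks-ami; all input values are placeholders.

render_user_data() {
  cluster_name="$1"
  api_endpoint="$2"
  b64_ca="$3"
  boundary="==EKSBOOTSTRAP=="
  cat <<EOF
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="${boundary}"

--${boundary}
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
# Site-specific step (assumed): start the host agents baked into the custom AMI.
set -euo pipefail
systemctl enable --now amazon-ssm-agent

--${boundary}
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
set -euo pipefail
# Endpoint and CA are passed explicitly, so the node never has to look them up.
/etc/eks/bootstrap.sh "${cluster_name}" \\
  --apiserver-endpoint "${api_endpoint}" \\
  --b64-cluster-ca "${b64_ca}" \\
  --kubelet-extra-args '--node-labels=ami=custom'

--${boundary}--
EOF
}

# Cheap sanity check before the CA value is baked into a launch template:
# the bootstrap script expects standard base64, not a PEM block or a file path.
looks_base64() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Stand-alone run with constructed placeholder values.
if [ "${1:-}" = "--demo" ]; then
  looks_base64 "Q0FEQVRB" || { echo "CA is not base64" >&2; exit 1; }
  render_user_data "my-cluster" "https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com" "Q0FEQVRB"
fi
```

The ordering matters: cloud-init executes the `text/x-shellscript` parts in sequence, so anything the AMI needs before kubelet starts belongs in the first part. When a managed node group's launch template points at a custom AMI, EKS does not inject its own bootstrap user data, which is why the bootstrap call has to be present in the template as shown.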
Related #596
We also have a case wherein we would need an option to specify the AMI for the managed worker nodes. So basically, we use the base AMIs, encrypt them with KMS encryption (also encrypting the volumes that get attached to the instances) and then specify this encrypted image (on the fly) for the managed nodes that we bring up in EKS. Our application requires encryption at all stages. Hence it'd be great if an option to specify the AMIs can be provided while bringing up managed worker nodes in AWS EKS.
@mikestef9 Is there any ETA on this feature?
Moved to coming soon, can't give any more fine-grained details than that in this forum.
Closing as this feature request is addressed by launch template support. See #585 for details!
See EKS docs for specific details on using custom AMIs with managed node groups.