I have some questions about how to use an Amazon Elastic Kubernetes Service (Amazon EKS) optimized Amazon Linux 2023 (AL2023) Amazon Machine Image (AMI) in my Amazon EKS cluster.
Q: Can I use Docker as a container runtime with an Amazon EKS optimized AL2023 AMI?
Amazon EKS doesn't support Docker as a container runtime in AL2023 for any supported Amazon EKS version. AWS removed this support beginning with Amazon EKS version 1.24 on Amazon Linux 2 (AL2). For more information, see Amazon EKS ended support for Dockershim.
Q: Are there major changes that I must consider when I use AL2023 to bootstrap a node?
AL2023 uses a new node initialization process, called nodeadm, that uses a YAML configuration schema. For more information, see nodeadm on the GitHub website.
You must explicitly provide additional cluster details when you do either of the following actions:
- Create a self-managed node group.
- Specify an AMI in your launch template to create a managed node group.
To bootstrap a node in a self-managed node group, include at least the required apiServerEndpoint, certificateAuthority, and cidr parameters. In AL2, Amazon EKS uses the DescribeCluster API call on each node to get these parameters. However, in AL2023 those calls can be throttled during large node scale-ups, so you must include these parameters in the node configuration to avoid excessive DescribeCluster API calls.
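As an added example (not from the original article), the following shell script renders the nodeadm NodeConfig user data with those three parameters embedded, looking them up once with the aws CLI at node group creation time rather than from every node at boot. The cluster name, the describe-cluster query expression, and the assumption that nodeadm reads the application/node.eks.aws part of a MIME multi-part user data are this example's own.

```shell
#!/bin/sh
# Render nodeadm user data for an AL2023 node with the cluster details embedded,
# so that nodeadm does not need to call DescribeCluster from every node at boot.
set -eu

# Build the NodeConfig YAML from the cluster name, API server endpoint,
# base64-encoded cluster CA, and Kubernetes service CIDR.
render_node_config() {
  cat <<EOF
---
apiVersion: node.eks.aws/v1alpha1
kind: NodeConfig
spec:
  cluster:
    name: $1
    apiServerEndpoint: $2
    certificateAuthority: $3
    cidr: $4
EOF
}

# Wrap the YAML in the MIME multi-part envelope used in launch template user data
# (the application/node.eks.aws part is the one nodeadm reads).
mime_wrap() {
  printf 'MIME-Version: 1.0\n'
  printf 'Content-Type: multipart/mixed; boundary="==BOUNDARY=="\n\n'
  printf '%s\n' '--==BOUNDARY==' 'Content-Type: application/node.eks.aws' ''
  cat
  printf '\n%s\n' '--==BOUNDARY==--'
}

# Look the cluster details up once, here, rather than on every node.
# Assumes the aws CLI is configured for the account that owns the cluster.
user_data_for_cluster() {
  name="$1"
  # With --output text, the three queried values arrive tab-separated on one line.
  details=$(aws eks describe-cluster --name "$name" \
    --query '[cluster.endpoint,cluster.certificateAuthority.data,cluster.kubernetesNetworkConfig.serviceIpv4Cidr]' \
    --output text)
  set -- $details
  render_node_config "$name" "$1" "$2" "$3" | mime_wrap
}
```

Run `user_data_for_cluster my-cluster > user-data.txt` and place the output in the launch template's user data; the bare YAML from render_node_config is what you pass when a self-managed node group takes plain nodeadm configuration.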
Q: Are there changes that I must consider for Amazon EKS add-ons when I use AL2023?
Make sure that the Amazon VPC CNI add-on is version 1.16.2 or later.
Q: Are there changes that I must consider for service accounts when I use AL2023?
AL2023 requires Instance Metadata Service Version 2 (IMDSv2). For IMDSv2, the default hop count for managed node groups is set to 1, so containers can't use IMDS to access the node's credentials. If your container must access the node's credentials, then manually override HttpPutResponseHopLimit in the custom Amazon EC2 launch template and increase it to 2. Or, you can use Amazon EKS Pod Identity to provide the credentials.
Q: Are there changes that I must consider for third-party add-ons when I use AL2023?
Some third-party add-ons, such as the node termination handler, might use the underlying node metadata. In AL2023, the default hop count for managed node groups is set to 1, so these add-ons can't access the node's metadata. To resolve this issue, increase the hop limit of the instance to 2. For more information, see When your application needs access to IMDS, use IMDSv2 and increase the hop limit on EC2 instances to 2 in the EKS Best Practices Guides on the GitHub website.
Q: What AMI do I need to use for accelerated workloads on Amazon EKS?
For accelerated workloads, use an AL2 accelerated AMI or Bottlerocket. Amazon EKS accelerated AMIs based on AL2023 aren't currently available.