Many customers have recently started asking for Ubuntu Pro as worker nodes. As of today, EKS natively supports only Amazon Linux 2, Bottlerocket, and Windows. Since 2018, we have been producing Ubuntu-EKS optimized AMIs for our users, and clusters running with Ubuntu worker nodes have to be launched either via eksctl or using EC2 Launch templates.
This short guide will help you to create your own Ubuntu Pro worker node AMI for EKS.
Why choose Ubuntu Pro for worker nodes?
Ubuntu Pro takes Ubuntu’s security model to the next level. In the context of a Kubernetes environment, Ubuntu Pro offers several relevant features:
- Kernel livepatch: This feature applies security patches in memory to your kernel, eliminating the need for emergency restarts. This not only enhances security but also improves uptime. You can choose to restart during your next maintenance window or simply recycle with newly updated nodes.
- FIPS crypto modules: Many customers have specific security regulations, such as the FedRAMP compliance, which require nodes to run on a FIPS certified kernel and specific FIPS certified crypto modules.
- CIS and DISA-STIG hardening rules: With the Ubuntu Security Guide tool, you can harden your nodes according to CIS or DISA-STIG benchmarks. This ensures that your nodes are secure and compliant with industry standards.
- ESM-Apps: While worker nodes typically do not run any software other than the Kubernetes runtime, ESM-Apps provides your cluster with the ability to run your containers with security patching coverage for all third-party applications installed from the Universe repository. This includes popular applications such as Apache, Kafka, MySQL, PostgreSQL, MongoDB, NginX, NodeJS, and a wide range of dependencies. By choosing Ubuntu Pro for your worker nodes, you can significantly improve the security and reliability of your Kubernetes environment.
Enabling Pro on Ubuntu-EKS images
Since Ubuntu Pro is not yet an official option for EKS, the path forward is to use Ubuntu-EKS optimized images (either from Marketplace or from the public images) and upgrade to Pro to create your own Pro-EKS AMI. There are two ways to achieve this:
1. Using a Pro Token:
A 1-year commitment; tokens can be purchased through AWS.
Once you have purchased the tokens, follow the steps shown in the following video:
The video shows how to create your own EKS AMI, in an automated way, from the official Ubuntu-EKS image, using a token. The example shows how to enable FIPS; though FIPS may not be needed for your use case, the steps are the same. You can use Packer or EC2 Image Builder, or even build it manually, to create your own AMI with the token pre-loaded.
After creating your own AMI, you can create clusters either using EC2 Launch Templates (as shown in the video) or by using eksctl.
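As an added example of the automated path described above (not code from this guide or the video), the following Packer HCL2 template starts from a public Ubuntu-EKS AMI, attaches the Pro token passed in as a sensitive variable, optionally enables FIPS as the video does, reboots so the FIPS kernel is what the snapshot boots, and captures the result as a new AMI. The region, instance type, AMI name pattern and Kubernetes version in the filter are assumptions to adjust for your account:

```hcl
packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.0.0"
    }
  }
}

# Supplied at build time (e.g. PKR_VAR_pro_token) and marked sensitive so
# Packer redacts it from its output; the token never lands in the template.
variable "pro_token" {
  type      = string
  sensitive = true
}

# FIPS is only needed for regulated workloads (FedRAMP etc.); default off.
variable "enable_fips" {
  type    = bool
  default = false
}

source "amazon-ebs" "ubuntu_eks_pro" {
  region        = "us-east-1"                        # assumption
  instance_type = "t3.medium"                        # assumption
  ssh_username  = "ubuntu"
  ami_name      = "ubuntu-eks-pro-{{timestamp}}"

  # Start from the public Ubuntu-EKS optimized image. The name pattern and
  # Kubernetes version are assumptions; verify against Canonical's AMI listing.
  source_ami_filter {
    filters = {
      name                = "ubuntu-eks/k8s_1.27/images/hvm-ssd/*"
      virtualization-type = "hvm"
      root-device-type    = "ebs"
    }
    owners      = ["099720109477"]   # Canonical's public AMI account (verify)
    most_recent = true
  }
}

build {
  sources = ["source.amazon-ebs.ubuntu_eks_pro"]

  # Attach Pro without auto-enabling every service, then enable only FIPS if asked.
  provisioner "shell" {
    environment_vars = ["PRO_TOKEN=${var.pro_token}", "ENABLE_FIPS=${var.enable_fips}"]
    inline = [
      "set -eu",
      "sudo pro attach \"$PRO_TOKEN\" --no-auto-enable",
      "if [ \"$ENABLE_FIPS\" = true ]; then sudo pro enable fips --assume-yes; fi",
      "sudo pro status",
    ]
  }

  # FIPS installs a new kernel: reboot so the image snapshot boots it.
  provisioner "shell" {
    inline            = ["sudo reboot"]
    expect_disconnect = true
  }

  # Confirm the running kernel and attachment state before the AMI is created.
  provisioner "shell" {
    pause_before = "30s"
    inline       = ["uname -r", "sudo pro status"]
  }
}
```

Run it with `packer init .` followed by `packer build -var "enable_fips=true" .` after exporting `PKR_VAR_pro_token`; the resulting AMI ID is what you reference from the EC2 Launch Template or eksctl config.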
2. Upgrading to Pro using Amazon License Manager:
Pay as you go (PAYG), with no long-term commitment.
AWS recently released a feature to upgrade an Ubuntu LTS EC2 instance to Ubuntu Pro, maintaining the PAYG model. Since EKS runs on EC2, we can leverage this process to enable Pro and its features. The process is done through AWS License Manager and SSM.
Upgrading an instance from the regular Ubuntu LTS to Ubuntu Pro is called a “license change” in Amazon License Manager. Since this change is applied to instances, it requires the user to launch an Ubuntu-EKS AMI as a normal EC2 instance and follow the upgrade process as described in the following links:
After following the process, you will end up with an Ubuntu Pro EKS instance. You need to create an AMI and follow the described steps for launching a cluster with your own AMI (using EC2 launch templates or