Create an Ubuntu Pro worker node AMI for Amazon EKS

Many customers have recently started asking for Ubuntu Pro as the EKS worker node OS. Currently, EKS natively supports Amazon Linux 2, Bottlerocket, and Windows. This quick guide will help you understand the process of building your own Ubuntu-Pro-EKS AMI.

Ubuntu LTS EKS Optimized images

Since 2018, we have been producing Ubuntu-EKS optimized AMIs for EKS worker nodes, based on Minimal Ubuntu. These images, being a third-party option, need to be launched either via eksctl or using EC2 Launch Templates.

For more information, visit Ubuntu on Amazon Elastic Kubernetes Service (EKS).

Why choose Ubuntu Pro for worker nodes?

Ubuntu Pro takes Ubuntu’s security model to the next level. In the context of a Kubernetes environment, Ubuntu Pro offers several relevant features:

  • Kernel livepatch: This feature applies security patches in memory to your kernel, eliminating the need for emergency restarts. This not only enhances security but also improves uptime. You can choose to restart during your next maintenance window or simply recycle with newly updated nodes.
  • FIPS crypto modules: Many customers have specific security regulations, such as FedRAMP compliance, which require nodes to run on a FIPS-certified kernel and specific FIPS-certified crypto modules.
  • CIS and DISA-STIG hardening rules: With the Ubuntu Security Guide tool, you can harden your nodes according to CIS or DISA-STIG benchmarks. This ensures that your nodes are secure and compliant with industry standards.
  • ESM-Apps: While worker nodes typically do not run any software other than the Kubernetes runtime, ESM-Apps provides your cluster with the ability to run your containers with security patching coverage for all third-party applications installed from the Universe repository. This includes popular applications such as Apache, Kafka, MySQL, PostgreSQL, MongoDB, Nginx, Node.js, and a wide range of dependencies.

By choosing Ubuntu Pro for your worker nodes, you can significantly improve the security and reliability of your Kubernetes environment.

Enabling Pro on Ubuntu-EKS images

Since Ubuntu Pro is not yet an official option for EKS, the path forward is to use Ubuntu-EKS optimized images (either from Marketplace or from the public images) and upgrade to Pro to create your own Pro-EKS AMI. There are two ways to achieve this:

1. Using a Pro Token:

One year commitment, can be purchased through AWS.

Go to Ubuntu.com/Pro and get your tokens. Contact the sales team for more details and purchase options.

Once you have purchased the tokens, follow the steps shown in the following video:

https://www.youtube.com/watch?v=dvzg4wTh0C8

The video shows how to create your own EKS AMI, in an automated way, from the official Ubuntu-EKS image, using a token. The example shows how to enable FIPS, and though it may not be needed for your use case, the steps are the same. You can use Packer, EC2 Image Builder, or even a manual process to create your own AMI with the tokens pre-loaded.

After creating your own AMI, you can create clusters either using EC2 Launch Templates (as shown in the video) or by using eksctl.

2. Upgrading to Pro using Amazon License Manager:

Pay as you go (PAYG), no long term commitments

AWS recently released a feature that allows upgrading an Ubuntu LTS EC2 instance to Ubuntu Pro while maintaining the PAYG model. As EKS runs on EC2, we can utilize this process to upgrade a regular Ubuntu-EKS image to Ubuntu Pro. The upgrade process is carried out through AWS License Manager and SSM.

The process of upgrading an instance from regular Ubuntu LTS to Ubuntu Pro is referred to as a “license change” on Amazon License Manager. Since this change is applied to instances, users need to launch an Ubuntu-EKS AMI as a regular EC2 instance and follow the upgrade process outlined below.

  1. Go to our EKS image locator and find the right AMI ID for your region.

  2. Launch this AMI ID. You can use the AWS CLI, the EC2 web console, or any other method.

  3. Start the license conversion process as described in the following links:

    After following the process, you will end up with an Ubuntu Pro EKS instance.

  4. Create your own image from this instance: Create an AMI from an Amazon EC2 Instance

  5. Launch your cluster with your new AMI (using EC2 launch templates or eksctl).
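
Before creating the image from the upgraded instance (either method), it is worth confirming that the instance is actually attached to Pro and that the services you depend on are enabled. The following check is an added example, not part of the original guide or of Canonical's tooling: it assumes the JSON field names (attached, services, name, entitled, status) emitted by pro status --format json, uses a constructed sample as input, and the script name check_pro.py and the default list of required services are illustrative choices.

```python
import json
import sys

# Constructed sample, trimmed to the fields this check reads. Field names are
# assumed to match `pro status --format json` on the build instance.
SAMPLE_STATUS = """
{"attached": true,
 "services": [
  {"name": "esm-apps",  "entitled": "yes", "status": "enabled"},
  {"name": "esm-infra", "entitled": "yes", "status": "enabled"},
  {"name": "livepatch", "entitled": "yes", "status": "enabled"},
  {"name": "fips",      "entitled": "yes", "status": "disabled"},
  {"name": "usg",       "entitled": "yes", "status": "disabled"}
 ]}
"""


def audit_pro_status(status_json, required):
    """Return a list of findings; an empty list means the image may be baked."""
    status = json.loads(status_json)
    if not status.get("attached", False):
        # Nothing else is meaningful on an unattached machine.
        return ["machine is not attached to an Ubuntu Pro subscription"]
    services = {svc.get("name"): svc for svc in status.get("services", [])}
    findings = []
    for name in required:
        svc = services.get(name)
        if svc is None:
            findings.append(f"{name}: service not reported by the Pro client")
        elif svc.get("entitled") != "yes":
            findings.append(f"{name}: subscription is not entitled to this service")
        elif svc.get("status") != "enabled":
            findings.append(f"{name}: status is {svc.get('status')!r}, expected 'enabled'")
    return findings


if __name__ == "__main__":
    # On the build instance:
    #   pro status --format json | python3 check_pro.py esm-apps livepatch
    required = sys.argv[1:] or ["esm-apps", "livepatch"]
    raw = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    problems = audit_pro_status(raw, required)
    for line in problems:
        print("FAIL", line)
    sys.exit(1 if problems else 0)
```

Run as a final step in a Packer or EC2 Image Builder pipeline, a non-zero exit code stops the build before an AMI without the expected Pro coverage is published.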