Upgrade from Amazon Linux 2 to Amazon Linux 2023
The Amazon EKS optimized AMIs are available in two families based on AL2 and AL2023. AL2023 is a new Linux-based operating system designed to provide a secure, stable, and high-performance environment for your cloud applications. It’s the next generation of Amazon Linux from Amazon Web Services and is available across all supported Amazon EKS versions, including versions 1.23
and 1.24
in extended support.
AL2023 offers several improvements over AL2. For a full comparison, see Comparing AL2 and Amazon Linux 2023 in the Amazon Linux 2023 User Guide. Several packages have been added, upgraded, and removed from AL2. It’s highly recommended to test your applications with AL2023 before upgrading. For a list of all package changes in AL2023, see Package changes in Amazon Linux 2023 in the Amazon Linux 2023 Release Notes.
In addition to these changes, you should be aware of the following:
-
AL2023 introduces a new node initialization process
nodeadm
that uses a YAML configuration schema. If you’re using self-managed node groups or an AMI with a launch template, you’ll now need to provide additional cluster metadata explicitly when creating a new node group. An exampleof the minimum required parameters is as follows, where apiServerEndpoint
,certificateAuthority
, and servicecidr
are now required:--- apiVersion: node.eks.aws/v1alpha1 kind: NodeConfig spec: cluster: name: my-cluster apiServerEndpoint: https://example.com certificateAuthority: Y2VydGlmaWNhdGVBdXRob3JpdHk= cidr: 10.100.0.0/16
In AL2, the metadata from these parameters was discovered from the Amazon EKS
DescribeCluster
API call. With AL2023, this behavior has changed since the additional API call risks throttling during large node scale ups. This change doesn’t affect you if you’re using managed node groups without a launch template or if you’re using Karpenter. For more information oncertificateAuthority
and servicecidr
, see ` DescribeCluster` in the Amazon EKS API Reference. -
Docker isn’t supported in AL2023 for all supported Amazon EKS versions. Support for Docker has ended and been removed with Amazon EKS version
1.24
or greater in AL2. For more information on deprecation, see Migrate from dockershim to containerd. -
Amazon VPC CNI version
1.16.2
or greater is required for AL2023. -
AL2023 requires
IMDSv2
by default.IMDSv2
has several benefits that help improve security posture. It uses a session-oriented authentication method that requires the creation of a secret token in a simple HTTP PUT request to start the session. A session’s token can be valid for anywhere between 1 second and 6 hours. For more information on how to transition fromIMDSv1
toIMDSv2
, see Transition to using Instance Metadata Service Version 2 and Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure. If you would like to use IMDSv1
, you can still do so by manually overriding the settings using instance metadata option launch properties.Note
For
IMDSv2
, the default hop count for managed node groups is set to 1. This means that containers won’t have access to the node’s credentials using IMDS. If you require container access to the node’s credentials, you can still do so by manually overriding theHttpPutResponseHopLimit
in a custom Amazon EC2 launch template, increasing it to 2.Alternatively, you can use Amazon EKS Pod Identity to provide credentials instead ofIMDSv2
. -
AL2023 features the next generation of unified control group hierarchy (
cgroupv2
).cgroupv2
is used to implement a container runtime, and bysystemd
. While AL2023 still includes code that can make the system run usingcgroupv1
, this isn’t a recommended or supported configuration. This configuration will be completely removed in a future major release of Amazon Linux. -
eksctl
version0.176.0
or greater is required foreksctl
to support AL2023.
For previously existing managed node groups, you can either perform an in-place upgrade or a blue/green upgrade depending on how you’re using a launch template:
-
If you’re using a custom AMI with a managed node group, you can perform an in-place upgrade by swapping the AMI ID in the launch template. You should ensure that your applications and any user data transfer over to AL2023 first before performing this upgrade strategy.
-
If you’re using managed node groups with either the standard launch template or with a custom launch template that doesn’t specify the AMI ID, you’re required to upgrade using a blue/green strategy. A blue/green upgrade is typically more complex and involves creating an entirely new node group where you would specify AL2023 as the AMI type. The new node group will need to then be carefully configured to ensure that all custom data from the AL2 node group is compatible with the new OS. Once the new node group has been tested and validated with your applications, Pods can be migrated from the old node group to the new node group. Once the migration is completed, you can delete the old node group.
If you’re using Karpenter and want to use AL2023, you’ll need to modify the EC2NodeClass
amiFamily
field with AL2023. By default, Drift is enabled in Karpenter. This means that once the amiFamily
field has been changed, Karpenter will automatically update your worker nodes to the latest AMI when available.