https://serverfault.com/questions/1048470/how-to-get-the-latest-kernel-package-on-aws-ec2
https://repost.aws/knowledge-center/amazon-linux-2-kernel-upgrade
https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-best-practices.html
The base EKS-optimized image amazon/amazon-eks-node-1.28-v20231106 (ami-06b72a2948fb82288) ships with kernel-5.10, so let's update it to kernel-5.15.
Create an EC2 instance from ami-06b72a2948fb82288 and connect to it via ssh.
Ensure the eksctl bootstrap scripts exist
|
ls -al /etc/eks/bootstrap.sh
ls -al /var/lib/cloud/scripts/eksctl/bootstrap.helper.sh
sudo mkdir -p /var/lib/cloud/scripts/eksctl/
# Fetch the raw file: the github.com/.../blob/... page URL returns HTML, not the script
sudo curl -fsSL https://raw.githubusercontent.com/eksctl-io/eksctl/main/pkg/nodebootstrap/assets/scripts/bootstrap.helper.sh -o /var/lib/cloud/scripts/eksctl/bootstrap.helper.sh
sudo chmod +x /var/lib/cloud/scripts/eksctl/bootstrap.helper.sh
|
Update kernel
|
# Check current kernel
uname -r
# Output: 5.10.198-187.748.amzn2.x86_64
# Get available kernels
sudo amazon-linux-extras | grep kernel
# Enable newer kernel from Amazon RPM repo
sudo amazon-linux-extras enable kernel-5.15
# Disable old
sudo amazon-linux-extras disable kernel-5.4
sudo amazon-linux-extras disable kernel-5.10
# See if kernel package locked (versionlock comes from yum-plugin-versionlock; the EKS AMI pins its kernel)
sudo yum versionlock list | grep kernel
# Output: 0:kernel-5.10.198-187.748.amzn2.*
# Output: 0:kernel-headers-5.10.198-187.748.amzn2.*
# Output: 0:kernel-devel-5.10.198-187.748.amzn2.*
# Remove package locks
sudo yum versionlock delete 0:kernel-5.10.198-187.748.amzn2.*
sudo yum versionlock delete 0:kernel-headers-5.10.198-187.748.amzn2.*
sudo yum versionlock delete 0:kernel-devel-5.10.198-187.748.amzn2.*
# Upgrade kernel versions (this example: 5.10->5.15)
sudo yum upgrade kernel kernel-devel kernel-headers
# See installed kernels (both 5.10 and 5.15 are present until the old one is removed)
rpm -qa | grep kernel
sudo reboot
# Reconnect after the reboot and confirm the new kernel is actually running
uname -r
# Remove the old kernel (package-cleanup comes from yum-utils)
sudo package-cleanup --leaves
sudo package-cleanup --oldkernels
sudo yum remove kernel-5.10* kernel-devel-5.10*
sudo yum clean metadata
sudo yum clean all
|
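A post-upgrade check, added here as an example and not part of the original notes: it parses `uname -r` and `rpm -qa` output to confirm that the kernel actually running is the newest installed one (a new kernel that is installed but not yet booted is a common gap) and that nothing from the 5.10 series survived the cleanup. The embedded sample output is constructed, and the 5.15 build number in it is made up; on a node, call `kernel_state "$(uname -r)" "$(rpm -qa)" 5.10`.

```shell
#!/bin/sh
# Added post-upgrade check (not from the original notes). It takes the text of
# `uname -r` and `rpm -qa` as arguments so the logic also runs offline.

# Installed kernel versions from `rpm -qa` text, newest first
# ("kernel-5.15.1-2.amzn2.x86_64" -> "5.15.1-2.amzn2.x86_64"; -devel/-headers ignored).
installed_kernels() {
    printf '%s\n' "$1" | sed -n 's/^kernel-\([0-9][^[:space:]]*\)$/\1/p' | sort -Vr
}

# Newest installed kernel version, or empty when no kernel package is listed.
newest_kernel() {
    installed_kernels "$1" | head -n 1
}

# True when the running kernel ($1 = uname -r) is the newest installed ($2 = rpm -qa).
running_is_newest() {
    [ -n "$1" ] && [ "$1" = "$(newest_kernel "$2")" ]
}

# kernel/kernel-devel/kernel-headers packages still on the old series ($2, e.g. 5.10).
old_series_packages() {
    old_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -E "^kernel(-devel|-headers)?-${old_re}\." || true
}

# One-word verdict: REBOOT_REQUIRED (new kernel installed but not booted),
# OLD_KERNELS_PRESENT (cleanup incomplete) or OK.
kernel_state() {
    if ! running_is_newest "$1" "$2"; then
        echo REBOOT_REQUIRED
    elif [ -n "$(old_series_packages "$2" "$3")" ]; then
        echo OLD_KERNELS_PRESENT
    else
        echo OK
    fi
}

# Constructed sample output (not captured from a node): state right after
# `yum upgrade kernel`, and state after the reboot plus cleanup.
BEFORE_REBOOT='kernel-5.10.198-187.748.amzn2.x86_64
kernel-headers-5.15.138-88.141.amzn2.x86_64
kernel-5.15.138-88.141.amzn2.x86_64
kernel-devel-5.15.138-88.141.amzn2.x86_64'
AFTER_CLEANUP='kernel-5.15.138-88.141.amzn2.x86_64
kernel-devel-5.15.138-88.141.amzn2.x86_64
kernel-headers-5.15.138-88.141.amzn2.x86_64'
echo "before reboot: $(kernel_state 5.10.198-187.748.amzn2.x86_64 "$BEFORE_REBOOT" 5.10)"
echo "after cleanup: $(kernel_state 5.15.138-88.141.amzn2.x86_64 "$AFTER_CLEANUP" 5.10)"
```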
https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-best-practices.html
Stop instance
Create image
|
...
- name: custom_image
  amiFamily: AmazonLinux2
  ami: ami-12345 # custom AMI with kernel-5.15, built on ami-06b72a2948fb82288
  overrideBootstrapCommand: |
    #!/bin/bash
    echo "eksctl relies on a specific set of labels to be on the node, so it can find them."
    source /var/lib/cloud/scripts/eksctl/bootstrap.helper.sh
    # Note "--node-labels=${NODE_LABELS}" needs the above helper sourced to work, otherwise will have to be defined manually.
    /etc/eks/bootstrap.sh ${CLUSTER_NAME} --container-runtime containerd --kubelet-extra-args "--node-labels=${NODE_LABELS}"
  desiredCapacity: 1
  minSize: 0
  maxSize: 40
  instancesDistribution:
    instanceTypes:
      - c5.4xlarge # 32.0 GiB 16 vCPUs
      - c6a.4xlarge # 32.0 GiB 16 vCPUs
      - c6i.4xlarge # 32.0 GiB 16 vCPUs
      - m5a.4xlarge # 64.0 GiB 16 vCPUs
    onDemandBaseCapacity: 0
    onDemandPercentageAboveBaseCapacity: 0
    spotAllocationStrategy: "price-capacity-optimized"
  tags:
    'k8s.io/cluster-autoscaler/node-template/label/role': 'role'
    'tag_name': 'tag_value'
  labels:
    role: role
  volumeSize: 100
  privateNetworking: true
  securityGroups:
    attachIDs:
      - sg-12345
  iam:
    withAddonPolicies:
      externalDNS: true
      certManager: true
      awsLoadBalancerController: true
      imageBuilder: true
    attachPolicy:
      Statement:
        - Effect: Allow
          Action:
            - "s3:ListBucket"
          Resource:
            - "arn:aws:s3:::prefix-*"
        - Effect: Allow
          Action:
            - "s3:*Object"
          Resource:
            - "arn:aws:s3:::prefix-*/*"
  ssh:
    allow: true
    publicKeyPath: ~/.ssh/key_rsa.pub
|