This repository contains Packer scripts and definitions to create custom AMIs for use with Amazon EKS via self-managed Auto Scaling Groups and Managed Node Groups. Many organizations require running custom AMIs for security, compliance, or internal policy requirements. The Amazon EKS Optimized AMI remains the preferred way to deploy containers on Amazon EKS, these AMIs aim to provide a starting place for customers looking to implement custom AMIs with operating systems other than Amazon Linux. The AMIs built in this repository are based on the Amazon EKS optimized AMI published by AWS.
This repository also applies the Docker CIS Benchmark and Amazon EKS CIS Benchmark to all AMIs. We also support a number of optional hardening benchmarks such as DISA STIG, PCI-DSS, and HIPAA. These are based on OpenSCAP and other open source hardening guidelines.
Scripts and artifacts created by this repository do not guarantee compliance and these AMIs are not officially supported by AWS. Ensure your security and compliance teams thoroughly review these scripts before moving AMIs into production.
Lack of support in this repository does not indicate that you can't meet compliance with Amazon EKS, it simply means it is not supported by this repository. We welcome pull requests!
| Distribution | Version | Available | Supported Hardening |
|---|---|---|---|
| Amazon Linux | 2 | ✅ | CIS Benchmark |
| Ubuntu | 18.04 | ✅ | None |
| Ubuntu | 20.04 | ✅ | None |
| Red Hat Enterprise Linux | 7 | ✅ | CIS Benchmark, NIST 800-171, ACSC, HIPAA, OSPP, PCI-DSS, DISA STIG |
| Red Hat Enterprise Linux | 8 | ✅ | CIS Benchmark, NIST 800-171, ACSC, HIPAA, OSPP, PCI-DSS, DISA STIG |
| CentOS | 7 | CIS Benchmark, NIST 800-171, ACSC, HIPAA, OSPP, PCI-DSS | |
| CentOS | 8 | CIS Benchmark, NIST 800-171, ACSC, HIPAA, OSPP, PCI-DSS | |
| Windows | 18.09 | ✅ | None |
| Windows | 20.04 | ✅ | None |
This repository uses Packer to build AMIs. You can install these tools from their respective websites or via Homebrew.
brew install packerYou will also need to provision a VPC with a single public Subnet. You can leverage an existing VPC and Subnet or create one via the console. You will need the VPC ID and Subnet ID for the builds.
The Packer commands are encapsulated in Make commands. Packer handles provisioning the instance, the temporary ssh key, temporary security group, and creating the AMI. Below are the variables accepted by the build command. The Make commands folllow the following naming convention:
make build-<operating system>-<eks major version>| Parameter | Default | Description |
|---|---|---|
AWS_REGION |
The AWS Region to use for the packer instance | |
VPC_ID |
The AWS VPC to use for the packer instance | |
SUBNET_ID |
The AWS Subnet to use for the packer instance | |
eks_version |
1.18.9 |
The version of Kubernetes to install. See blow for information on how to get this value. |
eks_build_date |
2020-11-02 |
The build date of the Kubernetes build |
cni_plugin_version |
v0.8.6 |
The version of the Kubernetes Container Networking Interface (CNI) plugin to install |
http_proxy |
Specify an HTTP Proxy to use when running commands on the server. This will set the http_proxy and HTTP_PROXY environment variables on the server while commands are running. |
|
https_proxy |
Specify an HTTPS Proxy to use when running commands on the server. This will set the https_proxy and HTTPS_PROXY environment variables on the server while commands are running. |
|
no_proxy |
Specify the no proxy configuration to use when running commands on the server. This will set the no_proxy and NO_PROXY environment variables on the server while commands are running. |
|
hardening_flag |
false |
This flag specifies the hardening to apply to the instance. The default is only the Docker and EKS benchmark. |
root_volume_size |
10 |
The size of the root volume on the host. |
data_volume_size |
50 |
The size of the data volume that is attached to those. This volume houses docker, var, and logs. |
The AMI can be used with self-managed node groups and managed node groups within EKS. The AMIs built in this repository use the same bootstrap script used in the EKS Optimized AMI. To join the cluster, run the following command on boot:
/etc/eks/bootstrap.sh <cluster name> --kubelet-extra-args '--node-labels=eks.amazonaws.com/nodegroup=<node group name>,eks.amazonaws.com/nodegroup-image=<ami id>'This can also be used with eksctl to create a managed node group with a custom AMI. To use with managed node groups, you will first need to create a Launch Template. You need to create a Launch Template because eksctl uses a type of UserData that only support Amazon Linux 2 so we must provide our own.
./helpers/eksctl-lt.sh --cluster custom-ami --name ng-1 --ami ami-123456789abcdefgh --instance-type t3.xlarge
# lt-123456789abcdefghThe excerpt from a cluster.yml shows how to supply a Launch Template ID:
managedNodeGroups:
- name: ng-1
ami: <id of created AMI>
instanceType: t3.xlarge
minSize: 3
desiredCapacity: 3
maxSize: 6
privateNetworking: true
labels:
role: worker
tags:
k8s.io/cluster-autoscaler/enabled: "true"
k8s.io/cluster-autoscaler/<cluster name>: "true"
launchTemplate:
id: lt-123456789abcdefghThe following operating systems are supported by this repository. This repository is not officially supported by AWS or Amazon EKS.
| Distribution | Version | Build Command | CIS Benchmark |
|---|---|---|---|
| Amazon Linux | 2 | build-al2-<eks major version> |
hardening_flag=cis |
The Amazon Linux 2 EKS Optmized AMI is used as the base for this image. This image extends the EKS Optimized AMI to apply the Amazon Linux 2 CIS Benchmark, Docker CIS Benchmark, and Amazon EKS CIS Benchmark. These benchmarks are typically used to meet NIST 800-53 controls. Hardening is provided as a "best effort" and does not guarantee compliance with the above frameworks.
# build amazon linux 2 for amazon eks 1.15
make build-al2-1.15
# build amazon linux 2 for amazon eks 1.16
make build-al2-1.16
# build amazon linux 2 for amazon eks 1.17
make build-al2-1.17
# build amazon linux 2 for amazon eks 1.18
make build-al2-1.18| Distribution | Version | Supported |
|---|---|---|
| Ubuntu | 18.04 | build-ubuntu1804-<eks major version> |
| Ubuntu | 20.04 | build-ubuntu2004-<eks major version> |
Ubuntu AMIs are aimed to provide a similar experience to the EKS Optimized AMI. This reposiroty installs Docker and the Amazon EKS components.
# build ubuntu 18.04 for amazon eks 1.15
make build-ubuntu1804-1.15
# build ubuntu 18.04 for amazon eks 1.16
make build-ubuntu1804-1.16
# build ubuntu 18.04 for amazon eks 1.17
make build-ubuntu1804-1.17
# build ubuntu 18.04 for amazon eks 1.18
make build-ubuntu1804-1.18# build ubuntu 20.04 for amazon eks 1.15
make build-ubuntu2004-1.15
# build ubuntu 20.04 for amazon eks 1.16
make build-ubuntu2004-1.16
# build ubuntu 20.04 for amazon eks 1.17
make build-ubuntu2004-1.17
# build ubuntu 20.04 for amazon eks 1.18
make build-ubuntu2004-1.18| Distribution | Version | Build Command | CIS Benchmark | NIST 800-171 | E8 | HIPAA | OSPP | PCI | DISA STIG |
|---|---|---|---|---|---|---|---|---|---|
| Red Hat Enterprise Linux | 7 | build-rhel7-<eks major version> |
hardening_flag=cis |
hardening_flag=cui |
hardening_flag=e8 |
hardening_flag=hipaa |
hardening_flag=ospp |
hardening_flag=pci-dss |
hardening_flag=stig |
| Red Hat Enterprise Linux | 8 | build-rhel8-<eks major version> |
hardening_flag=cis |
hardening_flag=cui |
hardening_flag=e8 |
hardening_flag=hipaa |
hardening_flag=ospp |
hardening_flag=pci-dss |
hardening_flag=stig |
Red Hat Enterprise Linux 7/8 are aimed to provide a similar experience to the EKS Optimized AMI. This reposiroty installs Docker and the Amazon EKS components. OpenSCAP is used to apply the above hardening frameworks. Hardening is provided as a "best effort" and does not guarantee compliance with the above frameworks. Certain adjustments are made in order to work with Amazon EKS:
- This repository leverages the latest version of Docker CE available from Docker. The version of Docker that comes with RHEL 7 is out of date and overidden with the Docker CE repository.
- The
firewalldserivce is disable to support Docker and Kubernetes. - When FIPS 140-2 mode is enabled,
boot=<UUID>is not added as the/bootfolder is not on a separate partition. - The SELinux boolean
container_manage_cgroupis enabled to support containers. - Hardening frameworks such as the DISA STIG that enable SELinux require the VPC CNI
aws-nodecontainer be run in privileged mode. - Packer does not support RHEL 8 in FIPS mode. SSH authentication breaks once FIPS is enabled. This repository enables FIPS as the last step as a workaround.
# Red Hat Enterprise Linux 7
################################
# build red hat enterprise linux 7 for amazon eks 1.15
make build-rhel7-1.15
# build red hat enterprise linux 7 for amazon eks 1.16
make build-rhel7-1.16
# build red hat enterprise linux 7 for amazon eks 1.17
make build-rhel7-1.17
# build red hat enterprise linux 7 for amazon eks 1.18
make build-rhel7-1.18
# Red Hat Enterprise Linux 8
################################
# build red hat enterprise linux 8 for amazon eks 1.15
make build-rhel8-1.15
# build red hat enterprise linux 8 for amazon eks 1.16
make build-rhel8-1.16
# build red hat enterprise linux 8 for amazon eks 1.17
make build-rhel8-1.17
# build red hat enterprise linux 8 for amazon eks 1.18
make build-rhel8-1.18| Distribution | Version | Build Command | CIS Benchmark | NIST 800-171 | E8 | HIPAA | OSPP | PCI |
|---|---|---|---|---|---|---|---|---|
| CentOS | 7 | build-centos7-<eks major version> |
hardening_flag=cis |
hardening_flag=cui |
hardening_flag=e8 |
hardening_flag=hipaa |
hardening_flag=ospp |
hardening_flag=pci-dss |
| CentOS | 8 | build-centos8-<eks major version> |
hardening_flag=cis |
hardening_flag=cui |
hardening_flag=e8 |
hardening_flag=hipaa |
hardening_flag=ospp |
hardening_flag=pci-dss |
CentOS 7/8 are aimed to provide a similar experience to the EKS Optimized AMI. This reposiroty installs Docker and the Amazon EKS components. OpenSCAP is used to apply the above hardening frameworks. Hardening is provided as a "best effort" and does not guarantee compliance with the above frameworks. Certain adjustments are made in order to work with Amazon EKS:
- The
firewalldserivce is disable to support Docker and Kubernetes. - While FIPS 140-2 modules can be applied to CentOS, CentOS has not been formally validated.
- The SELinux boolean
container_manage_cgroupis enabled to support containers. - Hardening is applied using RHEL hardening guides.
# CentOS 7
################################
# build centos 7 for amazon eks 1.15
make build-centos7-1.15
# build centos 7 for amazon eks 1.16
make build-centos7-1.16
# build centos 7 for amazon eks 1.17
make build-centos7-1.17
# build centos 7 for amazon eks 1.18
make build-centos7-1.18
# CentOS 8
################################
# build centos 8 for amazon eks 1.15
make build-centos8-1.15
# build centos 8 for amazon eks 1.16
make build-centos8-1.16
# build centos 8 for amazon eks 1.17
make build-centos8-1.17
# build centos 8 for amazon eks 1.18
make build-centos8-1.18Note: This build may not work while on a corporate VPN as it uses WinRM to communicate with the instance.
| Distribution | Version | Build Command | CIS Benchmark |
|---|---|---|---|
| Windows Server Core | 18.09 | build-windows1809core-<eks major version> |
|
| Windows Server Full | 18.09 | build-windows1809full-<eks major version> |
|
| Windows Server Core | 20.04 | build-windows2004core-<eks major version> |
The Windows Server EKS Optmized AMI is used as the base for this image.
# build windows for amazon eks 1.16
make build-windows1809core-1.16
make build-windows1809full-1.16
make build-windows2004core-1.16
# build windows for amazon eks 1.17
make build-windows1809core-1.17
make build-windows1809full-1.17
make build-windows2004core-1.17
# build windows for amazon eks 1.18
make build-windows1809core-1.18
make build-windows1809full-1.18
make build-windows2004core-1.18Amazon EKS builds and tests specific versions of Kubernetes together for compatability. It is important that you use versions that have been tested together.
| Kubernetes Version | Build Date |
|---|---|
| 1.18.9 | 2020-11-02 |
| 1.17.12 | 2020-11-02 |
| 1.16.15 | 2020-11-02 |
| 1.15.12 | 2020-11-02 |
To get the list of support Kubernetes versions run the following command:
aws s3 ls amazon-eks --region=us-west-2
# ...
# PRE 1.14.9/
# PRE 1.15.10/
# ...Once you select a version you will need to get the build date:
aws s3 ls s3://amazon-eks/1.15.10/ --region=us-west-2
# PRE 2020-02-22/This library is licensed under the MIT-0 License. See the LICENSE file.