As of Kubernetes 1.18 the default images used by kOps are the official Ubuntu 20.04 images.
You can choose a different image for an instance group by editing it with kops edit ig nodes
. You should see an image
field in one of the following formats:
ami-abcdef
- specifies an AMI by id directly<owner>/<name>
specifies an AMI by its owner's account ID and name properties<alias>/<name>
specifies an AMI by its owner's alias and name properties
Using the AMI id is precise, but ids vary by region. It is often more convenient to use the <owner/alias>/<name>
if equivalent images with the same name have been copied to other regions.
image: ami-00579fbb15b954340
image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200423
image: ubuntu/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200423
You can find the name for an image using:
aws ec2 describe-images --region us-east-1 --image-id ami-00579fbb15b954340
Automated security updates are handled by kOps for Debian, Flatcar and Ubuntu distros. This can be disabled by editing the cluster configuration:
spec:
updatePolicy: external
The following table provides the support status for various distros with regards to kOps version:
Distro | Experimental | Stable | Deprecated | Removed |
---|---|---|---|---|
Amazon Linux 2 | 1.10 | 1.18 | - | - |
CentOS 7 | - | 1.5 | 1.21 | - |
CentOS 8 | 1.15 | - | 1.21 | - |
CoreOS | 1.6 | 1.9 | 1.17 | 1.18 |
Debian 8 | - | 1.5 | 1.17 | 1.18 |
Debian 9 | 1.8 | 1.10 | 1.21 | - |
Debian 10 | 1.13 | 1.17 | - | - |
Debian 11 | 1.21.1 | - | - | - |
Flatcar | 1.15.1 | 1.17 | - | - |
Kope.io | - | - | 1.18 | - |
RHEL 7 | - | 1.5 | 1.21 | - |
RHEL 8 | 1.15 | 1.18 | - | - |
Ubuntu 16.04 | 1.5 | 1.10 | 1.17 | 1.20 |
Ubuntu 18.04 | 1.10 | 1.16 | 1.21 | - |
Ubuntu 20.04 | 1.16.2 | 1.18 | - | - |
Amazon Linux 2 has variants using Kernel versions 4.14 and 5.10. Be sure to use the 5.10 images as specified in the image filter below. More information is available in the AWS Documentation.
For kOps versions 1.16 and 1.17, the only supported Docker version is 18.06.3
. Newer versions of Docker cannot be installed due to missing dependencies for container-selinux
. This issue is fixed in kOps 1.18.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 137112412989 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=amzn2-ami-kernel-5.10-hvm-2*-x86_64-gp2"
Debian 10 is based on Kernel version 4.19 which fixes some of the bugs present in Debian 9 and effects are less visible.
One notable change is the addition of iptables
NFT, which is by default. This is not yet supported by most CNI plugins and seems to be slower than the legacy version. It is recommended to switch to iptables
legacy by using the following script in additionalUserData
for each instance group:
additionalUserData:
- name: busterfix.sh
type: text/x-shellscript
content: |
#!/bin/sh
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 136693071363 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=debian-10-amd64-*"
Debian 11 is based on Kernel version 5.10 which has no known major Kernel bugs and fully supports all Cilium features.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 136693071363 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=debian-11-amd64-*"
Flatcar is a friendly fork of CoreOS and as such, compatible with it.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 075585003325 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=Flatcar-stable-*-hvm"
RHEL 8 is based on Kernel version 4.18 which fixes some of the bugs present in RHEL/CentOS 7 and effects are less visible.
One notable change is the addition of iptables
NFT, which is the only iptables backend available. This may not be supported by some CNI plugins and should be used with care.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 309956199498 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=RHEL-8.*x86_64*"
Ubuntu 20.04 is based on Kernel version 5.4 which fixes all the known major Kernel bugs.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 099720109477 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-*"
CentOS 7 is based on Kernel version 3.10 which has a considerable number of known bugs that affect it and may be noticed in production clusters:
The minimum supported version is 7.4. Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 125523088429 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=CentOS 7.*x86_64"
CentOS 8 has announced its End Of Life is December 31, 2021.
CentOS 8 is based on Kernel version 4.18 which fixes some of the bugs present in RHEL/CentOS 7 and effects are less visible.
One notable change is the addition of iptables
NFT, which is the only iptables backend available. This may not be supported by some CNI plugins and should be used with care.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 125523088429 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=CentOS 8.*x86_64"
Debian 9 is based on Kernel version 4.9 which has a number of known bugs that affect it and which may be noticed with larger clusters:
This release is EOL, which means that the Debian Security Team no longer handles security fixes. That is now the responsibility/purview of the LTS team, which is a group of volunteers who are paid by donations to Debian LTS.
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 379101102735 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=debian-stretch-hvm-x86_64-gp2-*"
Support for kope.io images is deprecated. These images were the default until Kubernetes 1.18, when they were replaced by the official Ubuntu 20.04 images.
The kope.io images were based on Debian 9 (Stretch) and had all packages required by kOps pre-installed. Other than that, the changes to the official Debian images were minimal.
RHEL 7 is based on Kernel version 3.10 which has a considerable number of known bugs that affect it and may be noticed in production clusters:
The minimum supported version is 7.4. Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 309956199498 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=RHEL-7.*x86_64*"
Ubuntu 18.04 is based on Kernel version 4.15 which has a number of known bugs that affect it and which may be noticed with larger clusters:
Available images can be listed using:
aws ec2 describe-images --region us-east-1 --output table \
--owners 099720109477 \
--query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
--filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-*"
kOps supports owner aliases for the official accounts of supported distros:
kope.io
=>383156758163
amazon
=>137112412989
centos
=>125523088429
debian9
=>379101102735
debian10
=>136693071363
debian11
=>136693071363
flatcar
=>075585003325
redhat
=>309956199498
ubuntu
=>099720109477