Automatic and secure Kubernetes updates with Bottlerocket OS

[weaveworks]

Bottlerocket is the new operating system from AWS. It is designed to be updated in an atomic and secure way using The Update Framework (TUF).

Bottlerocket OS was originally designed to support general containerized workloads and the current version now supports EKS clusters. Bottlerocket ships with a specific version of Kubernetes along with a set of operating system packages that have been tested and work well together. One of its design principles is that it does not allow individual packages to be upgraded. Everything must be together with a particular kernel version, Kubernetes, and its OS packages. This ensures that every update will be both secure and reliable.

Today, we can use Bottlerocket OS to power our EKS clusters and let its updating mechanism to automatically take care of our Kubernetes versions. In this post, we will show how to use our tool, EKSctl - the official CLI for EKS - to spin up an EKS cluster which is powered by Bottlerocket OS.

Bottlerocket OS and the Weave Kubernetes Platform (WKP)

We are also excited to announce that the Bottlerocket OS is now fully compatible with the WKP (Weave Kubernetes Platform), our production ready platform with GitOps as the underlying architecture and developer experience that simplifies cluster configuration and management across your organization.

In the next release of WKP, we plan to ship a feature that supports out-of-the-box provisioning of EKS clusters with Bottlerocket OS. This will further simplify the upgrade and maintenance process for platforms built with WKP. Later in this post, we will also show how to apply the same cluster configuration used by EKSctl to create a cluster with WKP also on top of the Bottlerocket OS.

Bottlerocket node groups with EKSctl

With EKSctl, Bottlerocket can be defined in a node group. We can define a node group and tell the group that we are using the Bottlerocket AMI Family. 

This is an example of the cluster configuration file used for preparing an EKS cluster with Bottlerocket OS.

Set the value for the amiFamily field to Bottlerocket and the ami field to auto-ssm so that EKSctl automatically searches for the correct Bottlerocket AMI for the different regions.

One of the most important points in this configuration is to ensure that each Kubernetes node can be updated automatically. To achieve that, we have to label each node with bottlerocket.aws/platform-version and bottlerocket.aws/update-interface-version. These labels will be detected by the update operator of Bottlerocket. If we enable the update via these labels, the node will be updated via TUF when there’s a new AMI of Bottlerocket available.

Let’s save the above file as eks-cluster.yaml and then type the following command to create an EKS cluster running on Bottlerocket OS:

$ eksctl create cluster -f eks-cluster.yaml

WKP on Bottlerocket OS

With the same node group configuration, we can just copy the nodegroup and put it into the WKP setup/config.yaml. After running the following command:

$ wk setup run

We’ll then see WKP starting up a cluster running on Bottlerocket OS:

After that add the YAML files of the Bottlerocket Update controller to the cluster/manifest and then commit and push. Afterward your Bottlerocket-powered GitOps-managed WKP cluster will be ready.

And you’ll have an automatically upgradable WKP cluster.

To check that have everything setup properly by running kubectl get nodes and/or describe nodes.

Summary

With Bottlerocket, you get a robust OS with atomic and a secure update mechanism for Kubernetes. If you’d like to try WKP on EKS cluster with Bottlerocket please contact our sales team. We’re happy to help.

View the full article