Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019 and Windows Server 2022. They are configured to serve as the base image for Amazon EKS nodes. By default, the AMIs include the following components:
- https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/
- AWS IAM Authenticator for Kubernetes
- https://github.com/kubernetes-csi/csi-proxy
- https://www.docker.com/ (only available for Kubernetes version
1.23) Important
For Windows Amazon EKS optimized AMIs versions that include the Docker component, those that are published in September 2022 or later include the Docker CE (Moby project) runtime instead of the Docker EE (Mirantis) runtime. For more information, see Amazon ECS and Amazon EKS optimized Amazon Machine Images for Microsoft Windows Server now use Docker CE runtime. - https://containerd.io/
Note
You can track security or privacy events for Windows Server with the Microsoft security update guide.
Amazon EKS offers AMIs that are optimized for Windows containers in the following variants:
- Amazon EKS-optimized Windows Server 2019 Core AMI
- Amazon EKS-optimized Windows Server 2019 Full AMI
- Amazon EKS-optimized Windows Server 2022 Core AMI
- Amazon EKS-optimized Windows Server 2022 Full AMI
Important
The Amazon EKS-optimized Windows Server 20H2 Core AMI is deprecated. No new versions of this AMI will be released.
To ensure that you have the latest security updates by default, Amazon EKS maintains at least the four most recent Windows Amazon EKS-optimized AMIs. After releasing new Windows Amazon EKS-optimized AMIs, Amazon EKS makes the Windows Amazon EKS-optimized AMIs that are older private. If there is a private AMI that you need access to, let us know by filing a ticket with AWS Support.
The following table lists the release and end of support dates for Windows versions on Amazon EKS. If an end date is blank, it's because the version is still supported.
| Windows version | Amazon EKS release | Amazon EKS end of support |
|---|---|---|
| Windows Server 2022 Core | 10/17/2022 | |
| Windows Server 2022 Full | 10/17/2022 | |
| Windows Server 20H2 Core | 8/12/2021 | 8/9/2022 |
| Windows Server 2004 Core | 8/19/2020 | 12/14/2021 |
| Windows Server 2019 Core | 10/7/2019 | |
| Windows Server 2019 Full | 10/7/2019 | |
| Windows Server 1909 Core | 10/7/2019 | 12/8/2020 |
When you create a Windows node, there's a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see Amazon EC2 user data.
The script includes the following parameters:
-EKSClusterName– Specifies the Amazon EKS cluster name for this worker node to join.-KubeletExtraArgs– Specifies extra arguments forkubelet(optional).-KubeProxyExtraArgs– Specifies extra arguments forkube-proxy(optional).-APIServerEndpoint– Specifies the Amazon EKS cluster API server endpoint (optional). Only valid when used with-Base64ClusterCA. Bypasses callingGet-EKSCluster.-Base64ClusterCA– Specifies the base64 encoded cluster CA content (optional). Only valid when used with-APIServerEndpoint. Bypasses callingGet-EKSCluster.-DNSClusterIP– Overrides the IP address to use for DNS queries within the cluster (optional). Defaults to10.100.0.10or172.20.0.10based on the IP address of the primary interface.-ContainerRuntime– Specifies the container runtime to be used on the node.-ServiceCIDR– Overrides the Kubernetes service IP address range from which cluster services are addressed. Defaults to172.20.0.0/16or10.100.0.0/16based on the IP address of the primary interface.-ExcludedSnatCIDRs– A list ofIPv4CIDRs to exclude from Source Network Address Translation (SNAT). This means that the pod private IP which is VPC addressable wouldn't be translated to the IP address of the instance ENI's primaryIPv4address for outbound traffic. By default, theIPv4CIDR of the VPC for the Amazon EKS Windows node is added. Specifying CIDRs to this parameter also additionally excludes the specified CIDRs. For more information, see SNAT for Pods.
For Kubernetes version 1.23, you can use an optional bootstrap flag to enable the containerd runtime for Amazon EKS optimized Windows AMIs. This feature gives you a clear path to migrate to containerd when updating to version 1.24 or later. Amazon EKS ended support for Docker starting with the Kubernetes version 1.24 launch. For more information, see Amazon EKS ended support for Dockershim.
For Amazon EKS version 1.23, the supported values for the container runtime are docker and containerd. The container runtime is specified when launching the Windows nodes using either eksctl or the AWS Management Console.
- If the specified value is
dockerand the Amazon EKS version is1.23, then Docker is used as the runtime on the node. - If any other value is specified, then the bootstrap fails and the node isn't able to join the cluster.
- If this flag isn't specified, then the default value of the container runtime is selected. For Amazon EKS version
1.23and earlier, the default is Docker. For1.24and later clusters, it iscontainerd.
When launching Windows nodes in your Amazon EKS cluster, follow the steps in Launching self-managed Windows nodes. Windows self-managed nodes with the containerd runtime can be launched using eksctl or the AWS Management Console.
To enable the containerd runtime with eksctl
For Windows self-managed nodes, the container runtime can be specified in the configuration while creating new node groups. You can use the following test-windows-with-containerd.yaml as reference.
Note
You must use eksctl version https://github.com/weaveworks/eksctl/releases/tag/v0.95.0 or later to use the containerRuntime setting in the configuration file.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: windows-containerd-cluster
region: us-west-2
version: 'X.XX'
nodeGroups:
- name: windows-ng
instanceType: m5.2xlarge
amiFamily: WindowsServer2019FullContainer
volumeSize: 100
minSize: 2
maxSize: 3
containerRuntime: containerd
- name: linux-ng
amiFamily: AmazonLinux2
minSize: 2
maxSize: 3
The node groups can then be created using the following command.
eksctl create cluster -f test-windows-with-containerd.yaml
Note
Starting with eksctl version 0.95, you can no longer use preBootstrapCommands to configure ContainerRuntime for Windows nodes.
For more information, see Creating a nodegroup from a config file, defining containerd runtime, and Config file schema in the eksctl documentation.
To enable the containerd runtime with the AWS Management Console
In the AWS CloudFormation template, there's a parameter named BootstrapArguments which can be used to pass in additional arguments to the bootstrap script. A parameter named ContainerRuntime can be used to select a particular runtime on the node.
Specify the following in BootstrapArguments to enable the containerd runtime:
-ContainerRuntime containerd
Amazon EKS optimized Windows Server 2022 AMIs are available for Kubernetes version 1.23 or higher. You can use the following test-windows-2022.yaml as reference for running Windows Server 2022 as self-managed nodes.
Note
You must use eksctl version https://github.com/weaveworks/eksctl/releases/tag/v0.116.0 or later to run self-managed Windows Server 2022 nodes.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: windows-2022-cluster
region: us-west-2
version: '1.23'
nodeGroups:
- name: windows-ng
instanceType: m5.2xlarge
amiFamily: WindowsServer2022FullContainer
volumeSize: 100
minSize: 2
maxSize: 3
- name: linux-ng
amiFamily: AmazonLinux2
minSize: 2
maxSize: 3
The node groups can then be created using the following command.
eksctl create cluster -f test-windows-2022.yaml
Amazon EKS Windows Pods allow different types of group Managed Service Account (gMSA) authentication.
- Amazon EKS supports Active Directory domain identities for authentication. For more information on domain-joined gMSA, see Windows Authentication on Amazon EKS Windowspods on the AWS blog.
- Amazon EKS offers a plugin that enables non-domain-joined Windows nodes to retrieve gMSA credentials with a portable user identity. For more information on domainless gMSA, see Domainless Windows Authentication for Amazon EKS Windowspods on the AWS blog.
Amazon EKS Windows optimized AMIs have certain container images cached for both the docker and containerd runtimes. Container images are cached when building custom AMIs using Amazon-managed build components. For more information, see Using the Amazon-managed build component.
The docker runtime is the default and has the following container images cached on Amazon EKS Windows AMIs. Retrieve this image list by running docker images on the Amazon EKS Windows node:
amazonaws.com/eks/pause-windowsmcr.microsoft.com/windows/nanoservermcr.microsoft.com/windows/servercore
The containerd runtime only has one container image. Retrieve this image list by running ctr -n k8s.io images list:
amazonaws.com/eks/pause-windows
There is no docker runtime. The following cached container images are for the containerd runtime:
amazonaws.com/eks/pause-windowsmcr.microsoft.com/windows/nanoservermcr.microsoft.com/windows/servercore
For more information about using Amazon EKS optimized Windows AMIs, see the following sections:
- To use Windows with managed node groups, see Managed node groups.
- To launch self-managed Windows nodes, see Launching self-managed Windows nodes.
- For version information, see Amazon EKS optimized Windows AMI versions.
- To retrieve the latest IDs of the Amazon EKS optimized Windows AMIs, see Retrieving Amazon EKS optimized Windows AMI IDs.
- To use Amazon EC2 Image Builder to create custom Amazon EKS optimized Windows AMIs, see Creating custom Amazon EKS optimized Windows AMIs.