[EKS] Managed Node Groups Launch Template Support #585

Closed
tabern opened this issue Nov 19, 2019 · 16 comments
Labels: EKS Managed Nodes, EKS (Amazon Elastic Kubernetes Service)

@tabern
Contributor

tabern commented Nov 19, 2019

Launch template support: the ability to launch managed nodes using a provided EC2 launch template. This will support multiple customization options for managed nodes, including providing custom AMIs and passing user data during node provisioning.

@tabern added the EKS (Amazon Elastic Kubernetes Service) label on Nov 19, 2019
@ivanmp91

Will this allow adding node taints for EKS managed node groups?

@eswarbala

This issue has the unintended potential to become a bucket for all features. Let's make sure we track the launch template support separately from other feature requests like custom AMIs, passing user data, tainting nodes during provisioning/editing nodegroups. Launch template should definitely support any feature supported by NodeGroups just in a declarative way.

@ivanmp91 - Can you please open an issue if one doesn't exist for node taints and describe the use case and the expected workflow that needs to support node tainting? I am assuming here that you want nodes to be tainted as part of provisioning / editing nodegroups?

@ivanmp91

ivanmp91 commented Nov 27, 2019

Hi @eswarbala! That's right, I'd like to have nodes tainted as part of the provisioning/editing nodegroups. Looks like somebody else created an issue: #507. My use case is pretty much the same as the one already described, but I'm gonna provide some more details there. Thanks!

@yann-soubeyrand

Will this feature allow adding nodes to NLB target groups?

@halimwi

halimwi commented Dec 24, 2019

We have a use case to configure a forward proxy for the managed worker nodes; looking forward to having this feature released.

@0xlen

0xlen commented Dec 25, 2019

The managed nodegroup currently only allows an IAM role with the following attached IAM policies:

  • AmazonEKSWorkerNodePolicy
  • AmazonEKS_CNI_Policy
  • AmazonEC2ContainerRegistryReadOnly

It does not support the usage of IAM roles for the nodes without the above managed policies, even though the roles have the required capabilities. Supporting this feature as well can help with IAM role customization.

@AndrewMcFarren

Can this feature also support associate public IPs for nodes = false? Would like to have private subnets of managed nodes (no public IPs) on the nodes.

@tomiszili

Hi all!
I want to use EKS managed nodegroups without automatic public IPv4 and root volume encryption. I modified the launch template generated by the managed nodegroup, and I changed the default launch template version to the newer one. In the EKS console, I now see that the managed nodegroup is DEGRADED, so it is no longer managed by EKS: "The Amazon EC2 Launch Template : lt-*** has a new version (2), which is not managed by AWS EKS."

My questions are:
Will this degraded nodegroup be updated if there is a new AMI?
Do you have any workaround for this problem?

Thanks

@ravisinha0506

Update version (the update-nodegroup-version API) is disallowed if the Launch Template of the ASG has been modified, since customer changes are not guaranteed to be sticky after our upgrade.

To be able to perform update and upgrade operation on the node group, kindly revert the manual changes made on the node group resources.

Thanks

@llamahunter

When using IAM Roles for Service Accounts (IRSA), the best practice described in https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html is to edit the launch config user-data of the worker node to use iptables to block Docker container access to the metadata server. When we were running self-managed worker nodes, we had this configured in the user-data. The managed worker nodes don't seem to do this on their own (they really should, no?), and there's no way to add it via existing EKS managed worker node APIs.
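
The iptables rule described in the comment above, packaged as launch template user data (an added example, not part of the thread or of AWS's own tooling). It assumes an Amazon Linux 2 EKS-optimized AMI, the VPC CNI's `eni+` pod interface naming, and the MIME multi-part user data format that managed node groups merge with their own bootstrap section; the boundary string and function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: user data that blocks pod access to the instance metadata service.

IMDS_ADDR="169.254.169.254/32"
BOUNDARY="==IMDSBLOCK=="   # arbitrary MIME boundary chosen for this example

# Emit the node-side script. Pod traffic is forwarded from eni+ interfaces
# (assumed VPC CNI naming), so the rule goes in FORWARD; host processes such
# as the kubelet reach IMDS through OUTPUT and are not affected.
imds_block_script() {
  cat <<EOF
#!/bin/bash
set -euo pipefail
yum install -y iptables-services
iptables --insert FORWARD 1 --in-interface eni+ --destination ${IMDS_ADDR} --jump DROP
# Persist the rule so it survives a reboot.
iptables-save | tee /etc/sysconfig/iptables
systemctl enable --now iptables
EOF
}

# Wrap the script in a MIME multi-part archive with a single shell-script part.
build_user_data() {
  printf '%s\n' 'MIME-Version: 1.0'
  printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$BOUNDARY"
  printf '%s\n' "--${BOUNDARY}"
  printf '%s\n\n' 'Content-Type: text/x-shellscript; charset="us-ascii"'
  imds_block_script
  printf '\n%s\n' "--${BOUNDARY}--"
}

# Launch templates carry user data base64-encoded on a single line.
encoded_user_data() {
  build_user_data | base64 | tr -d '\n'
}

# Audit helper: succeeds only if a base64 user-data blob contains the drop rule.
user_data_blocks_imds() {
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | grep -qF -- "--destination ${IMDS_ADDR} --jump DROP"
}
```

`encoded_user_data` produces the value for the launch template's user data field, and `user_data_blocks_imds` can be pointed at the user data of an existing template version to confirm the rule is present.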

@jhoule-splice

Hey all,
I see that this is on the roadmap but as of the last update it doesn't look like there was a timeline set. Has there been any movement on this one? We are hoping to use the launch template to push traffic to a proxy in a secured internal only environment.

Thanks

@mikestef9
Contributor

Hi @jhoule-splice, we are working on this feature, but as per the roadmap guidelines, we can't share specific timelines in this forum.

@llamahunter

Will this support tagging of EC2 instances launched by managed worker node groups? #608

@mikestef9
Contributor

mikestef9 commented Aug 17, 2020

Managed node groups now support EC2 launch templates! See the launch blog and EKS documentation for more details.

This launch addresses the following feature requests, and these issues will be closed soon:

The latest eksctl release supports launch template functionality.

Excited to see all the use cases this unlocks for applications running on managed node groups, and as always, we welcome your feedback!

@os-virtualretail

Great feature! Congrats

@xor007

xor007 commented Oct 28, 2021

It seems launch templates with BlockDeviceMappings are not passed to the EKS API, at least not through CloudFormation calls to EKS. I see

"blockDeviceMapping": {},

in the EKS runInstances call.

This, even though the launch template ID was included in the create node group request.
