Skip to content

fix(eks): migrate all AMI types from AL2 to AL2023 for K8s 1.33+#674

Open
musa-asad wants to merge 1 commit into
mainfrom
fix/eks-test-infra-access-entries
Open

fix(eks): migrate all AMI types from AL2 to AL2023 for K8s 1.33+#674
musa-asad wants to merge 1 commit into
mainfrom
fix/eks-test-infra-access-entries

Conversation

@musa-asad
Copy link
Copy Markdown
Contributor

@musa-asad musa-asad commented Apr 29, 2026
edited
Loading

Description of the issue

EKS test clusters use deprecated AL2 AMI types which are no longer supported on K8s 1.33+. Additionally, AL2023 managed node groups default to IMDS hop limit 1, blocking pod IMDS access and breaking Container Insights.

Description of changes

  1. Migrate AMI types to AL2023:

    • AL2_x86_64AL2023_x86_64_STANDARD
    • AL2_ARM_64AL2023_ARM_64_STANDARD
    • AL2_x86_64_GPUAL2023_x86_64_NVIDIA
    • Updated in: test matrix JSON, generator, all variables.tf defaults
    • Replaced hardcoded ami_type in main.tf with var.ami_type

  2. Fix IMDS access for pods on AL2023:

    • Added aws_launch_template with http_put_response_hop_limit = 2
    • Removed disk_size from node groups (incompatible with launch templates)

  3. Add host_network = true to daemonset pod specs:

    • AL2023 hop limit 1 blocks IMDS from pods without hostNetwork
    • Production helm/add-on already sets hostNetwork; test terraform was missing it

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

https://github.com/aws/amazon-cloudwatch-agent/actions/runs/25810039514

@musa-asad musa-asad force-pushed the fix/eks-test-infra-access-entries branch 3 times, most recently from 86557f2 to d0d94cc Compare May 7, 2026 03:45
@musa-asad musa-asad marked this pull request as ready for review May 7, 2026 23:52
@musa-asad musa-asad requested a review from a team as a code owner May 7, 2026 23:52
@musa-asad musa-asad changed the title fix(eks): migrate Windows test clusters from aws-auth to Access Entries fix(eks): migrate all EKS test clusters to Access Entries (authentication_mode=API) May 8, 2026
@musa-asad musa-asad self-assigned this May 8, 2026
@musa-asad musa-asad requested review from Paamicky, TravisStark and sky333999 and removed request for TravisStark May 8, 2026 17:54
@Paamicky
Copy link
Copy Markdown
Contributor

Paamicky commented May 12, 2026

  1. I think a little explanation to why efa cluster uses a different mechanism for access entries authentication_mode = "API" rather than access_config used by all other clusters would be helpful for the future
  2. Multiple files have 3-4 blank lines added at the end. Cosmetic but worth cleaning.

@musa-asad
Copy link
Copy Markdown
Contributor Author

musa-asad commented May 12, 2026

Thanks for the review!

  1. authentication_mode vs access_config: They're actually the same thing — authentication_mode = "API" is set inside the access_config block on all clusters. The EFA cluster uses the same pattern:

    access_config {
  authentication_mode = "API"
}

    If the formatting looks different, it's just HCL style variation — functionally identical across all clusters. I'll double-check the EFA file to make sure it's consistent.

  2. Trailing blank lines: Will clean those up. Thanks for catching it.

@musa-asad musa-asad force-pushed the fix/eks-test-infra-access-entries branch from f14734a to 61e47f0 Compare May 12, 2026 16:18
@musa-asad musa-asad mentioned this pull request May 12, 2026
Merged
@musa-asad musa-asad force-pushed the fix/eks-test-infra-access-entries branch 2 times, most recently from 03cd53e to ff59a14 Compare May 12, 2026 20:21
@musa-asad musa-asad changed the title fix(eks): migrate all EKS test clusters to Access Entries (authentication_mode=API) fix(eks): remove aws-auth ConfigMap and migrate AMI types to AL2023 May 12, 2026
@musa-asad musa-asad requested review from okankoAMZ and removed request for Paamicky and sky333999 May 12, 2026 20:29
@musa-asad musa-asad force-pushed the fix/eks-test-infra-access-entries branch from ff59a14 to 9aba814 Compare May 12, 2026 22:58
@musa-asad musa-asad changed the title fix(eks): remove aws-auth ConfigMap and migrate AMI types to AL2023 fix(eks): migrate all AMI types from AL2 to AL2023 for K8s 1.33+ May 12, 2026
@musa-asad musa-asad force-pushed the fix/eks-test-infra-access-entries branch from 9aba814 to 8615e6e Compare May 13, 2026 03:59
@musa-asad
fix(eks): migrate all AMI types from AL2 to AL2023 for K8s 1.33+
6d261ea 
AL2_x86_64 and AL2_ARM_64 are no longer supported on K8s 1.33+.
- Update test matrix JSON to AL2023_x86_64_STANDARD / AL2023_ARM_64_STANDARD
- Update GPU AMI to AL2023_x86_64_NVIDIA in generator and addon matrix
- Update all variables.tf defaults to AL2023
- Replace hardcoded ami_type in main.tf with var.ami_type
@musa-asad musa-asad force-pushed the fix/eks-test-infra-access-entries branch from 8615e6e to 6d261ea Compare May 13, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@okankoAMZ okankoAMZ Awaiting requested review from okankoAMZ

At least 1 approving review is required to merge this pull request.

Assignees

@musa-asad musa-asad

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@musa-asad @Paamicky