Images

As of Kubernetes 1.18 the default images used by kOps are the official Ubuntu 20.04 images.

You can choose a different image for an instance group by editing it with kops edit ig nodes. You should see an image field in one of the following formats:

  • ami-abcdef - specifies an AMI by id directly
  • <owner>/<name> - specifies an AMI by its owner’s account ID and name properties
  • <alias>/<name> - specifies an AMI by its owner’s alias and name properties

Using the AMI id is precise, but ids vary by region. It is often more convenient to use the <owner/alias>/<name> form if equivalent images with the same name have been copied to other regions.

    image: ami-00579fbb15b954340
    image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200423
    image: ubuntu/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200423

You can find the name for an image using:

    aws ec2 describe-images --region us-east-1 --image-ids ami-00579fbb15b954340

Security Updates

Automated security updates are handled by kOps for Debian, Flatcar and Ubuntu distros. This can be disabled by editing the cluster configuration:

    spec:
      updatePolicy: external

Distros Support Matrix

The following table provides the support status for various distros with regard to kOps version:

Distro          Experimental  Stable  Deprecated  Removed
Amazon Linux 2  1.10          1.18    -           -
CentOS 7        -             1.5     1.21        -
CentOS 8        1.15          -       1.21        -
CoreOS          1.6           1.9     1.17        1.18
Debian 8        -             1.5     1.17        1.18
Debian 9        1.8           1.10    1.21        -
Debian 10       1.13          1.17    -           -
Flatcar         1.15.1        1.17    -           -
Kope.io         -             -       1.18        -
RHEL 7          -             1.5     1.21        -
RHEL 8          1.15          1.18    -           -
Ubuntu 16.04    1.5           1.10    1.17        1.20
Ubuntu 18.04    1.10          1.16    1.21        -
Ubuntu 20.04    1.16.2        1.18    -           -

Supported Distros

Amazon Linux 2

Amazon Linux 2 is based on Kernel version 4.14, which fixes some of the bugs present in RHEL/CentOS 7, and their effects are less visible, but it’s still quite old.

For kOps versions 1.16 and 1.17, the only supported Docker version is 18.06.3. Newer versions of Docker cannot be installed due to missing dependencies for container-selinux. This issue is fixed in kOps 1.18.

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 137112412989 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=amzn2-ami-hvm-2*-x86_64-gp2"

Debian 10 (Buster)

Debian 10 is based on Kernel version 4.19, which fixes some of the bugs present in Debian 9, and their effects are less visible.

One notable change is the addition of iptables NFT, which is used by default. This is not yet supported by most CNI plugins and seems to be slower than the legacy version. It is recommended to switch to iptables legacy by using the following script in additionalUserData for each instance group:

    additionalUserData:
    - name: busterfix.sh
      type: text/x-shellscript
      content: |
        #!/bin/sh
        update-alternatives --set iptables /usr/sbin/iptables-legacy
        update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
        update-alternatives --set arptables /usr/sbin/arptables-legacy
        update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 136693071363 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=debian-10-amd64-*"

Flatcar

Flatcar is a friendly fork of CoreOS and as such, compatible with it.

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 075585003325 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=Flatcar-stable-*-hvm"

RHEL 8

RHEL 8 is based on Kernel version 4.18, which fixes some of the bugs present in RHEL/CentOS 7, and their effects are less visible.

One notable change is the addition of iptables NFT, which is the only iptables backend available. This may not be supported by some CNI plugins and should be used with care.

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 309956199498 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=RHEL-8.*x86_64*"

Ubuntu 20.04 (Focal)

Ubuntu 20.04 is based on Kernel version 5.4 which fixes all the known major Kernel bugs.

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 099720109477 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-*"

Deprecated Distros

CentOS 7

CentOS 7 is based on Kernel version 3.10 which has a considerable number of known bugs that affect it and may be noticed in production clusters:

The minimum supported version is 7.4. Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 125523088429 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=CentOS 7.*x86_64"

CentOS 8

CentOS 8 has announced that its End of Life is December 31, 2021.

CentOS 8 is based on Kernel version 4.18, which fixes some of the bugs present in RHEL/CentOS 7, and their effects are less visible.

One notable change is the addition of iptables NFT, which is the only iptables backend available. This may not be supported by some CNI plugins and should be used with care.

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 125523088429 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=CentOS 8.*x86_64"

Debian 9 (Stretch)

Debian 9 is based on Kernel version 4.9 which has a number of known bugs that affect it and which may be noticed with larger clusters:

This release is EOL, which means that the Debian Security Team no longer handles security fixes. That is now the responsibility/purview of the LTS team, which is a group of volunteers who are paid by donations to Debian LTS.

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 379101102735 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=debian-stretch-hvm-x86_64-gp2-*"

Kope.io

Support for kope.io images is deprecated. These images were the default until Kubernetes 1.18, when they were replaced by the official Ubuntu 20.04 images.

The kope.io images were based on Debian 9 (Stretch) and had all packages required by kOps pre-installed. Other than that, the changes to the official Debian images were minimal.

RHEL 7

RHEL 7 is based on Kernel version 3.10 which has a considerable number of known bugs that affect it and may be noticed in production clusters:

The minimum supported version is 7.4. Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 309956199498 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=RHEL-7.*x86_64*"

Ubuntu 18.04 (Bionic)

Ubuntu 18.04 is based on Kernel version 4.15 which has a number of known bugs that affect it and which may be noticed with larger clusters:

Available images can be listed using:

    aws ec2 describe-images --region us-east-1 --output table \
      --owners 099720109477 \
      --query "sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]" \
      --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-*"

Owner aliases

kOps supports owner aliases for the official accounts of supported distros:

  • kope.io => 383156758163
  • amazon => 137112412989
  • centos => 125523088429
  • debian9 => 379101102735
  • debian10 => 136693071363
  • flatcar => 075585003325
  • redhat => 309956199498
  • ubuntu => 099720109477
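
AMI names are not unique across AWS accounts, so the <owner>/<name> and <alias>/<name> forms described at the top of this page also pin who published the image. The following is an added example, not part of kOps or its documentation: a shell lint that resolves an image value to its owner account ID through the alias list above and reports whether that account is on the list. The function names and the 123456789012 account are assumptions made for the example.

```shell
# Added example (not kOps code): lint a kOps `image:` value against the owner
# aliases listed on this page. All function names are hypothetical.

# Map an owner alias, or a literal 12-digit account ID, to an account ID.
kops_owner_id() {
    case "$1" in
        kope.io)  echo 383156758163 ;;
        amazon)   echo 137112412989 ;;
        centos)   echo 125523088429 ;;
        debian9)  echo 379101102735 ;;
        debian10) echo 136693071363 ;;
        flatcar)  echo 075585003325 ;;
        redhat)   echo 309956199498 ;;
        ubuntu)   echo 099720109477 ;;
        *) printf '%s\n' "$1" | grep -Ex '[0-9]{12}' ;;  # fails if not an ID
    esac
}

# Succeed when the account ID is one of the official accounts listed above.
kops_is_official_owner() {
    for a in kope.io amazon centos debian9 debian10 flatcar redhat ubuntu; do
        [ "$(kops_owner_id "$a")" = "$1" ] && return 0
    done
    return 1
}

# Print "<verdict> <owner-id> <name>"; verdict is official, unlisted-owner,
# ami-id (owner only known after a describe-images lookup) or invalid.
kops_lint_image() {
    image=$1
    case "$image" in
        ami-*) echo "ami-id - $image"; return 0 ;;
        */*)   ;;
        *)     echo "invalid - $image"; return 1 ;;
    esac
    owner=${image%%/*}   # text before the first "/"
    name=${image#*/}     # the rest; AMI names may themselves contain "/"
    id=$(kops_owner_id "$owner") || { echo "invalid - $image"; return 1; }
    kops_is_official_owner "$id" && verdict=official || verdict=unlisted-owner
    echo "$verdict $id $name"
}

# Constructed sample values (the last account ID is made up).
n=ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200423
for img in ami-00579fbb15b954340 "099720109477/$n" "ubuntu/$n" "123456789012/$n"; do
    kops_lint_image "$img" || true
done
```

An ami- value carries no owner, so its OwnerId has to be confirmed from the describe-images output for that id.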