Amazon EKS optimized Windows AMIs

Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019 and Windows Server 2022. They are configured to serve as the base image for Amazon EKS nodes. By default, the AMIs include the following components:

Note

You can track security or privacy events for Windows Server with the Microsoft security update guide.

Amazon EKS offers AMIs that are optimized for Windows containers in the following variants:

  • Amazon EKS-optimized Windows Server 2019 Core AMI

  • Amazon EKS-optimized Windows Server 2019 Full AMI

  • Amazon EKS-optimized Windows Server 2022 Core AMI

  • Amazon EKS-optimized Windows Server 2022 Full AMI

Important

  • The Amazon EKS-optimized Windows Server 20H2 Core AMI is deprecated. No new versions of this AMI will be released.

  • To ensure that you have the latest security updates by default, Amazon EKS maintains at least the four most recent Windows Amazon EKS-optimized AMIs. After releasing new Windows Amazon EKS-optimized AMIs, Amazon EKS makes the Windows Amazon EKS-optimized AMIs that are older private. If there is a private AMI that you need access to, let us know by filing a ticket with Amazon Web Services Support.

Release calendar

The following table lists the release and end of support dates for Windows versions on Amazon EKS. If an end date is blank, it's because the version is still supported.

Windows version          | Amazon EKS release | Amazon EKS end of support
Windows Server 2022 Core | 10/17/2022         |
Windows Server 2022 Full | 10/17/2022         |
Windows Server 20H2 Core | 8/12/2021          | 8/9/2022
Windows Server 2004 Core | 8/19/2020          | 12/14/2021
Windows Server 2019 Core | 10/7/2019          |
Windows Server 2019 Full | 10/7/2019          |
Windows Server 1909 Core | 10/7/2019          | 12/8/2020

Bootstrap script configuration parameters

When you create a Windows node, there's a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see Amazon EC2 user data.

The script includes the following parameters:

  • -EKSClusterName – Specifies the Amazon EKS cluster name for this worker node to join.

  • -KubeletExtraArgs – Specifies extra arguments for kubelet (optional).

  • -KubeProxyExtraArgs – Specifies extra arguments for kube-proxy (optional).

  • -APIServerEndpoint – Specifies the Amazon EKS cluster API server endpoint (optional). Only valid when used with -Base64ClusterCA. Bypasses calling Get-EKSCluster.

  • -Base64ClusterCA – Specifies the base64 encoded cluster CA content (optional). Only valid when used with -APIServerEndpoint. Bypasses calling Get-EKSCluster.

  • -DNSClusterIP – Overrides the IP address to use for DNS queries within the cluster (optional). Defaults to 10.100.0.10 or 172.20.0.10 based on the IP address of the primary interface.

  • -ContainerRuntime – Specifies the container runtime to be used on the node.

  • -ServiceCIDR – Overrides the Kubernetes service IP address range from which cluster services are addressed. Defaults to 172.20.0.0/16 or 10.100.0.0/16 based on the IP address of the primary interface.

  • -ExcludedSnatCIDRs – A list of IPv4 CIDRs to exclude from Source Network Address Translation (SNAT). This means that a pod's private IP address, which is VPC addressable, isn't translated to the primary IPv4 address of the instance's ENI for outbound traffic. By default, the IPv4 CIDR of the VPC for the Amazon EKS Windows node is added. Any CIDRs that you specify with this parameter are excluded in addition to that default. For more information, see SNAT for Pods.

Enable the containerd runtime bootstrap flag

For Kubernetes version 1.23, you can use an optional bootstrap flag to enable the containerd runtime for Amazon EKS optimized Windows AMIs. This feature gives you a clear path to migrate to containerd when updating to version 1.24 or later. Amazon EKS ended support for Docker starting with the Kubernetes version 1.24 launch. For more information, see Amazon EKS ended support for Dockershim.

For Amazon EKS version 1.23, the supported values for the container runtime are docker and containerd. The container runtime is specified when launching the Windows nodes using either eksctl or the Amazon Web Services Management Console.

  • If the specified value is docker and the Amazon EKS version is 1.23, then Docker is used as the runtime on the node.

  • If any other value is specified (that is, anything other than docker or containerd), then the bootstrap fails and the node isn't able to join the cluster.

  • If this flag isn't specified, then the default value of the container runtime is selected. For Amazon EKS version 1.23 and earlier, the default is Docker. For 1.24 and later clusters, it is containerd.
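
The rules in the bootstrap parameter list and in the container runtime bullets above can be checked before a node is launched. The following is an added example, not AWS code and not part of the bootstrap script: a Python lint for a bootstrap argument string. The function names, the sample values, and the check that the DNS address lies inside the service CIDR are assumptions made for this illustration.

```python
import base64
import ipaddress
import shlex

RUNTIMES = {"docker", "containerd"}  # supported values listed on this page

def parse_args(arg_string):
    """Split '-Name value' pairs; PowerShell parameter names are case-insensitive."""
    tokens, args, i = shlex.split(arg_string), {}, 0
    while i < len(tokens):
        name = tokens[i].lstrip("-").lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        # Simplification: a following token is a value unless it looks like
        # "-Name"; "--flag" values (kubelet/kube-proxy extra args) are values.
        if nxt is not None and (not nxt.startswith("-") or nxt.startswith("--")):
            args[name], i = nxt, i + 2
        else:
            args[name], i = "", i + 1
    return args

def lint_bootstrap_args(arg_string, k8s_version):
    """Return findings for one argument string; an empty list means none."""
    args, findings = parse_args(arg_string), []
    if not args.get("eksclustername"):
        findings.append("-EKSClusterName is missing")
    # Each of these two parameters is only valid when used with the other.
    if ("apiserverendpoint" in args) != ("base64clusterca" in args):
        findings.append("-APIServerEndpoint and -Base64ClusterCA must be used together")
    if "base64clusterca" in args:
        try:  # EKS hands out the cluster CA as base64-encoded PEM
            pem = base64.b64decode(args["base64clusterca"], validate=True)
        except ValueError:
            pem = b""
        if b"-----BEGIN CERTIFICATE-----" not in pem:
            findings.append("-Base64ClusterCA does not decode to a PEM certificate")
    runtime = args.get("containerruntime")
    if runtime is not None and runtime not in RUNTIMES:
        findings.append(f"-ContainerRuntime {runtime!r} fails the bootstrap")
    elif runtime == "docker" and int(k8s_version.split(".")[1]) >= 24:
        findings.append("docker is not available on Kubernetes 1.24 and later")
    if "dnsclusterip" in args and "servicecidr" in args:
        # Assumed consistency check: the cluster DNS address is a service IP.
        if ipaddress.ip_address(args["dnsclusterip"]) not in ipaddress.ip_network(args["servicecidr"]):
            findings.append("-DNSClusterIP is outside -ServiceCIDR")
    return findings

# Constructed sample inputs (placeholder names, not real cluster data).
FAKE_CA = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n").decode()
GOOD = f"-EKSClusterName demo -APIServerEndpoint https://example.invalid -Base64ClusterCA {FAKE_CA} -ContainerRuntime containerd"
BAD = "-EKSClusterName demo -APIServerEndpoint https://example.invalid -ContainerRuntime docker -DNSClusterIP 10.100.0.10 -ServiceCIDR 172.20.0.0/16"

if __name__ == "__main__":
    print(lint_bootstrap_args(GOOD, "1.23"))
    print(lint_bootstrap_args(BAD, "1.24"))
```

The parser handles simple space-separated arguments only; it does not implement full PowerShell quoting, and malformed IP or CIDR values raise ValueError rather than producing a finding.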

When launching Windows nodes in your Amazon EKS cluster, follow the steps in Launching self-managed Windows nodes. Windows self-managed nodes with the containerd runtime can be launched using eksctl or the Amazon Web Services Management Console.

eksctl

To enable the containerd runtime with eksctl

For Windows self-managed nodes, the container runtime can be specified in the configuration while creating new node groups. You can use the following test-windows-with-containerd.yaml as reference.

Note

You must use eksctl version 0.95.0 or later to use the containerRuntime setting in the configuration file.

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: windows-containerd-cluster
  region: us-west-2
  version: 'X.XX'

nodeGroups:
  - name: windows-ng
    instanceType: m5.2xlarge
    amiFamily: WindowsServer2019FullContainer
    volumeSize: 100
    minSize: 2
    maxSize: 3
    containerRuntime: containerd
  - name: linux-ng
    amiFamily: AmazonLinux2
    minSize: 2
    maxSize: 3

The node groups can then be created using the following command.

eksctl create cluster -f test-windows-with-containerd.yaml

Note

Starting with eksctl version 0.95, you can no longer use preBootstrapCommands to configure ContainerRuntime for Windows nodes.

For more information, see Creating a nodegroup from a config file, defining containerd runtime, and Config file schema in the eksctl documentation.

Amazon Web Services Management Console

To enable the containerd runtime with the Amazon Web Services Management Console

In the Amazon CloudFormation template, there's a parameter named BootstrapArguments which can be used to pass in additional arguments to the bootstrap script. A parameter named ContainerRuntime can be used to select a particular runtime on the node.

Specify the following in BootstrapArguments to enable the containerd runtime:

-ContainerRuntime containerd

Launch self-managed Windows Server 2022 nodes with eksctl

Amazon EKS optimized Windows Server 2022 AMIs are available for Kubernetes version 1.23 or higher. You can use the following test-windows-2022.yaml as reference for running Windows Server 2022 as self-managed nodes.

Note

You must use eksctl version 0.116.0 or later to run self-managed Windows Server 2022 nodes.

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: windows-2022-cluster
  region: us-west-2
  version: '1.23'

nodeGroups:
  - name: windows-ng
    instanceType: m5.2xlarge
    amiFamily: WindowsServer2022FullContainer
    volumeSize: 100
    minSize: 2
    maxSize: 3
  - name: linux-ng
    amiFamily: AmazonLinux2
    minSize: 2
    maxSize: 3

The node groups can then be created using the following command.

eksctl create cluster -f test-windows-2022.yaml

gMSA authentication support

Amazon EKS Windows Pods allow different types of group Managed Service Account (gMSA) authentication.

Cached container images

Amazon EKS Windows optimized AMIs have certain container images cached for both the docker and containerd runtimes. Container images are cached when building custom AMIs using Amazon-managed build components. For more information, see Using the Amazon-managed build component.

For Amazon EKS 1.23 and lower

The docker runtime is the default and has the following container images cached on Amazon EKS Windows AMIs. Retrieve this image list by running docker images on the Amazon EKS Windows node:

  • amazonaws.com/eks/pause-windows

  • mcr.microsoft.com/windows/nanoserver

  • mcr.microsoft.com/windows/servercore

The containerd runtime only has one container image. Retrieve this image list by running ctr -n k8s.io images list:

  • amazonaws.com/eks/pause-windows

For Amazon EKS 1.24 and higher

There is no docker runtime. The following cached container images are for the containerd runtime:

  • amazonaws.com/eks/pause-windows

  • mcr.microsoft.com/windows/nanoserver

  • mcr.microsoft.com/windows/servercore

More information

For more information about using Amazon EKS optimized Windows AMIs, see the following sections: