AWS abstracts container orchestration so IT teams don't have to worry about managing master nodes and API versions -- but that doesn't solve everything. These deployments still need patching, security implementations and proper performance monitoring.
To address this, AWS built Bottlerocket, a Linux-based OS with the sole purpose of running containers in AWS, on bare metal or in virtualized environments. In this article, you will learn the pros and cons of Bottlerocket and see how to configure it for Amazon Elastic Kubernetes Service (EKS).
When Kubernetes first launched, users had to create clusters with master nodes and worker nodes. Although this was a breakthrough at the time for managing containers in a scalable world, developers wanted more. They wanted a way to use the orchestration platform without having to manage the infrastructure and, to meet this demand, vendors deployed managed services, such as EKS.
Although EKS strips out a lot of the infrastructure components, users still need to manage worker nodes. Thus, they still need a proper way to navigate a Linux operating system and secure these Kubernetes nodes. Bottlerocket aims to simplify some of these issues by providing a purpose-built container OS that is essentially a stripped-down version of Linux.
One of the key benefits of Bottlerocket is that it doesn't just pertain to Docker. Bottlerocket works with any containerization platform that caters to the Open Container Initiative format. Essentially, all containers are welcome.
Some of the more popular containerization platforms you will see are:
You might wonder why you should use Bottlerocket, since EKS is a managed service. But there are good reasons to incorporate this OS in your AWS container strategy.
Although Linux is open source, some organizations that operate solely on Linux -- or on other Unix-like systems such as FreeBSD and OpenBSD -- still pay to license the operating system. Bottlerocket, by contrast, is 100% open source and its code is on GitHub. That means you can see what is happening under the hood before committing to it.
Because Bottlerocket is a stripped-down OS, users don't have to worry about too much overhead. There are no fancy features or added parts of the OS that you won't use for a containerized environment.
There are security gaps in every system because security needs constantly change. You may never get rid of all security issues but you should mitigate them as much as possible.
With Bottlerocket, you only have to manage the essential components of the OS, which improves security. Because the OS ships far fewer packages than a standard Linux distribution, many zero-day attacks and attacks on well-known components that would normally be installed simply have nothing to target. These more common threats are mitigated because you're working with a stripped-down version of Linux.
Another great security feature is automated updates. Users can automate OS updates using an orchestration platform, such as EKS.
Even though Bottlerocket promises to solve a lot of problems with containers, it's still in preview and has notable drawbacks. At this time, Bottlerocket is not available in Amazon Elastic Container Service and does not support ARM64. Although AWS touts Bottlerocket's OS security for its use of a primarily read-only file system, that comes with its own set of problems. For example, some applications need to write to areas of the disk, thus requiring application code modifications.
And since the OS has been slimmed down to be faster, a developer might find that some of the Linux components it previously depended on aren't included. Because Bottlerocket is in preview, a lot may change once it becomes generally available. However, with such drastic changes needed to create this specialty OS, there are bound to be changes in the applications that run on it.
How to set up Bottlerocket for EKS
Now that you have a basic understanding of Bottlerocket, it's time to jump into a demo. In this section, you'll learn the key setup features, the best ways to implement Bottlerocket and how you can take advantage of the features of this container OS.
Create an EKS cluster
To proceed further, you will need an EKS cluster. If you do not have one ready, you can follow these directions to create an EKS cluster through the AWS Management Console or AWS CLI. Or, to quickly create one, use the eksctl tool in your terminal.
eksctl create cluster \
  --name my-cluster \
  --version 1.16 \
  --without-nodegroup
Create the Bottlerocket EC2 instance
Because Bottlerocket runs on EC2, you will need to create some instances. For the purposes of this tutorial, you will create one Bottlerocket EC2 instance.
Log into the AWS Management Console.
In the search bar, type "ec2" and click on EC2.
Under Instances, click on the orange Launch Instance button.
After clicking the Launch Instance button, select Launch Instance from the drop-down menu.
Under the search bar, search for "Bottlerocket."
Click on Community AMIs.
Community AMIs are images published by AWS account holders rather than by AWS itself. At the time of publication, AWS does not offer a Bottlerocket image outside of the community AMIs. Because a community AMI is not published by AWS, check the AMI's owner account ID before launching it. Choose the first AMI, ami-06851e719b3441357, and click the blue Select button.
For the next steps, you can use the free tier portions of AWS to create the EC2 instance.
Connect a Bottlerocket image to EKS
Now that you know how to deploy a Bottlerocket EC2 instance, it's time to connect that Bottlerocket node to an EKS cluster and enable automated OS updates on it.
Bottlerocket's automated updates are driven by a Kubernetes update operator, which is installed from a Kubernetes manifest. Clone the repository that contains the manifest and store it on a local computer.
Change directory (cd) into the directory where the new Kubernetes manifest exists.
Run the following command to create the Kubernetes deployment.
kubectl apply -f ./update-operator.yaml
The output will look similar to the screenshot below.
Next, label each Bottlerocket node so that the update operator recognizes it and its pods are scheduled onto Bottlerocket hosts. Run the following command for each node, replacing $NODE_NAME with the node's name as shown by kubectl get nodes.
kubectl label node $NODE_NAME bottlerocket.aws/updater-interface-version=1.0.0
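Labelling nodes one at a time is error-prone once a cluster has more than a handful of them, and a node that is not running Bottlerocket should never receive the label. The script below is an added example, not part of the original article or of the Bottlerocket project: it reads each node's reported OS image from kubectl, keeps only the nodes whose image identifies as Bottlerocket, and applies the label from the command above. The node names and OS image strings in sample_nodes are constructed so the filtering logic can be exercised without a cluster; the function assumes kubectl is already configured against your EKS cluster.

```shell
#!/bin/sh
# Added example (not from the original article): label only the nodes that
# actually run Bottlerocket so the update operator manages them.
# Assumes kubectl is configured for the EKS cluster created earlier.

# Filter "node-name<TAB>osImage" lines down to the names of Bottlerocket nodes.
# Pure text processing, so it can be tested offline with constructed input.
bottlerocket_nodes() {
  awk -F'\t' 'tolower($2) ~ /bottlerocket/ { print $1 }'
}

# Live query: one line per node, "name<TAB>osImage", taken from the kubelet's
# reported node info (the same data shown by kubectl get nodes -o wide).
list_nodes() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.osImage}{"\n"}{end}'
}

# Constructed sample of list_nodes output: two Bottlerocket nodes and one
# Amazon Linux 2 node that must not be labelled.
sample_nodes() {
  printf 'ip-10-0-1-10.ec2.internal\tBottlerocket OS 0.3.1 (aws-k8s-1.16)\n'
  printf 'ip-10-0-1-11.ec2.internal\tAmazon Linux 2\n'
  printf 'ip-10-0-1-12.ec2.internal\tBottlerocket OS 0.3.1 (aws-k8s-1.16)\n'
}

# Apply the update-operator label (value from the article) to every
# Bottlerocket node; --overwrite makes the script safe to re-run.
apply_labels() {
  list_nodes | bottlerocket_nodes | while IFS= read -r node; do
    [ -n "$node" ] || continue
    echo "labelling $node"
    kubectl label node "$node" \
      bottlerocket.aws/updater-interface-version=1.0.0 --overwrite
  done
}

# Usage: sh label-bottlerocket.sh apply      (runs against the cluster)
#        sh label-bottlerocket.sh dry-run    (shows which nodes would be labelled
#                                             using the constructed sample)
case "${1:-}" in
  apply)   apply_labels ;;
  dry-run) sample_nodes | bottlerocket_nodes ;;
esac
```

Run it with dry-run first to see the filter select only the two Bottlerocket nodes from the constructed sample, then with apply against the real cluster. Matching on the OS image rather than on an instance tag or AMI ID means a node that was rebuilt from a different AMI will drop out of the selection automatically.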
Congratulations, you have successfully set up Bottlerocket to work in EKS.