Unable to create an EKS cluster with al2023 when FIPS is enabled

[LochanRn]

What happened: Unable to create an EKS cluster with al2023 with FIPS enabled AMI.

What you expected to happen: To be able to create an EKS cluster with al2023 with FIPS enabled AMI.

How to reproduce it (as minimally and precisely as possible):

• Build an AL2023 FIPS enabled to AMI.
• Use the same AMI to create an EKS cluster worker node group.

Anything else we need to know?:

The nodes get created but unable to join the cluster.

After I logged into the vm and checked the cloud-init logs i see the bootstrap.sh file is missing. I built the AMI using the official upstream repo. Used the al2023 template https://github.com/awslabs/amazon-eks-ami/tree/main/templates/al2023 The template does not have the bootstrap.sh script.

Environment:

• AWS Region: east-us-2
• Instance Type(s): m5.2xlarge
• EKS Platform version (use aws eks describe-cluster --name <name> --query cluster.platformVersion): eks.7
• Kubernetes version (use aws eks describe-cluster --name <name> --query cluster.version): 1.29
• AMI Version: AL2023
• Kernel (e.g. uname -a):

  Linux ip-10-0-10-16.us-east-2.compute.internal 6.1.92-99.174.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Jun  4 15:43:46 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

• Release information (run cat /etc/eks/release on a node):

  BASE_AMI_ID="ami-0bfa2fb693fc2aeb2"
  BUILD_TIME="Fri Jun 14 08:44:55 UTC 2024"
  BUILD_KERNEL="6.1.92-99.174.amzn2023.x86_64"
  ARCH="x86_64"

[LochanRn]

Any docs regarding how to create an EKS cluster using AL2023 is also very helpful.

[KrisJohnstone]

I suggest you read the following blog post as al2023 doesn't use bootstrap.sh, the code in this repo also has pretty good documentation in how nodeadm works: https://github.com/awslabs/amazon-eks-ami/blob/main/nodeadm/README.md

EDIT: the terraform module for eks supports al2023 and has examples: https://github.com/terraform-aws-modules/terraform-aws-eks