Amazon Elastic Kubernetes Service (EKS) has announced a major change:
- After November 26, 2025, Amazon EKS will no longer publish EKS-optimized Amazon Linux 2 (AL2) AMIs.
- Kubernetes 1.32 will be the final version with AL2 AMI support.
- From Kubernetes 1.33 onwards, EKS will only release Amazon Linux 2023 (AL2023) and Bottlerocket based AMIs.
This means that organizations running EKS clusters with AL2 worker nodes must migrate before upgrading beyond Kubernetes 1.32.
Why is Amazon EKS Ending AL2 AMIs?
Amazon Linux 2 has been the default for many workloads on AWS for years. However, AWS is now moving towards more modern operating systems:
- Amazon Linux 2023 (AL2023): Successor to AL2, providing long-term support, predictable release cycles, and better security patching.
- Bottlerocket: A container-optimized OS with an immutable root filesystem and reduced attack surface.
Both offer:
- Improved security posture (predictable updates, hardened defaults).
- Performance optimizations for cloud-native workloads.
- Future-proofing for Kubernetes versions beyond 1.32.
What Does This Mean for EKS Users?
- If your clusters run Amazon Linux 2 node groups, you can continue using them up to Kubernetes 1.32.
- When you plan to upgrade to Kubernetes 1.33 or later, you must migrate your nodes to AL2023 or Bottlerocket.
- After Nov 26, 2025, there will be no new AL2 AMIs or security patches, even if you stay on older Kubernetes versions.
Migration Strategy with eksctl
The good news: you don’t need to rebuild your cluster. With eksctl, you can replace node groups or upgrade them in place while keeping your control plane and workloads intact.
🔹 Option 1: Create a New AL2023 Node Group
You can add a new node group running AL2023 alongside your existing AL2 group.
eksctl create nodegroup \
  --cluster my-cluster \
  --name al2023-ng \
  --node-type t3.medium \
  --nodes 3 \
  --nodes-min 2 \
  --nodes-max 5 \
  --managed \
  --ami-family AmazonLinux2023
Then:
- Drain old nodes:
kubectl drain <old-node-name> --ignore-daemonsets --delete-emptydir-data
- Delete old node group once workloads are migrated:
eksctl delete nodegroup --cluster my-cluster --name al2-ng
🔹 Option 2: Update Existing Node Group to AL2023
If you want to upgrade in place:
cluster.yaml (snippet):
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: my-cluster
  region: ap-southeast-1
nodeGroups:
  - name: al2023-ng
    instanceType: t3.medium
    desiredCapacity: 3
    amiFamily: AmazonLinux2023
Apply the upgrade:
eksctl upgrade nodegroup --config-file=cluster.yaml --name=al2023-ng
This will cordon, drain, and replace nodes with AL2023-based ones.
🔹 Option 3: Move to Bottlerocket
For security-focused or container-only workloads, Bottlerocket is a strong choice:
eksctl create nodegroup \
  --cluster my-cluster \
  --name bottlerocket-ng \
  --node-type t3.medium \
  --nodes 3 \
  --nodes-min 2 \
  --nodes-max 5 \
  --managed \
  --ami-family Bottlerocket
Verifying Migration
After migration, confirm that nodes are running the new OS:
kubectl get nodes -o wide
kubectl describe node <node-name> | grep "OS Image"
Expected outputs:
- AL2023:
Amazon Linux 2023
- Bottlerocket:
Bottlerocket OS
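To run the same check across every node instead of one at a time, the script below (an added example, not part of the original post) reads name/osImage pairs and lists the nodes still on AL2. It tests for AL2023 first because "Amazon Linux 2" is a prefix of "Amazon Linux 2023", so a plain grep for the AL2 string matches both. The function names and the sample inventory are assumptions made for illustration.

```bash
# Input: one "<node-name><TAB><osImage>" line per node, for example from
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.osImage}{"\n"}{end}'
TAB=$(printf '\t')

# Map an osImage string to an OS family. The AL2023 pattern comes first so
# that AL2023 nodes are never counted as AL2.
classify_os() {
  case "$1" in
    "Amazon Linux 2023"*)                echo al2023 ;;
    "Amazon Linux 2"|"Amazon Linux 2 "*) echo al2 ;;
    "Bottlerocket OS"*)                  echo bottlerocket ;;
    *)                                   echo other ;;
  esac
}

# Print the names of the nodes on stdin that still run AL2.
al2_nodes() {
  # "|| [ -n "$name" ]" keeps a final line that has no trailing newline.
  while IFS="$TAB" read -r name image || [ -n "$name" ]; do
    [ -n "$name" ] || continue
    if [ "$(classify_os "$image")" = al2 ]; then
      printf '%s\n' "$name"
    fi
    name=""
  done
}

# Exit 0 only when no AL2 node remains, i.e. the node fleet no longer
# blocks an upgrade past Kubernetes 1.32.
ready_for_133() {
  [ -z "$(al2_nodes)" ]
}

# Constructed sample inventory: node names and version suffixes are made up.
SAMPLE_NODES=$(printf '%s\t%s\n' \
  ip-10-0-1-11.internal "Amazon Linux 2" \
  ip-10-0-1-12.internal "Amazon Linux 2023.6.20250101" \
  ip-10-0-2-21.internal "Bottlerocket OS 1.30.0 (aws-k8s-1.32)")

printf '%s\n' "$SAMPLE_NODES" | al2_nodes
```

Against a live cluster, pipe the `kubectl get nodes` command from the first comment into `al2_nodes` or `ready_for_133`.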
Best Practices
- Test first in staging before production.
- Use rolling upgrades: never drain all nodes at once.
- Automate configs: keep cluster.yaml under version control for repeatable upgrades.
- Monitor workloads: watch CloudWatch and Kubernetes metrics after migration.
Final Thoughts
Amazon EKS ending support for AL2 AMIs is a big change — but also a chance to modernize.
- Short term: AL2 remains usable until Kubernetes 1.32.
- Long term: Migrate to AL2023 (closest successor) or Bottlerocket (security-focused OS).
By starting your migration early and using eksctl to manage node group upgrades, you can ensure a smooth transition before the November 2025 cutoff.