review:

1. Fix maxPods
2. Make clusterDNS optional
3. Move node-labels from gotemplate to go func, for readability
4. Add usage documentation in the book

Author: mloiseleur

bootstrap/eks/controllers/eksconfig_controller.go

@@ -194,7 +194,6 @@ func (r *EKSConfigReconciler) resolveSecretFileContent(ctx context.Context, ns s
 
 func (r *EKSConfigReconciler) joinWorker(ctx context.Context, cluster *clusterv1.Cluster, config *eksbootstrapv1.EKSConfig, configOwner *bsutil.ConfigOwner) (ctrl.Result, error) {
 	log := logger.FromContext(ctx)
-	log.Info("joinWorker called", "config", config.Name, "nodeType", config.Spec.NodeType, "cluster", cluster.Name)
 
 	// only need to reconcile the secret for Machine kinds once, but MachinePools need updates for new launch templates
 	if config.Status.DataSecretName != nil && configOwner.GetKind() == "Machine" {

bootstrap/eks/internal/userdata/node.go

@@ -87,10 +87,12 @@ spec:
   kubelet:
     config:
       maxPods: {{.MaxPods}}
+      {{- with .DNSClusterIP }}
       clusterDNS:
-      - {{.DNSClusterIP}}
+      - {{.}}
+      {{- end }}
     flags:
-    - "--node-labels={{if and .KubeletExtraArgs (index .KubeletExtraArgs "node-labels")}}{{index .KubeletExtraArgs "node-labels"}}{{else}}eks.amazonaws.com/nodegroup-image={{if .AMIImageID}}{{.AMIImageID}}{{end}},eks.amazonaws.com/capacityType={{if .CapacityType}}{{.CapacityType}}{{else}}ON_DEMAND{{end}},eks.amazonaws.com/nodegroup={{.NodeGroupName}}{{end}}"
+    - "--node-labels={{.NodeLabels}}"
 
 --{{.Boundary}}--`
 )
@@ -123,15 +125,16 @@ type NodeInput struct {
 	AMIFamilyType string
 
 	// AL2023 specific fields
+	AMIImageID        string
 	APIServerEndpoint string
+	Boundary          string
 	CACert            string
-	NodeGroupName     string
-	AMIImageID        string
 	CapacityType      *v1beta2.ManagedMachinePoolCapacityType
-	MaxPods           *int32
-	Boundary          string
-	ClusterDNS        string
 	ClusterCIDR       string // CIDR range for the cluster
+	ClusterDNS        string
+	MaxPods           *int32
+	NodeGroupName     string
+	NodeLabels        string // Not exposed in CRD, computed from user input
 }
 
 // PauseContainerInfo holds pause container information for templates.
@@ -255,6 +258,24 @@ func generateAL2023UserData(input *NodeInput) ([]byte, error) {
 	return buf.Bytes(), nil
 }
 
+// getNodeLabels returns the string representation of node-labels flags for nodeadm
+func (ni *NodeInput) getNodeLabels() string {
+	if ni.KubeletExtraArgs != nil {
+		if _, ok := ni.KubeletExtraArgs["node-labels"]; ok {
+			return ni.KubeletExtraArgs["node-labels"]
+		}
+	}
+	nodeLabels := make([]string, 0, 3)
+	if ni.AMIImageID != "" {
+		nodeLabels = append(nodeLabels, fmt.Sprintf("eks.amazonaws.com/nodegroup-image=%s", ni.AMIImageID))
+	}
+	if ni.NodeGroupName != "" {
+		nodeLabels = append(nodeLabels, fmt.Sprintf("eks.amazonaws.com/nodegroup=%s", ni.NodeGroupName))
+	}
+	nodeLabels = append(nodeLabels, fmt.Sprintf("eks.amazonaws.com/capacityType=%s", ni.getCapacityTypeString()))
+	return strings.Join(nodeLabels, ",")
+}
+
 // getCapacityTypeString returns the string representation of the capacity type.
 func (ni *NodeInput) getCapacityTypeString() string {
 	if ni.CapacityType == nil {
@@ -287,22 +308,22 @@ func validateAL2023Input(input *NodeInput) error {
 
 	if input.MaxPods == nil {
 		if input.UseMaxPods != nil && *input.UseMaxPods {
-			input.MaxPods = ptr.To[int32](58)
-		} else {
 			input.MaxPods = ptr.To[int32](110)
+		} else {
+			input.MaxPods = ptr.To[int32](58)
 		}
 	}
-	if input.DNSClusterIP == nil {
-		input.DNSClusterIP = ptr.To[string]("10.96.0.10")
+	if input.DNSClusterIP != nil {
+		input.ClusterDNS = *input.DNSClusterIP
 	}
-	input.ClusterDNS = *input.DNSClusterIP
 
 	if input.Boundary == "" {
 		input.Boundary = boundary
 	}
+	input.NodeLabels = input.getNodeLabels()
 
-	klog.V(2).Infof("AL2023 Userdata Generation - maxPods: %d, clusterDNS: %s, amiID: %s, capacityType: %s",
-		*input.MaxPods, *input.DNSClusterIP, input.AMIImageID, input.getCapacityTypeString())
+	klog.V(2).Infof("AL2023 Userdata Generation - maxPods: %d, node-labels: %s",
+		*input.MaxPods, input.NodeLabels)
 
 	return nil
 }

docs/book/src/topics/eks/enabling.md

@@ -6,6 +6,42 @@ Support for EKS is enabled by default when you use the AWS infrastructure provid
 clusterctl init --infrastructure aws
 ```
 
+## Amazon Linux 2023
+
+Amazon EKS will end support for EKS optimized AL2 AMIs on November 26, 2025.
+
+With AL2023, [nodeadm](https://github.com/awslabs/amazon-eks-ami/tree/main/nodeadm) is used to join EKS cluster.
+Starting with v2.9.0, it's possible to set the node type in `EKSConfig` and `EKSConfigTemplate` like this:
+
+```yaml
+apiVersion: bootstrap.cluster.x-k8s.io/v1beta2
+kind: EKSConfigTemplate
+metadata:
+  name: al2023
+spec:
+  template:
+    spec:
+      nodeType: al2023
+```
+
+AL2023 AMI can also be set in `AWSMAchineTemplate`. The use of Secrets Manager trick should be disabled because
+nodeadm expect the `NodeConfig` in plain text in EC2 instance's userdata.
+
+
+```yaml
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
+kind: AWSMachineTemplate
+metadata:
+  name: al2023
+spec:
+  template:
+    spec:
+      ami:
+        eksLookupType: AmazonLinux2023
+      cloudInit:
+        insecureSkipSecretsManager: true
+```
+
 ## Enabling optional **EKS** features
 
 There are additional EKS experimental features that are disabled by default. The sections below cover how to enable these features.