
Commit 10f576e

alpetric and hcourdent authored
note about eks bottlerocket + nsjail (#1235)
Co-authored-by: Henri Courdent <122811744+hcourdent@users.noreply.github.com>
1 parent 9e48eaa commit 10f576e

2 files changed

+30
-0
lines changed

docs/advanced/1_self_host/aws_eks_ecs.mdx

Lines changed: 13 additions & 0 deletions
@@ -9,6 +9,19 @@ import TabItem from '@theme/TabItem';
99
## Windmill on AWS EKS
1010
Windmill can be deployed on an EKS ([Elastic Kubernetes Service](https://aws.amazon.com/eks/)) cluster. Below are the detailed steps to get a Windmill stack up and running. The number of servers and [workers](../../core_concepts/9_worker_groups/index.mdx), as well as the instance sizes, should be tuned to your own usecases.
1111

12+
:::warning Bottlerocket AMI and PID isolation
13+
14+
If using Bottlerocket AMI for your EKS nodes, PID namespace isolation (`ENABLE_UNSHARE_PID`) and NSJAIL will not work by default. Bottlerocket sets `user.max_user_namespaces=0` which prevents the `unshare` command from creating user namespaces.
15+
16+
**Options**:
17+
- Use Amazon Linux 2023 or Amazon Linux 2 AMI instead (recommended)
18+
- Configure a custom launch template to increase `user.max_user_namespaces`
19+
- Set `disableUnsharePid: true` in Helm values (reduces security)
20+
21+
See [Security and process isolation](/docs/advanced/security_isolation) for more details.
22+
23+
:::
24+
1225
You can either setup your own EKS cluster and RDS instance and deploy Windmill using the [Helm chart](../self_host#helm-chart) or use the Cloudformation template below.
1326

1427
### Cloudformation
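Review bot: the third option in the warning (`disableUnsharePid: true`) only addresses PID isolation, yet the opening sentence says both PID isolation and NSJAIL fail on Bottlerocket; a reader who picks that option will still hit the NSJAIL failure. The bullet should state that NSJAIL must be disabled as well (the security_isolation page this warning links to already documents `DISABLE_NSJAIL=true`), or the sentence should say which of the two each option fixes. Two smaller points: the second bullet names `user.max_user_namespaces` but gives no value or snippet, so it would help to either inline the `[settings.kernel.sysctl]` example or say explicitly that the linked page contains it; and the new link `/docs/advanced/security_isolation` is an absolute site path while the surrounding text uses relative `.mdx` links (`../../core_concepts/9_worker_groups/index.mdx`, `../self_host#helm-chart`), so it should follow the same convention for consistency.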

docs/advanced/security_isolation/index.mdx

Lines changed: 17 additions & 0 deletions
@@ -386,6 +386,23 @@ For Helm deployments, set the appropriate values to enable privileged mode and t
386386
- Reduce number of concurrent jobs
387387
- Use `DISABLE_NSJAIL=true` and rely on PID isolation only
388388

389+
### AWS EKS with Bottlerocket AMI
390+
391+
**Cause**: Bottlerocket AMI sets `user.max_user_namespaces=0` by default, which prevents user namespace creation required for PID isolation and NSJAIL.
392+
393+
**Solutions**:
394+
395+
1. **Switch to a different AMI** (recommended): Use Amazon Linux 2023 or Amazon Linux 2 instead of Bottlerocket for your EKS node groups.
396+
397+
2. **Disable PID isolation**: Set `disableUnsharePid: true` in Helm values (global or per-worker-group). Note: This reduces security isolation.
398+
399+
3. **Configure Bottlerocket kernel parameters**: Use a custom launch template with user data to increase `max_user_namespaces`:
400+
```toml
401+
[settings.kernel.sysctl]
402+
"user.max_user_namespaces" = "65536"
403+
```
404+
See [AWS EKS launch template documentation](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) for details.
405+
389406
## Related documentation
390407

391408
- [Worker Groups](/docs/core_concepts/worker_groups) - Logical worker separation
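Review bot: solution 2 is incomplete for the stated cause. The "Cause" line says the sysctl breaks both PID isolation and NSJAIL, but solution 2 only sets `disableUnsharePid: true`; `DISABLE_NSJAIL=true` (already mentioned two lines above in the surrounding context) must be set as well, otherwise NSJAIL still fails to create its namespaces. Suggest changing the item to "Disable PID isolation and NSJAIL" and listing both settings. For solution 3, the doc should say what the trade-off is: `user.max_user_namespaces=0` is a deliberate Bottlerocket hardening default, and raising it in `[settings.kernel.sysctl]` re-enables unprivileged user namespace creation for every process on the node, not just Windmill workers, so it belongs in the same "reduces security" framing that solution 2 already carries. Minor: the prose says "increase `max_user_namespaces`" while the snippet uses the full key `user.max_user_namespaces`; use the full key in both places so readers searching for the sysctl find it.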
