note about eks bottlerocket + nsjail

alpetric · alpetric · commit 66d670522ed1 · 2026-02-04T16:02:12.000Z
diff --git a/docs/advanced/1_self_host/aws_eks_ecs.mdx b/docs/advanced/1_self_host/aws_eks_ecs.mdx
@@ -9,6 +9,19 @@ import TabItem from '@theme/TabItem';
 ## Windmill on AWS EKS
 Windmill can be deployed on an EKS ([Elastic Kubernetes Service](https://aws.amazon.com/eks/)) cluster. Below are the detailed steps to get a Windmill stack up and running. The number of servers and [workers](../../core_concepts/9_worker_groups/index.mdx), as well as the instance sizes, should be tuned to your own usecases.
 
+:::warning Bottlerocket AMI and PID isolation
+
+If using Bottlerocket AMI for your EKS nodes, PID namespace isolation (`ENABLE_UNSHARE_PID`) and NSJAIL will not work by default. Bottlerocket sets `user.max_user_namespaces=0` which prevents the `unshare` command from creating user namespaces.
+
+**Options**:
+- Use Amazon Linux 2023 or Amazon Linux 2 AMI instead (recommended)
+- Configure a custom launch template to increase `user.max_user_namespaces`
+- Set `disableUnsharePid: true` in Helm values (reduces security)
+
+See [Security and process isolation](/docs/advanced/security_isolation) for more details.
+
+:::
+
 You can either setup your own EKS cluster and RDS instance and deploy Windmill using the [Helm chart](../self_host#helm-chart) or use the Cloudformation template below.
 
 ### Cloudformation
diff --git a/docs/advanced/security_isolation/index.mdx b/docs/advanced/security_isolation/index.mdx
@@ -401,6 +401,23 @@ For Helm deployments, set the appropriate values to enable privileged mode and t
 - Reduce number of concurrent jobs
 - Use `DISABLE_NSJAIL=true` and rely on PID isolation only
 
+### AWS EKS with Bottlerocket AMI
+
+**Cause**: Bottlerocket AMI sets `user.max_user_namespaces=0` by default, which prevents user namespace creation required for PID isolation and NSJAIL.
+
+**Solutions**:
+
+1. **Switch to a different AMI** (recommended): Use Amazon Linux 2023 or Amazon Linux 2 instead of Bottlerocket for your EKS node groups.
+
+2. **Disable PID isolation**: Set `disableUnsharePid: true` in Helm values (global or per-worker-group). Note: This reduces security isolation.
+
+3. **Configure Bottlerocket kernel parameters**: Use a custom launch template with user data to increase `max_user_namespaces`:
+   ```toml
+   [settings.kernel.sysctl]
+   "user.max_user_namespaces" = "65536"
+   ```
+   See [AWS EKS launch template documentation](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) for details.
+
 ## Related documentation
 
 - [Worker Groups](/docs/core_concepts/worker_groups) - Logical worker separation
