Merged
13 changes: 13 additions & 0 deletions docs/advanced/1_self_host/aws_eks_ecs.mdx
Expand Up @@ -9,6 +9,19 @@ import TabItem from '@theme/TabItem';
## Windmill on AWS EKS
Windmill can be deployed on an EKS ([Elastic Kubernetes Service](https://aws.amazon.com/eks/)) cluster. Below are the detailed steps to get a Windmill stack up and running. The number of servers and [workers](../../core_concepts/9_worker_groups/index.mdx), as well as the instance sizes, should be tuned to your own usecases.

:::warning Bottlerocket AMI and PID isolation

If using Bottlerocket AMI for your EKS nodes, PID namespace isolation (`ENABLE_UNSHARE_PID`) and NSJAIL will not work by default. Bottlerocket sets `user.max_user_namespaces=0` which prevents the `unshare` command from creating user namespaces.

**Options**:
- Use Amazon Linux 2023 or Amazon Linux 2 AMI instead (recommended)
- Configure a custom launch template to increase `user.max_user_namespaces`
- Set `disableUnsharePid: true` in Helm values (reduces security)

See [Security and process isolation](/docs/advanced/security_isolation) for more details.

:::

You can either setup your own EKS cluster and RDS instance and deploy Windmill using the [Helm chart](../self_host#helm-chart) or use the Cloudformation template below.

### Cloudformation
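Review bot: The warning names both `ENABLE_UNSHARE_PID` and NSJAIL as broken under Bottlerocket, but the three options only address the PID-isolation side (`disableUnsharePid: true`); nothing tells the reader what to do about NSJAIL on the same node, while the security_isolation page in this PR already documents `DISABLE_NSJAIL=true` as the matching knob. Either add a fourth bullet (or fold it into the third) saying that NSJAIL must be disabled too when staying on Bottlerocket, or state explicitly that the worker falls back cleanly when NSJAIL cannot create user namespaces, so the reader is not left with a half-fixed node. Two smaller points: "(reduces security)" on the `disableUnsharePid` bullet should say what is lost (jobs are no longer PID-isolated from each other), and the cross-link uses the absolute form `/docs/advanced/security_isolation` while the rest of this file links relatively (`../../core_concepts/9_worker_groups/index.mdx`); pick one style so Docusaurus link checking behaves the same for both.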
17 changes: 17 additions & 0 deletions docs/advanced/security_isolation/index.mdx
Expand Up @@ -386,6 +386,23 @@ For Helm deployments, set the appropriate values to enable privileged mode and t
- Reduce number of concurrent jobs
- Use `DISABLE_NSJAIL=true` and rely on PID isolation only

### AWS EKS with Bottlerocket AMI

**Cause**: Bottlerocket AMI sets `user.max_user_namespaces=0` by default, which prevents user namespace creation required for PID isolation and NSJAIL.

**Solutions**:

1. **Switch to a different AMI** (recommended): Use Amazon Linux 2023 or Amazon Linux 2 instead of Bottlerocket for your EKS node groups.

2. **Disable PID isolation**: Set `disableUnsharePid: true` in Helm values (global or per-worker-group). Note: This reduces security isolation.

3. **Configure Bottlerocket kernel parameters**: Use a custom launch template with user data to increase `max_user_namespaces`:
```toml
[settings.kernel.sysctl]
"user.max_user_namespaces" = "65536"
```
See [AWS EKS launch template documentation](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) for details.

## Related documentation

- [Worker Groups](/docs/core_concepts/worker_groups) - Logical worker separation
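Review bot: Solution 3 gives the Bottlerocket sysctl fragment but no way to confirm it took effect, and the value `"65536"` is unexplained; since the Cause says the blocker is the setting being `0`, say that any nonzero value lifts the restriction and that 65536 is just a reasonable example, and add a one-line verification step (reading `user.max_user_namespaces` on the node after it joins the node group) so a reader who copied the launch-template user data wrongly finds out before debugging the worker. The ordering of the three solutions also differs from the warning added to aws_eks_ecs.mdx in this same PR (there: AMI, launch template, disable; here: AMI, disable, launch template); keeping the same order in both places makes the "recommended" path read consistently. Finally, Solution 2 disables only PID isolation although the Cause says NSJAIL is blocked by the same sysctl; point to the `DISABLE_NSJAIL=true` bullet just above this section so the reader knows both switches are needed when staying on Bottlerocket.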