Unveiling Docker Images in EKS Cluster with Bottlerocket nodes

In the dynamic world of cloud computing, Kubernetes has emerged as the go-to platform for container orchestration, and Amazon EKS is a popular choice for managing Kubernetes clusters. However, what adds an extra layer of efficiency and security to an EKS cluster is the use of Bottlerocket OS.

What is Bottlerocket OS?

Bottlerocket OS is a purpose-built, minimalistic Linux distribution designed specifically for running containers at scale. Developed by AWS, it’s built to provide an optimized, secure, and reliable platform for managing containerized applications within Kubernetes clusters. Here’s why Bottlerocket OS stands out:

  1. Security: Bottlerocket employs a minimal attack surface by using a read-only file system, reducing the risk of security vulnerabilities. It also supports automatic updates, ensuring that clusters are always up to date with the latest security patches.
  2. Minimalist Design: Bottlerocket OS comes with a minimalist design, focusing solely on the requirements of container orchestration. This streamlined approach eliminates unnecessary components, reducing the attack surface and enhancing security.
  3. Immutable Infrastructure: Bottlerocket OS operates on an immutable infrastructure model, meaning once deployed, the OS image cannot be modified. This approach ensures consistency across nodes and simplifies management by allowing for easy rollbacks and updates.

Now that we have a good understanding of Bottlerocket OS and its advantages, let’s explore how to use the crictl tool to interact with the container runtime on a Bottlerocket node, for example to list the container images present on that node.

Imagine encountering a minor hiccup – a Docker image refusing to be pulled. The solution seems simple: log into the node and take a peek at the existing images. But hold your horses! If your EKS cluster nodes are powered by Bottlerocket OS, get ready for a detour through its robust security guardrails. As they say, with great power comes great responsibility – and a bit of extra legwork! 😉

Getting access to your node running Bottlerocket OS can sometimes feel like traversing a labyrinth of IAM roles and security protocols. Thankfully, with proper IAM roles attached to my nodes, initiating a session using the AWS Session Manager was a breeze.

Once the Session Manager shell is open, the gateway to the Bottlerocket host filesystem is the admin container. Use the following command to enter it:

enter-admin-container

Now, the next step is to switch to the root shell of the Bottlerocket OS so that we can access the root filesystem. Execute the following command:

sudo sheltie

Once you are in the root shell, you need to call the crictl binary by its full path (/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/usr/local/bin/crictl) to interact with the runtime. For example, to check the crictl version or list the container images available on the node, run the following commands:

/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/usr/local/bin/crictl --version
/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/usr/local/bin/crictl images
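As an added example (not part of the original post), the following script ties the steps above to the troubleshooting scenario that motivated them: run from the Bottlerocket root shell after enter-admin-container and sudo sheltie, it asks crictl for the image list and reports whether a specific repo:tag has actually landed on the node. The crictl path is the one from the post (overridable via CRICTL); the sample crictl output used for testing is constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example: check whether an image is present on a Bottlerocket node.
# Run inside the root shell reached via enter-admin-container + sudo sheltie.
set -eu

# Path from the post; override with CRICTL=/other/path if your layout differs.
CRICTL="${CRICTL:-/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/usr/local/bin/crictl}"

# Constructed sample of "crictl images" output (columns: IMAGE TAG IMAGE ID SIZE).
# Used by the self-test below; the image IDs are made up.
SAMPLE_IMAGES='IMAGE                                TAG      IMAGE ID        SIZE
registry.example.com:5000/team/app   1.4.2    a1b2c3d4e5f6a   120MB
docker.io/library/busybox            1.36     f6e5d4c3b2a1f   4.5MB
registry.example.com:5000/team/app   latest   9f8e7d6c5b4a3   121MB'

# image_present IMAGE_REF IMAGES_OUTPUT
# Returns 0 if IMAGES_OUTPUT lists IMAGE_REF (repo:tag) exactly, else 1.
# A ref with no tag is treated as ":latest", as the runtime would.
# Digest refs (repo@sha256:...) are not handled; crictl hides digests by default.
image_present() {
    ref="$1"; out="$2"
    tag="${ref##*:}"
    repo="${ref%:*}"
    # No colon at all, or the only colon belongs to a registry port: no tag given.
    if [ "$tag" = "$ref" ] || [ -z "${tag##*/*}" ]; then
        repo="$ref"; tag="latest"
    fi
    printf '%s\n' "$out" | awk -v r="$repo" -v t="$tag" '
        NR > 1 && $1 == r && $2 == t { found = 1 }
        END { exit found ? 0 : 1 }'
}

# node_has_image IMAGE_REF: query the live runtime on this node.
node_has_image() {
    [ -x "$CRICTL" ] || { echo "crictl not found at $CRICTL" >&2; exit 2; }
    image_present "$1" "$("$CRICTL" images)"
}

# Usage: sh check_image.sh registry.example.com:5000/team/app:1.4.2
if [ -n "${1:-}" ]; then
    if node_has_image "$1"; then
        echo "present on node: $1"
    else
        echo "NOT present on node: $1 (the pull has not succeeded here)"
        exit 1
    fi
fi
```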

I hope this has been informative for you. Please comment in case of any queries.
