DOC-2311 - AL2 deprecation notice and migration guide for EKS clusters (#8374)

benradstone · web-flow · commit 1b5d187c7533 · 2025-10-15T12:54:39.000+01:00
* docs: AL2 migration guide for EKS clusters

* docs: address Vale comment

* docs: additional steps for troubleshooting

* docs: Apply suggestion from code review

* ci: auto-formatting prettier issues

* docs: Apply suggestion from code review (part 2)

* ci: auto-formatting prettier issues

* docs: add release note for deprecation notice

* docs: Set removal date to April 4th 2026

* docs: clarify disablement and removal guidance

* docs: further clarification on disablement and removal

* docs: final hopeful date fixes
diff --git a/docs/docs-content/clusters/public-cloud/aws/eks.md b/docs/docs-content/clusters/public-cloud/aws/eks.md
@@ -11,6 +11,18 @@ sidebar_position: 30
 Palette supports creating and managing Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) clusters deployed to
 an AWS account. This section guides you on how to create an EKS cluster in AWS that Palette manages.
 
+:::warning
+
+[EKS-optimized Amazon Linux 2 (AL2) AMIs](https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-deprecation-faqs.html)
+will be disabled in Palette from January 10, 2026, and removed on April 4, 2026. When disabled, you will no longer be
+able to select the AL2 AMIs for EKS worker nodes in Palette for new clusters. For existing clusters, you must create new
+worker nodes using AL2023 AMIs. Existing AL2 AMI worker nodes will no longer receive bug fixes or security patches after
+the removal date. Refer to our
+[Scenario - Unable to Upgrade EKS Worker Nodes from AL2 to AL2023](../../../troubleshooting/cluster-deployment.md#scenario---unable-to-upgrade-eks-worker-nodes-from-al2-to-al2023)
+guide for help with migrating workloads.
+
+:::
+
 ## Prerequisites
 
 - Access to an AWS cloud account.
diff --git a/docs/docs-content/release-notes/announcements.md b/docs/docs-content/release-notes/announcements.md
@@ -31,10 +31,11 @@ for the changes in your environment.
 The table below lists the upcoming deprecations in Palette and Palette VerteX. Review the information to below and take
 necessary actions to avoid any disruptions in your environment.
 
-| Change                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Target Removal Date | Published Date |
-| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -------------- |
-| The [Palette Edge CLI](../downloads/cli-tools.md#palette-edge-cli) is deprecated and will be removed in a future release. We recommend using the [Palette CLI](../automation/palette-cli/palette-cli.md) for the creation and management of content bundles. Refer to the [Build Content Bundle](../clusters/edge/edgeforge-workflow/palette-canvos/build-content-bundle.md) guide for further information.                                                                                                     | _To be announced_   | May 25, 2025   |
-| The `stylus.installationMode` [Edge Installer Configuration](../clusters/edge/edge-configuration/installer-reference.md) flag is deprecated. We recommend using the `stylus.managementMode` flag instead, which has two allowed values: `central`, which means the Edge host is connected to Palette, and `local`, which means the Edge host has no connection to a Palette instance. Refer to the [Prepare User Data](../clusters/edge/edgeforge-workflow/prepare-user-data.md) guide for further information. | December 6, 2025    | May 25, 2025   |
+| Change                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Target Removal Date | Published Date   |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- | ---------------- |
+| [EKS-optimized Amazon Linux 2 (AL2) AMIs](https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-deprecation-faqs.html) will be disabled in Palette from January 10, 2026 and removed on 4 April, 2026. When disabled, you will no longer be able to select the AL2 AMIs for EKS worker nodes in Palette for new clusters. For existing clusters, you must create new worker nodes using AL2023 AMIs. Existing AL2 AMI worker nodes will no longer receive bug fixes or security patches after the removal date. Refer to our [Scenario - Unable to Upgrade EKS Worker Nodes from AL2 to AL2023](../troubleshooting/cluster-deployment.md#scenario---unable-to-upgrade-eks-worker-nodes-from-al2-to-al2023) guide for help with migrating workloads. | April 4, 2026       | October 18, 2025 |
+| The [Palette Edge CLI](../downloads/cli-tools.md#palette-edge-cli) is deprecated and will be removed in a future release. We recommend using the [Palette CLI](../automation/palette-cli/palette-cli.md) for the creation and management of content bundles. Refer to the [Build Content Bundle](../clusters/edge/edgeforge-workflow/palette-canvos/build-content-bundle.md) guide for further information.                                                                                                                                                                                                                                                                                                                                            | _To be announced_   | May 25, 2025     |
+| The `stylus.installationMode` [Edge Installer Configuration](../clusters/edge/edge-configuration/installer-reference.md) flag is deprecated. We recommend using the `stylus.managementMode` flag instead, which has two allowed values: `central`, which means the Edge host is connected to Palette, and `local`, which means the Edge host has no connection to a Palette instance. Refer to the [Prepare User Data](../clusters/edge/edgeforge-workflow/prepare-user-data.md) guide for further information.                                                                                                                                                                                                                                        | December 6, 2025    | May 25, 2025     |
 
 ## Removals
 
diff --git a/docs/docs-content/release-notes/release-notes.md b/docs/docs-content/release-notes/release-notes.md
@@ -43,6 +43,14 @@ tags: ["release-notes"]
 
 #### Deprecations and Removals
 
+- [EKS-optimized Amazon Linux 2 (AL2) AMIs](https://docs.aws.amazon.com/eks/latest/userguide/eks-ami-deprecation-faqs.html)
+  will be disabled in Palette from January 10, 2026 and removed on April 4, 2026. When disabled, you will no longer be
+  able to select the AL2 AMIs for EKS worker nodes in Palette for new clusters. For existing clusters, you must create
+  new worker nodes using AL2023 AMIs. Existing AL2 AMI worker nodes will no longer receive bug fixes or security patches
+  after the removal date. Refer to our
+  [Scenario - Unable to Upgrade EKS Worker Nodes from AL2 to AL2023](../troubleshooting/cluster-deployment.md#scenario---unable-to-upgrade-eks-worker-nodes-from-al2-to-al2023)
+  guide for help with migrating workloads.
+
 ### Edge
 
 #### Features
diff --git a/docs/docs-content/troubleshooting/cluster-deployment.md b/docs/docs-content/troubleshooting/cluster-deployment.md
@@ -10,6 +10,188 @@ tags: ["troubleshooting", "cluster-deployment"]
 
 The following steps will help you troubleshoot errors in the event issues arise while deploying a cluster.
 
+## Scenario - Unable to Upgrade EKS Worker Nodes from AL2 to AL2023
+
+AWS does not provide a direct upgrade path from Amazon Linux 2 (AL2) to Amazon Linux 2023 (AL2023) for EKS worker nodes.
+This is due to significant changes between AL2 and AL2023, including differences in worker node initialization and
+bootstrapping prior to joining an EKS cluster. Refer to the
+[AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/al2023.html) for more details.
+
+You can use the following debug steps for existing clusters that were deployed using AL2 worker nodes and need to be
+upgraded to AL2023 worker nodes.
+
+:::info
+
+After January 10, 2026, you can only create node pools with the AL2023 AMI type in Palette. If AL2 is needed, consider
+using custom AMIs. Ensure you have accounted for this change in any of your automation, such as Terraform, API, etc.
+
+:::
+
+### Debug Steps
+
+1. Check the
+   [Compatibility Requirements](https://docs.aws.amazon.com/eks/latest/userguide/al2023.html#al2023-compatibility-requirements)
+   for AL2023 to ensure your applications run correctly on AL2023.
+
+   If your applications are not ready to run on AL2023, continue with the following steps but use a custom AL2 AMI
+   instead of AL2023.
+
+2. Log in to [Palette](https://console.spectrocloud.com/).
+
+3. Ensure you are in the correct project scope.
+
+4. From the left main menu, click **Profiles** and select the profile used to deploy your EKS cluster.
+
+5. [Create a new version of the cluster profile](../profiles/cluster-profiles/modify-cluster-profiles/version-cluster-profile.md).
+
+6. Select the **Kubernetes** layer of your cluster profile.
+
+7. On the **Edit Pack** page, select **Values** under **Pack Details**.
+
+8. Add your IRSA roles to the `managedControlPlane.irsaRoles` and `managedMachinePool.roleAdditionalPolicies` sections
+   if they are not already configured.
+
+   ```yaml hideClipboard title="Example configuration"
+   managedControlPlane:
+     ...
+     irsaRoles:
+       - name: "{{.spectro.system.cluster.name}}-irsa-cni"
+         policies:
+           - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
+         serviceAccount:
+           name: aws-node
+           namespace: kube-system
+       - name: "{{.spectro.system.cluster.name}}-irsa-csi" # optional, defaults to audience sts.amazonaws.com
+         policies:
+           - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
+   ...
+   managedMachinePool:
+     ...
+     roleAdditionalPolicies:
+       - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+   ```
+
+   Refer to the
+   [Scenario - PV/PVC Stuck in Pending Status for EKS Cluster Using AL2023 AMI](#scenario---pvpvc-stuck-in-pending-status-for-eks-cluster-using-al2023-ami)
+   section for further information on why it is necessary to configure IRSA roles for AL2023.
+
+9. Click **Confirm Updates** after editing.
+
+10. Select the **Storage** layer of your cluster profile.
+
+11. On the **Edit Pack** page, select **Values** under **Pack Details**.
+
+12. Use the YAML editor to add an IAM role ARN annotation to the AWS EBS CSI Driver so that the IRSA role is correctly
+    referenced. Replace `<aws-account-id>` with your AWS account ID.
+
+    ```yaml hideClipboard title="Example configuration" {12}
+    charts:
+    ...
+    aws-ebs-csi-driver:
+    ...
+      controller:
+        ...
+        serviceAccount:
+          # A service account will be created for you if set to true. Set to false if you want to use your own.
+          create: true
+          name: ebs-csi-controller-sa
+          annotations: {
+            "eks.amazonaws.com/role-arn":"arn:aws:iam::<aws-account-id>:role/{{.spectro.system.cluster.name}}-irsa-csi"
+          }
+          ## Enable if EKS IAM for SA is used
+          # eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
+          automountServiceAccountToken: true
+    ```
+
+13. Click **Confirm Updates** after editing.
+
+14. Click **Save Changes** on the cluster profile page.
+
+15. From the left main menu, click **Clusters** and select your EKS cluster.
+
+16. Select the **Profile** tab.
+
+17. Click the version drop-down for **INFRASTRUCTURE LAYERS** and select the new version of the cluster profile that you
+    created with these changes.
+
+18. Click **Review & Save**. In the pop-up window, click **Review changes in Editor**.
+
+19. Review your changes and click **Apply Changes** when ready.
+
+20. Select the **Nodes** tab.
+
+21. Click **New Node Pool**.
+
+22. Fill out the input fields in the **Add node pool** page as per your requirements.
+
+    Ensure that you select an **Amazon Linux 2023** AMI type, or, if you are using a custom AL2 AMI, select **Custom
+    AMI** and provide the AMI ID.
+
+23. Click **Confirm** to create the new node pool.
+
+24. Wait for the new nodes to be **Healthy** (green tick) in the **Health** column and show a **Status** of **Running**.
+
+25. Repeat steps 20-24 to create additional AL2023 node pools as needed. Ensure that the total number of nodes in the
+    AL2023 node pools meets your requirements to replace the AL2 node pools.
+
+26. On the **Nodes** tab, click the **Edit** option for your existing AL2 node pool.
+
+27. Click the **Add New Taint** option and add a
+    [taint](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to the AL2 node pool. Use the
+    `NoExecute` effect to evict workloads from the AL2 nodes.
+
+    Example:
+
+    - **Key** = `migrate-to-al2023`
+    - **Value** = `true`
+    - **Effect** = `NoExecute`
+
+28. Click **Confirm** to update the AL2 node pool.
+
+29. Wait for the workloads to be evicted from the AL2 nodes and rescheduled on the AL2023 nodes.
+
+    You can check for running pods on the AL2 nodes by issuing the following command. Replace `<al2-node-identifier>`
+    with part of the name of one of your AL2 nodes.
+
+    ```bash title="Example command"
+    kubectl get pods --all-namespaces --output wide --field-selector spec.nodeName=<al2-node-identifier>
+    ```
+
+    The AL2 nodes will display only system pods, such as `aws-node`, `ebs-csi-controller`, `ebs-csi-node`, `kube-proxy`,
+    and potentially `palette-webhook`.
+
+    ```shell hideClipboard title="Example output from AL2 node"
+    NAMESPACE        NAME                                  READY   STATUS    RESTARTS   AGE   IP             NODE                           NOMINATED NODE   READINESS GATES
+    kube-system      aws-node-rvkbv                        2/2     Running   0          29m   10.0.206.110   ip-10-11-12-13.ec2.internal    <none>           <none>
+    kube-system      ebs-csi-controller-6f6f7d776b-q7hlj   5/5     Running   0          58m   10.0.196.103   ip-10-11-12-13.ec2.internal    <none>           <none>
+    kube-system      ebs-csi-node-tbm7t                    3/3     Running   0          29m   10.0.215.130   ip-10-11-12-13.ec2.internal    <none>           <none>
+    kube-system      kube-proxy-xqm5w                      1/1     Running   0          29m   10.0.206.110   ip-10-11-12-13.ec2.internal    <none>           <none>
+    palette-system   palette-webhook-86c7b5f99d-tdcf7      1/1     Running   0          29m   10.0.205.155   ip-10-11-12-13.ec2.internal    <none>           <none>
+    ```
+
+    You can compare this output with the output from the same command issued for one of your AL2023 nodes to confirm
+    that the workloads have been successfully migrated.
+
+    ```shell hideClipboard title="Example output from AL2023 node"
+    NAMESPACE                          NAME                                                             READY   STATUS    RESTARTS   AGE     IP             NODE                           NOMINATED NODE   READINESS GATES
+    capi-webhook-system                capa-controller-manager-59c947b948-lwwrv                         1/1     Running   0          8m22s   10.0.201.130   ip-20-21-22-23.ec2.internal   <none>           <none>
+    capi-webhook-system                capi-controller-manager-5455d67696-pv69l                         1/1     Running   0          8m21s   10.0.215.178   ip-20-21-22-23.ec2.internal   <none>           <none>
+    capi-webhook-system                capi-kubeadm-control-plane-controller-manager-67b7d996cd-96lqp   1/1     Running   0          8m21s   10.0.252.246   ip-20-21-22-23.ec2.internal   <none>           <none>
+    cert-manager                       cert-manager-webhook-6b5c469577-wwsqb                            1/1     Running   0          8m22s   10.0.234.189   ip-20-21-22-23.ec2.internal   <none>           <none>
+    cluster-68ee17be1ccd1304cf843c0f   cluster-management-agent-645f84964f-sw9n4                        1/1     Running   0          8m21s   10.0.212.43    ip-20-21-22-23.ec2.internal   <none>           <none>
+    cluster-68ee17be1ccd1304cf843c0f   metrics-server-56594bcd99-mkjlp                                  1/1     Running   0          8m17s   10.0.209.82    ip-20-21-22-23.ec2.internal   <none>           <none>
+    cluster-68ee17be1ccd1304cf843c0f   palette-controller-manager-68c698776c-xjnn4                      3/3     Running   0          8m22s   10.0.204.59    ip-20-21-22-23.ec2.internal   <none>           <none>
+    kube-system                        aws-node-77hv6                                                   2/2     Running   0          43m     10.0.200.120   ip-20-21-22-23.ec2.internal   <none>           <none>
+    kube-system                        coredns-6b9575c64c-trp5v                                         1/1     Running   0          8m22s   10.0.204.97    ip-20-21-22-23.ec2.internal   <none>           <none>
+    kube-system                        ebs-csi-controller-6f6f7d776b-q7hlj                              5/5     Running   0          42m     10.0.196.103   ip-20-21-22-23.ec2.internal   <none>           <none>
+    kube-system                        ebs-csi-node-mjth6                                               3/3     Running   0          42m     10.0.216.41    ip-20-21-22-23.ec2.internal   <none>           <none>
+    kube-system                        kube-proxy-544fg                                                 1/1     Running   0          40m     10.0.200.120   ip-20-21-22-23.ec2.internal   <none>           <none>
+    palette-system                     palette-webhook-86c7b5f99d-f8n5v                                 1/1     Running   0          40m     10.0.206.77    ip-20-21-22-23.ec2.internal   <none>           <none>
+    ```
+
+30. Once all workloads have been successfully migrated to the AL2023 nodes, you can
+    [delete](../clusters/cluster-management/node-pool.md#delete-a-node-pool) the AL2 node pools.
+
 ## Scenario - PV/PVC Stuck in Pending Status for EKS Cluster Using AL2023 AMI
 
 After deploying an Amazon EKS cluster using an
