Bottlerocket 1.0: Secure OS for Kubernetes Nodes

Introduction

Amazon Web Services launched Bottlerocket 1.0 on August 17, 2020—a minimal, container-focused Linux distribution that makes Kubernetes node management safer and easier to automate.

Immutable by Design

Bottlerocket ships just enough OS to run containers, locking down package managers and interactive shells by default.
Transactional updates apply atomically and roll back on failure, reducing drift across fleets.
The OS partitions differentiate user data from system images, easing diagnostics and compliance.

API-Driven Operations

The Bottlerocket API daemon (apiserver) exposes settings via REST and SSM, enabling GitOps or automation tooling to configure kubelets, container runtimes, and kernel parameters.
SNTP, journald, and container log routing integrate with AWS CloudWatch and Fluent Bit agents.
Control containers provide safe entry points for troubleshooting without modifying the base image.

Kubernetes & AWS Integration

Managed node groups for EKS support Bottlerocket AMIs across multiple regions, with defaults for containerd and Amazon VPC CNI.
Out-of-the-box integration with IAM Roles for Service Accounts (IRSA) and aws-iam-authenticator streamlines identity management.
Open-source builds and community variants target bare metal and VM providers beyond AWS.

Getting Started

aws eks create-nodegroup \
  --cluster-name demo \
  --nodegroup-name bottlerocket \
  --ami-type BOTTLEROCKET_ARM64

Configure via API:

apiclient set settings.kubernetes.cluster-name=demo
apiclient apply -f user-data.toml

Summary

Aspect	Details
Release Date	August 17, 2020
Headline Features	Immutable OS, transactional updates, API-driven config
Why it Matters	Gives Kubernetes operators a hardened, predictable node platform purpose-built for containers

Bottlerocket 1.0 offers a modern alternative to general-purpose Linux on Kubernetes nodes, combining security best practices with cloud-native automation hooks.