Add docs on change

awslabs · Oct 18, 2024 · 550fdbe · 550fdbe
1 parent b839714
commit 550fdbe
Showing 1 changed file with 70 additions and 0 deletions.
diff --git a/doc/usage/al2023.md b/doc/usage/al2023.md
@@ -68,3 +68,73 @@ One can pass the NVIDIA driver major version using the following:
 make k8s=1.29 os_distro=al2023 enable_accelerator=nvidia enable_efa=true nvidia_driver_major_version=560
 ```
 To see which driver versions are available, one can check the NVIDIA AL2023 [repository](https://developer.download.nvidia.com/compute/cuda/repos/amzn2023/).
+
+## Pause Container Image
+
+Since [PR #2000](https://github.com/awslabs/amazon-eks-ami/pull/2000), the pause
+container image is no longer pulled in at runtime on AL2023. `nodeadm` uses a
+static pause container reference to populate the
+[`sandbox`](https://github.com/containerd/containerd/blob/963c2160485631c3d4c1068aa28cea34c884a347/docs/cri/config.md?plain=1#L190)
+field of the containerd config.toml, which is baked into the AMI during the
+build based on the packer template variable `pause_container_image`.
+
+The default for `pause_container_image` is adequate for building in the `aws`
+partition, but if you require a region-specific ECR image, below is a table of
+the recommended pause container image for each region:
+
+> **NOTE**: some regions that reference an image from a sibling region are
+> matched with a wildcard (`*`)
+
+| Region | Image URI |
+| - | - |
+| af-south-1 | 877085696533.dkr.ecr.af-south-1.amazonaws.com | <!-- aws -->
+| ap-east-1 | 800184023465.dkr.ecr.ap-east-1.amazonaws.com |
+| ap-northeast-1 | 602401143452.dkr.ecr.ap-northeast-1.amazonaws.com |
+| ap-northeast-2 | 602401143452.dkr.ecr.ap-northeast-2.amazonaws.com |
+| ap-northeast-3 | 602401143452.dkr.ecr.ap-northeast-3.amazonaws.com |
+| ap-south-1 | 602401143452.dkr.ecr.ap-south-1.amazonaws.com |
+| ap-south-2 | 900889452093.dkr.ecr.ap-south-2.amazonaws.com |
+| ap-southeast-1 | 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com |
+| ap-southeast-2 | 602401143452.dkr.ecr.ap-southeast-2.amazonaws.com |
+| ap-southeast-3 | 296578399912.dkr.ecr.ap-southeast-3.amazonaws.com |
+| ap-southeast-4 | 491585149902.dkr.ecr.ap-southeast-4.amazonaws.com |
+| ap-southeast-5 | 151610086707.dkr.ecr.ap-southeast-5.amazonaws.com |
+| ca-central-1 | 602401143452.dkr.ecr.ca-central-1.amazonaws.com |
+| ca-west-1 | 761377655185.dkr.ecr.ca-west-1.amazonaws.com |
+| eu-central-1 | 602401143452.dkr.ecr.eu-central-1.amazonaws.com |
+| eu-central-2 | 900612956339.dkr.ecr.eu-central-2.amazonaws.com |
+| eu-north-1 | 602401143452.dkr.ecr.eu-north-1.amazonaws.com |
+| eu-south-1 | 590381155156.dkr.ecr.eu-south-1.amazonaws.com |
+| eu-south-2 | 455263428931.dkr.ecr.eu-south-2.amazonaws.com |
+| eu-west-1 | 602401143452.dkr.ecr.eu-west-1.amazonaws.com |
+| eu-west-2 | 602401143452.dkr.ecr.eu-west-2.amazonaws.com |
+| eu-west-3 | 602401143452.dkr.ecr.eu-west-3.amazonaws.com |
+| il-central-1 | 066635153087.dkr.ecr.il-central-1.amazonaws.com |
+| me-central-1 | 759879836304.dkr.ecr.me-central-1.amazonaws.com |
+| me-south-1 | 558608220178.dkr.ecr.me-south-1.amazonaws.com |
+| sa-east-1 | 602401143452.dkr.ecr.sa-east-1.amazonaws.com |
+| us-east-1 | 602401143452.dkr.ecr.us-east-1.amazonaws.com |
+| us-east-2 | 602401143452.dkr.ecr.us-east-2.amazonaws.com |
+| cn-north-1 | 918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn | <!-- aws-cn -->
+| cn-northwest-1 | 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn |
+| cn-* | 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn |
+| us-gov-east-1 | 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com | <!-- aws-us-gov -->
+| us-gov-west-1 | 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com |
+| us-gov-* | 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com |
+| us-iso-east-1 | 725322719131.dkr.ecr.us-iso-east-1.c2s.ic.gov | <!-- aws-iso -->
+| us-iso-west-1 | 608367168043.dkr.ecr.us-iso-west-1.c2s.ic.gov |
+| us-iso-* | 725322719131.dkr.ecr.us-iso-east-1.c2s.ic.gov |
+| us-isob-east-1 | 187977181151.dkr.ecr.us-isob-east-1.sc2s.sgov.gov | <!-- aws-isob -->
+| us-isob-* | 187977181151.dkr.ecr.us-isob-east-1.sc2s.sgov.gov |
+| eu-isoe-west-1 | 249663109785.dkr.ecr.eu-isoe-west-1.cloud.adc-e.uk | <!-- aws-isoe -->
+| eu-isoe-* | 249663109785.dkr.ecr.eu-isoe-west-1.cloud.adc-e.uk |
+| us-isof-south-1 | 676585237158.dkr.ecr.us-isof-south-1.csp.hci.ic.gov | <!-- aws-isof -->
+| us-isof-* | 676585237158.dkr.ecr.us-isof-south-1.csp.hci.ic.gov |
+
+You can also use another pause image entirely, such as the `registry.k8s.io/pause`.
+
+If would like to use a FIPS endpoint, this requires a small change to the URI:
+```diff
+-<ACCOUNT_ID>.dkr.ecr.<REGION>.<DOMAIN>"
++<ACCOUNT_ID>.dkr.ecr-fips.<REGION>.<DOMAIN>"
+```