Ubuntu vs. Amazon Linux for EKS Worker Nodes: Benefits and Downsides

Bottom line

Ubuntu on EKS is a mature, officially partnered option that offers stronger cross-environment consistency, a broader package ecosystem, newer kernels, and optional enterprise-grade security/compliance via Ubuntu Pro.

The main trade-offs are significantly slower boot times (~2× Amazon Linux), extra configuration overhead (custom launch templates required for managed node groups), and less native AWS integration compared to Amazon Linux 2023. Ubuntu makes the most sense for teams already standardized on Ubuntu across environments, those needing kernel features newer than AL2023's 6.1, or those requiring the 10-15 year security maintenance and compliance certifications that Ubuntu Pro provides. For teams that want the simplest, fastest, most tightly integrated EKS experience, AL2023 (or Bottlerocket for security-focused container-only workloads) remains the default best choice. Confidence: High, with independent benchmark data and primary-source documentation supporting all major claims.

Key findings

  • Boot time is 2× slower: Ubuntu 20.04 LTS EKS nodes boot in ~32.6 seconds vs. ~13.6 seconds for Amazon Linux 2 EKS, per an October 2023 independent benchmark. This directly impacts Karpenter-based autoscaling responsiveness. AL2023 was the fastest AMI overall in the same tests. (Source: Marty Sweet / martysweet.co.uk)
  • Ubuntu and AWS jointly develop an optimized kernel: Ubuntu EKS images use the linux-aws kernel (e.g., 6.8.0-1024-aws on 22.04), enabling Elastic Fabric Adapter, Nitro Enclaves, and Graviton optimizations. This is not a stock Ubuntu kernel - it's a purpose-built collaboration with AWS. (Sources: Canonical docs, Canonical blog, NVIDIA Terraform modules)
  • Ubuntu Pro adds enterprise-grade security at a per-vCPU premium: Includes kernel Livepatch (no-reboot patching), Expanded Security Maintenance (10-15 years), CIS hardening profiles, FIPS 140-3 certified modules, and coverage for thousands of open-source packages (Kafka, MongoDB, Redis, etc.). Pricing starts around $0.009/hr for t3.nano. (Source: ubuntu.com/aws/pro)
  • AL2 AMIs are being deprecated: AWS stopped publishing new AL2 EKS AMIs after November 26, 2025. Kubernetes 1.32 is the last version with AL2 support. From 1.33 onward, only AL2023 and Bottlerocket are AWS-published options. This makes the Ubuntu-vs-AL2023 comparison the relevant one going forward. (Source: DEV.to, AWS docs)
  • Ubuntu EKS nodes require self-managed configuration: Unlike AL2023 which works out-of-the-box with managed node groups, Ubuntu EKS requires creating EC2 launch templates with custom AMI IDs and user-data bootstrap scripts. This adds operational complexity. (Source: Canonical blog, Gruntwork)

Background

Canonical and AWS have partnered on EKS-optimized Ubuntu AMIs since October 2020 (Kubernetes 1.17/1.18). Ubuntu is the single most popular OS on AWS EC2 overall, with over 364,000 images running as of late 2019. The partnership was a natural extension: Canonical brings its Linux distribution expertise and enterprise support model, while AWS provides the managed Kubernetes control plane and infrastructure.

The Ubuntu EKS images are minimal, slimmed-down builds - not full Ubuntu Server installs. They include only the packages necessary to function as Kubernetes worker nodes: kubelet, kubectl, a container runtime, the AWS-optimized kernel, and basic system utilities. This makes them comparable in philosophy to AL2023's minimal approach, though Ubuntu images remain somewhat larger and slower to boot.

Ubuntu Pro for EKS reached general availability in May 2024, adding kernel Livepatch, Expanded Security Maintenance (covering the full "universe" package repository), CIS hardening, and FIPS compliance on top of the base EKS images. AWS VP of Kubernetes Barry Cooks publicly endorsed the offering.

Current state

As of May 2026, the EKS node OS landscape has three primary options:

| Option        | Publisher | Kernel           | Support model                     | Best for                                               |
|---------------|-----------|------------------|-----------------------------------|--------------------------------------------------------|
| AL2023        | AWS       | 6.1              | AWS-managed, LTS                  | Default choice, fastest boot, tightest AWS integration |
| Bottlerocket  | AWS       | Varies           | AWS-managed, immutable            | Security-first, container-only workloads               |
| Ubuntu (free) | Canonical | 6.8+ (linux-aws) | Community + Canonical             | Ubuntu-standardized teams, hybrid cloud                |
| Ubuntu Pro    | Canonical | 6.8+ (linux-aws) | Canonical enterprise (up to 15yr) | Regulated industries, compliance requirements          |

AL2 is effectively end-of-life for EKS: no new AMIs after November 2025, and the base OS loses security patches on June 30, 2026.

Ubuntu EKS AMIs are available for all current Kubernetes versions across all AWS regions, for both AMD64 and ARM64 (Graviton) architectures.

Technical or implementation details

Kernel differences

  • AL2023: kernel 6.1, cgroup v2, SELinux in permissive mode, IMDSv2 enforced by default
  • Ubuntu 22.04 EKS: kernel 6.8.0-1024-aws (linux-aws optimized), cgroup v2
  • Ubuntu 24.04 EKS: kernel 6.8+ (confirmed in Canonical cloud images)
  • The Ubuntu kernel is newer and includes features relevant to eBPF tooling (Cilium, Falco), though AWS warns that non-standard kernels may cause "compatibility issues" with EKS components

Package management

  • AL2023: DNF (yum aliased), no amazon-linux-extras, no EPEL, no Python 2.7, no cron (systemd timers instead)
  • Ubuntu: APT, full Ubuntu package repositories, cron available, broader package selection

Container runtime

Both use containerd. The Ubuntu EKS images include a pre-configured containerd setup tested against EKS. A known issue existed with containerd 1.7.22+ and AWS VPC CNI on AL2023 nodes (caused aws-node pod crashes). This was an AL2023-specific packaging issue resolved by AWS - not a cross-OS incompatibility.

Boot process

Per Marty Sweet's October 2023 benchmarks (c6a.2xlarge, unencrypted gp3 20GiB):

  • AL2 EKS: 13.63 seconds to user-data execution
  • Ubuntu 20.04 LTS EKS: 32.64 seconds
  • AL2023 (general purpose): fastest overall

The slower Ubuntu boot is attributed to larger image size (more blocks to fetch from S3-backed AMI snapshots) and more extensive cloud-init processing. This matters for Karpenter-driven scaling where new nodes need to be ready quickly to handle workload spikes. The difference is less pronounced on instance stop/start (~14s for Ubuntu 22.04 vs. sub-10s for AL2023).

Deployment mechanics

Ubuntu on EKS requires:

  1. Locating the correct AMI ID from cloud-images.ubuntu.com/docs/aws/eks/
  2. Creating an EC2 launch template with the Ubuntu AMI ID and bootstrap user-data (/etc/eks/bootstrap.sh <cluster-name>)
  3. Creating a managed or self-managed node group referencing that launch template

This is an extra step compared to AL2023's "select amiFamily: AmazonLinux2023 in eksctl" simplicity.

Evidence, comparisons, and related context

Boot time benchmark (independent)

The Marty Sweet benchmark (October 2023) is the most concrete quantitative comparison found. It directly tested EKS-specific AMIs and found Ubuntu 20.04 EKS took 2.4× longer to reach user-data execution than AL2 EKS. While this predates Ubuntu 24.04 EKS AMIs (which may have improved boot times), no newer equivalent benchmark was found. Caveat: The benchmark used Ubuntu 20.04, not 22.04 or 24.04.

Kernel and eBPF support

Ubuntu's newer kernel (6.8+) provides better out-of-the-box eBPF support with BTF (BPF Type Format) enabled, which is important for modern Kubernetes networking/security tools like Cilium and Falco. AL2023's kernel 6.1 also supports eBPF and BTF, but Ubuntu 22.04+ images have more extensively tested BTF coverage. This is a practical advantage for teams running eBPF-based tooling.

Ubuntu Pro vs. AWS support model

  • AL2023: Security patches come from AWS as part of the base service. No additional per-node cost beyond EC2. Support through AWS Support plans.
  • Ubuntu Pro: Per-vCPU-hour cost (e.g., $0.045/hr for t3.medium). Adds kernel Livepatch, 10-year ESM for "main" packages, ESM-Apps for "universe" packages (Kafka, MongoDB, NGINX, Redis, etc.), CIS hardening profiles, FIPS 140-3 modules, and optional 24/7 phone support. Up to 15 years total coverage with Legacy add-on.
  • Ubuntu Pro also extends Kubernetes version support by 12 months beyond EKS standard support, aligning node OS patching with the full EKS extended support lifecycle.

Bottlerocket comparison

Bottlerocket is the other "non-AL2023" AWS-supported option. It takes the opposite philosophy from Ubuntu:

  • Bottlerocket: immutable root FS, no package manager, no SSH, atomic updates, minimal attack surface - container workloads only
  • Ubuntu: traditional Linux, SSH access, apt package management, flexible for debugging and mixed workloads

Teams that need to SSH into nodes, install custom agents, or run non-container processes will prefer Ubuntu over Bottlerocket. Teams prioritizing security posture and minimal maintenance will prefer Bottlerocket.

Canonical-AWS partnership depth

AWS VP of Compute Services Deepak Singh publicly endorsed Ubuntu Pro in 2019, and AWS VP of Kubernetes Barry Cooks endorsed Ubuntu Pro for EKS in 2024. The jointly-developed linux-aws kernel is a concrete technical artifact of this partnership, not just a marketing arrangement. Ubuntu Pro images are available directly through AWS Marketplace with integrated billing.

Cross-cloud consistency

A key Ubuntu advantage not captured in EKS-specific comparisons: teams running multi-cloud Kubernetes (EKS + AKS + GKE + on-prem) can standardize on Ubuntu across all environments, using the same package management, security tooling, and operational procedures. NVIDIA's Terraform modules for GPU-accelerated Kubernetes explicitly support Ubuntu 22.04 LTS on EKS with kernel 6.8.0-1024-aws - indicating real production use.

Limitations and critiques

  1. Boot time impact on autoscaling: Ubuntu's ~2× slower boot directly increases the latency between Karpenter deciding to provision a node and that node being ready to accept pods. For latency-sensitive or bursty workloads, this could require maintaining larger warm-node buffers, partially offsetting cost savings from dynamic scaling.

  2. Not "first-party" from AWS perspective: Ubuntu EKS AMIs are classified as "partner AMIs" in AWS documentation. AWS support engineers are primarily trained on AL2023 and Bottlerocket. If you open a support ticket about a node issue on Ubuntu, AWS may redirect you to Canonical or be less able to help. (Source: AWS re:Post discussion where support stated custom kernels "may cause compatibility issues and isn't a supported configuration".)

  3. Extra operational complexity: Every node group requires a launch template with the correct AMI ID and bootstrap script. AMI IDs are region-specific and change with releases. Teams need automation to track and update these - more work than amiFamily: AmazonLinux2023 in eksctl.

  4. Ubuntu Pro cost at scale: At $0.045/hr for a t3.medium, Ubuntu Pro adds ~$32/month per node. For a 100-node cluster, that's ~$3,200/month in additional OS licensing, on top of EC2 costs. This needs to be weighed against the value of Livepatch, ESM, and compliance features.

  5. Security update cadence: Canonical controls the release of updated Ubuntu EKS AMIs. While Canonical publishes updates regularly, AWS controls the AL2023 release cadence directly and can coordinate security patches with EKS platform updates. This could theoretically result in slightly slower patch delivery for Ubuntu, though no concrete evidence of this was found in sources.

  6. Benchmark data limitations: The most compelling performance comparison (Marty Sweet, Oct 2023) used Ubuntu 20.04, not 22.04 or 24.04. Ubuntu 22.04/24.04 boot times may be different. No head-to-head workload performance benchmarks (e.g., TPC-DS, application throughput) comparing Ubuntu vs. AL2023 on EKS were found. This is a significant evidence gap.

  7. IRSA and security model differences: AL2023 enforces IMDSv2 and blocks pod access to node IAM roles by default, pushing teams toward IRSA (IAM Roles for Service Accounts) - a stronger security posture. Ubuntu EKS images can be configured similarly but don't enforce this by default, potentially leaving less-disciplined teams with weaker pod security boundaries.
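
The launch template from "Deployment mechanics" and the IMDS gap in item 7 meet in one place: the template's MetadataOptions. The following is an added example, not code from Canonical or AWS. It builds LaunchTemplateData (the shape accepted by `aws ec2 create-launch-template --launch-template-data`) with IMDSv2 pinned, then audits a template for the weak settings described above. The AMI ID is a placeholder, and the cluster name and function names are hypothetical.

```python
import base64
import shlex

def build_launch_template_data(ami_id, cluster_name):
    """LaunchTemplateData for an Ubuntu EKS node with IMDS pinned explicitly."""
    user_data = (
        "#!/bin/bash\nset -euo pipefail\n"
        f"/etc/eks/bootstrap.sh {shlex.quote(cluster_name)}\n"
    )
    return {
        "ImageId": ami_id,
        "UserData": base64.b64encode(user_data.encode()).decode(),
        "MetadataOptions": {
            "HttpEndpoint": "enabled",
            "HttpTokens": "required",      # IMDSv2 only, no unauthenticated v1 GETs
            "HttpPutResponseHopLimit": 1,  # token reply cannot cross the pod network hop
        },
    }

def audit_launch_template_data(data):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    md = data.get("MetadataOptions")
    if md is None:
        findings.append("MetadataOptions absent: IMDS behaviour left to AMI/account defaults")
    elif md.get("HttpEndpoint") != "disabled":
        if md.get("HttpTokens") != "required":
            findings.append("HttpTokens is not 'required': IMDSv1 requests are accepted")
        if md.get("HttpPutResponseHopLimit") != 1:
            findings.append("HttpPutResponseHopLimit is not pinned to 1: pods may reach node credentials")
    try:
        script = base64.b64decode(data.get("UserData", ""), validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        script = ""
        findings.append("UserData is not valid base64 text")
    if "/etc/eks/bootstrap.sh" not in script:
        findings.append("UserData never calls /etc/eks/bootstrap.sh: node will not join the cluster")
    if not str(data.get("ImageId", "")).startswith("ami-"):
        findings.append("ImageId is missing or not an AMI ID")
    return findings

# Constructed samples: placeholder AMI ID and hypothetical cluster name.
HARDENED = build_launch_template_data("ami-EXAMPLE0000000000", "demo-cluster")
WEAK = {**HARDENED, "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}

if __name__ == "__main__":
    for name, tpl in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_launch_template_data(tpl) or "OK")
```

Pods that run with hostNetwork share the node's network namespace and still reach IMDS at hop limit 1, so the audit complements IRSA rather than replacing it.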

Open questions

  • What are the boot times for Ubuntu 22.04 and 24.04 EKS AMIs compared to AL2023 on current-generation instances? No benchmark newer than October 2023 was found.
  • Are there any published workload-level performance benchmarks (application throughput, network performance, I/O) comparing Ubuntu vs. AL2023 on identical EKS clusters? None were found in this research.
  • How does Canonical's security patch turnaround for EKS AMIs compare to AWS's for AL2023 in practice? No quantitative data was found.
  • What percentage of EKS production clusters run Ubuntu, and what is the trend? No adoption statistics specific to EKS node OS choice were found.
  • Does Ubuntu 24.04 EKS offer materially better boot performance than 20.04 EKS, potentially narrowing the gap with AL2023?

Practical takeaways

  • Default to AL2023 unless you have a specific reason for Ubuntu. It's the path of least resistance: faster boot, simpler configuration (amiFamily: AmazonLinux2023), and AWS-first support.
  • Choose Ubuntu if your organization is already standardized on Ubuntu across environments (on-prem, other clouds, developer workstations). The operational consistency benefit outweighs the boot time cost for most established Ubuntu shops.
  • Choose Ubuntu Pro if you need 10+ year security maintenance, FIPS compliance, CIS hardening, or kernel Livepatch and prefer Canonical's support model over AWS's. The per-node cost is modest for regulated workloads.
  • Choose Bottlerocket over Ubuntu if security posture is the primary driver and you don't need SSH access or traditional package management on your nodes.
  • If using Karpenter or dynamic scaling with Ubuntu, test your specific boot times and consider maintaining a small warm-node buffer to compensate for the ~20-second boot time delta.
  • Automate AMI ID tracking when using Ubuntu - the AMI IDs change per release and per region. Use SSM Parameter Store or a script that queries cloud-images.ubuntu.com to always deploy the latest tested image.
  • If switching from AL2 to Ubuntu (skipping AL2023), audit your dependencies. AL2023's removals (Python 2.7, amazon-linux-extras, cron, EPEL) don't affect you on Ubuntu, but you will need to adapt any AL2-specific user-data scripts to Ubuntu conventions.

Sources used