AWS recently released the public preview of Bottlerocket OS, an operating system optimized to run orchestrated containers at scale. Bottlerocket OS is a secure, fast and easy to manage, Linux-based operating system. With EKS as the cluster control plane, Bottlerocket instances join the cluster as workers. It also works out of the box with one of our GitOps models, Fork Clone Run.


In this post, we’ll demonstrate how to perform GitOps operations on an EKS cluster backed by these new Bottlerocket instances.


In addition to a GitHub account, you’ll need these four command line programs installed on your system in order to run this tutorial:

  1. kubectl - we used version 1.14.9 (install kubectl)
  2. a recent version of the aws CLI - we used 1.16.266 (install the aws CLI)
  3. eksctl - we used 0.14.0 (install eksctl)
  4. the git CLI (install the git CLI)

Let’s fork, clone, run!

  1. Fork a new repository from the base Bottlerocket GitOps repository at
  2. Clone the repository to a local folder.
    `git clone<your-github-username>/gitops-bottlerocket`
  3. Run the setup process by changing into the directory and running our setup script.
    `cd gitops-bottlerocket`

What does `` do?

  • It creates an EKS cluster with --nodes=0, starting the cluster with only the control plane and an empty node group.
  • It prepares all the necessary permissions to allow a Bottlerocket node to join our EKS node group.
  • Finally, it starts an EC2 node using the Bottlerocket AMI.

After the Bottlerocket node starts up and joins the cluster, the script turns our local Git repository into a GitOps configuration and deploys Flux and the Helm Operator for us.

In the final step of the GitOps setup, eksctl will display a public key. Add it to your repository fork as a Deploy Key with write access to complete the setup process.

After completing the Fork Clone Run steps, you’ll have a GitOps-ready Bottlerocket cluster as shown in the screenshot below. In the example screenshot, you can see the OS image listed as “Bottlerocket OS 0.3.0”, which is the public preview version of the OS.


Updating Bottlerocket

Updating Bottlerocket is secure by design via a TUF channel. Bottlerocket ships with an update agent, the Bottlerocket Update Operator. But before the update operator can be deployed, it currently requires the following label to be on each node.


Here’s the command to update the label on our GitOps Bottlerocket cluster:

$ kubectl label node \
  $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}') \

The script does not do this step automatically because we want to emphasize that this label is explicitly required by the operator manifest. The operator manifest already exists in the example GitOps-Bottlerocket repository. If you get a newer version of this manifest, activate it with Git commit and push commands.

$ git add update-operator.yaml
$ git commit -m "add update operator manifest"
$ git push


After deploying the operator, you’ll see a number of pods running. First, you’ll see a controller pod that is the operator itself. Second, an update agent will be running on each Bottlerocket node. These agents are responsible for doing real-time updates to a Bottlerocket node. Whenever a new version of Bottlerocket is pushed into the TUF channel, the agent takes care of all the tedious work for us.


And all nodes got updated to Bottlerocket 0.3.1 automatically!
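
One way to check the label requirement and the update result described above, as an added example that is not from the original post or the Bottlerocket project: it audits node data in the shape of `kubectl get nodes -o json`. The label key, node names and sample records are constructed placeholders, because the page does not show the actual label.

```python
# Added example: audit node labels and OS versions from `kubectl get nodes -o json`.

# Placeholder (assumption): the page does not show the label the operator requires.
REQUIRED_LABEL = "example.invalid/required-by-update-operator"

def _node(name, os_image, labels):
    """Build a constructed node record with only the fields this audit reads."""
    return {"metadata": {"name": name, "labels": labels},
            "status": {"nodeInfo": {"osImage": os_image}}}

# Constructed sample in the shape of `kubectl get nodes -o json`.
SAMPLE_NODES = {"items": [
    _node("node-a.example.internal", "Bottlerocket OS 0.3.1", {REQUIRED_LABEL: "1.0.0"}),
    _node("node-b.example.internal", "Bottlerocket OS 0.3.0", {}),
    _node("node-c.example.internal", "Amazon Linux 2", {}),
]}

def _version(text):
    """Parse '0.3.1' into (0, 3, 1); return None if it is not dotted integers."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def audit_nodes(node_list, required_label, expected_version):
    """Report nodes missing the required label or running an older OS image."""
    expected = _version(expected_version)
    if expected is None:
        raise ValueError("expected_version must look like 0.3.1")
    findings = {"unlabeled": [], "outdated": [], "not_bottlerocket": []}
    for node in node_list.get("items", []):
        meta = node.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        os_image = node.get("status", {}).get("nodeInfo", {}).get("osImage", "")
        if not os_image.startswith("Bottlerocket OS "):
            findings["not_bottlerocket"].append(name)
            continue
        # The page states the operator requires this label on each node.
        if required_label not in (meta.get("labels") or {}):
            findings["unlabeled"].append(name)
        running = os_image[len("Bottlerocket OS "):]
        parsed = _version(running)
        if parsed is None or parsed < expected:
            findings["outdated"].append((name, running))
    return findings

if __name__ == "__main__":
    print(audit_nodes(SAMPLE_NODES, REQUIRED_LABEL, "0.3.1"))
```

To run it against a live cluster, load the output of `kubectl get nodes -o json` with `json.load` and pass it in place of `SAMPLE_NODES`, together with the real label key from the operator manifest.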


We are excited to welcome Bottlerocket OS, a new container-optimized operating system from AWS. This post showed that our Fork Clone Run model works nicely to enable GitOps on a Bottlerocket cluster. Bottlerocket OS simplifies and speeds up Kubernetes cluster creation, providing a seamless, secure GitOps user experience.