@shinyaz

BuildKit rootless doesn't work on EKS Auto Mode


Tried migrating from archived Kaniko to BuildKit, but rootless mode failed on EKS Auto Mode nodes.

Output
[rootlesskit:parent] /proc/sys/user/max_user_namespaces needs to be set to non-zero.
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: no space left on device

BuildKit rootless uses RootlessKit internally, which requires Linux user namespaces. EKS Auto Mode nodes are AWS-managed EC2 instances with max_user_namespaces=0, and kernel parameters can't be modified.

Also tried --oci-worker-no-process-sandbox with seccompProfile: Unconfined, but in privileged mode it errors with can't enable NoProcessSandbox without Rootless, and in rootless mode RootlessKit can't start without user namespaces. Neither path works.

Ended up using securityContext.privileged: true. Unlike Kaniko, which runs unprivileged, BuildKit on EKS Auto Mode requires privileged access — a security tradeoff to be aware of. Full details in the extra post.
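A preflight check for the condition described above, added here as an example and not taken from the post: it reads the max_user_namespaces sysctl that RootlessKit depends on and reports whether rootless BuildKit has any chance of starting on the node, so the fallback to securityContext.privileged: true is a deliberate decision rather than a surprise in the pod logs. The function names and the path parameter are this example's own assumptions; the path is a parameter so the check can also be run against a constructed file.

```shell
#!/bin/sh
# RootlessKit (used by BuildKit rootless) needs Linux user namespaces. The kernel
# exposes the limit at /proc/sys/user/max_user_namespaces; a value of 0 is the
# EKS Auto Mode case from the post, where the sysctl cannot be changed.
#
# Exit status: 0 = rootless can work, 1 = blocked (limit is 0),
#              2 = sysctl missing/unreadable/non-numeric (treat as unknown).
# The path argument is optional and exists so the check can be exercised
# against a constructed file instead of the live node.
userns_status() {
  path="${1:-/proc/sys/user/max_user_namespaces}"
  [ -r "$path" ] || return 2
  value=$(cat "$path" 2>/dev/null | tr -d '[:space:]')
  case "$value" in
    ''|*[!0-9]*) return 2 ;;   # empty or not a number: unknown
    0)           return 1 ;;   # user namespaces disabled: rootlesskit will fail
    *)           return 0 ;;   # any positive limit: rootless mode is viable
  esac
}

# One-line verdict for an init container or a pre-deploy script.
# Written with if/else so it behaves correctly under "set -e".
userns_verdict() {
  if userns_status "$1"; then rc=0; else rc=$?; fi
  case "$rc" in
    0) echo "rootless: ok (max_user_namespaces > 0)" ;;
    1) echo "rootless: blocked (max_user_namespaces=0); only securityContext.privileged: true remains" ;;
    *) echo "rootless: unknown (sysctl not readable)" ;;
  esac
}

# Stand-alone use on a node: ./check.sh --check
if [ "${1:-}" = "--check" ]; then
  userns_verdict
fi
```

Run it in an init container on the target node pool before rolling out a rootless BuildKit deployment; a "blocked" verdict means the privileged path, with its wider blast radius, is the only option on that node.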


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.