Configure Bottlerocket container instances to support Container Security deployment by enabling privileged containers.
Before you begin
- Access to your Bottlerocket container instances through AWS Systems Manager Session Manager or SSH.
- Administrative privileges to modify instance settings.
- An active Amazon ECS cluster using the Bottlerocket AMI.
Important: Amazon ECS clusters using the Bottlerocket AMI do not support Container Security by default. Bottlerocket disables privileged containers by default, which prevents the Container Security Scout daemonset from deploying to container instances.
The Scout daemonset requires the com.amazonaws.ecs.capability.privileged-container attribute to function. Bottlerocket sets settings.ecs.allow-privileged-containers to false by default, which blocks this deployment.
Note: Enabling privileged containers on Bottlerocket instances allows containers to run with elevated permissions. Ensure this configuration aligns with your organization's security requirements before proceeding.
Procedure
- Connect to your Bottlerocket container instance using AWS Systems Manager Session Manager or SSH.
- Enter the admin container.
- Enable privileged containers by running the following command:
  apiclient set --json '{ "settings": { "ecs": { "allow-privileged-containers": true } } }'
- Reboot the instance to ensure all settings are applied.
- Verify that the attribute has been added by checking the container instance attributes in the Amazon ECS console. Look for the com.amazonaws.ecs.capability.privileged-container attribute.
The Container Security Scout daemonset automatically deploys to the instance once the com.amazonaws.ecs.capability.privileged-container attribute is detected.
Note: You must perform this configuration on each Bottlerocket container instance in your ECS cluster. To automate this process, consider using EC2 user data or AWS Systems Manager automation documents.
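The following Python script is an added example, not part of this documentation or of the Container Security product. It shows the two pieces a practitioner typically wants around the procedure above: rendering the setting for automated rollout (the same JSON that the apiclient command takes, plus a Bottlerocket user-data TOML fragment, which is the format Bottlerocket reads at boot), and auditing a cluster for instances that still lack the com.amazonaws.ecs.capability.privileged-container attribute by parsing the JSON that `aws ecs describe-container-instances` returns. The cluster name and the instance IDs in the sample response are constructed values; the ecs.os-type attribute is a standard ECS agent attribute used only as filler.

```python
import json

# Attribute the Scout daemonset requires (name taken from the page).
PRIVILEGED_ATTR = "com.amazonaws.ecs.capability.privileged-container"


def apiclient_payload() -> str:
    """Return the JSON document passed to `apiclient set --json` on the page."""
    return json.dumps({"settings": {"ecs": {"allow-privileged-containers": True}}})


def bottlerocket_user_data(cluster: str) -> str:
    """Render a Bottlerocket user-data TOML fragment so that new instances
    join the cluster with privileged containers already enabled.
    The cluster name is a caller-supplied value (constructed in the demo)."""
    return (
        "[settings.ecs]\n"
        f'cluster = "{cluster}"\n'
        "allow-privileged-containers = true\n"
    )


def instances_missing_attribute(describe_output: str) -> list:
    """Given the JSON text from `aws ecs describe-container-instances`,
    return the EC2 instance IDs that do NOT carry the privileged-container
    attribute, i.e. the instances the Scout daemonset cannot deploy to."""
    data = json.loads(describe_output)
    missing = []
    for ci in data.get("containerInstances", []):
        names = {attr.get("name") for attr in ci.get("attributes", [])}
        if PRIVILEGED_ATTR not in names:
            missing.append(ci.get("ec2InstanceId", ci.get("containerInstanceArn", "?")))
    return missing


# Constructed sample response: one instance already configured, one not.
SAMPLE_DESCRIBE = json.dumps({
    "containerInstances": [
        {"ec2InstanceId": "i-0aaaaaaaaaaaaaaa1",
         "attributes": [{"name": "ecs.os-type", "value": "linux"},
                        {"name": PRIVILEGED_ATTR}]},
        {"ec2InstanceId": "i-0bbbbbbbbbbbbbbb2",
         "attributes": [{"name": "ecs.os-type", "value": "linux"}]},
    ]
})

if __name__ == "__main__":
    print("apiclient payload:", apiclient_payload())
    print("user data:\n" + bottlerocket_user_data("example-cluster"))
    print("Instances still missing the attribute:",
          instances_missing_attribute(SAMPLE_DESCRIBE))
```

Run it against real output by piping `aws ecs describe-container-instances --cluster <name> --container-instances <arns...>` into instances_missing_attribute; an empty list means every instance has registered the attribute and is eligible for the Scout daemonset.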
Next steps
For more information about Bottlerocket ECS settings, see the Bottlerocket documentation.
