kubernetes · rifelpet · Jan 30, 2026
diff --git a/nodeup/pkg/model/packages.go b/nodeup/pkg/model/packages.go
@@ -56,7 +56,7 @@ func (b *PackagesBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 			// install iptables-nft in al2023 (NOT the iptables-legacy!)
 			c.AddTask(&nodetasks.Package{Name: "iptables-nft"})
 		case distributions.DistributionRhel8, distributions.DistributionRhel9,
-			distributions.DistributionRocky8, distributions.DistributionAmazonLinux2:
+			distributions.DistributionRocky8:
 			c.AddTask(&nodetasks.Package{Name: "iptables"})
 		default:
 			c.AddTask(&nodetasks.Package{Name: "nftables"})
@@ -66,11 +66,7 @@ func (b *PackagesBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 			c.AddTask(&nodetasks.Package{Name: "nftables"})
 		}
 		c.AddTask(&nodetasks.Package{Name: "util-linux"})
-		// Handle some packages differently for each distro
-		// Amazon Linux 2 doesn't have SELinux enabled by default
-		if b.Distribution != distributions.DistributionAmazonLinux2 {
-			c.AddTask(&nodetasks.Package{Name: "container-selinux"})
-		}
+		c.AddTask(&nodetasks.Package{Name: "container-selinux"})
 		// Additional packages
 		for _, additionalPackage := range b.NodeupConfig.Packages {
 			c.EnsureTask(&nodetasks.Package{Name: additionalPackage})

diff --git a/nodeup/pkg/model/sysctls.go b/nodeup/pkg/model/sysctls.go
@@ -134,19 +134,6 @@ func (b *SysctlBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 			"")
 	}
 
-	// Running Flannel on Amazon Linux 2 needs custom settings
-	if b.NodeupConfig.Networking.Flannel != nil && b.Distribution == distributions.DistributionAmazonLinux2 && b.NodeupConfig.KubeProxy != nil {
-		proxyMode := b.NodeupConfig.KubeProxy.ProxyMode
-		if proxyMode == "" || proxyMode == "iptables" {
-			sysctls = append(sysctls,
-				"# Flannel settings on Amazon Linux 2",
-				"# Issue https://github.com/coreos/flannel/issues/902",
-				"net.bridge.bridge-nf-call-ip6tables=1",
-				"net.bridge.bridge-nf-call-iptables=1",
-				"")
-		}
-	}
-
 	if b.IsIPv6Only() {
 		if b.Distribution == distributions.DistributionDebian11 {
 			// Accepting Router Advertisements must be enabled for each existing network interface to take effect.

diff --git a/pkg/resources/aws/aws.go b/pkg/resources/aws/aws.go
@@ -472,7 +472,7 @@ func (s *dumpState) getImageInfo(imageID string) (*imageInfo, error) {
 func guessSSHUser(image *ec2types.Image) string {
 	owner := aws.ToString(image.OwnerId)
 	switch owner {
-	case awsup.WellKnownAccountAmazonLinux2, awsup.WellKnownAccountRedhat:
+	case awsup.WellKnownAccountAmazonLinux2023, awsup.WellKnownAccountRedhat:
 		return "ec2-user"
 	case awsup.WellKnownAccountDebian:
 		return "admin"

diff --git a/tests/e2e/pkg/tester/skip_regex.go b/tests/e2e/pkg/tester/skip_regex.go
@@ -136,8 +136,6 @@ func (t *Tester) setSkipRegexFlag() error {
 			// SupplementalGroupsPolicy requires containerd v2 but we're pinning these distros to container v1.7:
 			// https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#implementations-supplementalgroupspolicy
 			// https://github.com/kubernetes/test-infra/blob/0fa3c1f53ee2b715469380f9e50200d6b7612dff/config/jobs/kubernetes/kops/helpers.py#L107-L109
-			// amazonlinux2 isn't included here because we pin it to K8s 1.34 which doesn't include these tests:
-			// https://github.com/kubernetes/test-infra/blob/0fa3c1f53ee2b715469380f9e50200d6b7612dff/config/jobs/kubernetes/kops/build_jobs.py#L1355-L1357
 			skipMap["SupplementalGroupsPolicy"] = nil
 		}
 		if matchesAnySubstrings(ig.Spec.Image, []string{

diff --git a/upup/pkg/fi/cloudup/awsup/aws_cloud.go b/upup/pkg/fi/cloudup/awsup/aws_cloud.go
@@ -105,12 +105,12 @@ const TagNameClusterOwnershipPrefix = "kubernetes.io/cluster/"
 const tagNameDetachedInstance = "kops.k8s.io/detached-from-asg"
 
 const (
-	WellKnownAccountAmazonLinux2 = "137112412989"
-	WellKnownAccountDebian       = "136693071363"
-	WellKnownAccountFlatcar      = "075585003325"
-	WellKnownAccountRedhat       = "309956199498"
-	WellKnownAccountUbuntu       = "099720109477"
-	WellKnownAccountRockyLinux   = "792107900819"
+	WellKnownAccountAmazonLinux2023 = "137112412989"
+	WellKnownAccountDebian          = "136693071363"
+	WellKnownAccountFlatcar         = "075585003325"
+	WellKnownAccountRedhat          = "309956199498"
+	WellKnownAccountUbuntu          = "099720109477"
+	WellKnownAccountRockyLinux      = "792107900819"
 )
 
 const instanceInServiceState = "InService"
@@ -1908,7 +1908,7 @@ func resolveImage(ctx context.Context, ssmClient awsinterfaces.SSMAPI, ec2Client
 			// Check for well known owner aliases
 			switch owner {
 			case "amazon", "amazon.com":
-				owner = WellKnownAccountAmazonLinux2
+				owner = WellKnownAccountAmazonLinux2023
 			case "debian10":
 				owner = WellKnownAccountDebian
 			case "debian11":

diff --git a/util/pkg/distributions/distributions.go b/util/pkg/distributions/distributions.go
@@ -63,7 +63,6 @@ var (
 	DistributionFedora42        = Distribution{packageFormat: "rpm", project: "fedora", id: "fedora42", version: 42}
 	DistributionFedora43        = Distribution{packageFormat: "rpm", project: "fedora", id: "fedora43", version: 43}
 	DistributionFedora44        = Distribution{packageFormat: "rpm", project: "fedora", id: "fedora44", version: 44}
-	DistributionAmazonLinux2    = Distribution{packageFormat: "rpm", project: "amazonlinux2", id: "amazonlinux2", version: 0}
 	DistributionAmazonLinux2023 = Distribution{packageFormat: "rpm", project: "amazonlinux2023", id: "amzn", version: 2023}
 
 	// Immutable distros
@@ -106,8 +105,6 @@ func (d *Distribution) HasDNF() bool {
 		return d.version >= 8
 	case "fedora":
 		return d.version >= 22
-	case "amazonlinux2":
-		return false
 	default:
 		klog.Warningf("unknown project for HasDNF (%q), assuming does support dnf", d.project)
 		return true
@@ -128,7 +125,7 @@ func (d *Distribution) DefaultUsers() ([]string, error) {
 		return []string{"ubuntu", "root"}, nil
 	case "centos":
 		return []string{"centos"}, nil
-	case "rhel", "amazonlinux2", "amazonlinux2023":
+	case "rhel", "amazonlinux2023":
 		return []string{"ec2-user"}, nil
 	case "rocky":
 		return []string{"rocky"}, nil
@@ -169,7 +166,7 @@ func (d *Distribution) ForceNftables() bool {
 
 	// These distros have working iptables or iptables-nft
 	switch *d {
-	case DistributionAmazonLinux2, DistributionAmazonLinux2023:
+	case DistributionAmazonLinux2023:
 		return false
 	case DistributionRhel8, DistributionRhel9:
 		return false

diff --git a/util/pkg/distributions/identify.go b/util/pkg/distributions/identify.go
@@ -48,8 +48,6 @@ func FindDistribution(rootfs string) (Distribution, error) {
 
 	// Most distros have a fixed VERSION_ID
 	switch distro {
-	case "amzn-2":
-		return DistributionAmazonLinux2, nil
 	case "amzn-2023":
 		return DistributionAmazonLinux2023, nil
 	case "debian-10":

diff --git a/util/pkg/distributions/identify_test.go b/util/pkg/distributions/identify_test.go
@@ -29,11 +29,6 @@ func TestFindDistribution(t *testing.T) {
 		err      error
 		expected Distribution
 	}{
-		{
-			rootfs:   "amazonlinux2",
-			err:      nil,
-			expected: DistributionAmazonLinux2,
-		},
 		{
 			rootfs:   "amazonlinux2023",
 			err:      nil,

diff --git a/util/pkg/distributions/tests/amazonlinux2/etc/os-release b/util/pkg/distributions/tests/amazonlinux2/etc/os-release