feat: Added evictionHard, kubeReserved and podsPerCore to Provisioner (#2444)

Author: jonathan-innis

charts/karpenter/crds/karpenter.sh_provisioners.yaml

@@ -62,10 +62,35 @@ spec:
                     description: ContainerRuntime is the container runtime to be used
                       with your worker nodes.
                     type: string
+                  evictionHard:
+                    additionalProperties:
+                      type: string
+                    description: EvictionHard is the map of signal names to quantities
+                      that define hard eviction thresholds
+                    type: object
+                  kubeReserved:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: KubeReserved contains resources reserved for Kubernetes
+                      system components.
+                    type: object
                   maxPods:
                     description: MaxPods is an override for the maximum number of
                       pods that can run on a worker node instance.
                     format: int32
+                    minimum: 0
+                    type: integer
+                  podsPerCore:
+                    description: PodsPerCore is an override for the number of pods
+                      that can run on a worker node instance based on the number of
+                      cpu cores. This value cannot exceed MaxPods, so, if MaxPods
+                      is a lower value, that value will be used.
+                    format: int32
+                    minimum: 0
                     type: integer
                   systemReserved:
                     additionalProperties:

pkg/apis/provisioning/v1alpha5/provisioner.go

@@ -120,10 +120,24 @@ type KubeletConfiguration struct {
 	ContainerRuntime *string `json:"containerRuntime,omitempty"`
 	// MaxPods is an override for the maximum number of pods that can run on
 	// a worker node instance.
+	// +kubebuilder:validation:Minimum:=0
 	// +optional
 	MaxPods *int32 `json:"maxPods,omitempty"`
+	// PodsPerCore is an override for the number of pods that can run on a worker node
+	// instance based on the number of cpu cores. This value cannot exceed MaxPods, so, if
+	// MaxPods is a lower value, that value will be used.
+	// +kubebuilder:validation:Minimum:=0
+	// +optional
+	PodsPerCore *int32 `json:"podsPerCore,omitempty"`
 	// SystemReserved contains resources reserved for OS system daemons and kernel memory.
+	// +optional
 	SystemReserved v1.ResourceList `json:"systemReserved,omitempty"`
+	// KubeReserved contains resources reserved for Kubernetes system components.
+	// +optional
+	KubeReserved v1.ResourceList `json:"kubeReserved,omitempty"`
+	// EvictionHard is the map of signal names to quantities that define hard eviction thresholds
+	// +optional
+	EvictionHard map[string]string `json:"evictionHard,omitempty"`
 }
 
 // Provisioner is the Schema for the Provisioners API

pkg/apis/provisioning/v1alpha5/provisioner_validation.go

@@ -18,9 +18,11 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"strings"
 
 	"go.uber.org/multierr"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"knative.dev/pkg/apis"
@@ -36,6 +38,22 @@ var (
 		string(v1.NodeSelectorOpExists),
 		string(v1.NodeSelectorOpDoesNotExist),
 	)
+
+	SupportedReservedResources = sets.NewString(
+		v1.ResourceCPU.String(),
+		v1.ResourceMemory.String(),
+		v1.ResourceEphemeralStorage.String(),
+		"pid",
+	)
+
+	SupportedEvictionSignals = sets.NewString(
+		"memory.available",
+		"nodefs.available",
+		"nodefs.inodesFree",
+		"imagefs.available",
+		"imagefs.inodesFree",
+		"pid.available",
+	)
 )
 
 const (
@@ -84,6 +102,7 @@ func (s *ProvisionerSpec) Validate(ctx context.Context) (errs *apis.FieldError)
 		s.validateLabels(),
 		s.validateTaints(),
 		s.validateRequirements(),
+		s.validateKubeletConfiguration(),
 	)
 }
 
@@ -173,6 +192,76 @@ func (s *ProvisionerSpec) validateProvider() *apis.FieldError {
 	return nil
 }
 
+func (s *ProvisionerSpec) validateKubeletConfiguration() (errs *apis.FieldError) {
+	if s.KubeletConfiguration == nil {
+		return
+	}
+	return errs.Also(
+		s.KubeletConfiguration.validateEvictionHard(),
+		s.KubeletConfiguration.validateKubeReserved(),
+		s.KubeletConfiguration.validateSystemReserved(),
+	)
+}
+
+func (kc *KubeletConfiguration) validateKubeReserved() (errs *apis.FieldError) {
+	if kc.KubeReserved == nil {
+		return
+	}
+	for k, v := range kc.KubeReserved {
+		if !SupportedReservedResources.Has(k.String()) {
+			errs = errs.Also(apis.ErrInvalidKeyName(k.String(), "kubeReserved"))
+		}
+		if v.Value() < 0 {
+			errs = errs.Also(apis.ErrInvalidValue(v.String(), fmt.Sprintf(`kubeReserved["%s"]`, k), "Value cannot be a negative resource quantity"))
+		}
+	}
+	return errs
+}
+
+func (kc *KubeletConfiguration) validateSystemReserved() (errs *apis.FieldError) {
+	if kc.SystemReserved == nil {
+		return
+	}
+	for k, v := range kc.SystemReserved {
+		if !SupportedReservedResources.Has(k.String()) {
+			errs = errs.Also(apis.ErrInvalidKeyName(k.String(), "systemReserved"))
+		}
+		if v.Value() < 0 {
+			errs = errs.Also(apis.ErrInvalidValue(v.String(), fmt.Sprintf(`systemReserved["%s"]`, k), "Value cannot be a negative resource quantity"))
+		}
+	}
+	return errs
+}
+
+func (kc *KubeletConfiguration) validateEvictionHard() (errs *apis.FieldError) {
+	if kc.EvictionHard == nil {
+		return
+	}
+	for k, v := range kc.EvictionHard {
+		if !SupportedEvictionSignals.Has(k) {
+			errs = errs.Also(apis.ErrInvalidKeyName(k, "evictionHard"))
+		}
+		if strings.HasSuffix(v, "%") {
+			p, err := strconv.ParseFloat(strings.Trim(v, "%"), 64)
+			if err != nil {
+				errs = errs.Also(apis.ErrInvalidValue(v, fmt.Sprintf(`evictionHard["%s"]`, k), fmt.Sprintf("Value could not be parsed as a percentage value, %v", err.Error())))
+			}
+			if p < 0 {
+				errs = errs.Also(apis.ErrInvalidValue(v, fmt.Sprintf(`evictionHard["%s"]`, k), "Percentage values cannot be negative"))
+			}
+			if p > 100 {
+				errs = errs.Also(apis.ErrInvalidValue(v, fmt.Sprintf(`evictionHard["%s"]`, k), "Percentage values cannot be greater than 100"))
+			}
+		} else {
+			_, err := resource.ParseQuantity(v)
+			if err != nil {
+				errs = errs.Also(apis.ErrInvalidValue(v, fmt.Sprintf("evictionHard[%s]", k), fmt.Sprintf("Value could not be parsed as a resource quantity, %v", err.Error())))
+			}
+		}
+	}
+	return errs
+}
+
 func ValidateRequirement(requirement v1.NodeSelectorRequirement) error { //nolint:gocyclo
 	var errs error
 	if normalized, ok := NormalizedLabels[requirement.Key]; ok {

pkg/apis/provisioning/v1alpha5/suite_test.go

@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"k8s.io/apimachinery/pkg/api/resource"
 
 	"github.com/Pallinder/go-randomdata"
 	. "github.com/onsi/ginkgo/v2"
@@ -267,4 +268,67 @@ var _ = Describe("Validation", func() {
 			}
 		})
 	})
+	Context("KubeletConfiguration", func() {
+		It("should fail on kubeReserved with invalid keys", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				KubeReserved: v1.ResourceList{
+					v1.ResourcePods: resource.MustParse("2"),
+				},
+			}
+			Expect(provisioner.Validate(ctx)).ToNot(Succeed())
+		})
+		It("should fail on systemReserved with invalid keys", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				SystemReserved: v1.ResourceList{
+					v1.ResourcePods: resource.MustParse("2"),
+				},
+			}
+			Expect(provisioner.Validate(ctx)).ToNot(Succeed())
+		})
+		It("should succeed on evictionHard with valid keys", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				EvictionHard: map[string]string{
+					"memory.available":   "5%",
+					"nodefs.available":   "10%",
+					"nodefs.inodesFree":  "15%",
+					"imagefs.available":  "5%",
+					"imagefs.inodesFree": "5%",
+					"pid.available":      "5%",
+				},
+			}
+			Expect(provisioner.Validate(ctx)).To(Succeed())
+		})
+		It("should fail on evictionHard with invalid keys", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				EvictionHard: map[string]string{
+					"memory": "5%",
+				},
+			}
+			Expect(provisioner.Validate(ctx)).ToNot(Succeed())
+		})
+		It("should fail on invalid formatted percentage value in evictionHard", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				EvictionHard: map[string]string{
+					"memory.available": "5%3",
+				},
+			}
+			Expect(provisioner.Validate(ctx)).ToNot(Succeed())
+		})
+		It("should fail on invalid percentage value (too large) in evictionHard", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				EvictionHard: map[string]string{
+					"memory.available": "110%",
+				},
+			}
+			Expect(provisioner.Validate(ctx)).ToNot(Succeed())
+		})
+		It("should fail on invalid quantity value in evictionHard", func() {
+			provisioner.Spec.KubeletConfiguration = &KubeletConfiguration{
+				EvictionHard: map[string]string{
+					"memory.available": "110GB",
+				},
+			}
+			Expect(provisioner.Validate(ctx)).ToNot(Succeed())
+		})
+	})
 })

pkg/apis/provisioning/v1alpha5/zz_generated.deepcopy.go

@@ -92,3 +92,7 @@ func (a AL2) EphemeralBlockDevice() *string {
 func (a AL2) ENILimitedMemoryOverhead() bool {
 	return true
 }
+
+func (a AL2) PodsPerCoreEnabled() bool {
+	return true
+}

pkg/cloudprovider/aws/amifamily/al2.go

@@ -53,6 +53,8 @@ func (b Bottlerocket) Script() (string, error) {
 	}
 	if b.KubeletConfig != nil {
 		s.Settings.Kubernetes.SystemReserved = resources.StringMap(b.KubeletConfig.SystemReserved)
+		s.Settings.Kubernetes.KubeReserved = resources.StringMap(b.KubeletConfig.KubeReserved)
+		s.Settings.Kubernetes.EvictionHard = b.KubeletConfig.EvictionHard
 	}
 
 	s.Settings.Kubernetes.NodeTaints = map[string][]string{}

pkg/cloudprovider/aws/amifamily/bootstrap/bottlerocket.go

@@ -28,9 +28,8 @@ import (
 	"strings"
 	"sync"
 
-	"knative.dev/pkg/ptr"
-
 	"github.com/samber/lo"
+	"knative.dev/pkg/ptr"
 
 	"github.com/aws/karpenter/pkg/apis/provisioning/v1alpha5"
 )
@@ -46,6 +45,7 @@ const (
 	MIMEContentTypeHeaderTemplate = "Content-Type: multipart/mixed; boundary=\"%s\""
 )
 
+//nolint:gocyclo
 func (e EKS) Script() (string, error) {
 	var caBundleArg string
 	if e.CABundle != nil {
@@ -59,16 +59,21 @@ func (e EKS) Script() (string, error) {
 
 	kubeletExtraArgs := strings.Join([]string{e.nodeLabelArg(), e.nodeTaintArg()}, " ")
 
-	// Backwards compatibility for AWSENILimitedPodDensity flag
 	if e.KubeletConfig != nil && e.KubeletConfig.MaxPods != nil {
 		userData.WriteString(" \\\n--use-max-pods false")
 		kubeletExtraArgs += fmt.Sprintf(" --max-pods=%d", ptr.Int32Value(e.KubeletConfig.MaxPods))
 	} else if !e.AWSENILimitedPodDensity {
 		userData.WriteString(" \\\n--use-max-pods false")
 		kubeletExtraArgs += " --max-pods=110"
 	}
+	if e.KubeletConfig != nil && e.KubeletConfig.PodsPerCore != nil {
+		kubeletExtraArgs += fmt.Sprintf(" --pods-per-core=%d", ptr.Int32Value(e.KubeletConfig.PodsPerCore))
+	}
+
 	if e.KubeletConfig != nil {
 		kubeletExtraArgs += e.systemReservedArg()
+		kubeletExtraArgs += e.kubeReservedArg()
+		kubeletExtraArgs += e.evictionThresholdArg()
 	}
 	if e.ContainerRuntime != "" {
 		userData.WriteString(fmt.Sprintf(" \\\n--container-runtime %s", e.ContainerRuntime))
@@ -131,6 +136,36 @@ func (e EKS) systemReservedArg() string {
 	return ""
 }
 
+// kubeReservedArg gets the kubelet-defined arguments for any valid resource
+// values that are specified within the kube reserved resource list
+func (e EKS) kubeReservedArg() string {
+	var args []string
+	if e.KubeletConfig.KubeReserved != nil {
+		for k, v := range e.KubeletConfig.KubeReserved {
+			args = append(args, fmt.Sprintf("%v=%v", k.String(), v.String()))
+		}
+	}
+	if len(args) > 0 {
+		return " --kube-reserved=" + strings.Join(args, ",")
+	}
+	return ""
+}
+
+// evictionThresholdArg gets the kubelet-defined arguments for eviction
+// threshold values that are specified within the eviction threshold list
+func (e EKS) evictionThresholdArg() string {
+	var args []string
+	if e.KubeletConfig.EvictionHard != nil {
+		for k, v := range e.KubeletConfig.EvictionHard {
+			args = append(args, fmt.Sprintf("%v<%v", k, v))
+		}
+	}
+	if len(args) > 0 {
+		return " --eviction-hard=" + strings.Join(args, ",")
+	}
+	return ""
+}
+
 func (e EKS) mergeCustomUserData(userData *bytes.Buffer) (*bytes.Buffer, error) {
 	var outputBuffer bytes.Buffer
 	writer := multipart.NewWriter(&outputBuffer)

pkg/cloudprovider/aws/amifamily/bootstrap/eksbootstrap.go

@@ -85,3 +85,12 @@ func (b Bottlerocket) EphemeralBlockDevice() *string {
 func (b Bottlerocket) ENILimitedMemoryOverhead() bool {
 	return false
 }
+
+// PodsPerCoreEnabled is currently disabled for Bottlerocket AMIFamily because it does
+// not currently support the podsPerCore parameter passed through the kubernetes settings TOML userData
+// If a Provisioner sets the podsPerCore value when using the Bottlerocket AMIFamily in the provider,
+// podsPerCore will be ignored
+// https://github.com/bottlerocket-os/bottlerocket/issues/1721
+func (b Bottlerocket) PodsPerCoreEnabled() bool {
+	return false
+}

pkg/cloudprovider/aws/amifamily/bottlerocket.go

@@ -55,3 +55,7 @@ func (c Custom) EphemeralBlockDevice() *string {
 func (c Custom) ENILimitedMemoryOverhead() bool {
 	return true
 }
+
+func (c Custom) PodsPerCoreEnabled() bool {
+	return true
+}

pkg/cloudprovider/aws/amifamily/custom.go

@@ -77,6 +77,7 @@ type AMIFamily interface {
 	DefaultMetadataOptions() *v1alpha1.MetadataOptions
 	EphemeralBlockDevice() *string
 	ENILimitedMemoryOverhead() bool
+	PodsPerCoreEnabled() bool
 }
 
 // New constructs a new launch template Resolver

pkg/cloudprovider/aws/amifamily/resolver.go

@@ -66,3 +66,7 @@ func (u Ubuntu) EphemeralBlockDevice() *string {
 func (u Ubuntu) ENILimitedMemoryOverhead() bool {
 	return true
 }
+
+func (u Ubuntu) PodsPerCoreEnabled() bool {
+	return true
+}

pkg/cloudprovider/aws/amifamily/ubuntu.go

@@ -363,6 +363,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(1),
 					DefaultVCpus: aws.Int64(2),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -384,6 +385,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(1),
 					DefaultVCpus: aws.Int64(2),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -405,6 +407,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(2),
 					DefaultVCpus: aws.Int64(4),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -426,6 +429,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(16),
 					DefaultVCpus: aws.Int64(32),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -457,6 +461,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(16),
 					DefaultVCpus: aws.Int64(32),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -492,6 +497,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{v1alpha5.ArchitectureArm64}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(2),
 					DefaultVCpus: aws.Int64(2),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -513,6 +519,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(4),
 					DefaultVCpus: aws.Int64(8),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -539,6 +546,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(12),
 					DefaultVCpus: aws.Int64(24),
 				},
 				MemoryInfo: &ec2.MemoryInfo{
@@ -565,6 +573,7 @@ func (e *EC2API) DescribeInstanceTypesPagesWithContext(_ context.Context, _ *ec2
 					SupportedArchitectures: aws.StringSlice([]string{"x86_64"}),
 				},
 				VCpuInfo: &ec2.VCpuInfo{
+					DefaultCores: aws.Int64(48),
 					DefaultVCpus: aws.Int64(96),
 				},
 				MemoryInfo: &ec2.MemoryInfo{

pkg/cloudprovider/aws/fake/ec2api.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"math"
 	"regexp"
+	"strconv"
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -37,6 +38,10 @@ import (
 	"github.com/aws/karpenter/pkg/utils/resources"
 )
 
+const (
+	memoryAvailable = "memory.available"
+)
+
 var (
 	_                  cloudprovider.InstanceType = (*InstanceType)(nil)
 	instanceTypeScheme                            = regexp.MustCompile(`(^[a-z]+)(\-[0-9]+tb)?([0-9]+).*\.`)
@@ -49,7 +54,7 @@ type InstanceType struct {
 	requirements scheduling.Requirements
 	resources    v1.ResourceList
 	provider     *v1alpha1.AWS
-	maxPods      *int32
+	maxPods      *int64
 	region       string
 }
 
@@ -60,14 +65,7 @@ func NewInstanceType(ctx context.Context, info *ec2.InstanceTypeInfo, kc *v1alph
 		offerings:        offerings,
 		region:           region,
 	}
-
-	// set max pods before computing resources
-	// backwards compatibility for AWSENILimitedPodDensity flag
-	if kc != nil && kc.MaxPods != nil {
-		instanceType.maxPods = kc.MaxPods
-	} else if !injection.GetOptions(ctx).AWSENILimitedPodDensity {
-		instanceType.maxPods = ptr.Int32(110)
-	}
+	instanceType.maxPods = instanceType.computeMaxPods(ctx, kc)
 
 	// Precompute to minimize memory/compute overhead
 	instanceType.resources = instanceType.computeResources(injection.GetOptions(ctx).AWSEnablePodENI)
@@ -201,10 +199,7 @@ func (i *InstanceType) ephemeralStorage() *resource.Quantity {
 }
 
 func (i *InstanceType) pods() *resource.Quantity {
-	if i.maxPods != nil {
-		return resources.Quantity(fmt.Sprint(ptr.Int32Value(i.maxPods)))
-	}
-	return resources.Quantity(fmt.Sprint(i.eniLimitedPods()))
+	return resources.Quantity(fmt.Sprint(ptr.Int64Value(i.maxPods)))
 }
 
 func (i *InstanceType) awsPodENI(enablePodENI bool) *resource.Quantity {
@@ -251,17 +246,11 @@ func (i *InstanceType) awsNeurons() *resource.Quantity {
 }
 
 func (i *InstanceType) computeOverhead(vmMemOverhead float64, kc *v1alpha5.KubeletConfiguration) v1.ResourceList {
-	pods := i.pods()
-	amiFamily := amifamily.GetAMIFamily(i.provider.AMIFamily, &amifamily.Options{})
-	podsQuantity := pods.Value()
-	if amiFamily.ENILimitedMemoryOverhead() {
-		podsQuantity = i.eniLimitedPods()
-	}
-
 	srr := i.systemReservedResources(kc)
-	krr := i.kubeReservedResources(podsQuantity)
+	krr := i.kubeReservedResources(kc)
 	misc := i.miscResources(vmMemOverhead)
-	overhead := resources.Merge(srr, krr, misc)
+	et := i.evictionThreshold(kc, misc[v1.ResourceMemory])
+	overhead := resources.Merge(srr, krr, et, misc)
 
 	return overhead
 }
@@ -280,18 +269,22 @@ func (i *InstanceType) systemReservedResources(kc *v1alpha5.KubeletConfiguration
 		v1.ResourceMemory:           resource.MustParse("100Mi"),
 		v1.ResourceEphemeralStorage: resource.MustParse("1Gi"),
 	}
-
 	if kc != nil && kc.SystemReserved != nil {
-		for _, name := range []v1.ResourceName{v1.ResourceCPU, v1.ResourceMemory, v1.ResourceEphemeralStorage} {
-			if v, ok := kc.SystemReserved[name]; ok {
-				resources[name] = v
-			}
-		}
+		return lo.Assign(resources, kc.SystemReserved)
 	}
 	return resources
 }
 
-func (i *InstanceType) kubeReservedResources(pods int64) v1.ResourceList {
+func (i *InstanceType) kubeReservedResources(kc *v1alpha5.KubeletConfiguration) v1.ResourceList {
+	// We reserve memory based off of --max-pods unless we are using the EKS-optimized AMI
+	// which relies on ENI-limited pod density regardless of the --max-pods value
+	// https://github.com/awslabs/amazon-eks-ami/issues/782
+	amiFamily := amifamily.GetAMIFamily(i.provider.AMIFamily, &amifamily.Options{})
+	pods := i.pods().Value()
+	if amiFamily.ENILimitedMemoryOverhead() {
+		pods = i.eniLimitedPods()
+	}
+
 	resources := v1.ResourceList{
 		v1.ResourceMemory:           resource.MustParse(fmt.Sprintf("%dMi", (11*pods)+255)),
 		v1.ResourceEphemeralStorage: resource.MustParse("1Gi"), // default kube-reserved ephemeral-storage
@@ -319,19 +312,67 @@ func (i *InstanceType) kubeReservedResources(pods int64) v1.ResourceList {
 			resources[v1.ResourceCPU] = *cpuOverhead
 		}
 	}
+	if kc != nil && kc.KubeReserved != nil {
+		return lo.Assign(resources, kc.KubeReserved)
+	}
 	return resources
 }
 
-func (i *InstanceType) miscResources(vmMemOverhead float64) v1.ResourceList {
+func (i *InstanceType) evictionThreshold(kc *v1alpha5.KubeletConfiguration, vmMemoryOverhead resource.Quantity) v1.ResourceList {
+	overhead := v1.ResourceList{
+		v1.ResourceMemory: resource.MustParse("100Mi"),
+	}
+	if kc == nil || kc.EvictionHard == nil {
+		return overhead
+	}
+
+	if v, ok := kc.EvictionHard[memoryAvailable]; ok {
+		if strings.HasSuffix(v, "%") {
+			p, err := strconv.ParseFloat(strings.Trim(v, "%"), 64)
+			if err != nil {
+				panic(fmt.Sprintf("expected percentage value to be a float but got %s, %v", v, err))
+			}
+			// Setting percentage value to 100% is considered disabling the threshold according to
+			// https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
+			if p == 100 {
+				p = 0
+			}
+			// Calculation is node.capacity * evictionHard[memory.available] if percentage
+			// From https://kubernetes.io/docs/concepts/scheduling-eviction/node-pressure-eviction/#eviction-signals
+			totalAllocatable := i.resources.Memory().DeepCopy()
+			totalAllocatable.Sub(vmMemoryOverhead)
+			overhead[v1.ResourceMemory] = resource.MustParse(fmt.Sprint(math.Ceil(float64(totalAllocatable.Value()) / 100 * p)))
+		} else {
+			overhead[v1.ResourceMemory] = resource.MustParse(v)
+		}
+	}
+	return overhead
+}
+
+func (i *InstanceType) miscResources(overheadPercentage float64) v1.ResourceList {
 	memory := i.memory().Value()
 	return v1.ResourceList{
-		v1.ResourceMemory: resource.MustParse(fmt.Sprintf("%dMi",
-			// vm-overhead
-			(int64(math.Ceil(float64(memory)*vmMemOverhead/1024/1024)))+
-				// eviction threshold https://github.com/kubernetes/kubernetes/blob/ea0764452222146c47ec826977f49d7001b0ea8c/pkg/kubelet/apis/config/v1beta1/defaults_linux.go#L23
-				100,
-		)),
+		v1.ResourceMemory: resource.MustParse(fmt.Sprintf("%dMi", int64(math.Ceil(float64(memory)*overheadPercentage/1024/1024)))),
+	}
+}
+
+func (i *InstanceType) computeMaxPods(ctx context.Context, kc *v1alpha5.KubeletConfiguration) *int64 {
+	amiFamily := amifamily.GetAMIFamily(i.provider.AMIFamily, &amifamily.Options{})
+	var mp *int64
+
+	switch {
+	case kc != nil && kc.MaxPods != nil:
+		mp = ptr.Int64(int64(ptr.Int32Value(kc.MaxPods)))
+	case !injection.GetOptions(ctx).AWSENILimitedPodDensity:
+		mp = ptr.Int64(110)
+	default:
+		mp = ptr.Int64(i.eniLimitedPods())
+	}
+
+	if kc != nil && ptr.Int32Value(kc.PodsPerCore) > 0 && amiFamily.PodsPerCoreEnabled() {
+		mp = ptr.Int64(lo.Min([]int64{int64(ptr.Int32Value(kc.PodsPerCore)) * ptr.Int64Value(i.VCpuInfo.DefaultVCpus), ptr.Int64Value(mp)}))
 	}
+	return mp
 }
 
 func lowerKabobCase(s string) string {

pkg/cloudprovider/aws/instancetype.go

@@ -23,6 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ec2"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"github.com/samber/lo"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -271,6 +272,89 @@ var _ = Describe("Instance Types", func() {
 			overhead := it.Overhead()
 			Expect(overhead.Memory().String()).To(Equal("21473Mi"))
 		})
+		It("should override kube reserved when specified", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					SystemReserved: v1.ResourceList{
+						v1.ResourceCPU:              resource.MustParse("1"),
+						v1.ResourceMemory:           resource.MustParse("20Gi"),
+						v1.ResourceEphemeralStorage: resource.MustParse("1Gi"),
+					},
+					KubeReserved: v1.ResourceList{
+						v1.ResourceCPU:              resource.MustParse("2"),
+						v1.ResourceMemory:           resource.MustParse("10Gi"),
+						v1.ResourceEphemeralStorage: resource.MustParse("2Gi"),
+					},
+				},
+			})
+			it := NewInstanceType(injection.WithOptions(ctx, opts), instanceInfo["m5.xlarge"], provisioner.Spec.KubeletConfiguration, "", provider, nil)
+			overhead := it.Overhead()
+			Expect(overhead.Memory().String()).To(Equal("30820Mi"))
+			Expect(overhead.Cpu().String()).To(Equal("3"))
+			Expect(overhead.StorageEphemeral().String()).To(Equal("3Gi"))
+		})
+		It("should override eviction threshold (hard) when specified as a quantity", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					SystemReserved: v1.ResourceList{
+						v1.ResourceMemory: resource.MustParse("20Gi"),
+					},
+					KubeReserved: v1.ResourceList{
+						v1.ResourceMemory: resource.MustParse("10Gi"),
+					},
+					EvictionHard: map[string]string{
+						memoryAvailable: "500Mi",
+					},
+				},
+			})
+			it := NewInstanceType(injection.WithOptions(ctx, opts), instanceInfo["m5.xlarge"], provisioner.Spec.KubeletConfiguration, "", provider, nil)
+			overhead := it.Overhead()
+			Expect(overhead.Memory().String()).To(Equal("31220Mi"))
+		})
+		It("should override eviction threshold (hard) when specified as a percentage value", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					SystemReserved: v1.ResourceList{
+						v1.ResourceMemory: resource.MustParse("20Gi"),
+					},
+					KubeReserved: v1.ResourceList{
+						v1.ResourceMemory: resource.MustParse("10Gi"),
+					},
+					EvictionHard: map[string]string{
+						memoryAvailable: "10%",
+					},
+				},
+			})
+			it := NewInstanceType(injection.WithOptions(ctx, opts), instanceInfo["m5.xlarge"], provisioner.Spec.KubeletConfiguration, "", provider, nil)
+			overhead := it.Overhead()
+			Expect(overhead.Memory().String()).To(Equal("33930241639"))
+		})
+		It("should consider the eviction threshold (hard) disabled when specified as 100%", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					SystemReserved: v1.ResourceList{
+						v1.ResourceMemory: resource.MustParse("20Gi"),
+					},
+					KubeReserved: v1.ResourceList{
+						v1.ResourceMemory: resource.MustParse("10Gi"),
+					},
+					EvictionHard: map[string]string{
+						memoryAvailable: "100%",
+					},
+				},
+			})
+			it := NewInstanceType(injection.WithOptions(ctx, opts), instanceInfo["m5.xlarge"], provisioner.Spec.KubeletConfiguration, "", provider, nil)
+			overhead := it.Overhead()
+			Expect(overhead.Memory().String()).To(Equal("30Gi"))
+		})
 		It("should set max-pods to user-defined value if specified", func() {
 			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
 			Expect(err).To(BeNil())
@@ -281,7 +365,7 @@ var _ = Describe("Instance Types", func() {
 				Expect(resources.Pods().Value()).To(BeNumerically("==", 10))
 			}
 		})
-		It("should override max-pods value when AWSENILimitedPodDensity is set", func() {
+		It("should override max-pods value when AWSENILimitedPodDensity is unset", func() {
 			opts.AWSENILimitedPodDensity = false
 			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
 			Expect(err).To(BeNil())
@@ -292,6 +376,48 @@ var _ = Describe("Instance Types", func() {
 				Expect(resources.Pods().Value()).To(BeNumerically("==", 10))
 			}
 		})
+		It("should override pods-per-core value", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{Kubelet: &v1alpha5.KubeletConfiguration{PodsPerCore: ptr.Int32(1)}})
+			for _, info := range instanceInfo {
+				it := NewInstanceType(injection.WithOptions(ctx, opts), info, provisioner.Spec.KubeletConfiguration, "", provider, nil)
+				resources := it.Resources()
+				Expect(resources.Pods().Value()).To(BeNumerically("==", ptr.Int64Value(info.VCpuInfo.DefaultVCpus)))
+			}
+		})
+		It("should take the minimum of pods-per-core and max-pods", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{Kubelet: &v1alpha5.KubeletConfiguration{PodsPerCore: ptr.Int32(4), MaxPods: ptr.Int32(20)}})
+			for _, info := range instanceInfo {
+				it := NewInstanceType(injection.WithOptions(ctx, opts), info, provisioner.Spec.KubeletConfiguration, "", provider, nil)
+				resources := it.Resources()
+				Expect(resources.Pods().Value()).To(BeNumerically("==", lo.Min([]int64{20, ptr.Int64Value(info.VCpuInfo.DefaultVCpus) * 4})))
+			}
+		})
+		It("should ignore pods-per-core when using Bottlerocket AMI", func() {
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provider.AMIFamily = &awsv1alpha1.AMIFamilyBottlerocket
+			provisioner = test.Provisioner(test.ProvisionerOptions{Kubelet: &v1alpha5.KubeletConfiguration{PodsPerCore: ptr.Int32(1)}, Provider: provider})
+			for _, info := range instanceInfo {
+				it := NewInstanceType(injection.WithOptions(ctx, opts), info, provisioner.Spec.KubeletConfiguration, "", provider, nil)
+				resources := it.Resources()
+				Expect(resources.Pods().Value()).To(BeNumerically("==", it.eniLimitedPods()))
+			}
+		})
+		It("should take 110 to be the default pods number when pods-per-core is 0 and AWSENILimitedPodDensity is unset", func() {
+			opts.AWSENILimitedPodDensity = false
+			instanceInfo, err := instanceTypeProvider.getInstanceTypes(ctx)
+			Expect(err).To(BeNil())
+			provisioner = test.Provisioner(test.ProvisionerOptions{Kubelet: &v1alpha5.KubeletConfiguration{PodsPerCore: ptr.Int32(0)}})
+			for _, info := range instanceInfo {
+				it := NewInstanceType(injection.WithOptions(ctx, opts), info, provisioner.Spec.KubeletConfiguration, "", provider, nil)
+				resources := it.Resources()
+				Expect(resources.Pods().Value()).To(BeNumerically("==", 110))
+			}
+		})
 	})
 	Context("Insufficient Capacity Error Cache", func() {
 		It("should launch instances of different type on second reconciliation attempt with Insufficient Capacity Error Cache fallback", func() {

pkg/cloudprovider/aws/instancetypes_test.go

@@ -589,7 +589,7 @@ var _ = Describe("LaunchTemplates", func() {
 			Expect(string(userData)).To(ContainSubstring("--max-pods=10"))
 		})
 		It("should specify --system-reserved when overriding system reserved values", func() {
-			newProvisioner := test.Provisioner(test.ProvisionerOptions{
+			provisioner = test.Provisioner(test.ProvisionerOptions{
 				Kubelet: &v1alpha5.KubeletConfiguration{
 					SystemReserved: v1.ResourceList{
 						v1.ResourceCPU:              resource.MustParse("500m"),
@@ -598,7 +598,7 @@ var _ = Describe("LaunchTemplates", func() {
 					},
 				},
 			})
-			ExpectApplied(ctx, env.Client, newProvisioner)
+			ExpectApplied(ctx, env.Client, provisioner)
 			pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
 			ExpectScheduled(ctx, env.Client, pod)
 			Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
@@ -610,10 +610,92 @@ var _ = Describe("LaunchTemplates", func() {
 			i := strings.Index(string(userData), arg)
 			rem := string(userData)[(i + len(arg)):]
 			i = strings.Index(rem, "'")
-			for k, v := range newProvisioner.Spec.KubeletConfiguration.SystemReserved {
+			for k, v := range provisioner.Spec.KubeletConfiguration.SystemReserved {
+				Expect(rem[:i]).To(ContainSubstring(fmt.Sprintf("%v=%v", k.String(), v.String())))
+			}
+		})
+		It("should specify --kube-reserved when overriding system reserved values", func() {
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					KubeReserved: v1.ResourceList{
+						v1.ResourceCPU:              resource.MustParse("500m"),
+						v1.ResourceMemory:           resource.MustParse("1Gi"),
+						v1.ResourceEphemeralStorage: resource.MustParse("2Gi"),
+					},
+				},
+			})
+			ExpectApplied(ctx, env.Client, provisioner)
+			pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
+			ExpectScheduled(ctx, env.Client, pod)
+			Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
+			input := fakeEC2API.CalledWithCreateLaunchTemplateInput.Pop()
+			userData, _ := base64.StdEncoding.DecodeString(*input.LaunchTemplateData.UserData)
+
+			// Check whether the arguments are there for --kube-reserved
+			arg := "--kube-reserved="
+			i := strings.Index(string(userData), arg)
+			rem := string(userData)[(i + len(arg)):]
+			i = strings.Index(rem, "'")
+			for k, v := range provisioner.Spec.KubeletConfiguration.KubeReserved {
 				Expect(rem[:i]).To(ContainSubstring(fmt.Sprintf("%v=%v", k.String(), v.String())))
 			}
 		})
+		It("should pass eviction threshold hard values when specified", func() {
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					EvictionHard: map[string]string{
+						"memory.available":  "10%",
+						"nodefs.available":  "15%",
+						"nodefs.inodesFree": "5%",
+					},
+				},
+			})
+			ExpectApplied(ctx, env.Client, provisioner)
+			pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
+			ExpectScheduled(ctx, env.Client, pod)
+			Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
+			input := fakeEC2API.CalledWithCreateLaunchTemplateInput.Pop()
+			userData, _ := base64.StdEncoding.DecodeString(*input.LaunchTemplateData.UserData)
+
+			// Check whether the arguments are there for --kube-reserved
+			arg := "--eviction-hard="
+			i := strings.Index(string(userData), arg)
+			rem := string(userData)[(i + len(arg)):]
+			i = strings.Index(rem, "'")
+			for k, v := range provisioner.Spec.KubeletConfiguration.EvictionHard {
+				Expect(rem[:i]).To(ContainSubstring(fmt.Sprintf("%v<%v", k, v)))
+			}
+		})
+		It("should specify --pods-per-core", func() {
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					PodsPerCore: ptr.Int32(2),
+				},
+			})
+			ExpectApplied(ctx, env.Client, provisioner)
+			pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
+			ExpectScheduled(ctx, env.Client, pod)
+			Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
+			input := fakeEC2API.CalledWithCreateLaunchTemplateInput.Pop()
+			userData, _ := base64.StdEncoding.DecodeString(*input.LaunchTemplateData.UserData)
+			Expect(string(userData)).To(ContainSubstring(fmt.Sprintf("--pods-per-core=%d", 2)))
+		})
+		It("should specify --pods-per-core with --max-pods enabled", func() {
+			provisioner = test.Provisioner(test.ProvisionerOptions{
+				Kubelet: &v1alpha5.KubeletConfiguration{
+					PodsPerCore: ptr.Int32(2),
+					MaxPods:     ptr.Int32(100),
+				},
+			})
+			ExpectApplied(ctx, env.Client, provisioner)
+			pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
+			ExpectScheduled(ctx, env.Client, pod)
+			Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
+			input := fakeEC2API.CalledWithCreateLaunchTemplateInput.Pop()
+			userData, _ := base64.StdEncoding.DecodeString(*input.LaunchTemplateData.UserData)
+			Expect(string(userData)).To(ContainSubstring(fmt.Sprintf("--pods-per-core=%d", 2)))
+			Expect(string(userData)).To(ContainSubstring(fmt.Sprintf("--max-pods=%d", 100)))
+		})
 		It("should specify --container-runtime containerd by default", func() {
 			ExpectApplied(ctx, env.Client, test.Provisioner(test.ProvisionerOptions{Provider: provider}))
 			pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
@@ -770,7 +852,7 @@ var _ = Describe("LaunchTemplates", func() {
 					AWS:      *provider,
 				})
 				ExpectApplied(ctx, env.Client, nodeTemplate)
-				newProvisioner := test.Provisioner(test.ProvisionerOptions{
+				provisioner = test.Provisioner(test.ProvisionerOptions{
 					ProviderRef: &v1alpha5.ProviderRef{
 						Name: nodeTemplate.Name,
 					},
@@ -782,7 +864,7 @@ var _ = Describe("LaunchTemplates", func() {
 						},
 					},
 				})
-				ExpectApplied(ctx, env.Client, newProvisioner)
+				ExpectApplied(ctx, env.Client, provisioner)
 				pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
 				ExpectScheduled(ctx, env.Client, pod)
 				Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
@@ -795,6 +877,70 @@ var _ = Describe("LaunchTemplates", func() {
 				Expect(config.Settings.Kubernetes.SystemReserved[v1.ResourceMemory.String()]).To(Equal("3Gi"))
 				Expect(config.Settings.Kubernetes.SystemReserved[v1.ResourceEphemeralStorage.String()]).To(Equal("10Gi"))
 			})
+			It("should override kube reserved values in user data", func() {
+				provider.AMIFamily = &awsv1alpha1.AMIFamilyBottlerocket
+				nodeTemplate := test.AWSNodeTemplate(v1alpha1.AWSNodeTemplateSpec{
+					UserData: nil,
+					AWS:      *provider,
+				})
+				ExpectApplied(ctx, env.Client, nodeTemplate)
+				provisioner = test.Provisioner(test.ProvisionerOptions{
+					ProviderRef: &v1alpha5.ProviderRef{
+						Name: nodeTemplate.Name,
+					},
+					Kubelet: &v1alpha5.KubeletConfiguration{
+						KubeReserved: v1.ResourceList{
+							v1.ResourceCPU:              resource.MustParse("2"),
+							v1.ResourceMemory:           resource.MustParse("3Gi"),
+							v1.ResourceEphemeralStorage: resource.MustParse("10Gi"),
+						},
+					},
+				})
+				ExpectApplied(ctx, env.Client, provisioner)
+				pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
+				ExpectScheduled(ctx, env.Client, pod)
+				Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
+				input := fakeEC2API.CalledWithCreateLaunchTemplateInput.Pop()
+				userData, _ := base64.StdEncoding.DecodeString(*input.LaunchTemplateData.UserData)
+				config := &bootstrap.BottlerocketConfig{}
+				Expect(config.UnmarshalTOML(userData)).To(Succeed())
+				Expect(len(config.Settings.Kubernetes.KubeReserved)).To(Equal(3))
+				Expect(config.Settings.Kubernetes.KubeReserved[v1.ResourceCPU.String()]).To(Equal("2"))
+				Expect(config.Settings.Kubernetes.KubeReserved[v1.ResourceMemory.String()]).To(Equal("3Gi"))
+				Expect(config.Settings.Kubernetes.KubeReserved[v1.ResourceEphemeralStorage.String()]).To(Equal("10Gi"))
+			})
+			It("should override kube reserved values in user data", func() {
+				provider.AMIFamily = &awsv1alpha1.AMIFamilyBottlerocket
+				nodeTemplate := test.AWSNodeTemplate(v1alpha1.AWSNodeTemplateSpec{
+					UserData: nil,
+					AWS:      *provider,
+				})
+				ExpectApplied(ctx, env.Client, nodeTemplate)
+				provisioner = test.Provisioner(test.ProvisionerOptions{
+					ProviderRef: &v1alpha5.ProviderRef{
+						Name: nodeTemplate.Name,
+					},
+					Kubelet: &v1alpha5.KubeletConfiguration{
+						EvictionHard: map[string]string{
+							"memory.available":  "10%",
+							"nodefs.available":  "15%",
+							"nodefs.inodesFree": "5%",
+						},
+					},
+				})
+				ExpectApplied(ctx, env.Client, provisioner)
+				pod := ExpectProvisioned(ctx, env.Client, controller, test.UnschedulablePod())[0]
+				ExpectScheduled(ctx, env.Client, pod)
+				Expect(fakeEC2API.CalledWithCreateLaunchTemplateInput.Len()).To(Equal(1))
+				input := fakeEC2API.CalledWithCreateLaunchTemplateInput.Pop()
+				userData, _ := base64.StdEncoding.DecodeString(*input.LaunchTemplateData.UserData)
+				config := &bootstrap.BottlerocketConfig{}
+				Expect(config.UnmarshalTOML(userData)).To(Succeed())
+				Expect(len(config.Settings.Kubernetes.EvictionHard)).To(Equal(3))
+				Expect(config.Settings.Kubernetes.EvictionHard["memory.available"]).To(Equal("10%"))
+				Expect(config.Settings.Kubernetes.EvictionHard["nodefs.available"]).To(Equal("15%"))
+				Expect(config.Settings.Kubernetes.EvictionHard["nodefs.inodesFree"]).To(Equal("5%"))
+			})
 			It("should specify max pods value when passing maxPods in configuration", func() {
 				bottlerocketProvider := provider.DeepCopy()
 				bottlerocketProvider.AMIFamily = &awsv1alpha1.AMIFamilyBottlerocket

pkg/cloudprovider/aws/launchtemplate_test.go

@@ -75,6 +75,15 @@ var provisioner *v1alpha5.Provisioner
 var provider *awsv1alpha1.AWS
 var pricingProvider *PricingProvider
 
+var defaultOpts = options.Options{
+	ClusterName:               "test-cluster",
+	ClusterEndpoint:           "https://test-cluster",
+	AWSNodeNameConvention:     string(options.IPName),
+	AWSENILimitedPodDensity:   true,
+	AWSEnablePodENI:           true,
+	AWSDefaultInstanceProfile: "test-instance-profile",
+}
+
 func TestAWS(t *testing.T) {
 	ctx = TestContextWithLogger(t)
 	RegisterFailHandler(Fail)
@@ -83,14 +92,7 @@ func TestAWS(t *testing.T) {
 
 var _ = BeforeSuite(func() {
 	env = test.NewEnvironment(ctx, func(e *test.Environment) {
-		opts = options.Options{
-			ClusterName:               "test-cluster",
-			ClusterEndpoint:           "https://test-cluster",
-			AWSNodeNameConvention:     string(options.IPName),
-			AWSENILimitedPodDensity:   true,
-			AWSEnablePodENI:           true,
-			AWSDefaultInstanceProfile: "test-instance-profile",
-		}
+		opts = defaultOpts
 		Expect(opts.Validate()).To(Succeed(), "Failed to validate options")
 		ctx = injection.WithOptions(ctx, opts)
 		ctx, stop = context.WithCancel(ctx)
@@ -161,6 +163,7 @@ var _ = BeforeEach(func() {
 		SecurityGroupSelector: map[string]string{"*": "*"},
 	}
 	provisioner = test.Provisioner(test.ProvisionerOptions{Provider: provider})
+	opts = defaultOpts
 	fakeEC2API.Reset()
 	fakePricingAPI.Reset()
 	launchTemplateCache.Flush()

pkg/cloudprovider/aws/suite_test.go

@@ -162,6 +162,8 @@ var _ = Describe("Provisioning", func() {
 		}
 	})
 	It("should provision multiple nodes when maxPods is set", func() {
+		// Kubelet configuration is actually not observed here, the scheduler is relying on the
+		// pods resource value which is statically set in the fake cloudprovider
 		ExpectApplied(ctx, env.Client, test.Provisioner(test.ProvisionerOptions{
 			Kubelet: &v1alpha5.KubeletConfiguration{MaxPods: ptr.Int32(1)},
 			Requirements: []v1.NodeSelectorRequirement{

pkg/controllers/provisioning/suite_test.go

@@ -154,6 +154,9 @@ func String(list v1.ResourceList) string {
 
 // StringMap returns the string map representation of the resource list
 func StringMap(list v1.ResourceList) map[string]string {
+	if list == nil {
+		return nil
+	}
 	m := make(map[string]string)
 	for k, v := range list {
 		m[k.String()] = v.String()

pkg/utils/resources/resources.go

@@ -0,0 +1,109 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integration_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	v1 "k8s.io/api/core/v1"
+	"knative.dev/pkg/ptr"
+
+	"github.com/aws/karpenter/pkg/apis/awsnodetemplate/v1alpha1"
+	"github.com/aws/karpenter/pkg/apis/provisioning/v1alpha5"
+	awsv1alpha1 "github.com/aws/karpenter/pkg/cloudprovider/aws/apis/v1alpha1"
+	"github.com/aws/karpenter/pkg/test"
+)
+
+var _ = Describe("KubeletConfiguration Overrides", func() {
+	It("should schedule pods onto separate nodes when maxPods is set", func() {
+		provider := test.AWSNodeTemplate(v1alpha1.AWSNodeTemplateSpec{AWS: awsv1alpha1.AWS{
+			SecurityGroupSelector: map[string]string{"karpenter.sh/discovery": env.ClusterName},
+			SubnetSelector:        map[string]string{"karpenter.sh/discovery": env.ClusterName},
+		}})
+		// MaxPods needs to account for the daemonsets that will run on the nodes
+		provisioner := test.Provisioner(test.ProvisionerOptions{
+			ProviderRef: &v1alpha5.ProviderRef{Name: provider.Name},
+			Kubelet: &v1alpha5.KubeletConfiguration{
+				MaxPods: ptr.Int32(3),
+			},
+		})
+
+		pods := []*v1.Pod{test.Pod(), test.Pod(), test.Pod()}
+		env.ExpectCreated(provisioner, provider)
+		for _, pod := range pods {
+			env.ExpectCreated(pod)
+		}
+		env.EventuallyExpectHealthy(pods...)
+		env.ExpectCreatedNodeCount("==", 3)
+	})
+	It("should schedule pods onto separate nodes when podsPerCore is set", func() {
+		provider := test.AWSNodeTemplate(v1alpha1.AWSNodeTemplateSpec{AWS: awsv1alpha1.AWS{
+			SecurityGroupSelector: map[string]string{"karpenter.sh/discovery": env.ClusterName},
+			SubnetSelector:        map[string]string{"karpenter.sh/discovery": env.ClusterName},
+		}})
+		// PodsPerCore needs to account for the daemonsets that will run on the nodes
+		// This will have 4 pods available on each node (2 taken by daemonset pods)
+		provisioner := test.Provisioner(test.ProvisionerOptions{
+			ProviderRef: &v1alpha5.ProviderRef{Name: provider.Name},
+			Kubelet: &v1alpha5.KubeletConfiguration{
+				PodsPerCore: ptr.Int32(2),
+			},
+			Requirements: []v1.NodeSelectorRequirement{
+				{
+					Key:      awsv1alpha1.LabelInstanceCPU,
+					Operator: v1.NodeSelectorOpIn,
+					Values:   []string{"2"},
+				},
+			},
+		})
+
+		pods := []*v1.Pod{test.Pod(), test.Pod(), test.Pod(), test.Pod()}
+		env.ExpectCreated(provisioner, provider)
+		for _, pod := range pods {
+			env.ExpectCreated(pod)
+		}
+		env.EventuallyExpectHealthy(pods...)
+		env.ExpectCreatedNodeCount("==", 2)
+	})
+	It("should ignore podsPerCore value when Bottlerocket is used", func() {
+		provider := test.AWSNodeTemplate(v1alpha1.AWSNodeTemplateSpec{AWS: awsv1alpha1.AWS{
+			SecurityGroupSelector: map[string]string{"karpenter.sh/discovery": env.ClusterName},
+			SubnetSelector:        map[string]string{"karpenter.sh/discovery": env.ClusterName},
+			AMIFamily:             &awsv1alpha1.AMIFamilyBottlerocket,
+		}})
+		// All pods should schedule to a single node since we are ignoring podsPerCore value
+		// This would normally schedule to 3 nodes if not using Bottlerocket
+		provisioner := test.Provisioner(test.ProvisionerOptions{
+			ProviderRef: &v1alpha5.ProviderRef{Name: provider.Name},
+			Kubelet: &v1alpha5.KubeletConfiguration{
+				PodsPerCore: ptr.Int32(2),
+			},
+			Requirements: []v1.NodeSelectorRequirement{
+				{
+					Key:      awsv1alpha1.LabelInstanceCPU,
+					Operator: v1.NodeSelectorOpIn,
+					Values:   []string{"2"},
+				},
+			},
+		})
+
+		pods := []*v1.Pod{test.Pod(), test.Pod(), test.Pod(), test.Pod(), test.Pod(), test.Pod()}
+		env.ExpectCreated(provisioner, provider)
+		for _, pod := range pods {
+			env.ExpectCreated(pod)
+		}
+		env.EventuallyExpectHealthy(pods...)
+		env.ExpectCreatedNodeCount("<=", 2) // should probably all land on a single node, but at worst two depending on batching
+	})
+})