When your security team mandates a specific AMI, private subnets, custom security groups, and encrypted EBS, Karpenter's EC2NodeClass is exactly where all of that infrastructure detail lives.
You'll learn:
- The core separation of concerns: NodePool defines what to provision (requirements, constraints); EC2NodeClass defines how (the cloud-provider infrastructure details)
- How to pin a specific AMI using amiSelectorTerms and lock nodes to private subnets via tag-based subnetSelectorTerms
- Configuring securityGroupSelectorTerms and enforcing EBS encryption through blockDeviceMappings in the EC2NodeClass spec
- How nodeClassRef wires a NodePool to a NodeClass — and why one NodeClass can back many NodePools, making AMI rotation straightforward