diff --git a/examples/eks-managed-nodegroup/bastion.tf b/examples/eks-managed-nodegroup/bastion.tf
index 9f4f105..274c0b4 100644
--- a/examples/eks-managed-nodegroup/bastion.tf
+++ b/examples/eks-managed-nodegroup/bastion.tf
@@ -6,7 +6,7 @@ module "bastion" {
   ami                         = data.aws_ami.this.id
   ignore_ami_changes          = true
   subnet_id                   = var.subnet_ids[0]
-  vpc_security_group_ids      = [module.sg.id, "sg-0735e2bab44a525b8"]
+  vpc_security_group_ids      = [module.sg.id, module.eks.cluster_primary_security_group_id]
   create_iam_instance_profile = true
   iam_role_description        = "IAM role for EC2 instance"
   iam_role_policies = {
@@ -30,6 +30,12 @@ module "bastion" {
     http_tokens                 = "required"
     http_put_response_hop_limit = 2
   }
+  user_data = <<EOF
+#!/bin/bash
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+chmod 755 kubectl
+mv kubectl /usr/local/bin/
+EOF
 }
 
 module "sg" {
diff --git a/examples/eks-managed-nodegroup/main.tf b/examples/eks-managed-nodegroup/main.tf
index 03f6aca..1eca844 100644
--- a/examples/eks-managed-nodegroup/main.tf
+++ b/examples/eks-managed-nodegroup/main.tf
@@ -16,7 +16,7 @@ module "eks" {
 
   cluster_name                   = "lab-ken2026-eks01"
   cluster_endpoint_public_access = true
-  cluster_version                = "1.28"
+  cluster_version                = "1.27"
 
   cluster_addons = {
     coredns = {