EKS AMI Auto-Update
Cloud service provider relevance: EKS
Operating an Amazon EKS cluster involves managing the compatibility between the Kubernetes control plane and the nodes, especially when upgrading the EKS cluster version. While the control plane and worker nodes don't need to run identical versions, keeping the worker nodes' version updated with the control plane is crucial for using the latest features and improvements in Kubernetes.
Additionally, running the latest AMIs on worker nodes is vital for maintaining cluster security. However, manually updating worker nodes after each control plane upgrade or security patch release is challenging, error-prone, and time-consuming.
Ocean EKS AMI Auto-Update addresses these challenges by automating AMI updates for nodes in the Ocean virtual node group whenever the control plane is upgraded or new security patches become available. This automation saves time, reduces errors, and enhances cluster security by ensuring nodes always run the most secure and compatible AMI version.
Ocean automatically detects when the EKS control plane is upgraded or new security patches are released and upgrades the nodes without manual intervention. You can configure a specific time for checking updates to ensure the update process doesn't cause unexpected disruptions.
:::note
To use EKS AMI Auto-Update for minor version upgrades, your Ocean controller version must be 1.0.99 or later. If updating the controller is not possible, make sure to restart the Ocean controller pod after upgrading the EKS control plane.
:::
In addition to updating the VNG AMI, the feature offers an optional, controlled rollout process. When enabled, the new AMI is applied in phases by dividing nodes into batches, minimizing cluster impact. You can monitor the update process and take action if issues occur.
EKS AMI Auto-Update also sends notifications when a new AMI is in use or when issues arise, providing transparency and control over your Ocean EKS environment.
How it Works
Ocean EKS AMI Auto-Update updates the virtual node groups' AMI to:
- Match the Kubernetes control plane version.
- Apply the latest security patches.
These are the limitations:
- Public AMIs Only: Ocean EKS AMI Auto-Update applies only to public AMIs. Private AMIs do not trigger the auto-update process.
- Single AMI Virtual Node Groups: The feature supports only virtual node groups that use a single AMI. Virtual node groups with dual AMIs are not compatible.
Enabling the Auto Update Feature
There are two options:
Option 1: Configuration in the Cluster
Add the new `amiAutoUpdate` object under `ocean.scheduling.tasks.parameters`. In this object, configure the patch and minor version parameters.
- `"patch": true` - The auto-update process will update the virtual node groups' images with the latest security patches.
- `"minorVersion": true` - The auto-update process will update the virtual node groups' AMI with the AMI that matches the Kubernetes control plane version.
- `"clusterRoll"` (optional) - When configured, runs a cluster roll after the AMI update, enabling a seamless transition to the updated environment. When set to `null`, the cluster roll is not run.
Under `scheduling.tasks`, set `isEnabled` to `true` and the `taskType` to `amiAutoUpdate` to activate the process. You can also add a cron expression (`cronExpression`) to control how often the auto-update runs. By default, the auto-update process runs every 24 hours.
Example of the JSON object:
```json
"scheduling": {
  "tasks": [
    {
      "isEnabled": true,
      "taskType": "amiAutoUpdate",
      "cronExpression": "0 * * * *",
      "parameters": {
        "amiAutoUpdate": {
          "patch": true,
          "minorVersion": true,
          "applyRoll": true,
          "clusterRoll": {
            "batchSizePercentage": 20,
            "comment": "this is just an example",
            "batchMinHealthyPercentage": 100
          }
        }
      }
    }
  ]
}
```
Option 2: Manual Trigger
Use the API to manually trigger the AMI auto-update process. The body of the API call should contain the following parameters:
- `"patch": true` - The auto-update process will update the virtual node groups' images with the latest security patches.
- `"minorVersion": true` - The auto-update process will update the virtual node groups' images with the AMI that matches the Kubernetes control plane version.
- `"clusterRoll"` - When configured, runs a cluster roll after the AMI update. When set to `null`, the cluster roll is not run.
Example of the JSON object for the API call:
```json
{
  "amiAutoUpdate": {
    "patch": true,
    "minorVersion": true,
    "applyRoll": true,
    "clusterRoll": {
      "batchSizePercentage": 20,
      "comment": "this is just an example",
      "batchMinHealthyPercentage": 100
    }
  }
}
```
When a new AMI is available, the API call updates the virtual node groups with the new AMI and runs a cluster roll if configured.
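The following helper, added here as an example and not part of the Ocean product or its SDK, assembles the `amiAutoUpdate` object once and reuses it for both Option 1 (the `scheduling.tasks` entry) and Option 2 (the manual-trigger request body). It also sanity-checks the parameters before they are sent, and shows how a `batchSizePercentage` value turns into a phased roll across a given number of nodes. The validation rules (booleans for `patch`/`minorVersion`, 1-100 for the percentages, a five-field cron expression) and the batch-splitting arithmetic are this example's own assumptions; the page only documents the JSON keys.

```python
"""Assemble and sanity-check Ocean EKS AMI Auto-Update settings.

Added example, not Spot/Ocean code. Key names follow the page's JSON examples;
the validation rules and batch arithmetic below are assumptions of this example.
"""
import json
import math
import re
from typing import List, Optional

# Assumption: a five-field cron expression, as in the page's example "0 * * * *".
_CRON_RE = re.compile(r"^(\S+\s+){4}\S+$")


def validate_ami_auto_update(params: dict) -> None:
    """Reject obviously wrong settings before they reach the API."""
    for key in ("patch", "minorVersion"):
        if not isinstance(params.get(key), bool):
            raise ValueError(f"{key} must be a boolean")
    if not (params["patch"] or params["minorVersion"]):
        raise ValueError("enable at least one of patch or minorVersion, otherwise nothing is updated")
    roll = params.get("clusterRoll")
    if roll is None:
        return  # null: no cluster roll is run after the AMI update
    for key in ("batchSizePercentage", "batchMinHealthyPercentage"):
        value = roll.get(key)
        if not isinstance(value, int) or not 1 <= value <= 100:
            raise ValueError(f"clusterRoll.{key} must be an integer from 1 to 100")


def build_ami_auto_update(patch: bool, minor_version: bool,
                          cluster_roll: Optional[dict], apply_roll: bool = True) -> dict:
    """Return the amiAutoUpdate object shared by both configuration options."""
    params = {
        "patch": patch,
        "minorVersion": minor_version,
        "applyRoll": apply_roll,
        "clusterRoll": cluster_roll,
    }
    validate_ami_auto_update(params)
    return params


def build_scheduled_task(params: dict, cron_expression: Optional[str] = None) -> dict:
    """Option 1: the scheduling.tasks entry placed in the cluster configuration."""
    if cron_expression is not None and not _CRON_RE.match(cron_expression.strip()):
        raise ValueError("cronExpression must have five space-separated fields")
    task = {
        "isEnabled": True,
        "taskType": "amiAutoUpdate",
        "parameters": {"amiAutoUpdate": params},
    }
    if cron_expression is not None:
        task["cronExpression"] = cron_expression
    return {"scheduling": {"tasks": [task]}}


def build_manual_trigger_body(params: dict) -> dict:
    """Option 2: the request body for manually triggering the auto-update."""
    return {"amiAutoUpdate": params}


def plan_batches(node_count: int, batch_size_percentage: int) -> List[int]:
    """Split nodes into batches of ceil(pct% of nodes); the last batch takes the remainder.

    Assumption of this example: it illustrates how a percentage-based roll phases
    the replacement of nodes, it is not Ocean's scheduling algorithm.
    """
    batch = max(1, math.ceil(node_count * batch_size_percentage / 100))
    sizes: List[int] = []
    remaining = node_count
    while remaining > 0:
        step = min(batch, remaining)
        sizes.append(step)
        remaining -= step
    return sizes


if __name__ == "__main__":
    # Constructed sample values matching the page's example.
    roll = {"batchSizePercentage": 20, "comment": "this is just an example",
            "batchMinHealthyPercentage": 100}
    params = build_ami_auto_update(patch=True, minor_version=True, cluster_roll=roll)
    print(json.dumps(build_scheduled_task(params, "0 * * * *"), indent=2))
    print(json.dumps(build_manual_trigger_body(params), indent=2))
    print("batches for 7 nodes at 20%:", plan_batches(7, 20))
```

`plan_batches(7, 20)` yields `[2, 2, 2, 1]`, which makes visible why a small `batchSizePercentage` combined with `batchMinHealthyPercentage: 100` keeps most of the cluster serving traffic while each batch is replaced and checked.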