Written by Lucas Marsala, DevOps Engineer at TrackIt

Why Update an EKS Cluster?

Updating an Amazon EKS cluster is essential for maintaining security, performance, and compatibility with the latest Kubernetes features. Newer versions often include critical security patches that mitigate vulnerabilities and protect workloads. Performance improvements and optimizations introduced in updates can enhance cluster efficiency, reducing resource overhead and operational costs. Additionally, staying up to date ensures continued support from AWS, as older Kubernetes versions eventually reach end-of-life and lose official support.

Starting with EKS Monitoring

In a previous article titled “Setting Up Monitoring for EKS Updates: Ensuring Efficient Lifecycle and Cost Management”, we outlined best practices for tracking EKS updates and understanding their impact. The article covers how proactive monitoring helps organizations anticipate necessary upgrades and assess potential risks before applying changes. It also details tools and strategies for managing the lifecycle of EKS clusters while optimizing costs. Readers interested in a more comprehensive approach to EKS maintenance can refer to that guide for further insights.

This guide outlines the key steps for updating an Amazon EKS cluster, highlighting both manual and automated methods. It also covers strategies for identifying potential issues in advance and ensuring a smooth transition to newer Kubernetes versions.

Methods for Updating EKS

Amazon EKS can be updated through the AWS Management Console or by using automation tools such as Terraform. In the example discussed below, Terraform was used with the module terraform-aws-modules/eks/aws.

Reviewing Kubernetes Patch Notes

Before an update, it is essential to review the Kubernetes Patch Notes. This page provides details on Kubernetes versions, including upgrade guides and potential migration considerations.

AWS Console Upgrade Insights

The AWS Management Console provides insights into potential risks associated with upgrading an EKS cluster. This information is accessible by navigating to the EKS section in the console and reviewing the Cluster Info panel (see screenshot below).


The Upgrade Insights section is updated daily and highlights potential risks or changes that should be considered before upgrading.

If no major issues are detected, EKS will indicate that the upgrade can proceed without complications. However, if a breaking change is detected, an error message will appear, providing further details upon selection. These warnings can help identify required modifications in advance.

To ensure a smooth upgrade, the insights from this panel should be compared with information from the Kubernetes patch notes. If an error is flagged, it may indicate deprecated APIs or configuration changes that need to be addressed before proceeding.

Resolving Deprecation Issues

During an upgrade, an issue was encountered due to the use of a deprecated API. No reference to the deprecated API was found within the existing EKS configuration files. However, further investigation revealed that an outdated EKS add-on was utilizing the deprecated API. Updating the add-on before proceeding with the cluster update resolved the issue successfully.
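
The Upgrade Insights check and the deprecation hunt described above can be scripted. The following Python is an added example, not code from the original article or from AWS: it reads the insight objects that `aws eks describe-insight` returns, blocks the upgrade on failing or stale upgrade-readiness insights, and lists which client user agent is still calling each deprecated API, which is how a caller that appears in no configuration file (such as an add-on) can be traced. The sample data, the 36-hour staleness threshold and the name `upgrade_gate` are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: "insight" objects as returned by `aws eks describe-insight`.
SAMPLE_INSIGHTS = json.loads("""[
 {"name": "Deprecated APIs removed in Kubernetes v1.32", "category": "UPGRADE_READINESS",
  "kubernetesVersion": "1.32", "lastRefreshTime": "2025-01-10T06:00:00+00:00",
  "insightStatus": {"status": "ERROR", "reason": "Deprecated API usage detected"},
  "categorySpecificSummary": {"deprecationDetails": [{
    "usage": "/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas",
    "replacedWith": "/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas",
    "stopServingVersion": "1.32",
    "clientStats": [{"userAgent": "example-addon-controller",
                     "numberOfRequestsLast30Days": 8640,
                     "lastRequestTime": "2025-01-10T05:58:00+00:00"}]}]}},
 {"name": "Kubelet version skew", "category": "UPGRADE_READINESS",
  "kubernetesVersion": "1.32", "lastRefreshTime": "2025-01-10T06:00:00+00:00",
  "insightStatus": {"status": "PASSING", "reason": "No skew detected"},
  "categorySpecificSummary": {"deprecationDetails": []}}
]""")

def upgrade_gate(insights, target_version, now, max_age=timedelta(hours=36)):
    """Return (blocked, findings) for upgrade-readiness insights on target_version."""
    findings = []
    for ins in insights:
        if ins.get("category") != "UPGRADE_READINESS":
            continue
        if ins.get("kubernetesVersion") != target_version:
            continue
        status = ins["insightStatus"]["status"]
        # Insights refresh daily; an old PASSING result is not evidence of safety.
        stale = now - datetime.fromisoformat(ins["lastRefreshTime"]) > max_age
        if status == "PASSING" and not stale:
            continue
        callers = []  # (deprecated API, replacement, user agent still calling it)
        details = ins.get("categorySpecificSummary", {}).get("deprecationDetails", [])
        for dep in details:
            for client in dep.get("clientStats", []):
                if client.get("numberOfRequestsLast30Days", 0) > 0:
                    callers.append((dep["usage"], dep.get("replacedWith", ""),
                                    client["userAgent"]))
        label = "STALE" if status == "PASSING" else status
        findings.append({"name": ins["name"], "status": label, "callers": callers})
    # WARNING is reported but does not block; ERROR, UNKNOWN and STALE do.
    blocked = any(f["status"] in ("ERROR", "UNKNOWN", "STALE") for f in findings)
    return blocked, findings

if __name__ == "__main__":
    now = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
    print(upgrade_gate(SAMPLE_INSIGHTS, "1.32", now))
```
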

Updating Authentication Configuration

A configuration update was required due to the deprecation of the auth_configmap, which was initially used to manage cluster access. More details on this can be found here: EKS Authentication Configuration.

To update the authentication configuration: 

  1. Navigate to the EKS control panel.
  2. Click on the Access section.
  3. Select Manage access under Access Configuration.
  4. The cluster will enter an Update state while changes are applied.
  5. Add the necessary role in the IAM Access entries panel by selecting Create access entry and specifying the ARN of the required IAM role.
  6. In the Add Access Policy section, select an appropriate policy while adhering to the principle of least privilege.

A reference for Amazon EKS preconfigured policies can be found here: EKS Access Policies. If configured correctly, users assuming the assigned role will have the necessary permissions. In this case, administrators were granted access to compute node clusters, which was not enabled by default.
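
One way to check the outcome of step 6 against least privilege, as an added example that is not part of the original article: the Python below reviews the policy associations returned by `aws eks list-associated-access-policies` for each access entry and flags admin policies on principals outside an approved list, as well as write policies granted at cluster scope. The account ID, role names, approved list and the name `audit_access_entries` are constructed for illustration.

```python
import json

# EKS access policy names (the suffix of the policy ARN), grouped by what they allow.
ADMIN = {"AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy"}
WRITE = ADMIN | {"AmazonEKSEditPolicy"}
P = "arn:aws:eks::aws:cluster-access-policy/"
R = "arn:aws:iam::111122223333:role/"  # constructed account ID

def _entry(role, policy, scope_type, namespaces=()):
    """Build one constructed `list-associated-access-policies` result."""
    return {"principalArn": R + role, "associatedAccessPolicies": [
        {"policyArn": P + policy,
         "accessScope": {"type": scope_type, "namespaces": list(namespaces)}}]}

# Constructed sample: one result per access entry in the cluster.
SAMPLE_ENTRIES = [
    _entry("example-platform-admin", "AmazonEKSClusterAdminPolicy", "cluster"),
    _entry("example-ci-deployer", "AmazonEKSEditPolicy", "cluster"),
    _entry("example-contractor", "AmazonEKSClusterAdminPolicy", "cluster"),
    _entry("example-app-team", "AmazonEKSEditPolicy", "namespace", ["payments"]),
    _entry("example-readonly", "AmazonEKSViewPolicy", "cluster"),
]

def audit_access_entries(entries, approved_admins):
    """Return (principal, policy, issue) tuples for associations that exceed least privilege."""
    findings = []
    for entry in entries:
        principal = entry["principalArn"]
        for assoc in entry.get("associatedAccessPolicies", []):
            policy = assoc["policyArn"].rsplit("/", 1)[-1]
            cluster_wide = assoc.get("accessScope", {}).get("type") == "cluster"
            if principal in approved_admins:
                continue  # explicitly reviewed and accepted
            if policy in ADMIN:
                findings.append((principal, policy, "admin policy on unapproved principal"))
            elif policy in WRITE and cluster_wide:
                findings.append((principal, policy, "write policy at cluster scope"))
    return findings

if __name__ == "__main__":
    for finding in audit_access_entries(SAMPLE_ENTRIES, {R + "example-platform-admin"}):
        print(json.dumps(finding))
```
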

Conclusion

This guide outlined the process of updating an Amazon EKS cluster. It emphasized the importance of reviewing Kubernetes patch notes and using AWS Upgrade Insights to identify potential issues before upgrading. Additionally, it provided steps for resolving deprecation-related errors and updating authentication configurations to ensure continued access control.

About TrackIt

TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.

We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.

Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.