EKS clusters should be kept updated to protect publicly exposed Kubernetes APIs from compromise and to avoid forced upgrades that can break services
The control plane is a collection of services that govern the entire Kubernetes cluster, including the:
Managing these services yourself adds a significant maintenance burden, so AWS EKS removes it by provisioning and operating the control plane infrastructure for you.
The control plane itself is stable and changes little from one cluster to the next: most control plane installations are configured and operated the same way. What distinguishes one cluster from another is its workloads and data, not its control plane.
Because the control plane oversees the entire cluster, it also determines which version of Kubernetes the cluster runs. EKS lets you apply Kubernetes version upgrades through the EKS cluster resource itself (the console, the AWS CLI, or infrastructure-as-code). It remains the customer's responsibility to keep the cluster current, so that breaking changes between Kubernetes versions are handled in line with the cluster's workloads rather than discovered during a forced upgrade.
While it is possible to keep running an outdated Kubernetes version, AWS will eventually upgrade the control plane automatically once that version leaves support, which can leave Kubernetes resources and services broken if the workloads were never prepared for the change. Clusters on versions that have left standard support are also billed at AWS's extended-support rate, a further incentive to stay current. If the cluster runs business-critical workloads, regular updates are essential to avoid outages and business impact.
The security argument is just as important. If the Kubernetes API endpoint is publicly accessible (even when restricted by a firewall or CIDR allowlist), keeping the control plane updated is crucial: Kubernetes releases carry security patches for the API server, and an outdated API server exposes the whole cluster to known vulnerabilities. Because the API is the gateway to every resource in the cluster, a compromised API server means a compromised cluster, which makes timely updates a core part of both availability and security.
Our advice is to update Kubernetes clusters frequently and on a regular cadence. This removes the time pressure of a cloud-provider deadline and spreads the changes required by the Kubernetes software stack across smaller, more manageable upgrades.
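The two checks described above (is the control plane version below the floor we are willing to run, and is the API endpoint internet-facing) can be scripted against the output of aws eks describe-cluster. The following is an added example written for this page; it is not SkySiege's scanner and not AWS code. The sample cluster document is constructed for illustration, the minimum supported version is a caller-supplied placeholder that must be taken from the current EKS version lifecycle table, and the optional live mode assumes boto3 and valid AWS credentials.

```python
"""Audit an EKS cluster's control-plane version and API endpoint exposure.

Added example for this page (not SkySiege's scanner, not AWS code).
Works on the JSON that `aws eks describe-cluster` / boto3 describe_cluster
returns.  Assumptions: SAMPLE_DESCRIBE_CLUSTER is constructed, and
MIN_SUPPORTED is a placeholder the caller must replace with the real
floor from the EKS version lifecycle table.
"""
from __future__ import annotations

import json
import sys
from ipaddress import ip_network


def parse_version(version: str) -> tuple[int, int]:
    """Turn "1.27" into (1, 27) so "1.9" sorts below "1.30" (string compare would not)."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def audit_cluster(cluster: dict, min_supported: str) -> list[str]:
    """Return findings for one cluster description (the "cluster" object).

    Two checks, matching the two risks in the text:
      1. control plane version below the minimum we are willing to run;
      2. public API endpoint, and whether it is open to the whole internet.
    """
    findings: list[str] = []
    name = cluster.get("name", "<unnamed>")
    version = cluster.get("version", "0.0")

    if parse_version(version) < parse_version(min_supported):
        findings.append(
            f"{name}: control plane {version} is below {min_supported}; "
            "schedule an upgrade before AWS forces one"
        )

    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess", False):
        cidrs = vpc.get("publicAccessCidrs", [])
        # An empty allowlist or a /0 prefix both mean "anyone on the internet".
        # strict=False tolerates CIDRs with host bits set.
        world_open = not cidrs or any(
            ip_network(c, strict=False).prefixlen == 0 for c in cidrs
        )
        if world_open:
            findings.append(f"{name}: public API endpoint is reachable from the whole internet")
        else:
            findings.append(
                f"{name}: public API endpoint allowlisted to {', '.join(cidrs)}; "
                "still internet-facing, so patch level matters"
            )
    return findings


# Constructed sample in the shape of `aws eks describe-cluster --name payments-prod`.
SAMPLE_DESCRIBE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "payments-prod",
    "version": "1.27",
    "status": "ACTIVE",
    "resourcesVpcConfig": {
      "endpointPublicAccess": true,
      "endpointPrivateAccess": false,
      "publicAccessCidrs": ["0.0.0.0/0"]
    }
  }
}
""")

MIN_SUPPORTED = "1.29"  # placeholder: read the real floor from the EKS lifecycle table


def audit_all(descriptions: list[dict], min_supported: str = MIN_SUPPORTED) -> dict[str, list[str]]:
    """Map cluster name -> findings for a batch of describe-cluster documents."""
    return {d["cluster"]["name"]: audit_cluster(d["cluster"], min_supported) for d in descriptions}


if __name__ == "__main__":
    # Offline demo on the constructed sample.
    for cluster_name, issues in audit_all([SAMPLE_DESCRIBE_CLUSTER]).items():
        print(cluster_name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)

    # `--live`: walk every region with boto3 (needs credentials; assumption, not run by default).
    if "--live" in sys.argv:
        import boto3

        regions = [r["RegionName"] for r in
                   boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]]
        for region in regions:
            eks = boto3.client("eks", region_name=region)
            for page in eks.get_paginator("list_clusters").paginate():
                for cluster_name in page["clusters"]:
                    desc = eks.describe_cluster(name=cluster_name)["cluster"]
                    for issue in audit_cluster(desc, MIN_SUPPORTED):
                        print(f"[{region}] {issue}")
```

Run it with no arguments to see the two findings for the constructed cluster; pass --live to scan real clusters. The version comparison is done on parsed integers deliberately: a naive string comparison would rank 1.9 above 1.30 and silently pass a cluster that is far behind.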
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
The effort involved in a Kubernetes update varies significantly with both the current and the target version. Breaking changes, including removed and deprecated APIs, have been introduced across many Kubernetes releases, so each version on the upgrade path needs its own analysis. EKS upgrades move one minor version at a time, so a cluster that has fallen several versions behind needs several sequential upgrades, each tested in turn. Some of these changes will not affect your cluster's resources and others will, which is why you also need a complete picture of which resources and API versions the cluster actually uses.
Maintaining uptime during the update can also be challenging, since some services may need to be repackaged and re-released so that they work on both the current and the target Kubernetes version. This process can be technically complex, and it is advisable to seek professional support, especially where the organisation's services are critical.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.