2

Do AWS EKS managed nodes receive security patching automatically or is it the owner's responsibility to patch?

vkoukou

1 Answer

1

This is likely to depend on exactly how your worker nodes are provisioned in the cluster.

If you're using unmanaged node groups then the AWS documentation here recommends that the customer upgrade their nodes manually.

If you're using managed node groups, AWS manage the node lifecycle as detailed here, which I would take to mean that they will be patched and upgraded by AWS.

Of course if you're using workloads in EKS based on Fargate, the underlying hosts are managed fully by AWS, meaning you don't have to worry about patching them.

Rory McCune
  • Thank you for the quick and prompt response! – vkoukou Jan 17 '20 at 14:30
  • 1
    Based on my reading of the *current* documentation, I'm not so sure I agree with you. This section may have been added since your original answer. Bolding below is my own. > When managed nodes run an Amazon EKS optimized AMI, Amazon EKS is responsible for building patched versions of the AMI when bugs or issues are reported. We can publish a fix. **However, you're responsible for deploying these patched AMI versions to your managed node groups**. – Liam Sep 06 '21 at 09:04
  • 1
    A similar comment from AWS is found here: https://www.eksworkshop.com/intermediate/320_eks_upgrades/ "In addition to upgrades to Kubernetes, there are other related upgrades to think about with your cluster as well: The Amazon Machine Image (AMI) of your Nodes - including not just the portion of Kubernetes that is part of the image, the kubelet, but everything else there (OS, containerd, etc.)" – DonBecker Jan 27 '22 at 21:41
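
The documentation quoted in the comments leaves deployment of patched AMI versions to the node group owner, so a routine check is whether a managed node group is behind the latest published EKS optimized AMI release. The script below is an added example, not part of the original thread or of AWS's own tooling. Assumptions: the function names are hypothetical, the default `amazon-linux-2` parameter path segment applies only to that AMI family, release versions have the form `<kubernetes-version>-<YYYYMMDD>`, and the values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: is an EKS managed node group behind the latest published
# EKS optimized AMI release for its Kubernetes version?
# Usage (constructed names): sh check.sh my-cluster my-nodegroup [ami-family]

# Print the build date (YYYYMMDD) of a release version like 1.21.5-20220123.
# Anything not in that shape, such as an AMI ID, is rejected.
release_date() {
  d="${1##*-}"
  case "$d" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$d" ;;
    *) return 1 ;;
  esac
}

# Exit 0 if current is older than latest, 1 if it is up to date,
# 2 if either value cannot be parsed.
release_is_stale() {
  cur="$(release_date "$1")" || return 2
  new="$(release_date "$2")" || return 2
  [ "$cur" -lt "$new" ]
}

# Read one field of the node group description via the AWS CLI.
ng_field() {
  aws eks describe-nodegroup --cluster-name "$1" --nodegroup-name "$2" \
    --query "nodegroup.$3" --output text
}

check_nodegroup() {
  cluster="$1"; nodegroup="$2"; family="${3:-amazon-linux-2}"  # assumed default
  k8s="$(ng_field "$cluster" "$nodegroup" version)" || return 2
  current="$(ng_field "$cluster" "$nodegroup" releaseVersion)" || return 2
  # Public SSM parameter holding the recommended AMI release version.
  latest="$(aws ssm get-parameter --query 'Parameter.Value' --output text \
    --name "/aws/service/eks/optimized-ami/${k8s}/${family}/recommended/release_version")" || return 2
  rc=0; release_is_stale "$current" "$latest" || rc=$?
  case "$rc" in
    0) echo "STALE: $cluster/$nodegroup runs $current, latest is $latest"
       echo "Roll out with: aws eks update-nodegroup-version --cluster-name $cluster --nodegroup-name $nodegroup"
       return 1 ;;
    1) echo "OK: $cluster/$nodegroup runs $current" ;;
    *) echo "Cannot compare '$current' with '$latest' (custom AMI?)" >&2
       return 2 ;;
  esac
}

# Only call AWS when a cluster and node group are given on the command line.
if [ "$#" -ge 2 ]; then check_nodegroup "$@"; fi
```

Run on a schedule, the non-zero exit status for a stale node group can feed an alert, since nothing in the managed node group lifecycle applies the new AMI release on its own.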