I want to use AWS Systems Manager Automation to apply security patches to Amazon Elastic Kubernetes Service (Amazon EKS) worker node Amazon Machine Images (AMIs).
Resolution
Use AWS Systems Manager Automation runbooks to apply security patches to your Amazon EKS worker nodes. Use runbooks to apply new versions and to automate security patching and version upgrades for managed node groups or self-managed nodes.
Use AWS Systems Manager Automation for managed node groups
To run the AWS-UpdateEKSManagedNodeGroup runbook, complete the following steps:
- Open the AWS Management Console.
- Select the AWS Region where your Amazon EKS cluster is located.
- Open the AWS Systems Manager console.
- In the navigation pane, choose Automation.
- Choose Execute runbook.
- In the Automation runbook search field, enter AWS-UpdateEKSManagedNodeGroup, and then choose the AWS-UpdateEKSManagedNodeGroup runbook.
Note: The runbook details tab opens in a new browser window.
- Choose Execute automation.
Note: The Execute automation runbook tab opens in a new browser window.
- Under Input parameters, enter the following parameters:
For ClusterName, enter the name of your Amazon EKS cluster that contains the node group.
For NodeGroupName, enter the name of the node group that you want to update.
For UpdateType, choose Update Node Group Version.
For ForceUpdate, choose True if the existing node group's pods can't be drained because of a pod disruption budget issue. Otherwise, choose False.
(Optional) For AutomationAssumeRole, enter the AWS Identity and Access Management (IAM) role Amazon Resource Name (ARN) for Systems Manager Automation to perform actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user who starts the runbook.
- If you didn't create your node group from a launch template, then specify the following parameters:
(Optional) For KubernetesVersion, enter the Kubernetes version to update the node group to. For example, enter 1.30.
(Optional) For AMIReleaseVersion, enter the version of the Amazon EKS optimized AMI that you want to use. For example, enter 1.30.2-20240828. The system uses the latest version by default.
- If you created your node group from a launch template, then you can specify the following parameters:
(Optional) For LaunchTemplateId, enter the ID of the launch template.
(Optional) For LaunchTemplateName, enter the name of the launch template.
- Choose Execute.
Use AWS Systems Manager Automation for self-managed node groups
Important: If your cluster uses auto scaling, then you must scale down the cluster-autoscaler deployment to two replicas before you run the runbook. To scale down the cluster-autoscaler deployment, run the following command:
kubectl scale deployments/cluster-autoscaler --replicas=2 -n kube-system
To run the AWS-UpdateEKSSelfManagedLinuxNodeGroups runbook, complete the following steps:
- Open the AWS Management Console.
- Select the AWS Region where your Amazon EKS cluster is located.
- Open the AWS Systems Manager console.
- In the navigation pane, choose Automation.
- Choose Execute runbook.
- In the Automation runbook search field, enter AWS-UpdateEKSSelfManagedLinuxNodeGroups, and then choose the AWS-UpdateEKSSelfManagedLinuxNodeGroups runbook.
Note: The runbook details tab opens in a new browser window.
- Choose Execute automation.
Note: The Execute automation runbook tab opens in a new browser window.
- Under Input parameters, enter the following parameters:
(Optional) For AutomationAssumeRole, enter the IAM role ARN for Systems Manager Automation to perform actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user who starts the runbook.
For StackName, enter the name of the AWS CloudFormation stack for the self-managed node.
For NodeAutoScalingGroupDesiredCapacity, enter the number of nodes that the node group maintains.
For NodeAutoScalingGroupMaxSize, enter the maximum number of nodes for your node Auto Scaling group.
For NodeInstanceType, enter the instance type to use for the node group.
For NodeImageIdSSMParam, enter the Parameter Store path for your node group AMI.
(Optional) For NodeImageId, enter the AMI ID for your node group to override any value specified for NodeImageIdSSMParam.
For DisableIMDSv1, select whether to turn off IMDSv1.
For WaitForStackUpdateProgress, enter the duration in seconds that the automation waits to provide time for launch template stack updates and for rolling updates to begin before assessing the stack status.
- Choose Execute.
- After the update completes, to scale the cluster-autoscaler deployment back to the desired number of replicas, run the following command:
kubectl scale deployments/cluster-autoscaler --replicas=number -n kube-system
Note: Replace number with the number of replicas that you want to use.
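The two procedures above can also be driven from the AWS CLI, which is how most teams schedule patching rather than clicking through the console. The following script is an added example, not code from the AWS page or from the runbooks themselves. It assumes the aws CLI and kubectl are already configured for the target account and cluster, it uses the parameter names and value strings exactly as the page lists them (confirm the allowed values for your Region with the show_runbook_inputs helper, which calls aws ssm describe-document), and the cluster name, node group name, stack name and instance type in the usage block are constructed sample values. The Parameter Store path shown is the public Amazon EKS optimized AMI parameter for Kubernetes 1.30 on Amazon Linux 2 and is only an illustration.

```shell
#!/bin/sh
# Added example (not from the AWS page): run AWS-UpdateEKSManagedNodeGroup and
# AWS-UpdateEKSSelfManagedLinuxNodeGroups from the CLI and poll them to completion.
# Assumes the aws CLI and kubectl are configured for the target account/cluster.

# Print the input parameters a runbook accepts so values can be checked first.
show_runbook_inputs() {
  aws ssm describe-document --name "$1" \
    --query 'Document.Parameters[].[Name,Type,Description]' --output table
}

# Emit ,"Name":["Value"] only when Value is non-empty, so optional inputs are
# left out of the parameter map instead of being sent as empty strings.
opt_entry() {
  [ -n "$2" ] && printf ',"%s":["%s"]' "$1" "$2"
  return 0
}

# Parameter map for AWS-UpdateEKSManagedNodeGroup (values as listed on the page).
# Args: cluster nodegroup force_update [kube_version] [ami_release] [lt_id] [lt_name] [role_arn]
managed_nodegroup_params() {
  printf '{"ClusterName":["%s"],"NodeGroupName":["%s"]' "$1" "$2"
  printf ',"UpdateType":["Update Node Group Version"],"ForceUpdate":["%s"]' "$3"
  # Version inputs are for node groups created without a launch template;
  # launch-template node groups pass the template ID or name instead.
  opt_entry KubernetesVersion "${4:-}"
  opt_entry AMIReleaseVersion "${5:-}"
  opt_entry LaunchTemplateId "${6:-}"
  opt_entry LaunchTemplateName "${7:-}"
  opt_entry AutomationAssumeRole "${8:-}"
  printf '}'
}

# Parameter map for AWS-UpdateEKSSelfManagedLinuxNodeGroups.
# Args: stack desired max instance_type ssm_param disable_imdsv1 wait_seconds [ami_id] [role_arn]
self_managed_params() {
  printf '{"StackName":["%s"],"NodeAutoScalingGroupDesiredCapacity":["%s"]' "$1" "$2"
  printf ',"NodeAutoScalingGroupMaxSize":["%s"],"NodeInstanceType":["%s"]' "$3" "$4"
  printf ',"NodeImageIdSSMParam":["%s"],"DisableIMDSv1":["%s"]' "$5" "$6"
  printf ',"WaitForStackUpdateProgress":["%s"]' "$7"
  opt_entry NodeImageId "${8:-}"
  opt_entry AutomationAssumeRole "${9:-}"
  printf '}'
}

# Map an Automation execution status to running / success / failed.
classify_status() {
  case "$1" in
    Success|CompletedWithSuccess) echo success ;;
    Failed|TimedOut|Cancelled|CompletedWithFailure) echo failed ;;
    *) echo running ;;
  esac
}

# Start a runbook with a JSON parameter map and print its execution ID.
start_runbook() {
  aws ssm start-automation-execution --document-name "$1" \
    --parameters "$2" --query AutomationExecutionId --output text
}

# Poll until the execution reaches a terminal state; non-zero exit on failure.
wait_for_automation() {
  while :; do
    status=$(aws ssm get-automation-execution --automation-execution-id "$1" \
      --query 'AutomationExecution.AutomationExecutionStatus' --output text)
    case "$(classify_status "$status")" in
      success) echo "$1: $status"; return 0 ;;
      failed)  echo "$1: $status" >&2; return 1 ;;
      running) sleep 30 ;;
    esac
  done
}

# Self-managed flow from the page: record the cluster-autoscaler replica count,
# scale it to 2 before the run, and restore the recorded count afterwards even
# if the automation fails, so the autoscaler is never left scaled down.
patch_self_managed_nodes() {
  orig=$(kubectl get deployment cluster-autoscaler -n kube-system \
    -o jsonpath='{.spec.replicas}')
  kubectl scale deployments/cluster-autoscaler --replicas=2 -n kube-system
  exec_id=$(start_runbook AWS-UpdateEKSSelfManagedLinuxNodeGroups "$1")
  if wait_for_automation "$exec_id"; then rc=0; else rc=1; fi
  kubectl scale deployments/cluster-autoscaler --replicas="$orig" -n kube-system
  return $rc
}

# Usage with constructed sample values; set RUN_EKS_PATCH=1 to actually run.
if [ "${RUN_EKS_PATCH:-0}" = "1" ]; then
  p=$(managed_nodegroup_params prod-cluster ng-1 False 1.30 1.30.2-20240828)
  wait_for_automation "$(start_runbook AWS-UpdateEKSManagedNodeGroup "$p")"
  patch_self_managed_nodes "$(self_managed_params eks-nodes 3 5 m5.large \
    /aws/service/eks/optimized-ami/1.30/amazon-linux-2/recommended/image_id True 300)"
fi
```

The parameter builders only emit the optional inputs that are set, which keeps the CLI call from sending empty strings the runbook would reject, and the self-managed wrapper restores the cluster-autoscaler to its recorded replica count whether or not the automation succeeded.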
Related information
Update a managed node group for your cluster
Update self-managed nodes for your cluster
Creating your own runbooks