I have some questions about a notice that I received from AWS: "A software update has been deployed to AWS Fargate which includes important security patches and critical updates. To complete this software update process, EKS Fargate will be evicting pods launched before [date]."
Q: What do I do to avoid service downtime when AWS applies patches and updates to my AWS Fargate Pod?
Restart your Fargate Pod before the deadline that's mentioned in the notice. If your Pod is managed by a Deployment or StatefulSet, run one of the following commands to perform a rolling restart of the whole workload. The controller replaces the Pods according to its rolling update strategy, and each replacement Pod lands on patched Fargate infrastructure, so the restart causes no downtime as long as the workload runs more than one replica and its Pods have readiness probes:
kubectl rollout restart deployment/deployment-name -n test-namespace
-or-
kubectl rollout restart statefulset/sts-name -n test-namespace
Note: In the Deployment command, replace deployment-name with the name of your Deployment. In the StatefulSet command, replace sts-name with the name of your StatefulSet. In both commands, replace test-namespace with the name of your namespace. The resource type (deployment or statefulset) is required: kubectl rollout restart doesn't accept a bare resource name. You can follow the progress of the restart with kubectl rollout status on the same resource.
For more information, see Deployments and StatefulSets on the Kubernetes website.
If your Pod is a standalone Pod (one that isn't managed by a controller), nothing recreates it after an eviction, so complete the following steps:
- Create a replacement Pod with identical specifications but a different name, so that both Pods can exist in the namespace at the same time.
- Update the endpoint or IP address of the Pod in other applications, as needed. Pod IP addresses aren't stable; putting a Service in front of the Pod avoids this step in the future.
- Delete your standalone Pod.
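The following script carries out the first step of that procedure for a standalone Pod. It is an added example and not code from the AWS article: it takes the object that `kubectl get pod NAME -n NAMESPACE -o json` returns, removes the fields that the API server owns (uid, resourceVersion, managedFields, status, nodeName and so on), renames the Pod, and prints JSON that can be piped to `kubectl create -f -`. The file name `replace_pod.py`, the new Pod name `worker-2`, and the `SAMPLE_POD` object are assumptions; `SAMPLE_POD` is a constructed, trimmed-down Pod so that the script runs offline.

```python
"""Build a replacement manifest for a standalone (unmanaged) Fargate Pod.

Added example, not code from the AWS article. Reads the JSON that
`kubectl get pod NAME -n NAMESPACE -o json` returns, strips the fields the
API server owns, renames the Pod, and emits JSON for `kubectl create -f -`.
SAMPLE_POD is a constructed, trimmed-down Pod used when no input is piped in.
"""
import copy
import json
import sys

# Metadata the API server populates on create; submitting them either fails
# (uid, resourceVersion) or carries stale bookkeeping into the new object.
SERVER_MANAGED_METADATA = (
    "uid",
    "resourceVersion",
    "creationTimestamp",
    "generation",
    "managedFields",
    "selfLink",
    "deletionTimestamp",
    "deletionGracePeriodSeconds",
)


def replacement_pod(pod: dict, new_name: str) -> dict:
    """Return a new Pod object with the same spec and a fresh identity.

    The input is not modified, so the old object can still be used (for
    example, to read its podIP for the endpoint update step).
    """
    if pod.get("kind") != "Pod":
        raise ValueError("expected a Pod object, got %r" % pod.get("kind"))
    if pod.get("metadata", {}).get("ownerReferences"):
        # A controller-managed Pod should be rolled through its controller.
        raise ValueError("Pod has an owner; use 'kubectl rollout restart' instead")
    if new_name == pod["metadata"].get("name"):
        # Names are unique per namespace; the replacement must coexist with
        # the old Pod until the old one is deleted.
        raise ValueError("the replacement needs a different name")

    new = copy.deepcopy(pod)
    new.pop("status", None)  # observed state (phase, podIP); never submitted
    meta = new["metadata"]
    for key in SERVER_MANAGED_METADATA:
        meta.pop(key, None)
    meta["name"] = new_name
    # nodeName pins the Pod to the old Fargate node, which is exactly what the
    # patch cycle is retiring; leave it unset so Fargate provisions a new one.
    new["spec"].pop("nodeName", None)
    return new


def replacement_manifest(pod: dict, new_name: str) -> str:
    """JSON suitable for `kubectl create -f -`."""
    return json.dumps(replacement_pod(pod, new_name), indent=2)


# Constructed sample; a real Pod has many more fields, handled the same way.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "worker",
        "namespace": "test-namespace",
        "labels": {"app": "worker"},
        "uid": "3d1b2f7e-0000-4000-8000-000000000001",
        "resourceVersion": "482913",
        "creationTimestamp": "2024-01-15T10:00:00Z",
        "managedFields": [{"manager": "kubectl-create", "operation": "Update"}],
    },
    "spec": {
        "schedulerName": "fargate-scheduler",
        "nodeName": "fargate-ip-192-168-10-20.ec2.internal",
        "containers": [
            {"name": "app", "image": "public.ecr.aws/docker/library/nginx:1.25"}
        ],
    },
    "status": {"phase": "Running", "podIP": "192.168.10.20"},
}

if __name__ == "__main__":
    # With a name argument, read the Pod JSON from stdin; otherwise use the sample.
    if len(sys.argv) > 1:
        print(replacement_manifest(json.load(sys.stdin), sys.argv[1]))
    else:
        print(replacement_manifest(SAMPLE_POD, "worker-2"))
```

In practice the three steps become: `kubectl get pod worker -n test-namespace -o json | python3 replace_pod.py worker-2 | kubectl create -f -`, then repoint clients at the new Pod's IP (or at the Service), then `kubectl delete pod worker -n test-namespace`. The script refuses a Pod that has an owner, because a controller-managed Pod should be restarted through its Deployment or StatefulSet instead.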
Q: What happens if I fail to restart my Pod before the date that's specified in the notice?
Amazon Elastic Kubernetes Service (Amazon EKS) evicts the Fargate Pods one Availability Zone at a time and honors the Pod disruption budgets (PDBs) that you set. If the eviction succeeds and the Pod is managed by a controller such as a Deployment or StatefulSet, the controller creates a replacement Pod, which Fargate launches on patched infrastructure. You don't need to take any further action. A standalone Pod isn't recreated after eviction, which is why you should replace it yourself before the deadline.
Q: Do I get notified about Pod eviction failures or node termination?
When a Pod eviction fails, AWS sends a notification about the eviction failure. If you don't take action before the scheduled termination, Amazon EKS terminates the existing Pods and the underlying Fargate nodes without any further notification. Pods that a controller recreates after the termination run on patched infrastructure.
Q: How does Amazon EKS manage patches for an application Pod that I configured with PDBs?
When Amazon EKS patches Fargate Pods, it doesn't abruptly terminate Pods that are covered by a PDB: it evicts them through the Kubernetes Eviction API, which refuses an eviction that would violate the budget. For more information, see Pod disruption budgets on the Kubernetes website. When Amazon EKS updates the underlying node, it considers PDBs. To avoid downtime, it's a best practice to configure PDBs for your Pods. However, an overly restrictive PDB (for example, minAvailable equal to the replica count, or minAvailable: 1 on a single-replica workload) never permits an eviction, which causes eviction failures and, at the deadline, node terminations.
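To see concretely which PDB settings block the patch eviction, here is an added example (not code from the AWS article or from Kubernetes) that reproduces the budget arithmetic the Kubernetes disruption controller uses: minAvailable or maxUnavailable is resolved against the expected Pod count with percentages rounded up, the result is a desired healthy count, and the budget allows currentHealthy minus desiredHealthy disruptions. The `simulate_patch_evictions` function then walks a workload through the patch cycle one eviction at a time. The function names, the example PDB specs, and the assumption that each replacement Pod becomes Ready before the next eviction is attempted are all mine; the simulation also ignores the Availability Zone batching the answer above describes.

```python
"""Check whether a PodDisruptionBudget lets the Fargate patch eviction proceed.

Added example, not code from the AWS article or from Kubernetes. The
arithmetic follows the Kubernetes disruption controller's status
computation: minAvailable / maxUnavailable are resolved against the expected
Pod count (percentages round up), the result is a desired healthy count, and
the budget allows currentHealthy - desiredHealthy disruptions. Fargate
patching evicts through the Eviction API, which refuses (HTTP 429) when that
number is 0; that refusal is the "eviction failure" the notice warns about.
"""
import math


def _scaled(value, total: int) -> int:
    """Resolve an IntOrString like 1 or "25%" against total, rounding up."""
    if isinstance(value, str):
        if not value.endswith("%"):
            raise ValueError("string values must be percentages: %r" % value)
        return math.ceil(int(value[:-1]) * total / 100)
    return int(value)


def disruptions_allowed(pdb_spec: dict, expected: int, current_healthy: int) -> int:
    """Voluntary evictions the PDB permits right now.

    expected:        Pods the owning controller should run (its replicas)
    current_healthy: Pods selected by the PDB that are currently Ready
    """
    has_min = "minAvailable" in pdb_spec
    has_max = "maxUnavailable" in pdb_spec
    if has_min == has_max:
        raise ValueError("set exactly one of minAvailable or maxUnavailable")
    if expected <= 0:
        return 0
    if has_max:
        desired_healthy = max(expected - _scaled(pdb_spec["maxUnavailable"], expected), 0)
    else:
        desired_healthy = _scaled(pdb_spec["minAvailable"], expected)
    return max(current_healthy - desired_healthy, 0)


def simulate_patch_evictions(pdb_spec: dict, replicas: int) -> tuple:
    """Evict every Pod of a workload once, one eviction at a time.

    Models the patch cycle against a controller-managed workload: after each
    successful eviction a replacement Pod becomes Ready on patched Fargate
    infrastructure before the next eviction is attempted (an assumption; a
    crash-looping replacement would block later evictions too).
    Returns (evicted, still_on_old_infrastructure).
    """
    healthy = old = replicas
    evicted = 0
    while old > 0:
        if disruptions_allowed(pdb_spec, replicas, healthy) == 0:
            break  # the Eviction API would answer 429; the patch eviction fails
        healthy -= 1
        old -= 1
        evicted += 1
        healthy += 1  # replacement Pod is Ready on a patched node
    return evicted, old


if __name__ == "__main__":
    cases = [
        ("maxUnavailable: 1   (3 replicas)", {"maxUnavailable": 1}, 3),
        ("minAvailable: 50%  (3 replicas)", {"minAvailable": "50%"}, 3),
        ("minAvailable: 100% (3 replicas)", {"minAvailable": "100%"}, 3),
        ("minAvailable: 1    (1 replica)", {"minAvailable": 1}, 1),
    ]
    for label, spec, n in cases:
        evicted, stuck = simulate_patch_evictions(spec, n)
        print("%-33s evicted=%d stuck=%d" % (label, evicted, stuck))
```

The last two cases are the "aggressive" budgets: with minAvailable: 100% on three replicas, or minAvailable: 1 on a single replica, the budget never allows a disruption, every Pod stays on the old infrastructure, and at the deadline Amazon EKS terminates the nodes anyway. A budget such as maxUnavailable: 1 (or minAvailable below the replica count) lets the patch cycle proceed one Pod at a time.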
Q: Can I postpone patching or eviction because I can't take actions that avoid the downtime?
For security reasons, Amazon EKS applies patches automatically and in batches across many clusters. Because some common vulnerabilities and exposures (CVEs) are critical and need immediate attention, you can't postpone patching. If you need an exception, submit a technical support case to the Amazon EKS team with a detailed justification.
Q: How often does Amazon EKS patch the OS on Fargate nodes?
Amazon EKS patches the operating system (OS) on Fargate nodes at regular intervals. It also applies out-of-band patches for bug fixes and security updates that can't be scheduled ahead of time.
Q: Where can I find information about the exact time and date when the patches are applied?
Amazon EKS notifies you about the patch process in advance, but the patching itself doesn't have a set date and time. Because Amazon EKS applies the patches automatically, eviction can occur at any time on or after the date that's specified in the notification, so treat that date as the latest safe moment to have restarted your Pods.
Q: Where do I check for security update-related notifications from Amazon EKS?
Amazon EKS sends an email notification about security patches to the primary email address on your AWS account and also posts the event in the AWS Health Dashboard. You can use Amazon EventBridge rules on AWS Health events to forward these notifications to other AWS services or third-party tools.