Kubernetes Cluster Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EKS-002

Ensure that your Amazon Elastic Kubernetes Service (EKS) clusters are using the latest supported version of Kubernetes. This will allow you to receive the latest Kubernetes features, design updates, and bug fixes, benefit from improved security and performance, and maintain low costs with standard support. The community releases new Kubernetes minor versions, such as 1.30, approximately every four months, and each minor version is supported for about one year after its initial release. Upgrading to the latest Kubernetes version on Amazon EKS with standard support also saves costs because it allows you to avoid the $0.60 per hour extended support fee. Standard support is more affordable at $0.10 per hour.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security
Performance efficiency
Reliability

Kubernetes, the container orchestration system, receives frequent version updates that introduce new features, bug fixes, security patches, and performance improvements. When new versions are available in Amazon EKS, we recommend upgrading your EKS clusters to the latest supported version, unless your applications require a specific Kubernetes version. This ensures you benefit from the latest features and security enhancements, while avoiding high costs associated with extended support for older versions.


Audit

To determine if your Amazon EKS clusters are using the latest supported version of Kubernetes, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon EKS console available at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to examine.

05 Check the Kubernetes version attribute value listed in the Cluster info section to determine the Kubernetes version used by the selected EKS cluster.

06 Check the Amazon EKS Kubernetes release calendar to identify the latest stable version of Kubernetes supported by Amazon EKS. Compare this version with the one installed on the selected EKS cluster, identified in the previous step. If Amazon EKS supports a newer version, update the Kubernetes version installed on the selected cluster before the end of support date.

07 Repeat steps no. 4 – 6 for each Amazon EKS cluster available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the list-clusters command (OSX/Linux/UNIX) with custom query filters to list the names of all Amazon EKS clusters available in the selected AWS region:

aws eks list-clusters \
  --region us-east-1 \
  --output table \
  --query 'clusters'

02 The command output should return a table with the requested EKS cluster identifiers:

-------------------------
|     ListClusters      |
+-----------------------+
|  cc-eks-mobile-app    |
|  cc-eks-kube-stack    |
+-----------------------+

03 Run the describe-cluster command (OSX/Linux/UNIX) with the name of the Amazon EKS cluster that you want to examine as the identifier parameter to describe the Kubernetes version installed on the selected cluster:

aws eks describe-cluster \
  --region us-east-1 \
  --name cc-eks-mobile-app \
  --query 'cluster.version'

04 The command output should return the Kubernetes version installed on the selected EKS cluster:

"1.21"

05 Check the Amazon EKS Kubernetes release calendar to identify the latest stable version of Kubernetes supported by Amazon EKS. Compare this version with the one installed on the selected EKS cluster, returned by the describe-cluster command output at the previous step. If Amazon EKS supports a newer version, update the Kubernetes version installed on the selected cluster before the end of support date.

06 Repeat steps no. 3 – 5 for each Amazon EKS cluster available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
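
The CLI audit steps above, combined into one script. This is an added example, not part of the original Conformity page; it assumes a configured AWS CLI, and the function names (version_lt, audit_region) and the target version argument are hypothetical. Take the target version from the Amazon EKS Kubernetes release calendar.

```shell
#!/usr/bin/env bash
# Added example (not Conformity code). Assumes a configured AWS CLI.
# The target version is an input: read it from the EKS release calendar.

# version_lt A B: succeeds when A is an older major.minor than B.
# Fields are compared as integers, so 1.9 < 1.10 (a string or float compare gets this wrong).
version_lt() {
  local a_major a_minor b_major b_minor
  a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
  b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
  if [ "$a_major" -ne "$b_major" ]; then
    [ "$a_major" -lt "$b_major" ]
  else
    [ "$a_minor" -lt "$b_minor" ]
  fi
}

# audit_region REGION TARGET: prints "REGION CLUSTER VERSION STATUS" per cluster.
# Returns 1 when any cluster is older than TARGET or its version cannot be read.
audit_region() {
  local region target rc name version
  region=$1; target=$2; rc=0
  for name in $(aws eks list-clusters --region "$region" \
      --query 'clusters[]' --output text); do
    version=$(aws eks describe-cluster --region "$region" --name "$name" \
      --query 'cluster.version' --output text) || version=""
    case $version in
      [0-9]*.[0-9]*) ;;
      *) echo "$region $name ${version:-?} UNKNOWN"; rc=1; continue ;;
    esac
    if version_lt "$version" "$target"; then
      echo "$region $name $version OUTDATED"; rc=1
    else
      echo "$region $name $version OK"
    fi
  done
  return "$rc"
}

# Entry point: bash eks_version_audit.sh TARGET REGION [REGION...]
if [ "$#" -ge 2 ]; then
  target_version=$1; shift; status=0
  for r in "$@"; do
    audit_region "$r" "$target_version" || status=1
  done
  exit "$status"
fi
```

The non-zero exit status on any OUTDATED or UNKNOWN cluster lets the script gate a scheduled job or CI pipeline.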

Remediation / Resolution

As new Kubernetes versions become available for the Amazon EKS service, you can proactively update your EKS clusters to use the latest available version. To update the Kubernetes version for your existing Amazon EKS clusters, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon EKS console available at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon Elastic Kubernetes Service, choose Clusters.

04 Click on the name (link) of the Amazon EKS cluster that you want to update, and choose Update now.

05 In the Update cluster version configuration box, select the latest Kubernetes version supported by your Amazon EKS cluster from the Kubernetes version dropdown list, and choose Update to apply the changes. If required, repeat this step until the latest Kubernetes version supported by Amazon EKS is installed on your cluster. The update process should take a few minutes. During this process the cluster status should be Updating.

06 Repeat steps no. 4 and 5 for each Amazon EKS cluster that you want to update, available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the update-cluster-version command (OSX/Linux/UNIX) with the name of the Amazon EKS cluster that you want to update as the identifier parameter and the latest Kubernetes version supported by Amazon EKS for the --kubernetes-version parameter value, to update the Kubernetes version for the selected cluster:

aws eks update-cluster-version \
  --region us-east-1 \
  --name cc-eks-mobile-app \
  --kubernetes-version 1.30

02 The command output should return the information resulting from the update request:

{
	"update": {
		"status": "InProgress",
		"errors": [],
		"params": [
			{
				"type": "Version",
				"value": "1.30"
			}
		],
		"type": "VersionUpdate",
		"id": "abcd1234-abcd-1234-abcd-1234abcd1234"
	}
}

03 Run the describe-update command (OSX/Linux/UNIX), using the update ID returned at the previous step, to confirm the configuration changes. The Kubernetes version update is complete when the update process status is set to "Successful":

aws eks describe-update \
  --region us-east-1 \
  --name cc-eks-mobile-app \
  --update-id abcd1234-abcd-1234-abcd-1234abcd1234 \
  --query 'update.status'

04 The command output should return the requested update status:

"Successful"

05 Repeat steps no. 1 – 4 for each Amazon EKS cluster that you want to update, available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Sep 11, 2019