
How do I use Systems Manager Automation to update and apply security patches to my Amazon EKS worker node AMIs?


I want to use AWS Systems Manager Automation to update and apply security patches to my Amazon Elastic Kubernetes Service (EKS) worker node Amazon Machine Images (AMIs).

Short description

Use Systems Manager Automation runbooks to apply security patches to your Amazon EKS worker nodes. The patches arrive as a newer Amazon EKS optimized AMI release: the runbook replaces the nodes with instances that run the new AMI rather than patching the running instances in place. You can also use the same runbooks to upgrade your worker nodes to a new Kubernetes version. Depending on your node group type, use the following runbooks to automate security patching and version upgrade tasks:

Managed node groups: AWS-UpdateEKSManagedNodeGroup

Self-managed node groups: AWS-UpdateEKSSelfManagedLinuxNodeGroups

Resolution

Managed node groups

Complete the following steps:

  1. Open the AWS Management Console. Then, select the AWS Region that contains the Amazon EKS cluster and the node group that you want to manage.

  2. Open the Systems Manager console.

  3. Choose Execute automation.

  4. In the search field, type "AWS-UpdateEKSManagedNodeGroup". Then, in the results, select the AWS-UpdateEKSManagedNodeGroup runbook. The runbook details page opens in a new browser window or tab.

  5. Choose Execute automation. The Execute automation runbook page opens in a new browser window or tab.

  6. Specify the following parameters:
    Note: This runbook can also update node group configuration. It has more parameters than the ones in the following list, but not all of them are required to upgrade a node group.

    Parameter | Required or optional | Description
    ClusterName | Required | The name of the Amazon EKS cluster that has the node group.
    NodeGroupName | Required | The name of the node group that you want to update.
    UpdateType | Required | The update type. To roll the node group to a new AMI release or Kubernetes version, specify the Update Node Group Version type.
    ForceUpdate | Required | Specify "true" to force the update even if the pods on the existing nodes can't be drained because of a pod disruption budget (PDB). A forced update terminates the old nodes whether or not pods are still running on them, so leave it "false" unless a PDB is blocking the upgrade and you accept the disruption.
    AutomationAssumeRole | Optional | The AWS Identity and Access Management (IAM) role Amazon Resource Name (ARN) that allows Systems Manager Automation to perform actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user who starts the runbook. It's a best practice to specify a dedicated, least-privilege role rather than run the automation with the caller's permissions.

    If your node group wasn't created from a launch template, then you can also specify the following parameters:

    Parameter | Required or optional | Description
    KubernetesVersion | Optional | The Kubernetes version to update the node group to. For example, 1.30.
    AMIReleaseVersion | Optional | The version of the Amazon EKS optimized AMI that you want to use. For example, 1.30.2-20240828. By default, the system uses the latest release version for the node group's Kubernetes version.

    If your node group was created from a launch template, then you can also specify the following parameters:

    Parameter | Required or optional | Description
    LaunchTemplateId | Optional | The ID of the launch template.
    LaunchTemplateName | Optional | The name of the launch template.
    LaunchTemplateVersion | Optional | The version of the launch template.
  7. Choose Execute.

Self-managed node groups

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps:

  1. If your cluster uses Cluster Autoscaler, then scale its deployment down to zero replicas before you start. Otherwise, Cluster Autoscaler can change the node Auto Scaling group's desired capacity at the same time as the CloudFormation stack update, and the two fight over the group's size. Note the current replica count first so that you can restore it later, then run the following command:

    kubectl scale deployments/cluster-autoscaler --replicas=0 -n kube-system
  2. Open the AWS Management Console. Then, select the Region that contains the Amazon EKS cluster and the node group that you want to manage.

  3. Open the Systems Manager console.

  4. Choose Execute automation.

  5. In the search field, type "AWS-UpdateEKSSelfManagedLinuxNodeGroups". Then, in the results, select the AWS-UpdateEKSSelfManagedLinuxNodeGroups runbook. The runbook details page opens in a new browser window or tab.

  6. Choose Execute automation. The Execute automation runbook page opens in a new browser window or tab.

  7. Specify the following parameters:

    Parameter | Required or optional | Description
    AutomationAssumeRole | Optional | The IAM role ARN that allows Systems Manager Automation to perform actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user who starts the runbook. It's a best practice to specify a dedicated, least-privilege role rather than run the automation with the caller's permissions.
    StackName | Required | The name of the AWS CloudFormation stack that manages the self-managed node group.
    NodeAutoScalingGroupDesiredCapacity | Required | The number of nodes that the node group must maintain.
    NodeAutoScalingGroupMaxSize | Required | The maximum number of nodes that the node Auto Scaling group can scale to.
    NodeInstanceType | Required | The instance type to use for the node group.
    NodeImageIdSSMParam | Required | The public Systems Manager parameter that resolves to the Amazon EKS optimized AMI ID that you want the node group to use. If you use the "recommended" parameter for your Kubernetes version, then it resolves to the current recommended AMI, so running the automation again rolls out the latest patched release.
    NodeImageID | Optional | The AMI ID that you want the node group to use. This value overrides any value that you specify for NodeImageIdSSMParam.
    DisableIMDSv1 | Required | A value that indicates whether IMDSv1 is turned off on the nodes. Specify "true" unless a workload still requires IMDSv1. With IMDSv1 on, any process that can reach the instance metadata endpoint, including a pod, can read the node's instance role credentials with a single unauthenticated request; IMDSv2 requires a session token instead.
    WaitForStackUpdateProgress | Required | How long the automation sleeps after it starts the launch template and stack updates before it checks the stack's status.
  8. Choose Execute.

  9. If you previously scaled down the deployment, then when the update completes, scale the deployment back to the desired number of replicas. Run the following command:

    kubectl scale deployments/cluster-autoscaler --replicas=number -n kube-system

    Note: Replace number with the replica count that the Cluster Autoscaler deployment had before you scaled it down.
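Both procedures above (the managed node group runbook and the self-managed node group runbook, including the Cluster Autoscaler scale-down and restore around the stack update) can be driven from the AWS CLI instead of the console. The following script is an added example, not code from the AWS article or from the runbooks themselves. It uses the aws ssm start-automation-execution and aws ssm get-automation-execution commands; the cluster, node group, stack and role names, the Region, the UpdateType literal "UpdateNodeGroupVersion", the "/aws/service/eks/optimized-ami/1.30/amazon-linux-2/recommended/image_id" parameter path, and the assumption that Cluster Autoscaler runs as the cluster-autoscaler deployment in kube-system are all assumptions that you should replace or confirm for your environment.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article: run the runbooks described above from
# the AWS CLI and wait for the Automation execution to finish. All names in the
# entry point (cluster, node group, stack, role ARN) are hypothetical.
set -euo pipefail

REGION="${AWS_REGION:-us-east-1}"    # assumption: Region of the EKS cluster
K8S_VERSION="${K8S_VERSION:-1.30}"    # assumption: version whose AMI you want

# Turn Key=value arguments into the JSON that --parameters expects:
# a map from parameter name to a one-element list of string values.
params_json() {
  local out="" kv key val
  for kv in "$@"; do
    key="${kv%%=*}"
    val=$(printf '%s' "${kv#*=}" | sed 's/[\\"]/\\&/g')   # JSON-escape \ and "
    out="${out:+$out,}\"$key\":[\"$val\"]"
  done
  printf '{%s}' "$out"
}

# Start an execution of runbook $1 with parameters JSON $2; print the execution ID.
start_automation() {
  aws ssm start-automation-execution --region "$REGION" \
    --document-name "$1" --parameters "$2" \
    --query AutomationExecutionId --output text
}

# Poll execution $1 every $2 seconds (default 30) until it reaches a terminal
# status. Returns 0 on Success, 1 on Failed, TimedOut, Cancelled or API error.
wait_for_automation() {
  local id="$1" interval="${2:-30}" status
  while :; do
    status=$(aws ssm get-automation-execution --region "$REGION" \
      --automation-execution-id "$id" \
      --query AutomationExecution.AutomationExecutionStatus --output text) || return 1
    case "$status" in
      Success) return 0 ;;
      Failed|TimedOut|Cancelled)
        echo "automation $id ended with status $status" >&2
        return 1 ;;
      *) sleep "$interval" ;;
    esac
  done
}

# Managed node group: $1 cluster, $2 node group, $3 AutomationAssumeRole ARN,
# $4 optional AMIReleaseVersion (omit it to take the latest release).
# ForceUpdate stays false so a pod disruption budget can still block the drain.
# The UpdateType literal is an assumption; confirm it on the runbook page.
update_managed_nodegroup() {
  local cluster="$1" nodegroup="$2" role="$3" release="${4:-}" params id
  params=$(params_json "ClusterName=$cluster" "NodeGroupName=$nodegroup" \
    "UpdateType=UpdateNodeGroupVersion" "ForceUpdate=false" \
    "AutomationAssumeRole=$role" ${release:+"AMIReleaseVersion=$release"})
  id=$(start_automation AWS-UpdateEKSManagedNodeGroup "$params") || return 1
  wait_for_automation "$id"
}

# Self-managed node group: $1 stack name, $2 AutomationAssumeRole ARN, remaining
# args are the runbook's other required parameters as Key=value (for example
# NodeAutoScalingGroupDesiredCapacity=3, NodeAutoScalingGroupMaxSize=4,
# NodeInstanceType=m5.large, WaitForStackUpdateProgress=...). Cluster Autoscaler
# (assumed to run as kube-system/cluster-autoscaler) is scaled to zero first so it
# cannot resize the Auto Scaling group while the stack update does, and its
# previous replica count is restored afterwards, even if the update fails.
update_self_managed_nodegroup() {
  local stack="$1" role="$2"; shift 2
  local replicas params id rc=0
  replicas=$(kubectl get deployment cluster-autoscaler -n kube-system \
    -o jsonpath='{.spec.replicas}')
  kubectl scale deployments/cluster-autoscaler --replicas=0 -n kube-system
  params=$(params_json "StackName=$stack" "AutomationAssumeRole=$role" \
    "NodeImageIdSSMParam=/aws/service/eks/optimized-ami/$K8S_VERSION/amazon-linux-2/recommended/image_id" \
    "DisableIMDSv1=true" "$@")   # DisableIMDSv1=true: nodes accept IMDSv2 only
  if id=$(start_automation AWS-UpdateEKSSelfManagedLinuxNodeGroups "$params"); then
    wait_for_automation "$id" || rc=$?
  else
    rc=1
  fi
  kubectl scale deployments/cluster-autoscaler --replicas="$replicas" -n kube-system
  return "$rc"
}

# Entry point: `bash update-eks-nodes.sh managed` or `... self-managed`, with the
# hypothetical values supplied through environment variables.
case "${1:-}" in
  managed)
    update_managed_nodegroup "${CLUSTER_NAME:?}" "${NODEGROUP_NAME:?}" \
      "${AUTOMATION_ROLE_ARN:?}" "${AMI_RELEASE_VERSION:-}" ;;
  self-managed)
    update_self_managed_nodegroup "${STACK_NAME:?}" "${AUTOMATION_ROLE_ARN:?}" \
      "NodeAutoScalingGroupDesiredCapacity=${DESIRED_CAPACITY:?}" \
      "NodeAutoScalingGroupMaxSize=${MAX_SIZE:?}" \
      "NodeInstanceType=${INSTANCE_TYPE:?}" \
      "WaitForStackUpdateProgress=${WAIT_FOR_STACK_UPDATE:?}" ;;
esac
```

The script always passes AutomationAssumeRole, so the automation runs under a dedicated role instead of the caller's credentials, and it always sets DisableIMDSv1=true for self-managed nodes. The restore of the Cluster Autoscaler replica count happens on the failure path as well, which is the step that is easiest to forget when the stack update is rolled back by hand.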

AWS OFFICIAL. Updated 4 days ago.