By Nathan

Patching and Updating Azure Kubernetes Service (AKS)

Updated: Feb 10

When it comes to running AKS, it's a good idea to familiarize yourself with the various update processes. Updates to Kubernetes are released frequently. If you don't stay on top of things, you'll quickly find yourself on an unsupported version.

Updates to the AKS ecosystem come in 3 different forms:

  1. Daily Node OS Patches

  2. Weekly Node Image updates

  3. Kubernetes Version updates

This post is going to discuss the 3 update options and the differences between them. This post will NOT go into detail on how to actually perform the updates.


Daily Node OS Patches

Daily Node OS Patches are for Linux Nodes only; they don't apply to Windows Nodes.

By default, Linux Nodes automatically receive security patches every evening. These patches come from the distro update channel and include OS security updates or kernel updates.

Some of these patches will require a reboot of the Node. However, the Nodes will not reboot themselves automatically; that responsibility falls on you. You will know when a Node requires a reboot because it will create a new file on its disk named /var/run/reboot-required.

There is a commonly used, open-source tool called “kured” that is helpful in this situation. Kured stands for KUbernetes REboot Daemon. As the name suggests, it is deployed into your cluster as a DaemonSet, which means it will run one Pod on each Node.

Kured will automatically scan each Node for the existence of the file /var/run/reboot-required. When kured finds this file, it will initiate the process to reboot the Node. Kured does the reboot process in a safe manner. It ensures that only one Node reboots at a time. It also cordons and drains each Node before the reboot. Finally, after the reboot is complete it will uncordon the Node.


Weekly Node Image Updates

The disk images used to build your AKS Nodes are updated on a weekly basis. They include OS patches, kernel updates, Kubernetes security updates, newer versions of binaries (like kubelet), and new versions of components.

Node Images are not tied to Kubernetes versions. It is possible to update your Nodes to the latest Node Image without changing the version of Kubernetes running on those Nodes.

Node Images are updated by Microsoft on a weekly basis. As stated before, these images can include various things. But, if we were to isolate just OS patches:

  • For Linux Node Images, they include new OS patches every week

  • For Windows Node Images, they only include new OS patches once a month

    • Remember from earlier that Windows Nodes do not receive daily OS security patches. So, Node Image upgrades are the primary way to patch your Windows Nodes and make sure they receive the latest security updates.

You can configure Automatic Node Image Upgrades on your cluster. The options are:

  • None: your Node Images are not automatically updated. You must update them manually

  • Unmanaged: the daily Node OS patches for Linux will apply, and you must manually reboot the Nodes as required

  • SecurityPatch: the daily Node OS patches for Linux will apply, however they will be done as a full Node Image update

  • NodeImage: the weekly Node Images will be automatically applied



Kubernetes Version Updates

Quick recap on semantic versioning

In the following example version number: 1.22.6

  • 1 is the Major version

  • 22 is the Minor version

  • 6 is the Patch version

AKS Minor Version Support

Microsoft supports AKS minor versions using an N-2 standard. That means they will support the current Minor version, as well as the previous 2 Minor versions. For example:

  • 1.23.x = Latest supported minor version

  • 1.22.x = Supported (N-1)

  • 1.21.x = Supported (N-2)

  • 1.20.x = No longer supported

It is important to note that you cannot skip Minor versions when doing upgrades. You must go from 1.21 to 1.22, and then from 1.22 to 1.23. You cannot upgrade directly from 1.21 to 1.23. However, there is one exception to this rule: if you are on a really old version of Kubernetes that is not supported, then you may skip versions and upgrade directly to a supported version of Kubernetes.

AKS Patch Version Support

Microsoft supports AKS patch versions using an N-1 standard. That means they will support the current Patch version, as well as the previous Patch version. For example:

  • 1.23.9 = Latest supported patch version

  • 1.23.8 = Supported (N-1)

  • 1.23.7 = No longer supported
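The minor (N-2) and patch (N-1) support windows and the no-skipping rule above, worked through as an added Python example (not from the original post or from Microsoft). The RELEASED list and all function names are constructed for illustration; landing each hop on the newest patch of a minor, and sending an unsupported cluster straight to the target, are assumptions.

```python
# Added example; RELEASED is constructed sample data, not a live AKS version list.
RELEASED = ["1.20.15", "1.21.14", "1.22.11", "1.22.15",
            "1.23.7", "1.23.8", "1.23.9"]

def parse(v):
    """'1.22.6' -> (1, 22, 6); '1.23' -> (1, 23)."""
    return tuple(int(p) for p in v.split("."))

def fmt(t):
    return ".".join(str(p) for p in t)

def latest_per_minor(released):
    """Map each (major, minor) to its highest released patch."""
    best = {}
    for v in map(parse, released):
        best[v[:2]] = max(best.get(v[:2], v), v)
    return best

def supported_minors(released):
    """N-2 rule: the newest three minor versions."""
    return sorted(latest_per_minor(released), reverse=True)[:3]

def is_supported(version, released=RELEASED):
    """Minor must be within N-2 and patch within N-1 of its minor."""
    v = parse(version)
    if v[:2] not in supported_minors(released):
        return False
    patches = sorted({p for p in map(parse, released) if p[:2] == v[:2]}, reverse=True)
    return v in patches[:2]

def upgrade_path(current, target_minor, released=RELEASED):
    """Ordered versions to upgrade through to reach target_minor."""
    latest = latest_per_minor(released)
    cur, tgt = parse(current)[:2], parse(target_minor)[:2]
    if tgt not in supported_minors(released):
        raise ValueError(f"{target_minor} is not a supported minor version")
    if tgt < cur:
        raise ValueError("target is older than the current version")
    if cur not in supported_minors(released):
        # Exception from the post: an unsupported cluster may skip minors (assumed: straight to target).
        return [fmt(latest[tgt])]
    # Otherwise one minor at a time, landing on each minor's newest patch.
    hops = [latest[m] for m in sorted(latest) if cur < m <= tgt]
    if cur == tgt and parse(current) < latest[tgt]:
        hops = [latest[tgt]]
    return [fmt(h) for h in hops]

if __name__ == "__main__":
    print(upgrade_path("1.21.14", "1.23"), upgrade_path("1.20.15", "1.23"))
```

A supported 1.21 cluster gets two hops to reach 1.23, while the unsupported 1.20 cluster gets a single direct jump.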

AKS Cluster Auto-Upgrade

You can configure AKS Cluster Auto-Upgrade. The options are:

  • None: always keeps the cluster at its current AKS version. You must upgrade it manually

  • Patch: automatically updates to the latest supported AKS Patch version within your current Minor version

  • Stable: automatically updates the AKS Minor version, always keeping you at N-1 (one Minor version behind)

  • Rapid: automatically updates the AKS Minor version, always keeping you on the most current Minor version (latest and greatest)

  • Node-Image: automatically updates your AKS Node Images as they are released (usually weekly). This does not perform AKS version upgrades; your AKS version stays the same.

Note: Preview versions are not used with Auto-Upgrade




