When it comes to running AKS, it's a good idea to familiarize yourself with the various update processes. Updates to Kubernetes are released frequently. If you don't stay on top of things, you'll quickly find yourself on an unsupported version.
Updates to the AKS ecosystem come in three different forms:
Daily Node OS Patches
Weekly Node Images updates
Kubernetes Version updates
This post discusses the three update types and the differences between them. It will NOT go into detail on how to actually perform the updates.
Daily Node OS Patches
Daily Node OS Patches apply to Linux Nodes only; they do not apply to Windows Nodes.
By default, Linux Nodes automatically receive security patches every evening. These patches come from the distro update channel and include OS security updates or kernel updates.
Some of these patches will require a reboot of the Node. However, the Nodes will not reboot themselves automatically; that responsibility falls on you. You will know when a Node requires a reboot because it will create a file on its disk named /var/run/reboot-required.
There is a commonly used, open-source tool called “kured” that is helpful in this situation. Kured stands for KUbernetes REboot Daemon. As the name suggests, it is deployed into your cluster as a DaemonSet, which means it will run one Pod on each Node.
Kured will automatically scan each Node for the existence of the file /var/run/reboot-required. When kured finds this file, it will initiate the process to reboot the Node. Kured does the reboot process in a safe manner. It ensures that only one Node reboots at a time. It also cordons and drains each Node before the reboot. Finally, after the reboot is complete it will uncordon the Node.
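As an added illustration (not kured's own code, and not part of the original post), here is that cordon, drain, reboot, uncordon sequence with a single cluster-wide lock so only one Node reboots at a time, written as a POSIX shell script; the ConfigMap kube-system/reboot-lock and its reboot-lock annotation are assumed names.

```shell
#!/bin/sh
# Added example, not kured's own code: the safe reboot sequence described above,
# as a script run on one AKS Linux Node with a kubeconfig allowed to cordon/drain
# Nodes and patch one ConfigMap. Hypothetical names: the cluster-wide lock is the
# annotation "reboot-lock" on ConfigMap kube-system/reboot-lock.
NODE="${NODE:-$(uname -n)}"
LOCK_OBJ="configmap/reboot-lock"

# Usage: needs_reboot [ROOT]; exit 0 when the distro's marker file exists.
# ROOT exists only so the check can be tested against a scratch directory.
needs_reboot() { [ -f "${1:-}/var/run/reboot-required" ]; }

lock_holder()  { kubectl -n kube-system get "$LOCK_OBJ" -o jsonpath='{.metadata.annotations.reboot-lock}'; }
release_lock() { kubectl -n kube-system annotate "$LOCK_OBJ" reboot-lock-; }

# Atomic test-and-set: the patch carries the resourceVersion we read, so the API
# server rejects it (409 Conflict) if another Node changed the ConfigMap after our
# read. Any failure means "do not reboot now"; this is what serialises reboots.
acquire_lock() {
  out=$(kubectl -n kube-system get "$LOCK_OBJ" \
        -o jsonpath='{.metadata.resourceVersion} {.metadata.annotations.reboot-lock}') || return 1
  rv=${out%% *}; holder=${out#* }
  [ -z "$holder" ] || return 1             # another Node is mid-reboot
  kubectl -n kube-system patch "$LOCK_OBJ" --type merge -p \
    "{\"metadata\":{\"resourceVersion\":\"$rv\",\"annotations\":{\"reboot-lock\":\"$NODE\"}}}" >/dev/null
}

# Before reboot: marker present -> take the lock -> cordon -> drain -> reboot.
reboot_if_required() {
  needs_reboot || { echo "$NODE: no reboot required"; return 0; }
  acquire_lock || { echo "$NODE: lock held elsewhere, retry later"; return 1; }
  if kubectl cordon "$NODE" &&
     kubectl drain "$NODE" --ignore-daemonsets --delete-emptydir-data --timeout=600s; then
    systemctl reboot
  else
    kubectl uncordon "$NODE"; release_lock; return 1   # hand the lock back on failure
  fi
}

# After boot (e.g. from a oneshot unit): the Node holding the lock uncordons
# itself and releases the lock so the next Node may proceed.
finish_reboot() {
  [ "$(lock_holder)" = "$NODE" ] || return 0
  kubectl uncordon "$NODE" && release_lock
}
case "${1:-}" in
  check)  reboot_if_required ;;
  finish) finish_reboot ;;
esac
```

Run `check` from a periodic timer and `finish` from a unit that starts after the kubelet on boot.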
Weekly Node Image Updates
The disk images used to build your AKS Nodes are updated on a weekly basis. They include OS patches, kernel updates, Kubernetes security updates, newer versions of binaries (like kubelet), and new versions of components.
Node Images are not tied to Kubernetes versions. It is possible to update your Nodes to the latest Node Image without changing the version of Kubernetes running on those Nodes.
Node Images are updated by Microsoft on a weekly basis. As stated above, these images can include various things, but if we isolate just the OS patches:
For Linux Node Images, they include new OS patches every week
For Windows Node Images, they only include new OS patches once a month
Remember from earlier that Windows Nodes do not receive daily OS security patches. So, Node Image upgrades are the primary way to patch your Windows Nodes and make sure they receive the latest security updates.
You can configure Automatic Node Image Upgrades on your cluster. The options are:
None: your Node Images are not automatically updated. You must update them manually yourself
Unmanaged: the daily Node OS patches for Linux will apply, and you must manually reboot the Nodes as required
SecurityPatch: the daily Node OS patches for Linux will apply; however, they are delivered as a full Node Image update
NodeImage: the weekly Node Images will be automatically applied
Some helpful links:
You can find out what’s been updated in each Node Image by reading the release notes here: https://github.com/Azure/AKS/releases
It may take up to a week for a new Node Image to be rolled out to all Azure Regions. You can use the AKS Release Tracker to find out which Node Image is currently available in each Region: https://releases.aks.azure.com/webpage/index.html
Kubernetes Version Updates
Quick recap on semantic versioning
Take the example version number 1.22.6:
1 is the Major version
22 is the Minor version
6 is the Patch version
AKS Minor Version Support
Microsoft supports AKS minor versions using an N-2 standard. That means they will support the current Minor version, as well as the previous 2 Minor versions. For example:
1.23.x = Latest supported minor version
1.22.x = Supported (N-1)
1.21.x = Supported (N-2)
1.20.x = No longer supported
It is important to note that you cannot skip Minor versions when upgrading. You must go from 1.21 to 1.22, and then from 1.22 to 1.23; you cannot upgrade directly from 1.21 to 1.23. There is one exception to this rule: if you are on a version of Kubernetes so old that it is no longer supported, you may skip versions and upgrade directly to a supported version of Kubernetes.
AKS Patch Version Support
Microsoft supports AKS patch versions using an N-1 standard. That means they will support the current Patch version, as well as the previous Patch version. For example:
1.23.9 = Latest supported patch version
1.23.8 = Supported (N-1)
1.23.7 = No longer supported
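Added example, not part of the original post: the Minor (N-2) and Patch (N-1) support rules above, plus the no-skipping rule, as shell functions over constructed sample version numbers; the jump target for an unsupported cluster (the oldest supported Minor) is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): score a cluster's 1.x version
# against the support policy described above (Minor: N-2, Patch: N-1) and list
# the Minor-version hops an upgrade must take. All version strings are
# constructed sample values; the assumed jump target for an unsupported
# cluster is the oldest still-supported Minor (N-2).

minor_of() { echo "$1" | cut -d. -f2; }
patch_of() { echo "$1" | cut -d. -f3; }

# Usage: minor_support LATEST CLUSTER  ->  Latest | N-1 | N-2 | Unsupported
minor_support() {
  case $(( $(minor_of "$1") - $(minor_of "$2") )) in
    0) echo Latest ;;  1) echo N-1 ;;  2) echo N-2 ;;  *) echo Unsupported ;;
  esac
}

# Usage: patch_support LATEST CLUSTER (same Minor)  ->  Latest | N-1 | Unsupported
patch_support() {
  [ "$(minor_of "$1")" = "$(minor_of "$2")" ] || { echo "Minor versions differ" >&2; return 2; }
  case $(( $(patch_of "$1") - $(patch_of "$2") )) in
    0) echo Latest ;;  1) echo N-1 ;;  *) echo Unsupported ;;
  esac
}

# Usage: upgrade_path LATEST CLUSTER  ->  Minor versions to step through, in order.
# A supported cluster moves one Minor at a time; an unsupported one may jump
# straight to a supported Minor (here N-2) and then continue one hop at a time.
upgrade_path() {
  latest=$(minor_of "$1"); cur=$(minor_of "$2"); path=""
  if [ "$(minor_support "$1" "$2")" = Unsupported ] && [ "$cur" -lt "$latest" ]; then
    cur=$(( latest - 3 ))      # the next hop lands on 1.(latest-2)
  fi
  while [ "$cur" -lt "$latest" ]; do
    cur=$(( cur + 1 )); path="$path 1.$cur"
  done
  echo "${path# }"
}

if [ "$#" -eq 2 ]; then
  echo "minor: $(minor_support "$1" "$2")  path: $(upgrade_path "$1" "$2")"
fi
```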
AKS Cluster Auto-Upgrade
You can configure AKS Cluster Auto-Upgrade. The options are:
None: always keeps the cluster at its current AKS version. You must manually upgrade yourself
Patch: automatically updates to the latest supported AKS Patch version within your current Minor version
Stable: automatically updates the AKS Minor version, always keeping you at N-1 (one Minor version behind)
Rapid: automatically updates the AKS Minor version, always keeping you on the most current Minor version (latest and greatest)
Node-Image: automatically updates your AKS Node Images as they are released (usually weekly). This does not perform AKS version upgrades; it keeps your AKS version the same.
Note: Preview versions are not used with Auto-Upgrade
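Added example, not part of the original post, covering both the Automatic Node Image Upgrade options above and the Cluster Auto-Upgrade options: a small Azure CLI wrapper that shows a cluster's current channels and sets both. The az flags are real; RG, CLUSTER and the nodeOsUpgradeChannel output property name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and set the two channels
# described above (Node OS upgrade channel and Cluster Auto-Upgrade channel)
# with the Azure CLI. Assumes az is installed and logged in; RG and CLUSTER are
# placeholder names, overridable from the environment.
RG="${RG:-my-resource-group}"
CLUSTER="${CLUSTER:-my-aks-cluster}"

# Accept only the values the post lists (az rejects others too, but failing
# here keeps a typo from surfacing halfway through a pipeline run).
valid_auto_channel() {
  case "$1" in none|patch|stable|rapid|node-image) return 0 ;; *) return 1 ;; esac
}
valid_os_channel() {
  case "$1" in None|Unmanaged|SecurityPatch|NodeImage) return 0 ;; *) return 1 ;; esac
}

# Current version and both channels in one table (nodeOsUpgradeChannel is the
# assumed property name in az output).
show_channels() {
  az aks show -g "$RG" -n "$CLUSTER" -o table --query \
    '{version:kubernetesVersion, autoUpgrade:autoUpgradeProfile.upgradeChannel, nodeOs:autoUpgradeProfile.nodeOsUpgradeChannel}'
}

# Usage: set_channels AUTO_CHANNEL OS_CHANNEL, e.g. "stable NodeImage" to stay at
# N-1 on the Minor version while still taking the weekly Node Images.
set_channels() {
  valid_auto_channel "$1" || { echo "unknown auto-upgrade channel: $1" >&2; return 2; }
  valid_os_channel "$2"   || { echo "unknown node OS channel: $2" >&2; return 2; }
  az aks update -g "$RG" -n "$CLUSTER" \
    --auto-upgrade-channel "$1" --node-os-upgrade-channel "$2"
}

# Upgrades AKS currently offers this cluster; only versions reachable without
# skipping a Minor are listed.
available_upgrades() { az aks get-upgrades -g "$RG" -n "$CLUSTER" -o table; }

case "${1:-}" in
  show) show_channels ;;
  set)  set_channels "$2" "$3" ;;
  plan) available_upgrades ;;
esac
```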