Node OS updates

Updating your operating system is crucial for addressing security vulnerabilities. The node OS update feature delivers a status overview of this process and lets you automate it to ensure worker nodes always run the latest available OS image.

You can find it in the main menu, under the Security tab:


How CAST AI streamlines your OS updates

OS vendors regularly release security patches to fix known vulnerabilities. Keeping your OS up-to-date reduces the risk of breaches and data compromises in Kubernetes clusters.

Moreover, regulatory and compliance frameworks like SOC2 often require keeping K8s environments patched with the latest security updates to ensure data protection and system integrity.

The CAST AI security feature addresses these challenges in two ways:

  1. Node OS update report offers a comprehensive node OS update status overview. It provides information on your nodes’ age, the OS image installed, the service provider responsible for node provisioning, and whether any scheduled node OS updates are enabled.

    Moreover, it immediately proves that your organization complies with regulatory or internal security policy requirements.

  2. Automation of node OS updates. Scheduled updates ensure that worker nodes always run the latest available OS image to aid in patching and maintaining node security.

How to use the node OS update report

The report is the first thing you see when you enter the node OS update tab in the main menu.

It identifies your organization's nodes, specifying their age, the percentage of nodes managed by CAST AI, and the number of them with scheduled node OS or rebalancing updates.


The node list below presents details of each node, including its name, the date when it was created, the operating system (OS) name and version, and the node provisioning provider.


Useful tip:

Each column lets you filter the nodes according to the cluster they belong to, the vendor managing them, and their scheduled update status (enabled or disabled).


How to understand the Updates column

The last column – Updates – indicates whether you have enabled the node OS update automation provided by CAST AI. Here’s how to understand it:

  • ON means that the node has an update schedule assigned, so CAST AI replaces current nodes with nodes containing the latest available OS image version, in line with your defined schedule.
  • OFF means that your node's cluster is onboarded and managed by the CAST AI autoscaler, but it doesn’t have any schedules assigned.
  • UNKNOWN means that CAST AI doesn't manage the cluster or node and has no visibility into whether you have enabled node OS updates through your CSP or other automation tools.

How to automate node OS updates

With CAST AI, you can automate the process of updating the node OS to the latest version provided by your cloud service provider while keeping the update compatible with your worker nodes' K8s version.

You can specify settings like the nodes you wish to update, the length of the update period, its execution time, or the batch size to update at once.

The following sections dive deeper into enabling and setting the node OS update automation to match your specific needs.

Before you enable automation

The node OS update automation feature is available to users with onboarded clusters – please refer to this tutorial for more details.

This feature follows the logic of Scheduled Rebalancing, so please refer to preparation activities to learn how to deal with potentially problematic workloads and minimize disruption.

Once you onboard clusters, you can start scheduling the worker nodes' OS updates. The process consists of two steps: creating an update schedule and assigning it to clusters.

Step 1: Create your update schedule


Alternatively, hover over the OFF in the Updates column of the Node OS report and use the Create update schedule option:


This step opens a node OS update schedule creator, which allows you to specify your settings:


Here’s how to understand each setting:

  • Update schedule name (required): Add the name of the update schedule. We recommend naming your node OS update schedules meaningfully so that you can distinguish them from rebalancing schedules at a glance.
  • Specify lifecycle (required): This field refers to your nodes’ lifecycle: spot, on-demand, or any.
  • Target using labels (optional): Select nodes based on their labels. Key-value pairs are provided as NodeSelector terms. If you provide multiple labels, CAST AI uses AND logic, targeting only the nodes that satisfy all listed selector terms.
  • Minimum node age (required): Specify the minimum period between a node's creation and its being targeted by automated schedules. Enter the number of days per your regulatory or security policy requirements for node OS patching. '0' means that CAST AI considers nodes of any age.
  • Evict nodes gracefully (optional): Decide what happens to nodes that cannot be drained within the predefined 20-minute timeout. If you check this option, they receive an annotation instead of being forcefully drained.
  • Maximum batch size (optional): Specify the maximum number of nodes to update in one operation. '0' indicates that CAST AI selects all nodes in the cluster.
  • Execution time (required): Adjust the execution time by providing a timezone or a crontab expression.
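To make the selection settings above concrete, here is an added example (not CAST AI's code, API or selection algorithm; the schedule, node names and labels are constructed) that models how lifecycle, ANDed labels, minimum node age and batch size narrow a fleet down to the nodes one scheduled run would replace, which is a useful dry run before assigning a new schedule to a production cluster:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative model of the schedule settings listed above; constructed for
# this example, not CAST AI's own code, API or selection algorithm.
@dataclass
class UpdateSchedule:
    name: str
    lifecycle: str = "any"                      # "spot", "on-demand" or "any"
    labels: dict = field(default_factory=dict)  # NodeSelector terms, ANDed
    min_node_age_days: int = 0                  # 0 = nodes of any age
    max_batch_size: int = 0                     # 0 = all matching nodes

@dataclass
class Node:
    name: str
    lifecycle: str
    labels: dict
    created_at: datetime

def select_targets(schedule, nodes, now):
    """Nodes one run of `schedule` would replace, oldest first."""
    min_age = timedelta(days=schedule.min_node_age_days)
    targets = []
    for n in nodes:
        if schedule.lifecycle != "any" and n.lifecycle != schedule.lifecycle:
            continue
        # AND logic: every selector term must match; extra node labels are fine
        if any(n.labels.get(k) != v for k, v in schedule.labels.items()):
            continue
        if now - n.created_at < min_age:
            continue  # younger than the minimum node age, leave it alone
        targets.append(n)
    targets.sort(key=lambda n: n.created_at)  # replace the oldest nodes first
    if schedule.max_batch_size > 0:
        targets = targets[:schedule.max_batch_size]
    return [n.name for n in targets]

# Constructed sample fleet for a dry run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_NODES = [
    Node("web-1", "on-demand", {"role": "web"}, NOW - timedelta(days=40)),
    Node("web-2", "on-demand", {"role": "web"}, NOW - timedelta(days=3)),
    Node("batch-1", "spot", {"role": "batch"}, NOW - timedelta(days=60)),
    Node("web-3", "on-demand", {"role": "web", "tier": "edge"}, NOW - timedelta(days=75)),
]

def dry_run(batch_size=1):
    sched = UpdateSchedule("os-patch-web", "on-demand", {"role": "web"}, 30, batch_size)
    return select_targets(sched, SAMPLE_NODES, NOW)
```

Running dry_run() with a batch size of 1 returns only the oldest eligible web node; raising the batch size to 0 returns every on-demand web node older than 30 days, while the 3-day-old node and the spot node stay untouched.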

When you configure all settings and save your schedule, you can assign it to clusters.

Step 2: Assign the schedule to your clusters

You are ready to assign the schedule to clusters to enable automated node OS updates. You can do it immediately or at a later time.

You can access all your saved schedules when you click the 'View schedules' button in the Node OS updates view:


Click the name of the schedule you wish to use and move to Assigned to, where you can decide in which clusters you want it to run:


Refer to the Updates column in the node OS update report to see all nodes assigned to a schedule.

One node may have multiple schedules assigned. Hover over the ON status in the report to view the assigned scheduled updates and their expected execution times:
