Node OS updates

Keeping your Kubernetes cluster nodes up-to-date with the latest operating system (OS) security patches is crucial for maintaining a secure and compliant environment. The Node OS Update feature in CAST AI provides a comprehensive overview of your nodes' OS update status and enables you to automate the update process, ensuring that worker nodes always run the latest available OS image.

You can find the Node OS updates feature in the main menu of the CAST AI console, under the Security tab in the sidebar:

How CAST AI streamlines your OS updates

OS vendors regularly release security patches to fix known vulnerabilities. Keeping your OS up-to-date reduces the risk of breaches and data compromises in Kubernetes clusters.

Moreover, regulatory and compliance frameworks such as SOC 2 often require that Kubernetes environments run the latest security patches to ensure data protection and system integrity.

The CAST AI security feature addresses these challenges in two ways:

  1. Node OS update report: a comprehensive overview of node OS update status. It shows each node's age, the OS image installed, the provider responsible for provisioning the node, and whether a scheduled node OS update is enabled for it. This report helps you demonstrate compliance with regulatory or internal security policy requirements for node patching.

  2. Automation of node OS updates: CAST AI enables you to schedule automated node OS updates, ensuring that worker nodes always run the latest available OS image. This automation aids in patching vulnerabilities and maintaining node security.

How to use the node OS update report

The Node OS Update report is the first view you see when you enter the Node OS Update tab in the main menu.

The report identifies your organization's nodes and provides an overview of their age, the percentage of nodes managed by CAST AI, and the number of nodes with scheduled OS or rebalancing updates.

Below the overview, you'll find a detailed list of nodes, including information such as node name, creation date, OS name and version, and the node provisioning provider.

📘 Useful tip:

Each column in the node list lets you sort the nodes, for example by the cluster they belong to, the vendor managing them, or their scheduled update status (enabled or disabled).

How to understand the Updates column

The Updates column in the node list indicates whether you have enabled the node OS update automation provided by CAST AI:

  • ON: the node has an assigned update schedule, and CAST AI will replace current nodes with nodes containing the latest available OS image version according to the defined schedule.
  • OFF: the node's cluster is onboarded and managed by the CAST AI autoscaler, but no update schedules are assigned.
  • UNKNOWN: CAST AI doesn't manage the cluster or node and lacks visibility into whether node OS updates are enabled through your cloud service provider (CSP) or other automation tools.

How to automate node OS updates

With CAST AI, you can automate the process of updating node OS to the latest version provided by your CSP, ensuring compatibility with your workers' Kubernetes version.

You can customize settings such as the nodes to update, the update period duration, execution time, and the batch size to update simultaneously.

The following sections dive deeper into enabling and setting the node OS update automation to match your needs.

Before you enable automation

The node OS update automation feature is only available to users with onboarded clusters. For more details, refer to the Getting started section.

Node OS update automation follows the logic of Scheduled Rebalancing, so review the preparation activities to handle potentially problematic workloads and minimize disruption.

Step 1: Create your update schedule

Once your clusters are onboarded, you can start scheduling worker nodes' OS updates. The first step is to create an update schedule. Click the Schedule updates button in the top right:

Alternatively, hover over the OFF in the Updates column of the Node OS report and use the Create update schedule option:

This step opens a node OS update schedule creator, which allows you to specify your settings:

Here's an explanation of each setting:

| Setting | Value | Required? |
| --- | --- | --- |
| Update schedule name | The name of the update schedule. Name your node OS update schedules meaningfully so you can tell them apart from rebalancing schedules. | Yes |
| Specify lifecycle | The node lifecycle to target: spot, on-demand, or any. | Yes |
| Target using labels | Select nodes based on their labels. Key-value pairs are provided as NodeSelector terms. If you provide multiple labels, CAST AI uses AND logic and targets only the nodes that satisfy all listed selector terms. | No |
| Minimum node age | The minimum period between a node's creation and the first time an automated schedule may target it. Enter the number of days required by your regulatory or security policy for node OS patching. 0 means that CAST AI considers nodes of any age. | Yes |
| Evict nodes gracefully | What happens to nodes that fail to drain within the predefined 20-minute timeout. If checked, such nodes receive a rebalancing.cast.ai/status=drain-failed annotation instead of being forcefully drained. | No |
| Maximum batch size | The maximum number of nodes updated in one operation. 0 means that CAST AI selects all matching nodes in the cluster. | No |
| Execution time | When the schedule runs, given as a crontab expression and a timezone. | Yes |
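Putting the report columns and the schedule settings together, here is an added example (written for this page, not CAST AI's own code or API) of how those settings select nodes. It reads Node objects in the shape `kubectl get nodes -o json` returns, rebuilds the report fields (age, OS image, provisioning provider taken from the Kubernetes `spec.providerID` prefix), and applies lifecycle, ANDed label terms, minimum node age and maximum batch size as the table describes. The sample nodes and the fixed "now" are constructed; treating the `scheduling.cast.ai/spot=true` label as the lifecycle marker and replacing the oldest nodes first within a batch are assumptions of this example, not documented CAST AI behaviour.

```python
"""Added example, not CAST AI's code: reproduce the node OS update report
fields and the schedule targeting rules described on this page, on Node
objects in the shape returned by `kubectl get nodes -o json`."""
from datetime import datetime, timezone

# Fixed "now" so the sample ages below are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample nodes (not real cluster data).
SAMPLE_NODES = [
    {"metadata": {"name": "ip-10-0-1-10", "creationTimestamp": "2024-04-01T08:00:00Z",
                  "labels": {"team": "payments", "env": "prod", "scheduling.cast.ai/spot": "true"}},
     "spec": {"providerID": "aws:///us-east-1a/i-0a1b2c3d"},
     "status": {"nodeInfo": {"osImage": "Amazon Linux 2"}}},
    {"metadata": {"name": "ip-10-0-1-11", "creationTimestamp": "2024-05-25T00:00:00Z",
                  "labels": {"team": "payments", "env": "prod"}},
     "spec": {"providerID": "aws:///us-east-1b/i-0e4f5a6b"},
     "status": {"nodeInfo": {"osImage": "Amazon Linux 2"}}},
    {"metadata": {"name": "ip-10-0-2-20", "creationTimestamp": "2024-03-01T00:00:00Z",
                  "labels": {"team": "payments", "env": "staging"},
                  "annotations": {"rebalancing.cast.ai/status": "drain-failed"}},
     "spec": {"providerID": "aws:///us-east-1a/i-0c7d8e9f"},
     "status": {"nodeInfo": {"osImage": "Amazon Linux 2"}}},
    {"metadata": {"name": "gke-node-1", "creationTimestamp": "2024-02-15T00:00:00Z",
                  "labels": {"team": "ml", "env": "prod", "scheduling.cast.ai/spot": "true"}},
     "spec": {"providerID": "gce://my-project/us-central1-a/gke-node-1"},
     "status": {"nodeInfo": {"osImage": "Container-Optimized OS from Google"}}},
]

def parse_ts(ts):
    # Kubernetes timestamps are RFC 3339 in UTC with a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def node_age_days(node, now=NOW):
    return (now - parse_ts(node["metadata"]["creationTimestamp"])).days

def node_lifecycle(node):
    # Assumption: spot nodes carry scheduling.cast.ai/spot=true; everything else is on-demand.
    labels = node["metadata"].get("labels", {})
    return "spot" if labels.get("scheduling.cast.ai/spot") == "true" else "on-demand"

def provider_from_id(node):
    # Kubernetes providerID is "<provider>://<provider-specific path>", e.g. aws:///..., gce://...
    pid = node.get("spec", {}).get("providerID", "")
    return pid.split("://", 1)[0] if "://" in pid else "unknown"

def os_update_report(nodes, now=NOW):
    """The report columns: name, age, OS image, provisioning provider; oldest node first."""
    rows = [{"name": n["metadata"]["name"], "age_days": node_age_days(n, now),
             "os_image": n["status"]["nodeInfo"]["osImage"], "provider": provider_from_id(n)}
            for n in nodes]
    return sorted(rows, key=lambda r: r["age_days"], reverse=True)

def select_targets(nodes, lifecycle="any", labels=None, min_age_days=0,
                   max_batch_size=0, now=NOW):
    """Names of the nodes a schedule with these settings would replace in one run.

    lifecycle: "spot", "on-demand" or "any".
    labels: NodeSelector terms, ANDed: a node must match every key-value pair.
    min_age_days: 0 means nodes of any age qualify.
    max_batch_size: 0 means no cap (all matching nodes).
    """
    labels = labels or {}
    matched = []
    for n in nodes:
        if lifecycle != "any" and node_lifecycle(n) != lifecycle:
            continue
        node_labels = n["metadata"].get("labels", {})
        if any(node_labels.get(k) != v for k, v in labels.items()):
            continue
        if node_age_days(n, now) < min_age_days:
            continue
        matched.append(n)
    # Assumption: oldest nodes go first, so the stalest images leave the cluster first.
    matched.sort(key=lambda n: node_age_days(n, now), reverse=True)
    if max_batch_size > 0:
        matched = matched[:max_batch_size]
    return [n["metadata"]["name"] for n in matched]

def drain_failed(nodes):
    """Nodes left with the drain-failed annotation after a graceful-eviction run."""
    return [n["metadata"]["name"] for n in nodes
            if n["metadata"].get("annotations", {}).get("rebalancing.cast.ai/status") == "drain-failed"]

if __name__ == "__main__":
    for row in os_update_report(SAMPLE_NODES):
        print(f'{row["name"]:14} {row["age_days"]:4}d  {row["provider"]:4}  {row["os_image"]}')
    print("targets:", select_targets(SAMPLE_NODES, labels={"team": "payments", "env": "prod"},
                                     min_age_days=30))
    print("spot, batch of 1:", select_targets(SAMPLE_NODES, lifecycle="spot", max_batch_size=1))
    print("drain failed:", drain_failed(SAMPLE_NODES))
```

With the constructed nodes, a schedule targeting `team=payments` and `env=prod` with a 30-day minimum age picks only `ip-10-0-1-10`: the 7-day-old node is too young and the staging node fails the AND match. A spot-only schedule with batch size 1 replaces `gke-node-1` first. Checking `drain_failed` after a run is the follow-up step for schedules that evict gracefully, since those nodes stay in the cluster with the old image until you handle them.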

After configuring the settings and saving your schedule, you can assign it to clusters.

Step 2: Assign the schedule to your clusters

Once you have created an update schedule, you can assign it to clusters to enable automated node OS updates. You can do this immediately or at a later time.

Access your saved schedules by clicking the View schedules button in the Node OS Updates view:

Click on the name of the schedule you want to use and navigate to the Assigned to tab, where you can select the clusters in which you want the schedule to run:

Refer to the Updates column in the node OS update report to see all nodes assigned to a schedule.

📘 Note

One node can have multiple schedules assigned. Hover over the ON status in the report to view the assigned scheduled updates and their expected execution times.
