Updating your operating system is crucial for addressing security vulnerabilities. The node OS update feature delivers a status overview of this process and lets you automate it to ensure worker nodes always run the latest available OS image.
You can find it in the main menu, under the Security tab:
OS vendors regularly release security patches to fix known vulnerabilities. Keeping your OS up-to-date reduces the risk of breaches and data compromises in Kubernetes clusters.
Moreover, regulatory and compliance requirements like SOC2 often require updating K8s environments with the latest security patches to ensure data protection and system integrity.
The CAST AI security feature addresses these challenges in two ways:
Node OS update report offers a comprehensive overview of node OS update status. It provides information on your nodes' age, the OS image installed, the service provider responsible for node provisioning, and whether any scheduled node OS updates are enabled.
It also gives you immediate evidence of your organization's compliance with regulatory or internal security policy requirements.
Automation of node OS updates. Scheduled updates ensure that worker nodes always run the latest available OS image, which helps with patching and maintaining node security.
The report is the first thing you see when you enter the node OS update tab in the main menu.
It identifies your organization's nodes, specifying their age, the percentage of nodes managed by CAST AI, and the number of nodes with scheduled node OS or rebalancing updates.
The node list below presents details of each node, including its name, the date when it was created, the operating system (OS) name and version, and the node provisioning provider.
Each column lets you filter the nodes according to the cluster they belong to, the vendor managing them, and their scheduled update status (enabled or disabled).
The last column – Updates – indicates if you have enabled the node OS update automation provided by CAST AI. Here’s how to understand it:
ON means that the node has an update schedule assigned, so CAST AI replaces current nodes with nodes containing the latest available OS image version, in line with your defined schedule.
OFF means that your node's cluster is onboarded and managed by the CAST AI autoscaler, but it doesn't have any schedules assigned.
UNKNOWN means that CAST AI doesn't manage the cluster or node and therefore has no visibility into whether you have enabled node OS updates through your CSP or other automation tools.
With CAST AI, you can automate the process of updating node OS to the latest version provided by your cloud service provider and make this update compatible with your workers' K8s version.
You can specify settings like the nodes you wish to update, the length of the update period, its execution time, or the batch size to update at once.
The following sections dive deeper into enabling and setting the node OS update automation to match your specific needs.
The node OS update automation feature is available to users with onboarded clusters – please refer to this tutorial for more details.
This feature follows the logic of Scheduled Rebalancing, so please refer to preparation activities to learn how to deal with potentially problematic workloads and minimize disruption.
Once you onboard clusters, you can start scheduling the worker nodes' OS updates. The process consists of two steps: creating an update schedule and assigning it to clusters.
Alternatively, hover over the OFF in the Updates column of the Node OS report and use the Create update schedule option:
This step opens a node OS update schedule creator, which allows you to specify your settings:
Here’s how to understand each setting:
| Setting | Description |
| --- | --- |
| The update schedule name | Add the name of the update schedule. We recommend naming your node OS update schedules meaningfully to distinguish them from rebalancing schedules efficiently. |
| | This field refers to your node's lifecycle: spot, on-demand, or any. |
| Target using labels | Select nodes based on their labels. Key-value pairs are provided as NodeSelector terms. If you provide multiple labels, CAST AI uses AND logic, targeting only the nodes satisfying all listed selector terms. |
| Minimum node age | Specify the minimum period between the node creation and targeting it with automated schedules. Enter the number of days per your regulatory or security policy requirements for node OS patching. '0' means that CAST AI considers nodes of any age. |
| Evict nodes gracefully | Decide what happens to nodes that fail to get drained within a predefined timeout of 20 minutes. If you check this option, they get a `rebalancing.cast.ai/status=drain-failed` annotation instead of being forcefully drained. |
| Maximum batch size | Specify the maximum number of nodes to update in one operation. '0' indicates that CAST AI selects all nodes in the cluster. |
| | Adjust execution time by providing a timezone or a crontab expression. |
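To make the interplay of these settings concrete, here is an added example (not CAST AI's code) that models how a schedule's lifecycle filter, AND-ed label selector, minimum node age, and maximum batch size narrow a node list down to one update batch, and how the graceful-eviction option turns a drain timeout into the `drain-failed` annotation. The node and schedule structures, the oldest-first ordering, and the sample nodes are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Node:
    name: str
    lifecycle: str                    # "spot" or "on-demand"
    created: datetime
    labels: dict = field(default_factory=dict)
    annotations: dict = field(default_factory=dict)

@dataclass
class UpdateSchedule:
    lifecycle: str = "any"            # "spot", "on-demand" or "any"
    selector: dict = field(default_factory=dict)  # NodeSelector terms, AND-ed
    min_node_age_days: int = 0        # 0 = nodes of any age
    max_batch_size: int = 0           # 0 = every matching node
    evict_gracefully: bool = False

def select_batch(schedule, nodes, now):
    cutoff = now - timedelta(days=schedule.min_node_age_days)
    targets = []
    for n in nodes:
        if schedule.lifecycle != "any" and n.lifecycle != schedule.lifecycle:
            continue
        # every selector term must match (AND logic, as the settings table states)
        if any(n.labels.get(k) != v for k, v in schedule.selector.items()):
            continue
        if schedule.min_node_age_days and n.created > cutoff:
            continue                  # younger than the policy minimum
        targets.append(n)
    targets.sort(key=lambda n: n.created)   # assumption: oldest image first
    if schedule.max_batch_size > 0:
        targets = targets[: schedule.max_batch_size]
    return [n.name for n in targets]

def drain_outcome(schedule, node):
    """Outcome for a node whose drain did not finish within the 20-minute timeout."""
    if schedule.evict_gracefully:
        node.annotations["rebalancing.cast.ai/status"] = "drain-failed"
        return "annotated"            # kept running, flagged for follow-up
    return "force-drained"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed sample data
SAMPLE_NODES = [
    Node("spot-a", "spot", NOW - timedelta(days=40), {"pool": "batch"}),
    Node("spot-b", "spot", NOW - timedelta(days=3), {"pool": "batch"}),
    Node("od-c", "on-demand", NOW - timedelta(days=60), {"pool": "batch"}),
    Node("spot-d", "spot", NOW - timedelta(days=90), {"pool": "web"}),
    Node("spot-e", "spot", NOW - timedelta(days=20), {"pool": "batch"}),
]
```

With a spot-only schedule selecting `pool=batch` and a 7-day minimum age, only `spot-a` and `spot-e` qualify; a batch size of 1 then leaves just the oldest of them.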
When you configure all settings and save your schedule, you can assign it to clusters.
You are ready to assign the schedule to clusters to enable automated node OS updates. You can do it immediately or at a later time.
You can access all your saved schedules when you click the 'View schedules' button in the Node OS updates view:
Click the name of the schedule you wish to use and move to Assigned to, where you can decide in which clusters you want it to run:
Refer to the Updates column in the node OS update report to see all nodes assigned to a schedule.
One node may have multiple schedules assigned. Hover over the ON status in the report to view the assigned scheduled updates and their expected execution times: