EKS Node AMI and Patch Management Guide
EKS Node AMI and Patch Management
While EKS Control Plane updates are managed by AWS, Data Plane (Worker Nodes) updates are your responsibility. Your nodes' operating system (Amazon Linux 2, Bottlerocket) must receive security patches and stay up-to-date.
Node update strategies on Amazon EKS are:
1. Managed Node Groups (Easy Way)
If you are using Managed Node Groups, an "Update now" button appears in the EKS console when AWS releases a new AMI.
- When you click this button (or trigger via API), AWS automatically launches a new node, drains the pods on the old one, and shuts down the old node (Rolling Update).
- Caution: Make sure your pods' PodDisruptionBudget settings are correct; otherwise the drain can evict every replica of a workload at once and cause downtime.
2. Self-Managed Node Groups (Hard Way)
If you manage nodes yourself (Custom Launch Template), the process is more manual.
- Find the new AMI ID.
- Update the Launch Template of the Auto Scaling Group (ASG).
- Start an instance refresh on the ASG. This process replaces the nodes sequentially.
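The three self-managed steps above as an added example (not code from the original guide), written as a bash script around the AWS CLI. The Kubernetes version, OS tag, launch template ID and ASG name are placeholder arguments, and it assumes the ASG references its launch template's $Default version so the refresh picks up the new AMI:

```shell
#!/usr/bin/env bash
# Added example, not code from the original guide. Rolls a self-managed EKS
# node group onto the latest EKS-optimized AMI. Assumes a configured AWS CLI
# and an ASG whose launch template reference uses the $Default version.
set -euo pipefail
# Public SSM parameter that AWS keeps pointed at the recommended AMI ID
# (documented paths for Amazon Linux 2 and Bottlerocket on x86_64).
ami_parameter_path() {
  local k8s_version="$1" os="$2"
  case "$os" in
    al2)          echo "/aws/service/eks/optimized-ami/${k8s_version}/amazon-linux-2/recommended/image_id" ;;
    bottlerocket) echo "/aws/service/bottlerocket/aws-k8s-${k8s_version}/x86_64/latest/image_id" ;;
    *)            echo "unsupported os: $os" >&2; return 1 ;;
  esac
}

# Step 1: find the new AMI ID without browsing release notes.
latest_ami_id() {
  aws ssm get-parameter --name "$(ami_parameter_path "$1" "$2")" \
    --query 'Parameter.Value' --output text
}

# Step 2: add a launch template version with the new ImageId and make it the
# default, so the ASG uses it for every instance it launches from now on.
update_launch_template() {
  local lt_id="$1" ami_id="$2" version
  version=$(aws ec2 create-launch-template-version --launch-template-id "$lt_id" \
    --source-version '$Latest' --launch-template-data "{\"ImageId\":\"${ami_id}\"}" \
    --query 'LaunchTemplateVersion.VersionNumber' --output text)
  aws ec2 modify-launch-template --launch-template-id "$lt_id" --default-version "$version" >/dev/null
  echo "$version"
}

# Step 3: start an instance refresh. MinHealthyPercentage bounds how many nodes
# are out at once; pods still need a PodDisruptionBudget to survive the drains.
start_instance_refresh() {
  aws autoscaling start-instance-refresh --auto-scaling-group-name "$1" \
    --preferences '{"MinHealthyPercentage":90,"InstanceWarmup":300}' \
    --query 'InstanceRefreshId' --output text
}

main() {   # usage: ./roll-nodes.sh 1.29 al2 lt-0123456789abcdef0 my-eks-asg (placeholders)
  local ami_id
  ami_id=$(latest_ami_id "$1" "$2")
  echo "new AMI: ${ami_id}, launch template version: $(update_launch_template "$3" "$ami_id")"
  echo "instance refresh started: $(start_instance_refresh "$4")"
}
# Only run the rollout when all four arguments are given.
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Watch the refresh with `aws autoscaling describe-instance-refreshes` and cancel it if pods fail to reschedule, since a refresh keeps terminating nodes once started.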
3. Automation (Karpenter)
Karpenter also manages the node lifecycle. Thanks to its drift feature, when the AMI in the Launch Template changes, or when a node reaches its security expiry (TTL), Karpenter automatically replaces the node with a fresh one.
Bottlerocket OS
If you don't want to deal with package-level security patches, use Bottlerocket, the operating system with a read-only root filesystem that AWS designed specifically for running containers. Updates are applied as atomic whole-image replacements rather than per-package upgrades, so a node is always either fully on the old image or fully on the new one.