If you are using an Amazon EKS optimized AMI, AWS automatically applies the latest security patches and operating system updates as part of the latest AMI release version.
New Amazon EKS optimized AMIs are released frequently. For example, there were seven (7) EKS optimized AMI releases for k8s 1.19.6.
It is good practice to replace the nodes in your node group with the new AMI, so that the underlying OS and software packages on the worker nodes stay current and patched from a security point of view.
The controller provides a single-click workflow for AMI upgrades. The workflow is identical to "k8s version upgrades", so there is nothing new for the administrator to learn.
- For self-managed node groups, the controller automatically checks for the latest AMI.
- For managed node groups, the controller automatically checks for the latest release version.
The administrator is shown a visible notification when an updated AMI is available. Once the administrator initiates the AMI upgrade, the controller upgrades the worker nodes to the new AMI.
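The check described above, written out as an added example that is not the controller's own code: for self-managed node groups it compares each worker instance's AMI with the recommended Amazon EKS optimized AMI that AWS publishes under the SSM parameter path `/aws/service/eks/optimized-ami/<k8s_version>/amazon-linux-2/recommended/image_id`; for managed node groups it compares the node group's `releaseVersion` with the `.../recommended/release_version` parameter. The AWS clients are passed in, so the logic runs offline against the constructed fake clients at the bottom (all AMI IDs, instance IDs, cluster and node group names and release dates there are made up); with real `boto3` `ssm`, `ec2` and `eks` clients the same functions query the account.

```python
"""Detect worker nodes and node groups running a stale Amazon EKS optimized AMI.

Added example, not the controller's code. The SSM parameter paths are the
ones AWS documents for recommended EKS optimized AMIs; the fake clients and
all sample values below are constructed for an offline demonstration.
"""
from dataclasses import dataclass
from typing import List

SSM_PREFIX = "/aws/service/eks/optimized-ami"


@dataclass
class AmiStatus:
    name: str      # instance ID or node group name
    current: str   # AMI ID or release version currently in use
    latest: str    # recommended value published by AWS in SSM

    @property
    def outdated(self) -> bool:
        return self.current != self.latest


def ssm_recommended(ssm, k8s_version: str, field: str) -> str:
    """Read the recommended 'image_id' or 'release_version' for a k8s minor version."""
    name = f"{SSM_PREFIX}/{k8s_version}/amazon-linux-2/recommended/{field}"
    return ssm.get_parameter(Name=name)["Parameter"]["Value"]


def check_self_managed(ssm, ec2, k8s_version: str, instance_ids: List[str]) -> List[AmiStatus]:
    """Self-managed node group: compare each instance's ImageId with the latest AMI."""
    latest = ssm_recommended(ssm, k8s_version, "image_id")
    resp = ec2.describe_instances(InstanceIds=instance_ids)
    return [AmiStatus(i["InstanceId"], i["ImageId"], latest)
            for r in resp["Reservations"] for i in r["Instances"]]


def check_managed(ssm, eks, cluster: str, nodegroup: str) -> AmiStatus:
    """Managed node group: compare its releaseVersion with the latest release version."""
    ng = eks.describe_nodegroup(clusterName=cluster, nodegroupName=nodegroup)["nodegroup"]
    latest = ssm_recommended(ssm, ng["version"], "release_version")
    return AmiStatus(nodegroup, ng["releaseVersion"], latest)


# ---- constructed fakes standing in for boto3 clients (offline demo only) ----
class FakeSsm:
    def __init__(self, params): self.params = params
    def get_parameter(self, Name): return {"Parameter": {"Value": self.params[Name]}}


class FakeEc2:
    def __init__(self, instances): self.instances = instances
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "ImageId": self.instances[i]} for i in InstanceIds]}]}


class FakeEks:
    def __init__(self, groups): self.groups = groups
    def describe_nodegroup(self, clusterName, nodegroupName):
        return {"nodegroup": self.groups[(clusterName, nodegroupName)]}


def demo():
    """Run both checks against constructed data (every value here is made up)."""
    ssm = FakeSsm({
        f"{SSM_PREFIX}/1.19/amazon-linux-2/recommended/image_id": "ami-0123456789abcdef0",
        f"{SSM_PREFIX}/1.19/amazon-linux-2/recommended/release_version": "1.19.6-20210628",
    })
    ec2 = FakeEc2({"i-0aaa": "ami-0123456789abcdef0",   # already on the latest AMI
                   "i-0bbb": "ami-0fedcba9876543210"})  # still on an older AMI
    eks = FakeEks({("prod", "ng-1"): {"version": "1.19",
                                      "releaseVersion": "1.19.6-20210414"}})
    self_managed = check_self_managed(ssm, ec2, "1.19", ["i-0aaa", "i-0bbb"])
    managed = check_managed(ssm, eks, "prod", "ng-1")
    return self_managed, managed


if __name__ == "__main__":
    sm, mg = demo()
    for s in sm + [mg]:
        flag = "OUTDATED" if s.outdated else "current"
        print(f"{s.name}: {s.current} (latest {s.latest}) -> {flag}")
```

Running it reports `i-0bbb` and the managed node group `ng-1` as outdated, which is the condition under which the controller raises its notification to the administrator. The comparison is a plain string inequality on purpose: AWS publishes exactly one recommended value per minor version, so anything else counts as drift rather than attempting to order AMI IDs.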
Organizations that use a "Custom AMI" can also use the same workflow to upgrade their worker nodes to an updated version of their custom AMI.
An audit trail of the administrator-initiated action is generated (who performed it and when it was performed), and the upgrade status and history are available for inspection and review.