Kubernetes Cluster Version

Risk level: Low (generally tolerable level of risk)
Rule ID: EKS-002

Ensure that your Amazon Elastic Kubernetes Service (EKS) clusters are using the latest stable version of the Kubernetes container-orchestration system, in order to follow AWS best practices, receive the latest Kubernetes features, design updates and bug fixes, and benefit from better security and performance. The community releases new Kubernetes minor versions, such as 1.14, approximately every three months, and each minor version is supported for approximately one year after it is first released.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security
Performance efficiency
Reliability

The Kubernetes container-orchestration system receives version updates regularly in order to introduce new software features, bug fixes, security patches and performance improvements. As new Kubernetes versions become available in Amazon EKS, unless your containerized applications require a specific version of Kubernetes, Cloud Conformity strongly recommends that you choose the latest available version of Kubernetes supported by Amazon Web Services for your EKS clusters in order to benefit from new features and enhancements.


Audit

To determine if your AWS EKS clusters are using the latest version of Kubernetes, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EKS dashboard at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon EKS, select Clusters.

04 Click on the name of the EKS cluster that you want to examine to access the resource configuration settings.

05 On the selected cluster settings page, within General configuration section, check the Kubernetes Version attribute value to determine the Kubernetes version used by the selected EKS cluster.

06 Access this URL to check for the latest stable version of Kubernetes supported by Amazon EKS service.

07 Compare the latest version of Kubernetes supported by Amazon Web Services with the version used by the selected EKS cluster. If there is a newer Kubernetes version released and supported by AWS EKS service, the Kubernetes version installed for the selected EKS cluster should be updated to receive the latest Kubernetes features, design updates and bug fixes, and benefit from all the security and performance improvements that come with the latest version.

08 Repeat steps no. 4 – 7 to determine the Kubernetes version for the rest of the Amazon EKS clusters available within the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run list-clusters command (OSX/Linux/UNIX) using custom query filters to list the names of all AWS EKS clusters available in the selected region:

aws eks list-clusters \
	--region us-east-1 \
	--output table \
	--query 'clusters'

02 The command output should return a table with the requested EKS cluster identifiers:

-------------------------
|     ListClusters      |
+-----------------------+
| cc-production-cluster |
| cc-project5-cluster   |
| cc-internal-app-stack |
+-----------------------+ 

03 Run describe-cluster command (OSX/Linux/UNIX) using the name of the EKS cluster that you want to examine as identifier parameter and custom query filters to expose the Kubernetes container-orchestration system version installed on the selected Amazon EKS cluster:

aws eks describe-cluster \
	--region us-east-1 \
	--name cc-production-cluster \
	--query 'cluster.version'

04 The command output should return the Kubernetes system version installed on the cluster:

"1.12"

05 Open this URL to check for the latest stable version of Kubernetes supported by Amazon EKS service.

06 Compare the latest version of Kubernetes supported by Amazon Web Services with the Kubernetes version returned by the describe-cluster command output at step no. 4. If there is a newer Kubernetes version released and supported by AWS EKS service, the Kubernetes version installed for the selected EKS cluster should be updated to receive the latest software features, design updates and bug fixes, and benefit from all the security and performance improvements that come with the latest version.

07 Repeat steps no. 3 – 6 to determine the Kubernetes version for the rest of the Amazon EKS clusters available in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the audit process for other regions.
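
The CLI audit steps above, scripted for every cluster in one or more regions. This is an added example, not part of the original page: the function names and script name are hypothetical, and the target version is supplied by the operator (the latest Kubernetes version that Amazon EKS supports) rather than looked up.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# TARGET is an assumption: the operator passes the latest EKS-supported version.

# version_lt A B: true when Kubernetes version A is older than B.
# Major and minor are compared as numbers, so 1.9 sorts before 1.12
# (a plain string comparison would get that wrong).
version_lt() (
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
  [ "$a_major" -lt "$b_major" ] ||
    { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
)

# audit_region REGION TARGET: one line per cluster, "<region> <name> <version> <verdict>".
# Exit status is 1 when at least one cluster is older than TARGET.
audit_region() (
  region=$1; target=$2; rc=0
  # EKS cluster names contain no whitespace, so word splitting is safe here.
  for name in $(aws eks list-clusters --region "$region" \
                  --query 'clusters' --output text); do
    ver=$(aws eks describe-cluster --region "$region" --name "$name" \
            --query 'cluster.version' --output text)
    if version_lt "$ver" "$target"; then
      echo "$region $name $ver OUTDATED"; rc=1
    else
      echo "$region $name $ver OK"
    fi
  done
  exit "$rc"
)

# Usage: sh eks-version-audit.sh TARGET REGION...  (no arguments: define functions only)
if [ "$#" -ge 2 ]; then
  target=$1; shift; status=0
  for region in "$@"; do
    audit_region "$region" "$target" || status=1
  done
  exit "$status"
fi
```

The non-zero exit status on any OUTDATED cluster lets the script gate a scheduled job or pipeline step.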

Remediation / Resolution

As new Kubernetes versions become available for the EKS service, you can proactively update your EKS clusters to use the latest available version. To update the Kubernetes version for your existing Amazon EKS clusters, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon EKS dashboard at https://console.aws.amazon.com/eks/.

03 In the left navigation panel, under Amazon EKS, select Clusters.

04 Click on the name of the EKS cluster that you want to reconfigure (see Audit section part I to identify the right EKS resource).

05 On the selected EKS cluster configuration page, click the Update cluster version button from the dashboard top-right menu to initiate the update process.

06 On the Update cluster version page, perform the following:

  1. Select the latest Kubernetes version that you want to install for the selected EKS cluster, from the Kubernetes version dropdown list.
  2. Click Update to apply the configuration changes.
  3. Inside the Update Kubernetes version for cluster: <cluster-name> dialog box, type the name of your EKS cluster in the Cluster name box and choose Confirm to complete the update process. The Kubernetes version update for the selected cluster should take a few minutes. During the update process, the cluster status is set to UPDATING.

07 Repeat steps no. 4 – 6 to update the Kubernetes version for the rest of the Amazon EKS clusters available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-cluster-version command (OSX/Linux/UNIX) using the name of the EKS cluster that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) and the latest stable version of Kubernetes supported by AWS as --kubernetes-version parameter value, to update the selected Amazon EKS cluster to the specified Kubernetes version:

aws eks update-cluster-version \
	--region us-east-1 \
	--name cc-production-cluster \
	--kubernetes-version 1.14

02 The command output should return the configuration metadata for the EKS cluster update process:

{
    "update": {
        "status": "InProgress",
        "errors": [],
        "params": [
            {
                "type": "Version",
                "value": "1.14"
            },
            {
                "type": "PlatformVersion",
                "value": "eks.4"
            }
        ],
        "type": "VersionUpdate",
        "id": "abcd1234-abcd-1234-abcd-1234abcd1234",
        "createdAt": 1567599553.853
    }
}

03 Run describe-update command (OSX/Linux/UNIX) using the EKS cluster name and the update ID returned at the previous step as identifier parameters to confirm the configuration changes performed at the previous step. The Kubernetes version update for the specified Amazon EKS cluster is complete when the status is set to "Successful":

aws eks describe-update \
	--region us-east-1 \
	--name cc-production-cluster \
	--update-id abcd1234-abcd-1234-abcd-1234abcd1234 \
	--query 'update.status'

04 The command output should return the requested update status:

"Successful"

05 Repeat steps no. 1 – 4 to update the Kubernetes version for the rest of the Amazon EKS clusters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
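
Steps 03 and 04 above check the update status once; the following added example (not part of the original page) polls describe-update until the update leaves InProgress and surfaces the error list if it does not succeed. The function name, POLL_INTERVAL and MAX_POLLS are hypothetical choices made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Names and defaults are assumptions.
POLL_INTERVAL=${POLL_INTERVAL:-30}   # seconds between status checks
MAX_POLLS=${MAX_POLLS:-120}          # give up after this many checks

# wait_for_update REGION CLUSTER UPDATE_ID
# Exit status: 0 = Successful, 1 = Failed/Cancelled/unexpected status, 2 = timed out.
wait_for_update() (
  region=$1; cluster=$2; update_id=$3; polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    status=$(aws eks describe-update --region "$region" --name "$cluster" \
               --update-id "$update_id" --query 'update.status' --output text)
    case "$status" in
      Successful)
        echo "update $update_id: Successful"; exit 0 ;;
      InProgress)
        ;;  # keep waiting
      *)
        # Failed, Cancelled or an unexpected value: show the error list and stop.
        echo "update $update_id: $status" >&2
        aws eks describe-update --region "$region" --name "$cluster" \
          --update-id "$update_id" --query 'update.errors' --output json >&2
        exit 1 ;;
    esac
    polls=$((polls + 1))
    sleep "$POLL_INTERVAL"
  done
  echo "update $update_id: still InProgress after $MAX_POLLS checks" >&2
  exit 2
)
```

Amazon EKS moves a cluster one minor version per update, so a cluster that is more than one version behind needs the update-and-wait cycle repeated for each intermediate version.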

Publication date Sep 11, 2019
