Containers-roadmap: [EKS] [request]: Kubernetes 1.13 Patch Update (to 1.13.8)

Created on 11 Jul 2019  路  10Comments  路  Source: aws/containers-roadmap

Tell us about your request
Thanks for supporting kubernetes v1.13 on EKS!

This issue is to see if EKS can bump the Kubernetes patch version from v1.13.7 to v1.13.8.

Which service(s) is this request for?
EKS - both the control plane and eks-optimized AMIs

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Kubernetes 1.13.8 has an important fix (it fixes a regression that was introduced in v1.13) - especially pertaining to EKS' use of Amazon's VPC CNI plugin: when IP addresses are in the cooling period (30 seconds after pod termination when those IPs can't be used), this patch fixes the regression where kubelet no longer retries the sandbox creation on failure (regardless of the restart policy of the pod).

Are you currently working around this issue?
Until this is live, we have to revert to using EKS' Kubernetes 1.12 (which is less than ideal). Thanks for any updates here!

EKS
Source
picture schahal
👍16

Most helpful comment

@mogren Now that the control plane is on 1.13.8 since last weekend, would you please be able to release a new AMI with 1.13.8?

picture devkid on 8 Aug 2019
👍12

All 10 comments

As far as I can tell, this only affects the kubelet, right? So it would be sufficient to use version 1.13.8 of the kubelet to get the fix.

devkid picture devkid on 12 Jul 2019

Indeed, possibly similar to what EKS did with 1.11 I believe - their control plane is still on v1.11.8 while the worker nodes are on v1.11.9.

schahal picture schahal on 15 Jul 2019

I confirm that rebuilding the ami using kubelet v1.13.8 fixed the issue.

zanitete picture zanitete on 17 Jul 2019
👍2

@mogren Now that the control plane is on 1.13.8 since last weekend, would you please be able to release a new AMI with 1.13.8?

devkid picture devkid on 8 Aug 2019
👍12

FYI: the 1.13.8 AMI suddenly changed docker group id from 995 to 994, so you need to adjust your build scripts and Dockerfiles accordingly.

Tail of the /etc/group:

cgred:x:995:
docker:x:994:ec2-user
pawelprazak picture pawelprazak on 21 Aug 2019

@pawelprazak
Hi, you shouldn't rely the group id of specific user. (Is there an reason that u have to rely on that?)
BTW, the groupId is changed due to https://github.com/awslabs/amazon-eks-ami/commit/41f4dd905e8a2e9417293895741dae10964a9310, which occupied a groupID :D

M00nF1sh picture M00nF1sh on 23 Aug 2019
👍1

Yes, not relying on the docker GID would be best, but unfortunately that was the only way we found to enable building container images with docker command from inside the container (pod) that is run as non-root user.

pawelprazak picture pawelprazak on 23 Aug 2019

Looks like they need to get patches out for control-plane and worker images for security updates

https://www.bleepingcomputer.com/news/security/severe-flaws-in-kubernetes-expose-all-servers-to-dos-attacks/

1.13.10 in this case

cdenneen picture cdenneen on 23 Aug 2019
👍3

@aws would it be possible for you guys to publish eks node ami's as soon as patches come out? In case of 1.13.8 our autoscaling is not working as expected and in 1.13.10 it is clear that dos attacks can be a threat. Seems that we've to wait an additional month or two, which imho beats the purpose of patches.

andreamaruccia picture andreamaruccia on 24 Aug 2019
👍6

Closing this as EKS no longer supports Kubernetes v1.13.

tabern picture tabern on 15 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

AndrewMcFarren picture AndrewMcFarren  路  3Comments
pauldougan picture pauldougan  路  3Comments
miztch picture miztch  路  3Comments
sarath9985 picture sarath9985  路  3Comments
yinshiua picture yinshiua  路  3Comments