I'm curious about EKS and the classification of its components. If I'm not using Fargate, does that mean EKS isn't serverless? I understand the K8s control plane operates as SaaS, but my worker nodes are IaaS. If my company mandates certain hardening practices for EC2 instances, do I still need to apply those to the worker nodes in my EKS cluster?
4 Answers
Absolutely, yes!
To break it down: EKS functions as a serverless control plane, while Fargate is the serverless data plane, and EC2 operates as an IaaS data plane.
If you're using EKS in Auto mode, AWS actually uses a hardened Bottlerocket AMI and rotates your nodes every 21 days, so there's no need for manual patching! That's a pretty neat automated feature.
If Auto mode doesn't fit your needs, you can look into Karpenter Drift with those disruption budgets and Bottlerocket AMIs for similar results.
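The Karpenter Drift approach mentioned above, written out as an added example that is not part of any of the answers in this thread: a Karpenter v1 `EC2NodeClass` that selects a pinned Bottlerocket AMI, and a `NodePool` whose disruption budgets bound how fast drifted or expired nodes get replaced. The cluster name, IAM role name, discovery tag values, Bottlerocket version and the 21-day expiry are assumptions for illustration only.

```yaml
# Added example, not from the thread: Karpenter v1 EC2NodeClass + NodePool using
# Bottlerocket, with drift-driven replacement bounded by disruption budgets.
# Cluster name, IAM role, tag values, AMI version and 504h expiry are assumptions.
apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: bottlerocket-default
spec:
  amiFamily: Bottlerocket
  # Pin to a specific Bottlerocket release. Moving this pin (or using the
  # floating "bottlerocket@latest") is what marks existing nodes as Drifted.
  amiSelectorTerms:
    - alias: bottlerocket@v1.20.3          # assumed version; use one you have validated
  role: KarpenterNodeRole-my-cluster       # assumed IAM role name
  subnetSelectorTerms:
    - tags:
        karpenter.sh/discovery: my-cluster # assumed tag value
  securityGroupSelectorTerms:
    - tags:
        karpenter.sh/discovery: my-cluster
  metadataOptions:
    httpTokens: required                   # IMDSv2 only
    httpPutResponseHopLimit: 1             # keeps pod network namespaces from reaching IMDS
---
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: default
spec:
  template:
    spec:
      nodeClassRef:
        group: karpenter.k8s.aws
        kind: EC2NodeClass
        name: bottlerocket-default
      requirements:
        - key: kubernetes.io/arch
          operator: In
          values: ["amd64"]
        - key: karpenter.sh/capacity-type
          operator: In
          values: ["on-demand"]
      # Hard ceiling on node age: 21 days, chosen here to mirror the cadence
      # discussed above. Nodes are replaced at expiry even if nothing drifted.
      expireAfter: 504h
  disruption:
    consolidationPolicy: WhenEmptyOrUnderutilized
    consolidateAfter: 1m
    budgets:
      # Never disrupt more than 10% of this pool's nodes at once, for any reason.
      - nodes: "10%"
      # Block drift-driven replacement during business hours (UTC), Mon-Fri,
      # so AMI rollouts land outside peak traffic.
      - nodes: "0"
        reasons: ["Drifted"]
        schedule: "0 9 * * mon-fri"
        duration: 8h
```

Rolling to a new Bottlerocket release is then a one-line change to the `alias` pin: Karpenter marks every node launched from the old AMI as drifted and replaces them, but only as fast as the budgets allow, and `expireAfter` guarantees an upper bound on node age even when no new AMI is published. Pinning the version rather than using `bottlerocket@latest` keeps the rollout under your change control rather than tied to upstream release timing.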
Just a heads-up, Karpenter is mainly the one handling that, not the auto mode itself.
Yes, but there's an exception for BottlerocketOS nodes since they're designed specifically to run containers. They come hardened with SELinux enforced right out of the box and don’t require SSH access, so you don’t need typical EC2 hardening.
Got it, thanks for clarifying!
I've been using Bottlerocket for over a year, and honestly, I don't see the need for a config management tool!
Thanks for the confirmation!