[EKS] [request]: Automatically updating and/or protecting core kube-system components

[arminc]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Currently, after upgrading EKS we need to manually upgrade coredns/kube-proxy/cni plugin, as stated here https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html. Besides that, it is possible to change them in the cluster.

The advantages of this are that it is possible to adjust things and add custom information without the interference of AWS. Using an internal docker registry, for example, is possible.

Disadvantages are a manual upgrading process but also the fact that people can change anything and therefore break the cluster or run incompatible versions of components.

I am not saying locking the components completely down is the best way to do it but having a fully automated upgrade process would be much cleaner. But one can't go without the other, if they leave everything open but upgrade automatically then all changes might get lost. Maybe locking down the components but allowing certain things to be configured could be a compromise.

Note: I think it's good to get an understanding of why AWS hasn't protected these components and if they are planning to change this?

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Upgrading a cluster means manual work on upgrading core kube-system components, this should be automatically done when EKS is upgraded.

[tabern]

This will be delivered as part of #252