EKS Upgrade Readiness Assessment

Readiness Score: 59% — NOT READY

Karpenter 1.0.2 is incompatible with Kubernetes 1.33 (requires >= 1.5). This is a hard blocker — node provisioning will break after the control plane upgrade. You must upgrade Karpenter to >= 1.5 before upgrading the control plane. All other checks pass cleanly; once Karpenter is resolved, this cluster is in good shape.

Score Breakdown

Hard Blocker: Karpenter 1.0.2 incompatible with target → score capped at 59%

Blockers & Critical Actions

Karpenter 1.0.2 Incompatible with Kubernetes 1.33

• Severity: CRITICAL (Hard Blocker)
• What we found: Karpenter v1.0.2 is deployed in the karpenter namespace. The official compatibility matrix requires Karpenter >= 1.5 for Kubernetes 1.33.
• Impact if not addressed: After the control plane upgrades to 1.33, Karpenter will fail to provision new nodes. Existing nodes continue running but new capacity requests (scale-up, spot interruption replacements, consolidation) will fail. The cluster will effectively lose autoscaling.
• Remediation:

Upgrade Karpenter before the control plane upgrade. The 1.0.x → 1.5+ jump crosses the v1 API boundary — verify your NodePool and EC2NodeClass CRDs are on v1 APIs (not v1beta1):

  # 1. Check current Karpenter version
  kubectl get deployment karpenter -n karpenter -o jsonpath='{.spec.template.spec.containers[0].image}'

  # 2. Verify NodePool CRDs are v1 (not v1beta1)
  kubectl get nodepools.karpenter.sh -o yaml | grep apiVersion

  # 3. Upgrade Karpenter via Helm (adjust version to latest >= 1.5)
  helm upgrade karpenter oci://public.ecr.aws/karpenter/karpenter \
    --namespace karpenter \
    --version 1.5.0 \
    --set clusterName=ex-karpenter-test \
    --set clusterEndpoint=$(aws eks describe-cluster --name ex-karpenter-test --query cluster.endpoint --output text --region us-west-2) \
    --wait

  # 4. Verify Karpenter is healthy after upgrade
  kubectl get pods -n karpenter
  kubectl logs -n karpenter -l app.kubernetes.io/name=karpenter --tail=20

• Reference: https://karpenter.sh/docs/upgrading/compatibility/

Extended Support Cost Impact

• Severity: HIGH
• What we found: Cluster is on v1.32 which entered Extended Support on March 23, 2026. You are currently paying the extended support rate.
• Impact: Extended support costs $0.60/hr vs $0.10/hr for standard support. Monthly cost: $0.60 x 730 = $438/month (vs $73/month on standard). Extra cost: $0.50 x 730 = $365/month.
• Remediation: Upgrading to 1.33 (standard support until July 29, 2026) returns you to standard pricing.

Recommended Actions

Single-Replica Deployment: singleton-app

• Severity: MEDIUM
• What we found: default/singleton-app runs with 1 replica. During node drain (Karpenter consolidation or upgrade), this workload will experience downtime.
• Remediation: Scale to 2+ replicas if the workload requires availability, or accept brief downtime during upgrades.

Missing Readiness Probes

• Severity: MEDIUM
• What we found: 2 workloads lack readiness probes:
• default/inflate (3 replicas)
• default/singleton-app (1 replica)
• Remediation: Add readiness probes so Kubernetes knows when pods are ready to receive traffic. Without probes, traffic may be sent to pods that aren't ready after rescheduling.

Missing PDB for Multi-Replica Deployment: inflate

• Severity: MEDIUM
• What we found: default/inflate has 3 replicas but no PodDisruptionBudget. During node drain, all 3 pods could be evicted simultaneously.
• Remediation:

  kubectl create pdb inflate-pdb --namespace default \
    --selector app=inflate --min-available 2

Missing Memory Request: inflate

• Severity: MEDIUM
• What we found: The inflate container in default/inflate has a CPU request but no memory request. Without memory requests, the scheduler cannot make optimal placement decisions during rescheduling.
• Remediation: Add resources.requests.memory to the container spec.

Informational Findings

• Endpoints API deprecated in 1.33: The Endpoints API is deprecated in favor of EndpointSlices (discovery.k8s.io/v1). The 3 endpoints found (karpenter/karpenter, kube-system/eks-extension-metrics-api, kube-system/kube-dns) are auto-managed by their Services — no user action needed.
• Containerd 1.7.x on Bottlerocket node: Node ip-10-0-x-x runs containerd 1.7.31. This is fine for 1.33 but containerd 1.x support ends in Kubernetes 1.35. Plan to update before targeting 1.35.
• Extended Support: Cluster is on Extended Support ($365/month premium). Upgrading to 1.33 returns to standard pricing.

Evidence

Add-on Inventory

Node Group Summary

Karpenter NodePools:

Subnet Capacity:

Workload Risk Summary

Master Workload Table (non-system namespaces):

Risk Findings:

AWS Upgrade Insights

Upgrade Plan

Do NOT proceed until the Karpenter blocker is resolved.

Pre-Upgrade Checklist

• [ ] Upgrade Karpenter to >= 1.5 (hard blocker)
• [ ] Verify NodePool/EC2NodeClass CRDs are on v1 APIs after Karpenter upgrade
• [ ] Add readiness probes to inflate and singleton-app
• [ ] Add PDB for inflate deployment
• [ ] Consider scaling singleton-app to 2+ replicas
• [ ] Take etcd snapshot / backup

Step 1: Upgrade Karpenter (MUST DO FIRST)

# Check current CRD API versions
kubectl get nodepools.karpenter.sh -o yaml | grep apiVersion
kubectl get ec2nodeclasses.karpenter.k8s.aws -o yaml | grep apiVersion

# Upgrade Karpenter (adjust to latest stable >= 1.5)
helm upgrade karpenter oci://public.ecr.aws/karpenter/karpenter \
  --namespace karpenter \
  --version 1.5.0 \
  --set clusterName=ex-karpenter-test \
  --set clusterEndpoint=$(aws eks describe-cluster --name ex-karpenter-test --query cluster.endpoint --output text --region us-west-2) \
  --wait

# Verify Karpenter is healthy
kubectl get pods -n karpenter
kubectl get nodepools.karpenter.sh

Step 2: Update EKS Managed Add-ons (optional, already compatible)

# Check for latest compatible versions
aws eks describe-addon-versions --addon-name vpc-cni --kubernetes-version 1.33 --query 'addons[0].addonVersions[0].addonVersion' --region us-west-2
aws eks describe-addon-versions --addon-name kube-proxy --kubernetes-version 1.33 --query 'addons[0].addonVersions[0].addonVersion' --region us-west-2
aws eks describe-addon-versions --addon-name eks-pod-identity-agent --kubernetes-version 1.33 --query 'addons[0].addonVersions[0].addonVersion' --region us-west-2

Step 3: Upgrade Control Plane

aws eks update-cluster-version \
  --name ex-karpenter-test \
  --kubernetes-version 1.33 \
  --region us-west-2

Step 4: Monitor Upgrade Progress

# Get the update ID from the output of Step 3, then:
aws eks describe-update \
  --name ex-karpenter-test \
  --update-id <UPDATE_ID> \
  --region us-west-2

# Or watch cluster status
watch -n 30 'aws eks describe-cluster --name ex-karpenter-test --query "cluster.{status:status,version:version}" --output table --region us-west-2'

Step 5: Update Node Groups (Karpenter-managed)

Karpenter nodes will be replaced automatically based on your NodePool expireAfter (720h) and disruption settings. To force immediate rotation:

# Option A: Trigger drift detection (Karpenter detects version mismatch and replaces nodes)
# This happens automatically after control plane upgrade

# Option B: Force immediate replacement
kubectl delete node <node-name>

Step 6: Update Fargate Pods

Fargate pods must be recycled to pick up the new platform version:

# Delete and let the controller recreate them
kubectl rollout restart deployment -n <namespace> <deployment-name>

Step 7: Verify

kubectl get nodes -o wide
kubectl get pods -A | grep -v Running | grep -v Completed
aws eks describe-cluster --name ex-karpenter-test --query "cluster.version" --region us-west-2

AWS Reference Links

• EKS Kubernetes Versions: https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html
• EKS Add-on Versions: https://docs.aws.amazon.com/eks/latest/userguide/managing-add-ons.html
• Karpenter Compatibility: https://karpenter.sh/docs/upgrading/compatibility/
• Karpenter Upgrade Guide: https://karpenter.sh/docs/upgrading/upgrade-guide/
• EKS Best Practices — Upgrades: https://docs.aws.amazon.com/eks/latest/best-practices/cluster-upgrades.html
• EKS Platform Versions: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html