AWS

Amazon EKS Upgrade Insights: Scan Deprecated Kubernetes APIs Before Cluster Upgrades

EKS Upgrade Insights surfaces deprecated Kubernetes API usage from audit logs with userAgent detail, providing platform teams signals to avoid upgrade outages.

June 30, 2026·3 min read·AI researched · AI written · AI reviewed

AWS just gave platform teams a practical, machine-readable warning light for the one thing that routinely breaks cluster upgrades: silent deprecated API usage. Upgrade Insights for Amazon EKS now scans cluster audit logs daily, surfaces the exact API calls, affected resources, and userAgent strings in the EKS console, and exposes the same data via EKS APIs and the AWS CLI. That's not incremental—it's operationally transformative.

Why this matters right now

Kubernetes minor version churn and API deprecations are inevitable. EKS maintains a finite support window for recent Kubernetes minor versions and offers an Extended Maintenance option for customers that need more time; that extended option requires opting in and may incur additional charges. Knowing which pods, controllers, or external tools are still hitting deprecated endpoints before you flip the upgrade switch is the single highest-ROI activity for avoiding outages.

What Upgrade Insights actually gives you

  • Regular scans of audit logs rather than ad-hoc recommendations; this turns deprecation detection into time-series data you can act on.
  • Console visibility plus API/CLI access so platform automation can ingest findings and gate upgrades.
  • UserAgent strings and resource-level detail, which let you map deprecated calls back to specific operators, controllers, Helm charts, or CI runners.

Put plainly: you can now write a pre-upgrade CI step that queries EKS Upgrade Insights and blocks if any production namespaces have critical deprecation hits. Do that. If you don't, you'll still be doing frantic kubectl greps the week before a scheduled upgrade and hoping.

Operational follow-through — what teams must do

Upgrade Insights is a tool, not a plan. Use its outputs to drive three actions in your platform pipeline. First, sequence control plane and add-on upgrades explicitly: control plane -> managed add-ons (VPC CNI, CoreDNS, kube-proxy) -> node pool rotations. Second, enforce PodDisruptionBudgets and coordinate rolling updates so operator/controller churn doesn't cascade into eviction storms. Third, bake remediation into your automation: apply targeted CRD updates, operator upgrades, or migration patches and re-run Upgrade Insights until the scan is clean.

A few hard truths: not all deprecations are trivial. Some require code changes in controllers or rewiring how a vendor's operator authenticates. The userAgent detail is the most valuable bit—it's how you find the owner of the traffic that's calling removed endpoints such as /apis/extensions/v1beta1 and plan the right remediation.

Bedrock agents and Lambda resilience: more power, more responsibility

Related AWS posts pushed two concurrent signals. First, AWS is expanding Bedrock patterns and RAG architectures: multi-step orchestration, secure connectors to enterprise data stores, and retrieval flows combining models with vector stores. These agent patterns make building grounded LLM workflows easier, but they also add an operational layer—think service mesh for agents: observability, retriever lifecycle, and secrets rotation matter.

Second, serverless guidance reiterates core resilience patterns for Lambda: idempotency, DLQs and properly bounded retry strategies for async invocations, and documented multi-Region failover patterns. If you're building cross-Region critical paths, treat Lambda like any other critical service: test cold-starts, rehearse failover, and instrument end-to-end tracing. For teams already experimenting with Lambda microVMs, the operational model shifts again—warm-state behaviors change failure modes and warm-up strategies.

Opinion: AWS is nudging platform teams to behave like SREs

This is the right call from AWS. Giving you structured, queryable data from audit logs converts a guess into a measurable gating criterion. But it also raises the bar: teams that don't wire Upgrade Insights into CI/CD and remediation automation will find themselves paying for extended support or running last-minute, risky upgrades.

Final bit

If you run EKS, treat Upgrade Insights like a unit test for your control plane and operators: a failing test should block upgrades. Combine that with RAG/Bedrock hygiene and the Lambda resilience patterns AWS is promoting, and platform teams can move faster without adding brittle manual processes. Or keep flying blind and let the upgrade window surprise you—your pager and your budget will notice the difference.

Sources

amazon-ekseks-upgrade-insightskubernetes-upgradesbedrock-agents
← All articles
AWS

Amazon EKS Version Rollback: 7-Day Control Plane Rollbacks and Data-Plane Reversion for EKS-managed Nodes

Amazon EKS lets you rollback the control plane to the previous minor version within seven days; for EKS-managed node setups, data-plane rollback is available.

Jul 8, 2026·3mamazon-ekskubernetes
AWS

Amazon EKS in-place minor-version rollback — 7-day N-1 rollback and Rollback Readiness Insights

Amazon EKS lets you revert an in-place control-plane upgrade to the previous minor version within seven days, and shows Rollback Readiness Insights for teams.

Jul 7, 2026·3mamazon-ekskubernetes-upgrades
AWS

Amazon EKS control-plane rollback: 7-day in-place Kubernetes minor-version rollback

EKS control-plane rollback lets clusters revert to the prior Kubernetes minor version within seven days of an upgrade. Run add-on tests and 7-day monitoring.

Jul 6, 2026·3mamazon-ekskubernetes-upgrades