aws · orsenthil · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024
@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -16,7 +16,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           go install golang.org/x/lint/golint@latest
@@ -50,7 +50,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Build CNI images
         run: make multi-arch-cni-build
       - name: Build CNI Init images

@@ -29,7 +29,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Generate CNI YAML
         run: make generate-cni-yaml
       - name: Create eks-charts PR

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod
@@ -53,8 +53,9 @@ jobs:
           ROLE_ARN: ${{ secrets.EKS_CLUSTER_ROLE_ARN }}
           RUN_CNI_INTEGRATION_TESTS: false
           RUN_KOPS_TEST: true
-          K8S_VERSION: 1.29.0-alpha.3
-          KOPS_VERSION: v1.29.0-alpha.3
+          K8S_VERSION: 1.30.0-beta.0
+          KOPS_VERSION: v1.28.4
+          KOPS_RUN_TOO_NEW_VERSION: 1
         run: |
           ./scripts/run-integration-tests.sh
         if: always()

@@ -1 +1 @@
-1.21.8
+1.22.3
@@ -1,5 +1,29 @@
 # Changelog
 
+## v1.18.1
+
+* Bug - [Mount /run/xtables.lock as FileOrCreate in Helm chart](https://github.com/aws/amazon-vpc-cni-k8s/pull/2841) (@kwohlfahrt)
+* Enhancement - [Update .go-version to 1.22.2 to fix CVE reports.](https://github.com/aws/amazon-vpc-cni-k8s/pull/2870) (@orsenthil)
+* Cleanup - [remove unused Dockerfile](https://github.com/aws/amazon-vpc-cni-k8s/pull/2869) (@sushrk)
+* Dependency - [Bump github.com/containernetworking/plugins from 1.4.0 to 1.4.1](https://github.com/aws/amazon-vpc-cni-k8s/pull/2860) (@dependabot)
+* Dependency - [Bump golang.org/x/sys from 0.17.0 to 0.18.0 in /test/agent](https://github.com/aws/amazon-vpc-cni-k8s/pull/2859) (@dependabot)
+* Dependency - [Bump helm.sh/helm/v3 from 3.14.2 to 3.14.3](https://github.com/aws/amazon-vpc-cni-k8s/pull/2862) (@dependabot)
+* Dependency - [Bump github.com/prometheus/common from 0.48.0 to 0.52.2](https://github.com/aws/amazon-vpc-cni-k8s/pull/2866) (@dependabot)
+* Dependency - [Bump github.com/stretchr/testify from 1.8.4 to 1.9.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/2863) (@dependabot)
+* Dependency - [Bump github.com/onsi/ginkgo/v2 from 2.14.0 to 2.17.1](https://github.com/aws/amazon-vpc-cni-k8s/pull/2864) (@dependabot)
+
+## v1.18.0
+
+* Cleanup - [run make generate-limits](https://github.com/aws/amazon-vpc-cni-k8s/pull/2835) (@jaydeokar)
+* Dependency - [Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible](https://github.com/aws/amazon-vpc-cni-k8s/pull/2855) (@dependabot)
+* Dependency - [upgrade golang to 1.21.8](https://github.com/aws/amazon-vpc-cni-k8s/pull/2847) (@jchen6585)
+* Dependency - [Bump google.golang.org/protobuf from 1.32.0 to 1.33.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/2848) (@dependabot)
+* Feature - [Enhance subnet selection](https://github.com/aws/amazon-vpc-cni-k8s/pull/2714) (@jchen6585)
+* Improvement - [Add vpc-id to leaked eni filters](https://github.com/aws/amazon-vpc-cni-k8s/pull/2856) (@jchen6585)
+* Testing - [Add missing params to authorize ingress](https://github.com/aws/amazon-vpc-cni-k8s/pull/2849) (@jchen6585)
+* Testing - [Integration test suite for Custom Networking + Security Groups for Pods](https://github.com/aws/amazon-vpc-cni-k8s/pull/2818) (@jdn5126)
+* Testing - [Fix coredns failing during custom networking tests](https://github.com/aws/amazon-vpc-cni-k8s/pull/2844) (@jchen6585)
+
 ## v1.17.1
 
 * Feature - [Send pod name/ns to nodeagent for strict mode](https://github.com/aws/amazon-vpc-cni-k8s/pull/2790) (@jayanthvn)

@@ -40,7 +40,7 @@ See [here](./docs/iam-policy.md) for required IAM policies.
 * `unit-test`, `format`,`lint` and `vet` provide ways to run the respective tests/tools and should be run before submitting a PR.
 * `make docker` will create a docker container using `docker buildx` that contains the finished binaries, with a tag of `amazon/amazon-k8s-cni:latest`
 * `make docker-unit-tests` uses a docker container to run all unit tests.
-* builds for all build and test actions run in docker containers based on `golang:1.21.5-6-gcc-al2` unless a different `GOLANG_IMAGE` tag is passed in.
+* Builds for all build and test actions run in docker containers based on `.go-version` unless a different `GOLANG_IMAGE` tag is passed in.
 
 ## Components
 

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.17.1
-appVersion: "v1.17.1"
+version: 1.18.1
+appVersion: "v1.18.1"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

@@ -48,15 +48,15 @@ The following table lists the configurable parameters for this chart and their d
 | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation   | `3`                                 |
 | `branchENICooldown`     | Number of seconds that branch ENIs remain in cooldown   | `60`                                |
 | `fullnameOverride`      | Override the fullname of the chart                      | `aws-node`                          |
-| `image.tag`             | Image tag                                               | `v1.17.1`                           |
+| `image.tag`             | Image tag                                               | `v1.18.1`                           |
 | `image.domain`          | ECR repository domain                                   | `amazonaws.com`                     |
 | `image.region`          | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `image.endpoint`        | ECR repository endpoint to use.                         | `ecr`                               |
 | `image.account`         | ECR repository account number                           | `602401143452`                      |
 | `image.pullPolicy`      | Container pull policy                                   | `IfNotPresent`                      |
 | `image.override`        | A custom docker image to use                            | `nil`                               |
 | `imagePullSecrets`      | Docker registry pull secret                             | `[]`                                |
-| `init.image.tag`        | Image tag                                               | `v1.17.1`                           |
+| `init.image.tag`        | Image tag                                               | `v1.18.1`                           |
 | `init.image.domain`     | ECR repository domain                                   | `amazonaws.com`                     |
 | `init.image.region`     | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `init.image.endpoint`   | ECR repository endpoint to use.                         | `ecr`                               |
@@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d
 | `originalMatchLabels`   | Use the original daemonset matchLabels                  | `false`                             |
 | `nameOverride`          | Override the name of the chart                          | `aws-node`                          |
 | `nodeAgent.enabled`     | If the Node Agent container should be created           | `true`                              |
-| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.1.0`                            |
+| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.1.1`                            |
 | `nodeAgent.image.domain`| ECR repository domain                                   | `amazonaws.com`                     |
 | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `nodeAgent.image.endpoint`   | ECR repository endpoint to use.                    | `ecr`                               |

@@ -134,6 +134,7 @@ spec:
             - --enable-network-policy={{ .Values.enableNetworkPolicy }}
             - --enable-cloudwatch-logs={{ .Values.nodeAgent.enableCloudWatchLogs }}
             - --enable-policy-event-logs={{ .Values.nodeAgent.enablePolicyEventLogs }}
+            - --log-file={{ .Values.nodeAgent.networkPolicyAgentLogFileLocation }}
             - --metrics-bind-addr={{ include "aws-vpc-cni.nodeAgentMetricsBindAddr" . }}
             - --health-probe-bind-addr={{ include "aws-vpc-cni.nodeAgentHealthProbeBindAddr" . }}
             - --conntrack-cache-cleanup-period={{ .Values.nodeAgent.conntrackCacheCleanupPeriod }}
@@ -183,6 +184,7 @@ spec:
       - name: xtables-lock
         hostPath:
           path: /run/xtables.lock
+          type: FileOrCreate
       {{- with .Values.extraVolumes  }}
       {{- toYaml .| nindent 6 }}
       {{- end }}

@@ -8,7 +8,7 @@ nameOverride: aws-node
 
 init:
   image:
-    tag: v1.17.1
+    tag: v1.18.1
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -27,7 +27,7 @@ init:
 nodeAgent:
   enabled: true
   image:
-    tag: v1.1.0
+    tag: v1.1.1
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -43,14 +43,15 @@ nodeAgent:
     privileged: true
   enableCloudWatchLogs: "false"
   enablePolicyEventLogs: "false"
+  networkPolicyAgentLogFileLocation: "/var/log/aws-routed-eni/network-policy-agent.log"
   enableIpv6: "false"
   metricsBindAddr: "8162"
   healthProbeBindAddr: "8163"
   conntrackCacheCleanupPeriod: 300
   resources: {}
 
 image:
-  tag: v1.17.1
+  tag: v1.18.1
   domain: amazonaws.com
   region: us-west-2
   endpoint: ecr
@@ -84,7 +85,7 @@ env:
   ENABLE_IPv4: "true"
   ENABLE_IPv6: "false"
   ENABLE_SUBNET_DISCOVERY: "true"
-  VPC_CNI_VERSION: "v1.17.1"
+  VPC_CNI_VERSION: "v1.18.1"
   NETWORK_POLICY_ENFORCING_MODE: "standard"
 
 # this flag enables you to use the match label that was present in the original daemonset deployed by EKS

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cni-metrics-helper
-version: 1.17.1
-appVersion: v1.17.1
+version: 1.18.1
+appVersion: v1.18.1
 description: A Helm chart for the AWS VPC CNI Metrics Helper
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

@@ -12,10 +12,22 @@ This chart provides a Kubernetes deployment for the Amazon VPC CNI Metrics Helpe
 First add the EKS repository to Helm:
 
 ```shell
-helm repo add eks https://aws.github.io/eks-charts
+$ helm repo add eks https://aws.github.io/eks-charts
 ```
 
-To install the chart with the release name `cni-metrics-helper` and default configuration:
+Ensure helm repository up to date
+
+```shell
+$ helm repo update eks
+```
+
+To identify the version you are going to apply
+
+```shell
+$ helm search repo eks/cni-metrics-helper --versions
+```
+
+To install the latest chart with the release name `cni-metrics-helper` and default configuration:
 
 ```shell
 $ helm install cni-metrics-helper --namespace kube-system eks/cni-metrics-helper
@@ -43,26 +55,34 @@ $ helm uninstall cni-metrics-helper --namespace kube-system
 
 The following table lists the configurable parameters for this chart and their default values.
 
-| Parameter                    | Description                                                   | Default            |
-|------------------------------|---------------------------------------------------------------|--------------------|
-| fullnameOverride             | Override the fullname of the chart                            | cni-metrics-helper |
-| image.region                 | ECR repository region to use. Should match your cluster       | us-west-2          |
-| image.tag                    | Image tag                                                     | v1.17.1            |
-| image.account                | ECR repository account number                                 | 602401143452       |
-| image.domain                 | ECR repository domain                                         | amazonaws.com      |
-| env.USE_CLOUDWATCH           | Whether to export CNI metrics to CloudWatch                   | true               |
-| env.USE_PROMETHEUS           | Whether to export CNI metrics to Prometheus                   | false              |
-| env.AWS_CLUSTER_ID           | ID of the cluster to use when exporting metrics to CloudWatch | default            |
-| env.AWS_VPC_K8S_CNI_LOGLEVEL | Log verbosity level (ie. FATAL, ERROR, WARN, INFO, DEBUG)     | INFO               |
-| env.METRIC_UPDATE_INTERVAL   | Interval at which to update CloudWatch metrics, in seconds.   |                    |
-|                              | Metrics are published to CloudWatch at 2x the interval        | 30                 |
-| serviceAccount.name          | The name of the ServiceAccount to use                         | nil                |
-| serviceAccount.create        | Specifies whether a ServiceAccount should be created          | true               |
-| serviceAccount.annotations   | Specifies the annotations for ServiceAccount                  | {}                 |
-| podAnnotations               | Specifies the annotations for pods                            | {}                 |
-| revisionHistoryLimit         | The number of revisions to keep                               | 10                 |
-| podSecurityContext           | SecurityContext to set on the pod                             | {}                 |
-| containerSecurityContext     | SecurityContext to set on the container                       | {}                 |
+
+| Parameter                      | Description                                                   | Default                             |
+| -------------------------------|---------------------------------------------------------------|-------------------------------------|
+| `affinity`                     | Map of node/pod affinities                                    | `{}`                                |
+| `fullnameOverride`             | Override the fullname of the chart                            | `cni-metrics-helper`                |
+| `image.tag`                    | Image tag                                                     | `v1.18.1`                           |
+| `image.domain`                 | ECR repository domain                                         | `amazonaws.com`                     |
+| `image.region`                 | ECR repository region to use. Should match your cluster       | `us-west-2`                         |
+| `image.account`                | ECR repository account number                                 | `602401143452`                      |
+| `env.USE_CLOUDWATCH`           | Whether to export CNI metrics to CloudWatch                   | `true`                              |
+| `env.USE_PROMETHEUS`           | Whether to export CNI metrics to Prometheus                   | `false`                             |
+| `env.AWS_CLUSTER_ID`           | ID of the cluster to use when exporting metrics to CloudWatch | `default`                           |
+| `env.AWS_VPC_K8S_CNI_LOGLEVEL` | Log verbosity level (ie. FATAL, ERROR, WARN, INFO, DEBUG)     | `INFO`                              |
+| `env.METRIC_UPDATE_INTERVAL`   | Interval at which to update CloudWatch metrics, in seconds.   |                                     |
+|                                | Metrics are published to CloudWatch at 2x the interval        | `30`                                |
+| `serviceAccount.name`          | The name of the ServiceAccount to use                         | `nil`                               |
+| `serviceAccount.create`        | Specifies whether a ServiceAccount should be created          | `true`                              |
+| `serviceAccount.annotations`   | Specifies the annotations for ServiceAccount                  | `{}`                                |
+| `podAnnotations`               | Specifies the annotations for pods                            | `{}`                                |
+| `revisionHistoryLimit`         | The number of revisions to keep                               | `10`                                |
+| `podSecurityContext`           | SecurityContext to set on the pod                             | `{}`                                |
+| `containerSecurityContext`     | SecurityContext to set on the container                       | `{}`                                |
+| `tolerations`                  | Optional deployment tolerations                               | `[]`                                |
+| `updateStrategy`               | Optional update strategy                                      | `{}`                                |
+| `imagePullSecrets`             | Docker registry pull secret                                   | `[]`                                |
+| `nodeSelector`                 | Node labels for pod assignment                                | `{}`                                |
+| `tolerations`                  | Optional deployment tolerations                               | `[]`                                |
+
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters:
 

@@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "cni-metrics-helper.fullname" . }}
+  labels:
+{{ include "cni-metrics-helper.labels" . | indent 4 }}
 rules:
   - apiGroups: [""]
     resources: