Update aws-node from 1.12.6 to 1.18.1 #7756
1.18.1 is recommended for EKS clusters, where it's documented that "For all Kubernetes releases, we recommend installing the latest VPC CNI release." as read at https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#recommended-version. The latest available addon versions for various k8s minor versions are listed at https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on, and it currently says 1.18.1 for k8s 1.23 to 1.29.
Hello consideRatio 👋 Thank you for opening a Pull Request in eksctl project. The team will review the Pull Request and aim to respond within 1-10 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website
A key confusion point is why Maybe the way forward isn't to bump this, but to help users transition to using
Ideally we'd have our github actions workflow that opens a PR with the latest version of aws-node weekly. That's not working as intended unfortunately. I think the reason why
I pushed an update meant to fix the unit tests -- we now have two containers instead of just one in the aws-node pod. The added container relates to NetworkPolicy enforcement - which is disabled by default in the daemonset, and doesn't seem to get functional after enabling it either. It would be great if networkpolicy enforcement could be configured and enabled successfully, but it could be considered separate from this PR as well of course. I lack the knowledge in eksctl to drive this work =/
pkg/addons/default/aws_node_test.go
Outdated
Expect(awsNode.Spec.Template.Spec.Containers[0].Image).To( | ||
Equal("602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon-k8s-cni:v1.18.1"), | ||
) | ||
Expect(awsNode.Spec.Template.Spec.Containers[1].Image).To( |
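Review bot: the image assertions select containers by position (Containers[0], Containers[1]), so they fail for an unrelated reason whenever the manifest adds or reorders containers; looking the container up by name before asserting on its image would make the test independent of order. The expected value is also one literal that pins registry account, region and the v1.18.1 tag, so each version bump needs a hand edit here unless the expected tag is derived from the manifest under test.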
I'm working on a script that automatically updates the unit test as well, as part of the workflow. Let's remove this assertion; the one above should be enough for the purpose of testing.
Thank you @TiberiuGC! For reference about the network policy stuff, the steps to enable it are listed here under "self-managed add-on" I think - I've followed them and failed to see a result so far though
* Update aws-node from 1.12.6 to 1.18.1
  1.18.1 is recommended for EKS clusters, where it's documented that "For all Kubernetes releases, we recommend installing the latest VPC CNI release." as read at https://github.com/aws/amazon-vpc-cni-k8s?tab=readme-ov-file#recommended-version. The latest available addon versions for various k8s minor versions are listed at https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on, and it currently says 1.18.1 for k8s 1.23 to 1.29.
* Update tests for aws-node 1.18.1
* Reduce complexity of aws-node test
eksctl utils update-aws-node downgraded aws-node significantly instead of upgrading it #7755
1.18.1 is recommended for EKS clusters, where it's documented in aws/amazon-vpc-cni that "For all Kubernetes releases, we recommend installing the latest VPC CNI release."
The latest available addon versions for various k8s minor versions are listed here, and it currently says 1.18.1 for k8s 1.23 to 1.29.
This PR mimics what was done in #6692 that updated this version from 1.11 to 1.12 before.
NetworkPolicy enforcement (not enabled by default, and doesn't work if enabled)
A noteworthy change introduced with this newer version of aws-node / amazon-vpc-cni is that NetworkPolicy resources are meant to become enforced as I understand it, this was introduced in v1.14.0 according to changelog.
I tested the network policy enforcement, and it didn't get enabled by the change in this PR by default. In a blogpost we see that they also configure the addon like:
I don't understand why there is an aws-node.yaml in this project with a hardcoded version and why it's separate from using an EKS addon - but in this case since eksctl utils update-aws-node doesn't relate to the listed addons, I'm not sure how we would do the equivalent configuration.
A container in the aws-node daemonset has the following args, so I figure we would then toggle --enable-network-policy=false to =true.
I tested changing this, but network policy remained not-enforced.
eksctl utils update-aws-node tested
I tested building an eksctl binary on top of this commit, and I used it to successfully update from 1.12.6 to 1.18.1 in a cluster. The aws-node pod entered a running state successfully and the cluster's workload behaved as expected still.
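A way to audit the setting discussed above, as an added example that is not eksctl's code and not part of the PR: it reads a DaemonSet manifest in JSON form and reports which container carries --enable-network-policy and its value, searching by argument rather than by container index. The sample manifest is constructed, and the second container's name, image and extra argument are placeholders; the result is the configured value only, since the description above reports that enforcement stayed off after the flag was flipped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: a trimmed aws-node DaemonSet as JSON. The second
// container's name, image and first arg are placeholders, not values from the PR.
const sampleDaemonSet = `{"spec":{"template":{"spec":{"containers":[
 {"name":"aws-node","image":"602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon-k8s-cni:v1.18.1"},
 {"name":"agent-placeholder","image":"registry.example/agent:placeholder",
  "args":["--metrics-placeholder=1","--enable-network-policy=false"]}]}}}}`

type daemonSet struct {
	Spec struct {
		Template struct {
			Spec struct {
				Containers []struct {
					Name string   `json:"name"`
					Args []string `json:"args"`
				} `json:"containers"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// NetworkPolicyFlag finds --enable-network-policy by scanning every container's
// args (not by container index) and returns the container name and flag value.
func NetworkPolicyFlag(manifest string) (string, bool, error) {
	var ds daemonSet
	if err := json.Unmarshal([]byte(manifest), &ds); err != nil {
		return "", false, fmt.Errorf("parse daemonset: %w", err)
	}
	for _, c := range ds.Spec.Template.Spec.Containers {
		for _, a := range c.Args {
			if name, val, _ := strings.Cut(a, "="); name == "--enable-network-policy" {
				on, err := strconv.ParseBool(val) // a bare flag (no "=value") is an error here
				return c.Name, on, err
			}
		}
	}
	return "", false, fmt.Errorf("no container sets --enable-network-policy")
}

func main() {
	fmt.Println(NetworkPolicyFlag(sampleDaemonSet))
}
```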