Adding release notes for mult-nic feature

Author: jaydeokar

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## v1.20.0
+* Feature - Adding support in CNI for managing multiple network interface card on the instance in #3347,#3349
+* Dependency - Bump helm.sh/helm/v3 from 3.18.1 to 3.18.4 in #3346
+* Dependency - Bump aws-dependencies in #3337
+* Improvement - Build CNI plugins from source in #3343
+* Fix - Fix error when Network policy agent GRPC call fails in #3320
+* Fix - Fix race condition when force deleting pod using a security group for pod feature in #3304
+* Improvement - Add latency metrics for ipamd init in #3301
+
 ## v1.19.6
 * Dependency - Bump k8s.io/apimachinery from 0.32.3 to 0.33.0 by @dependabot in #3279
 * Dependency - Bump golang.org/x/sys from 0.31.0 to 0.32.0 in /test/agent in #3280

README.md

@@ -757,6 +757,32 @@ Default: `false`
 Setting `ENABLE_IMDS_ONLY_MODE` to `true` enables the CNI plugin to operate in environments with strict VPC or IAM restrictions where EC2 API access is limited or unavailable. In this mode, the CNI plugin relies solely on the Instance Metadata Service (IMDS) to retrieve information about ENIs (Elastic Network Interfaces) and determine IP addresses to assign. These ENIs are only discovered at startup, so ENIs and IPs must be pre-attached and pre-assigned before CNI plugin starts up.
 Enabling this mode automatically sets `DISABLE_NETWORK_RESOURCE_PROVISIONING` and `DISABLE_LEAKED_ENI_CLEANUP` to `true`, as the CNI plugin will not make any EC2 API calls during operation.
 
+
+#### `ENABLE_MULTI_NIC` (v1.20.0+)
+
+Type: Boolean as a String
+
+Default: `false`
+
+The CNI plugin by default only manages network card 0 and assigns a single IP address to each Pod. Setting `ENABLE_MULTI_NIC` to `true` enables the Amazon VPC CNI plugin to manage all eligible network cards on supported multi-card instance types.
+
+A network card will be managed if at least one of the following conditions is met:
+
+a. The network card does not have any devices attached to it
+b. The network card has an `efa` OR an `ena` device attached to it
+c. The network card has an `efa-only` AND an `ena` device attached to it
+
+## Annotations
+
+#### Multi Homed Pods (v1.20.0+)
+
+The `k8s.amazonaws.com/nicConfig: multi-nic-attachment` annotation enables multi-homing for a pod, allowing it to receive an IP address from each managed network card on the node. While this provides multiple network paths, applications must explicitly utilize these interfaces to take advantage of the additional bandwidth. To enable this feature, set `ENABLE_MULTI_NIC` to `true` in the Amazon VPC CNI configuration and schedule the pod on an instance type that supports multiple network cards. If you are using the AWS VPC CNI implementation of network policies, these policies are applied symmetrically to all interfaces of the pod.
+
+Note -
+Downgrade considerations
+1. If the feature is enabled and you plan to downgrade the plugin from v1.20.0+, ensure that all multi-homed pods are removed first to prevent IP leaks and then set the `ENABLE_MULTI_NIC` to `false`.
+2. Drain and remove the nodes to clean up any additional ENIs created by the Amazon VPC CNI plugin on network cards with index > 0
+
 ### VPC CNI Feature Matrix
 
 

charts/aws-vpc-cni/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.19.6
-appVersion: "v1.19.6"
+version: 1.20.0
+appVersion: "v1.20.0" 
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

charts/aws-vpc-cni/README.md

@@ -48,15 +48,15 @@ The following table lists the configurable parameters for this chart and their d
 | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation   | `3`                                 |
 | `branchENICooldown`     | Number of seconds that branch ENIs remain in cooldown   | `60`                                |
 | `fullnameOverride`      | Override the fullname of the chart                      | `aws-node`                          |
-| `image.tag`             | Image tag                                               | `v1.19.6`                           |
+| `image.tag`             | Image tag                                               | `v1.20.0`                           |
 | `image.domain`          | ECR repository domain                                   | `amazonaws.com`                     |
 | `image.region`          | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `image.endpoint`        | ECR repository endpoint to use.                         | `ecr`                               |
 | `image.account`         | ECR repository account number                           | `602401143452`                      |
 | `image.pullPolicy`      | Container pull policy                                   | `IfNotPresent`                      |
 | `image.override`        | A custom docker image to use                            | `nil`                               |
 | `imagePullSecrets`      | Docker registry pull secret                             | `[]`                                |
-| `init.image.tag`        | Image tag                                               | `v1.19.6`                           |
+| `init.image.tag`        | Image tag                                               | `v1.20.0`                           |
 | `init.image.domain`     | ECR repository domain                                   | `amazonaws.com`                     |
 | `init.image.region`     | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `init.image.endpoint`   | ECR repository endpoint to use.                         | `ecr`                               |
@@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d
 | `originalMatchLabels`   | Use the original daemonset matchLabels                  | `false`                             |
 | `nameOverride`          | Override the name of the chart                          | `aws-node`                          |
 | `nodeAgent.enabled`     | If the Node Agent container should be created           | `true`                              |
-| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.2.2`                            |
+| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.2.3`                            |
 | `nodeAgent.image.domain`| ECR repository domain                                   | `amazonaws.com`                     |
 | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `nodeAgent.image.endpoint`   | ECR repository endpoint to use.                    | `ecr`                               |

charts/aws-vpc-cni/values.yaml

@@ -8,7 +8,7 @@ nameOverride: aws-node
 
 init:
   image:
-    tag: v1.19.6
+    tag: v1.20.0
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -27,7 +27,7 @@ init:
 nodeAgent:
   enabled: true
   image:
-    tag: v1.2.2
+    tag: v1.2.3
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -52,7 +52,7 @@ nodeAgent:
   resources: {}
 
 image:
-  tag: v1.19.6
+  tag: v1.20.0
   domain: amazonaws.com
   region: us-west-2
   endpoint: ecr
@@ -86,9 +86,10 @@ env:
   ENABLE_IPv4: "true"
   ENABLE_IPv6: "false"
   ENABLE_SUBNET_DISCOVERY: "true"
-  VPC_CNI_VERSION: "v1.19.6"
+  VPC_CNI_VERSION: "v1.20.0"
   NETWORK_POLICY_ENFORCING_MODE: "standard"
   ENABLE_IMDS_ONLY_MODE: "false"
+  ENABLE_MULTI_NIC: "false"
 
 # Add env from configMap or from secrets
 # - name: ENV_VAR1

charts/cni-metrics-helper/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cni-metrics-helper
-version: 1.19.6
-appVersion: v1.19.6
+version: 1.20.0
+appVersion: v1.20.0
 description: A Helm chart for the AWS VPC CNI Metrics Helper
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

charts/cni-metrics-helper/README.md

@@ -60,7 +60,7 @@ The following table lists the configurable parameters for this chart and their d
 | -------------------------------|---------------------------------------------------------------|-------------------------------------|
 | `affinity`                     | Map of node/pod affinities                                    | `{}`                                |
 | `fullnameOverride`             | Override the fullname of the chart                            | `cni-metrics-helper`                |
-| `image.tag`                    | Image tag                                                     | `v1.19.6`                           |
+| `image.tag`                    | Image tag                                                     | `v1.20.0`                           |
 | `image.domain`                 | ECR repository domain                                         | `amazonaws.com`                     |
 | `image.region`                 | ECR repository region to use. Should match your cluster       | `us-west-2`                         |
 | `image.account`                | ECR repository account number                                 | `602401143452`                      |

charts/cni-metrics-helper/values.yaml

@@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper
 
 image:
   region: us-west-2
-  tag: v1.19.6
+  tag: v1.20.0
   account: "602401143452"
   domain: "amazonaws.com"
   # Set to use custom image

config/master/aws-k8s-cni-cn.yaml

@@ -300,7 +300,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -312,7 +312,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -331,7 +331,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -377,7 +377,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -397,7 +397,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -418,7 +418,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.19.6
+        image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.20.0
         imagePullPolicy: Always
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
@@ -440,7 +440,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.19.6
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.20.0
           ports:
             - containerPort: 61678
               name: metrics
@@ -497,6 +497,8 @@ spec:
               value: "true"
             - name: ENABLE_IPv6
               value: "false"
+            - name: ENABLE_MULTI_NIC
+              value: "false"
             - name: ENABLE_POD_ENI
               value: "false"
             - name: ENABLE_PREFIX_DELEGATION
@@ -506,7 +508,7 @@ spec:
             - name: NETWORK_POLICY_ENFORCING_MODE
               value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.19.6"
+              value: "v1.20.0"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -541,7 +543,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.2
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.3
           imagePullPolicy: Always
           ports:
             - containerPort: 8162

config/master/aws-k8s-cni-us-gov-east-1.yaml

@@ -300,7 +300,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -312,7 +312,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -331,7 +331,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -377,7 +377,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -397,7 +397,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.6"
+    app.kubernetes.io/version: "v1.20.0"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -418,7 +418,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.19.6
+        image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.20.0
         imagePullPolicy: Always
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
@@ -440,7 +440,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.19.6
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.20.0
           ports:
             - containerPort: 61678
               name: metrics
@@ -497,6 +497,8 @@ spec:
               value: "true"
             - name: ENABLE_IPv6
               value: "false"
+            - name: ENABLE_MULTI_NIC
+              value: "false"
             - name: ENABLE_POD_ENI
               value: "false"
             - name: ENABLE_PREFIX_DELEGATION
@@ -506,7 +508,7 @@ spec:
             - name: NETWORK_POLICY_ENFORCING_MODE
               value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.19.6"
+              value: "v1.20.0"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -541,7 +543,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.2
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.3
           imagePullPolicy: Always
           ports:
             - containerPort: 8162