Adding release notes and chart update (#3313)

Author: yash97

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## v1.19.6
+* Dependency - Bump k8s.io/apimachinery from 0.32.3 to 0.33.0 by @dependabot in #3279
+* Dependency - Bump golang.org/x/sys from 0.31.0 to 0.32.0 in /test/agent in #3280
+* Fix - fixed integration test script by @viveksb007 in #3282 
+* Fix - Adding CVE fixes and remove pinned dependencies by @jaydeokar  in #3283
+* Dependency - Updating netlink to v1.3.1 by @jaydeokar in #3286
+* Feature - adding ENABLE_IMDS_ONLY_MODE configuration so ipamd will not interact with EC2 for node init and reconcile by @bhaoz in #3287
+
 ## v1.19.5
 * Fix - fixed node init failure when using custom networking and SGPP @oliviassss in #3277
 

charts/aws-vpc-cni/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.19.5
-appVersion: "v1.19.5"
+version: 1.19.6
+appVersion: "v1.19.6"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

charts/aws-vpc-cni/README.md

@@ -48,15 +48,15 @@ The following table lists the configurable parameters for this chart and their d
 | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation   | `3`                                 |
 | `branchENICooldown`     | Number of seconds that branch ENIs remain in cooldown   | `60`                                |
 | `fullnameOverride`      | Override the fullname of the chart                      | `aws-node`                          |
-| `image.tag`             | Image tag                                               | `v1.19.5`                           |
+| `image.tag`             | Image tag                                               | `v1.19.6`                           |
 | `image.domain`          | ECR repository domain                                   | `amazonaws.com`                     |
 | `image.region`          | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `image.endpoint`        | ECR repository endpoint to use.                         | `ecr`                               |
 | `image.account`         | ECR repository account number                           | `602401143452`                      |
 | `image.pullPolicy`      | Container pull policy                                   | `IfNotPresent`                      |
 | `image.override`        | A custom docker image to use                            | `nil`                               |
 | `imagePullSecrets`      | Docker registry pull secret                             | `[]`                                |
-| `init.image.tag`        | Image tag                                               | `v1.19.5`                           |
+| `init.image.tag`        | Image tag                                               | `v1.19.6`                           |
 | `init.image.domain`     | ECR repository domain                                   | `amazonaws.com`                     |
 | `init.image.region`     | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `init.image.endpoint`   | ECR repository endpoint to use.                         | `ecr`                               |
@@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d
 | `originalMatchLabels`   | Use the original daemonset matchLabels                  | `false`                             |
 | `nameOverride`          | Override the name of the chart                          | `aws-node`                          |
 | `nodeAgent.enabled`     | If the Node Agent container should be created           | `true`                              |
-| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.2.1`                            |
+| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.2.2`                            |
 | `nodeAgent.image.domain`| ECR repository domain                                   | `amazonaws.com`                     |
 | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `nodeAgent.image.endpoint`   | ECR repository endpoint to use.                    | `ecr`                               |
@@ -84,6 +84,7 @@ The following table lists the configurable parameters for this chart and their d
 | `nodeAgent.conntrackCacheCleanupPeriod` | Cleanup interval for network policy agent conntrack cache | 300               |
 | `nodeAgent.enableIpv6`  | Enable IPv6 support for Node Agent                      | `false`                             |
 | `nodeAgent.resources`   | Node Agent resources, will defualt to .Values.resources if not set | `{}`                     |
+| `nodeAgent.logLevel`    | Node Agent logging verbosity level.                     | `debug`                             |
 | `extraVolumes`          | Array to add extra volumes                              | `[]`                                |
 | `extraVolumeMounts`     | Array to add extra mount                                | `[]`                                |
 | `nodeSelector`          | Node labels for pod assignment                          | `{}`                                |

charts/aws-vpc-cni/templates/daemonset.yaml

@@ -151,6 +151,7 @@ spec:
             - --metrics-bind-addr={{ include "aws-vpc-cni.nodeAgentMetricsBindAddr" . }}
             - --health-probe-bind-addr={{ include "aws-vpc-cni.nodeAgentHealthProbeBindAddr" . }}
             - --conntrack-cache-cleanup-period={{ .Values.nodeAgent.conntrackCacheCleanupPeriod }}
+            - --log-level={{ .Values.nodeAgent.logLevel }}
           {{- with default .Values.resources .Values.nodeAgent.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

charts/aws-vpc-cni/values.yaml

@@ -8,7 +8,7 @@ nameOverride: aws-node
 
 init:
   image:
-    tag: v1.19.5
+    tag: v1.19.6
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -27,7 +27,7 @@ init:
 nodeAgent:
   enabled: true
   image:
-    tag: v1.2.1
+    tag: v1.2.2
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -48,10 +48,11 @@ nodeAgent:
   metricsBindAddr: "8162"
   healthProbeBindAddr: "8163"
   conntrackCacheCleanupPeriod: 300
+  logLevel: "debug"
   resources: {}
 
 image:
-  tag: v1.19.5
+  tag: v1.19.6
   domain: amazonaws.com
   region: us-west-2
   endpoint: ecr
@@ -85,8 +86,9 @@ env:
   ENABLE_IPv4: "true"
   ENABLE_IPv6: "false"
   ENABLE_SUBNET_DISCOVERY: "true"
-  VPC_CNI_VERSION: "v1.19.5"
+  VPC_CNI_VERSION: "v1.19.6"
   NETWORK_POLICY_ENFORCING_MODE: "standard"
+  ENABLE_IMDS_ONLY_MODE: "false"
 
 # Add env from configMap or from secrets
 # - name: ENV_VAR1

charts/cni-metrics-helper/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cni-metrics-helper
-version: 1.19.5
-appVersion: v1.19.5
+version: 1.19.6
+appVersion: v1.19.6
 description: A Helm chart for the AWS VPC CNI Metrics Helper
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

charts/cni-metrics-helper/README.md

@@ -60,7 +60,7 @@ The following table lists the configurable parameters for this chart and their d
 | -------------------------------|---------------------------------------------------------------|-------------------------------------|
 | `affinity`                     | Map of node/pod affinities                                    | `{}`                                |
 | `fullnameOverride`             | Override the fullname of the chart                            | `cni-metrics-helper`                |
-| `image.tag`                    | Image tag                                                     | `v1.19.5`                           |
+| `image.tag`                    | Image tag                                                     | `v1.19.6`                           |
 | `image.domain`                 | ECR repository domain                                         | `amazonaws.com`                     |
 | `image.region`                 | ECR repository region to use. Should match your cluster       | `us-west-2`                         |
 | `image.account`                | ECR repository account number                                 | `602401143452`                      |

charts/cni-metrics-helper/values.yaml

@@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper
 
 image:
   region: us-west-2
-  tag: v1.19.5
+  tag: v1.19.6
   account: "602401143452"
   domain: "amazonaws.com"
   # Set to use custom image

config/master/aws-k8s-cni-cn.yaml

@@ -300,7 +300,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -312,7 +312,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -331,7 +331,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -377,7 +377,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -397,7 +397,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -418,7 +418,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.19.5
+        image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.19.6
         imagePullPolicy: Always
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
@@ -440,7 +440,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.19.5
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.19.6
           ports:
             - containerPort: 61678
               name: metrics
@@ -491,6 +491,8 @@ spec:
               value: "false"
             - name: DISABLE_NETWORK_RESOURCE_PROVISIONING
               value: "false"
+            - name: ENABLE_IMDS_ONLY_MODE
+              value: "false"
             - name: ENABLE_IPv4
               value: "true"
             - name: ENABLE_IPv6
@@ -504,7 +506,7 @@ spec:
             - name: NETWORK_POLICY_ENFORCING_MODE
               value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.19.5"
+              value: "v1.19.6"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -539,7 +541,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.1
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.2
           imagePullPolicy: Always
           ports:
             - containerPort: 8162
@@ -559,6 +561,7 @@ spec:
             - --metrics-bind-addr=:8162
             - --health-probe-bind-addr=:8163
             - --conntrack-cache-cleanup-period=300
+            - --log-level=debug
           resources:
             requests:
               cpu: 25m

config/master/aws-k8s-cni-us-gov-east-1.yaml

@@ -300,7 +300,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -312,7 +312,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -331,7 +331,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -377,7 +377,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -397,7 +397,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.19.5"
+    app.kubernetes.io/version: "v1.19.6"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -418,7 +418,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.19.5
+        image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.19.6
         imagePullPolicy: Always
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
@@ -440,7 +440,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.19.5
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.19.6
           ports:
             - containerPort: 61678
               name: metrics
@@ -491,6 +491,8 @@ spec:
               value: "false"
             - name: DISABLE_NETWORK_RESOURCE_PROVISIONING
               value: "false"
+            - name: ENABLE_IMDS_ONLY_MODE
+              value: "false"
             - name: ENABLE_IPv4
               value: "true"
             - name: ENABLE_IPv6
@@ -504,7 +506,7 @@ spec:
             - name: NETWORK_POLICY_ENFORCING_MODE
               value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.19.5"
+              value: "v1.19.6"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -539,7 +541,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.1
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.2
           imagePullPolicy: Always
           ports:
             - containerPort: 8162
@@ -559,6 +561,7 @@ spec:
             - --metrics-bind-addr=:8162
             - --health-probe-bind-addr=:8163
             - --conntrack-cache-cleanup-period=300
+            - --log-level=debug
           resources:
             requests:
               cpu: 25m