aws · jaydeokar · Mar 18, 2024 · Mar 18, 2024 · jayanthvn · Mar 18, 2024
@@ -1,5 +1,20 @@
 # Changelog
 
+## v1.17.1
+
+* Feature - [Send pod name/ns to nodeagent for strict mode](https://github.com/aws/amazon-vpc-cni-k8s/pull/2790) (@jayanthvn)
+* Feature - [gRPC call for networkpolicy agent](https://github.com/aws/amazon-vpc-cni-k8s/pull/2785)(@jayanthvn)
+* Improvement - [Bump golang.org/x/sys from 0.16.0 to 0.17.0 in /test/agent](https://github.com/aws/amazon-vpc-cni-k8s/pull/2822) (@dependabot)
+* Improvement - [Bump google.golang.org/grpc from 1.61.0 to 1.62.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/2827) (@dependabot)
+* Improvement - [Bump google.golang.org/grpc from 1.61.0 to 1.62.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/2827) (@dependabot)
+* Improvement - [Bump github.com/aws/aws-sdk-go from 1.49.13 to 1.50.29](https://github.com/aws/amazon-vpc-cni-k8s/pull/2826) (@dependabot)
+* Improvement - [Bump k8s.io/apimachinery from 0.29.0 to 0.29.2](https://github.com/aws/amazon-vpc-cni-k8s/pull/2825) (@dependabot)
+* Improvement - [make generate; make generate-limits; remove soak tests](https://github.com/aws/amazon-vpc-cni-k8s/pull/2819) (@dependabot)
+* Improvement - [Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/2824) (@dependabot)
+* Improvement - [Make vpc cni as master CNI in multus-daemonset-thick.yml](https://github.com/aws/amazon-vpc-cni-k8s/pull/2828) (@raghs-aws)
+* Improvement - [Bump github.com/prometheus/client_model from 0.5.0 to 0.6.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/2829) (@dependabot)
+* Improvement - [Repo controlled build go version](https://github.com/aws/amazon-vpc-cni-k8s/pull/2831) (@xdu31)
+
 ## v1.16.4
 
 * Bug - [Revert #2744 to prevent livelock when attempting to increase datastore pool](https://github.com/aws/amazon-vpc-cni-k8s/pull/2810) (@jdn5126 )

@@ -720,6 +720,15 @@ Container runtimes such as `containerd` will enable IPv6 in newly created contai
 
 Note that if you set this while using Multus, you must ensure that any chained plugins do not depend on IPv6 networking. You must also ensure that chained plugins do not also modify these sysctls.
 
+
+#### `NETWORK_POLICY_ENFORCING_MODE` (v1.17.1+)
+
+Type: String
+
+Default: `standard`
+
+Network Policy agent now supports two modes for Network Policy enforcement - Strict and Standard. By default, the Amazon VPC CNI plugin for Kubernetes configures network policies for pods in parallel with the pod provisioning. In the `standard` mode, until all of the policies are configured for the new pod, containers in the new pod will start with a default allow policy. A default allow policy means that all ingress and egress traffic is allowed to and from the new pods. However, in the `strict` mode, a new pod will be blocked from Egress and Ingress connections till a qualifying Network Policy is applied. In Strict Mode, you must have a network policy defined for every pod in your cluster. Host Networking pods are exempted from this requirement.
+
 ### VPC CNI Feature Matrix
 
 

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.16.4
-appVersion: "v1.16.4"
+version: 1.17.1
+appVersion: "v1.17.1"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

@@ -48,15 +48,15 @@ The following table lists the configurable parameters for this chart and their d
 | `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation   | `3`                                 |
 | `branchENICooldown`     | Number of seconds that branch ENIs remain in cooldown   | `60`                                |
 | `fullnameOverride`      | Override the fullname of the chart                      | `aws-node`                          |
-| `image.tag`             | Image tag                                               | `v1.16.4`                           |
+| `image.tag`             | Image tag                                               | `v1.17.1`                           |
 | `image.domain`          | ECR repository domain                                   | `amazonaws.com`                     |
 | `image.region`          | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `image.endpoint`        | ECR repository endpoint to use.                         | `ecr`                               |
 | `image.account`         | ECR repository account number                           | `602401143452`                      |
 | `image.pullPolicy`      | Container pull policy                                   | `IfNotPresent`                      |
 | `image.override`        | A custom docker image to use                            | `nil`                               |
 | `imagePullSecrets`      | Docker registry pull secret                             | `[]`                                |
-| `init.image.tag`        | Image tag                                               | `v1.16.4`                           |
+| `init.image.tag`        | Image tag                                               | `v1.17.1`                           |
 | `init.image.domain`     | ECR repository domain                                   | `amazonaws.com`                     |
 | `init.image.region`     | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `init.image.endpoint`   | ECR repository endpoint to use.                         | `ecr`                               |
@@ -69,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d
 | `originalMatchLabels`   | Use the original daemonset matchLabels                  | `false`                             |
 | `nameOverride`          | Override the name of the chart                          | `aws-node`                          |
 | `nodeAgent.enabled`     | If the Node Agent container should be created           | `true`                              |
-| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.0.8`                            |
+| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.1.0`                            |
 | `nodeAgent.image.domain`| ECR repository domain                                   | `amazonaws.com`                     |
 | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `nodeAgent.image.endpoint`   | ECR repository endpoint to use.                    | `ecr`                               |

@@ -8,7 +8,7 @@ nameOverride: aws-node
 
 init:
   image:
-    tag: v1.16.4
+    tag: v1.17.1
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -27,7 +27,7 @@ init:
 nodeAgent:
   enabled: true
   image:
-    tag: v1.0.8
+    tag: v1.1.0
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -50,7 +50,7 @@ nodeAgent:
   resources: {}
 
 image:
-  tag: v1.16.4
+  tag: v1.17.1
   domain: amazonaws.com
   region: us-west-2
   endpoint: ecr
@@ -83,7 +83,8 @@ env:
   DISABLE_NETWORK_RESOURCE_PROVISIONING: "false"
   ENABLE_IPv4: "true"
   ENABLE_IPv6: "false"
-  VPC_CNI_VERSION: "v1.16.4"
+  VPC_CNI_VERSION: "v1.17.1"
+  NETWORK_POLICY_ENFORCING_MODE: "standard"
 
 # this flag enables you to use the match label that was present in the original daemonset deployed by EKS
 # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cni-metrics-helper
-version: 1.16.4
-appVersion: v1.16.4
+version: 1.17.1
+appVersion: v1.17.1
 description: A Helm chart for the AWS VPC CNI Metrics Helper
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

@@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d
 |------------------------------|---------------------------------------------------------------|--------------------|
 | fullnameOverride             | Override the fullname of the chart                            | cni-metrics-helper |
 | image.region                 | ECR repository region to use. Should match your cluster       | us-west-2          |
-| image.tag                    | Image tag                                                     | v1.16.4            |
+| image.tag                    | Image tag                                                     | v1.17.1            |
 | image.account                | ECR repository account number                                 | 602401143452       |
 | image.domain                 | ECR repository domain                                         | amazonaws.com      |
 | env.USE_CLOUDWATCH           | Whether to export CNI metrics to CloudWatch                   | true               |

@@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper
 
 image:
   region: us-west-2
-  tag: v1.16.4
+  tag: v1.17.1
   account: "602401143452"
   domain: "amazonaws.com"
   # Set to use custom image

@@ -266,7 +266,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -278,7 +278,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -297,7 +297,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -343,7 +343,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -363,7 +363,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -384,7 +384,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.16.4
+        image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.17.1
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
             value: "false"
@@ -405,7 +405,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.16.4
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.17.1
           ports:
             - containerPort: 61678
               name: metrics
@@ -464,8 +464,10 @@ spec:
               value: "false"
             - name: ENABLE_PREFIX_DELEGATION
               value: "false"
+            - name: NETWORK_POLICY_ENFORCING_MODE
+              value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.16.4"
+              value: "v1.17.1"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -500,7 +502,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.0.8
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.1.0
           env:
             - name: MY_NODE_NAME
               valueFrom:

@@ -266,7 +266,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -278,7 +278,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -297,7 +297,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -343,7 +343,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -363,7 +363,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -384,7 +384,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.16.4
+        image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.17.1
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
             value: "false"
@@ -405,7 +405,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.16.4
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.17.1
           ports:
             - containerPort: 61678
               name: metrics
@@ -464,8 +464,10 @@ spec:
               value: "false"
             - name: ENABLE_PREFIX_DELEGATION
               value: "false"
+            - name: NETWORK_POLICY_ENFORCING_MODE
+              value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.16.4"
+              value: "v1.17.1"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -500,7 +502,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.0.8
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.1.0
           env:
             - name: MY_NODE_NAME
               valueFrom:

@@ -266,7 +266,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -278,7 +278,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 data:
   enable-windows-ipam: "false"
   enable-network-policy-controller: "false"
@@ -297,7 +297,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -343,7 +343,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -363,7 +363,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.16.4"
+    app.kubernetes.io/version: "v1.17.1"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -384,7 +384,7 @@ spec:
       hostNetwork: true
       initContainers:
       - name: aws-vpc-cni-init
-        image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni-init:v1.16.4
+        image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni-init:v1.17.1
         env:
           - name: DISABLE_TCP_EARLY_DEMUX
             value: "false"
@@ -405,7 +405,7 @@ spec:
         {}
       containers:
         - name: aws-node
-          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni:v1.16.4
+          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni:v1.17.1
           ports:
             - containerPort: 61678
               name: metrics
@@ -464,8 +464,10 @@ spec:
               value: "false"
             - name: ENABLE_PREFIX_DELEGATION
               value: "false"
+            - name: NETWORK_POLICY_ENFORCING_MODE
+              value: "standard"
             - name: VPC_CNI_VERSION
-              value: "v1.16.4"
+              value: "v1.17.1"
             - name: WARM_ENI_TARGET
               value: "1"
             - name: WARM_PREFIX_TARGET
@@ -500,7 +502,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-network-policy-agent:v1.0.8
+          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-network-policy-agent:v1.1.0
           env:
             - name: MY_NODE_NAME
               valueFrom: