v1.18.1

v1.18.1

Release Notes

None

Changes since v1.18.0

• Bug - Mount /run/xtables.lock as FileOrCreate in Helm chart (@kwohlfahrt)
• Cleanup - remove unused Dockerfile (@sushrk)
• Dependency - Bump github.com/containernetworking/plugins from 1.4.0 to 1.4.1 (@dependabot)
• Dependency - Bump golang.org/x/sys from 0.17.0 to 0.18.0 in /test/agent (@dependabot)
• Dependency - Bump helm.sh/helm/v3 from 3.14.2 to 3.14.3 (@dependabot)
• Dependency - Bump github.com/prometheus/common from 0.48.0 to 0.52.2 (@dependabot)
• Dependency - Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (@dependabot)
• Dependency - Bump github.com/onsi/ginkgo/v2 from 2.14.0 to 2.17.1 (@dependabot)
• Enhancement - Update .go-version to 1.22.2 to fix CVE reports. (@orsenthil)

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.18.1/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.18.1
amazon-k8s-cni:v1.18.1
amazon/aws-network-policy-agent:v1.1.1

v1.18.0

v1.18.0

Release Notes

VPC-CNI now supports enhanced subnet discovery - A default mode in which pod IP addresses are allocated from all tagged and available subnets. This is aimed at helping increase the number of available IPv4 addresses and scale your workloads in IP constrained environments.

Changes since v1.17.1

• Cleanup - run make generate-limits (@jaydeokar)
• Dependency - Bump github.com/docker/docker from 24.0.7+incompatible to 24.0.9+incompatible (@dependabot)
• Dependency - upgrade golang to 1.21.8 (@jchen6585)
• Dependency - Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (@dependabot)
• Feature - Enhance subnet selection (@jchen6585)
• Improvement - Add vpc-id to leaked eni filters (@jchen6585)
• Testing - Add missing params to authorize ingress (@jchen6585)
• Testing - Integration test suite for Custom Networking + Security Groups for Pods (@jdn5126)
• Testing - Fix coredns failing during custom networking tests (@jchen6585)

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.0/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.0/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.0/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.0/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.18.0/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.18.0
amazon-k8s-cni:v1.18.0
amazon/aws-network-policy-agent:v1.1.0

v1.17.1

v1.17.1

Release Notes

Network Policy agent now supports a strict mode for network policy enforcement.

Changes since v1.16.4

• Feature - Send pod name/ns to nodeagent for strict mode (@jayanthvn)
• Feature - gRPC call for networkpolicy agent (@jayanthvn)
• Improvement - Bump golang.org/x/sys from 0.16.0 to 0.17.0 in /test/agent (@dependabot)
• Improvement - Bump google.golang.org/grpc from 1.61.0 to 1.62.0 (@dependabot)
• Improvement - Bump google.golang.org/grpc from 1.61.0 to 1.62.0 (@dependabot)
• Improvement - Bump github.com/aws/aws-sdk-go from 1.49.13 to 1.50.29 (@dependabot)
• Improvement - Bump k8s.io/apimachinery from 0.29.0 to 0.29.2 (@dependabot)
• Improvement - make generate; make generate-limits; remove soak tests (@jdn5126)
• Improvement - Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 (@dependabot)
• Improvement - Make vpc cni as master CNI in multus-daemonset-thick.yml (@raghs-aws)
• Improvement - Bump github.com/prometheus/client_model from 0.5.0 to 0.6.0 (@dependabot)
• Improvement - Repo controlled build go version (@xdu31)

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.17.1/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.17.1
amazon-k8s-cni:v1.17.1
amazon/aws-network-policy-agent:v1.1.0

v1.16.4

v1.16.4

Release Notes

None

Changes since v1.16.3

• Bug - Revert #2744 to prevent livelock when attempting to increase datastore pool (@jdn5126 )
• Bug - Do not allocate IPs or prefixes to trunk ENIs; enable Custom Networking before Security Groups for Pods (@jdn5126 )
• Bug - Ignore non-zero cards (@jchen6585 )
• Documentation - Added description to list of metrics reported by cni-metrics-helper (@zachdorame )
• Enhancement - Bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (@dependabot )
• Enhancement - Add validation for MTU, update ANNOTATE_POD_IP README (@jdn5126 )
• Enhancement - Update Golang version to 1.21.7; update aws-vpc-cni chart README (@jdn5126 )
• Enhancement - Bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (@jdn5126 )
• Feature - Pod MTU (@jchen6585 )

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.4/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.4/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.4/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.4/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.4/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.16.4
amazon-k8s-cni:v1.16.4
amazon/aws-network-policy-agent:v1.0.8

v1.16.3

v1.16.3

IMPORTANT: v1.16.3 contains a regression (#2807) that may lead to high CPU consumption by the aws-node pod when the maximum number of ENIs have been attached to a node. This bug is being addressed in v1.16.4.

Release Notes

• With this release, the Network Policy agent image is updated to v1.0.8.
• With this release, the VPC CNI now supports IPv4 clusters where only a subset of nodes enable IPv6 egress (instead of all).

Changes since v1.16.2

• Dependency - Dependabot updates (@jdn5126 )
• Dependency - Upgrade Golang version to 1.21.6 (@jdn5126 )
• Improvement - Enable ENABLE_V6_EGRESS on Clusters with Mixed IPv6/IPv4 Subnets (@sergeylanzman )
• Improvement - cni-metrics-helper add podAnnotation value (@prysmakou )
• Improvement - Track max pods, simplify warm IP pool management (@jdn5126 )
• Improvement - Faster eni scaleup (@jchen6585 )

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.3/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.16.3
amazon-k8s-cni:v1.16.3
amazon/aws-network-policy-agent:v1.0.8

v1.16.2

v1.16.2

Release Notes

• The VPC CNI has reverted the CNI spec to 0.4.0 in order to maintain compatibility with EKS 1.23: https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.2/misc/10-aws.conflist
• With this release, the VPC CNI can now support up to 50 CIDRs in nftables mode.

Changes since v1.16.0

• Bug - Refactor IPTable Rules (@jchen6585 )
• Bug - log for DelNetworkReply now differentiates between IPv4 and IPv6 addr… (@zachdorame )
• Dependency - revert CNI spec to 0.4.0 (@jdn5126 )
• Dependency - update crypto to patch CVE-2023-48795 (@haouc )
• Dependency - Dependabot updates: aws-sdk-go, containernetworking/plugins, go-logr, grpc, k8s.io/cli-runtime (@jdn5126 )
• Enhancement - Iptables mock (@jchen6585 )

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.2/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.2/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.2/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.2/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.2/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.16.2
amazon-k8s-cni:v1.16.2
amazon/aws-network-policy-agent:v1.0.7

v1.16.0

v1.16.0

Release Notes

• The VPC CNI now uses CNI spec 1.0.0: https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.0/misc/10-aws.conflist
• With VPC CNI v1.16.0, Security Groups for Pods is now supported on IPv6 clusters.
  • One caveat to be aware of compared to IPv4 is that ICMPv6 Neighbor Discovery must be allowed in EC2 security groups in order for pods to properly resolve IPv6 addresses to MAC addresses.

Changes since v1.15.5

• Bug - check if ipv4Addr or ipv6Addr is empty before calling AnnotatePod() (@zachdorame )
• Bug - Fix enabling of Metrics and Introspection Endpoint (@jdn5126 )
• Cleanup - swicth grpc deprecated method to new method (@Icarus9913 )
• Cleanup - swicth k8s deprecated method to new method (@Icarus9913 )
• Dependency - Update golang.org/x/crypto to v0.17.0 (@jdn5126 )
• Dependency - Bump github.com/containerd/containerd from 1.7.6 to 1.7.11 (@dependabot )
• Dependency - Update upstream CNI plugins to v1.4.0 (@jdn5126 )
• Documentation - Remove hard-coded comment for primary intf (@jdn5126 )
• Documentation - Fix Infof/Debugf/Errors to use correct function names (@dims )
• Feature - Add parameters for tuning revisionHistory and securityContext (@bodgit )
• Feature - Manifest for Multus 4.0.2 thick plugin support (@jdn5126 )
• Feature - IPv6 Security Groups for Pods Support (@jdn5126 )
• Feature - Prometheus metrics scraping from CNI metrics helper (@jayanthvn )
• Improvement - add instance types (@jchen6585 )
• Improvement - Update CHANGELOG, charts, and manifests for v1.15.5 release; update aws-vpc-cni ConfigMap default settings (@jdn5126 )
• Improvement - adding feature flags to configmap charts (@haouc )
• Improvement - No need to set accept_ra or accept_redirects for non-primary interfaces (@jdn5126 )
• Improvement - Simplify IPv6 Gateway Calculation (@jdn5126 )

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.0/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.0/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.0/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.0/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.0/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.16.0
amazon-k8s-cni:v1.16.0
amazon/aws-network-policy-agent:v1.0.7

v1.15.5

v1.15.5

Minor Changes since v1.15.4

• Bug - Add watch permission for CNINode resource (@jdn5126 )
• Improvement - Upgrade go from 1.21.4 to 1.21.5 (@jchen6585 )
• Improvement - Dependabot Golang updates, test agent fix (@jdn5126 )
• Improvement - Bump aws-sdk-go to v1.48.2 (@jchen6585 )

Note

• The bundled Network Policy agent image has been updated to v1.0.7. The --conntrack-cache-cleanup-period command line arg for the Network Policy agent container has been added to the helm chart.
• Pod identity credentials are supported starting in this release.

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.5/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.15.5
amazon-k8s-cni:v1.15.5
amazon/aws-network-policy-agent:v1.0.7

v1.15.4

v1.15.4

Minor Changes since v1.15.3

• Documentation - Update prefix-and-ip-target.md (@nicolajknudsen )
• Feature - Upgrade CNI spec from 0.4.0 to 1.0.0 (@jdn5126 )
• Improvement - Upgrade go from 1.21.3 to 1.21.4 (@jdn5126 )
• Improvement - Refactor AllocENI (#2640) (@jchen6585 )
• Improvement - Update Golang Dependencies (@jdn5126 )
• Improvement - generate-limits (@dougbyrne )

Note

• The bundled Network Policy agent image has been updated to v1.0.6.
• The VPC CNI still uses spec 0.4.0 by default: https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.4/misc/10-aws.conflist , but spec 1.0.0 is supported. The default spec version will be updated to 1.0.0 in the v1.16.0 release.

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.4/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.15.4
amazon-k8s-cni:v1.15.4
amazon/aws-network-policy-agent:v1.0.6

v1.15.3

v1.15.3

Major Changes since v1.15.1

• Bug - Fully address CVE-2023-44487 (@jdn5126 )
• Improvement - feat(chart): Made node agent optional (@stevehipwell )
• Improvement - Update Golang to 1.21.3 (@jdn5126 )
• Improvement - Go module updates and Golang builder image update (@jdn5126 )

Note

• The bundled Network Policy agent image has been updated to v1.0.5.
• The Network Policy agent container can now be removed from the Daemonset during helm installation by setting nodeAgent.enabled to false.

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:

Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.3/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3                                                 
amazon-k8s-cni-init:v1.15.3
amazon-k8s-cni:v1.15.3
amazon/aws-network-policy-agent:v1.0.5