aws · jchen6585 · Dec 13, 2023 · Dec 14, 2023 · Dec 15, 2023 · Dec 15, 2023
@@ -1,5 +1,12 @@
 # Changelog
 
+## v1.15.5
+
+* Bug - [Add watch permission for CNINode resource](https://github.com/aws/amazon-vpc-cni-k8s/pull/2681) (@jdn5126 )
+* Improvement - [Upgrade go from 1.21.4 to 1.21.5](https://github.com/aws/amazon-vpc-cni-k8s/pull/2707) (@jchen6585 )
+* Improvement - [Dependabot Golang updates, test agent fix](https://github.com/aws/amazon-vpc-cni-k8s/pull/2698) (@jdn5126 )
+* Improvement - [Bump aws-sdk-go to v1.48.2](https://github.com/aws/amazon-vpc-cni-k8s/pull/2674) (@jchen6585 )
+
 ## v1.15.4
 
 * Documentation - [Update prefix-and-ip-target.md](https://github.com/aws/amazon-vpc-cni-k8s/pull/2658) (@nicolajknudsen )

@@ -274,7 +274,7 @@ docker-metrics-test:     ## Run metrics helper unit test suite in a container.
 		make metrics-unit-test
 
 # Fetch the CNI plugins
-plugins: FETCH_VERSION=1.3.0
+plugins: FETCH_VERSION=1.4.0
 plugins: FETCH_URL=https://github.com/containernetworking/plugins/releases/download/v$(FETCH_VERSION)/cni-plugins-$(GOOS)-$(GOARCH)-v$(FETCH_VERSION).tgz
 plugins: VISIT_URL=https://github.com/containernetworking/plugins/tree/v$(FETCH_VERSION)/plugins/
 plugins:   ## Fetch the CNI plugins

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.15.4
-appVersion: "v1.15.4"
+version: 1.15.5
+appVersion: "v1.15.5"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

@@ -42,16 +42,21 @@ The following table lists the configurable parameters for this chart and their d
 | `env`                   | List of environment variables. See [here](https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables) for options | (see `values.yaml`) |
 | `enableWindowsIpam`     | Enable windows support for your cluster                 | `false`                             |
 | `enableNetworkPolicy`   | Enable Network Policy Controller and Agent for your cluster | `false`                         |
+| `enableWindowsPrefixDelegation` | Enable windows prefix delegation support for your cluster | `false`                   |
+| `warmWindowsPrefixTarget` | Warm prefix target value for Windows prefix delegation | `0`                                |
+| `warmWindowsIPTarget`   | Warm IP target value for Windows prefix delegation      | `1`                                 |
+| `minimumWindowsIPTarget`| Minimum IP target value for Windows prefix delegation   | `3`                                 |
+| `branchENICooldown`     | Number of seconds that branch ENIs remain in cooldown   | `60`                                |
 | `fullnameOverride`      | Override the fullname of the chart                      | `aws-node`                          |
-| `image.tag`             | Image tag                                               | `v1.15.4`                           |
+| `image.tag`             | Image tag                                               | `v1.15.5`                           |
 | `image.domain`          | ECR repository domain                                   | `amazonaws.com`                     |
 | `image.region`          | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `image.endpoint`        | ECR repository endpoint to use.                         | `ecr`                               |
 | `image.account`         | ECR repository account number                           | `602401143452`                      |
 | `image.pullPolicy`      | Container pull policy                                   | `IfNotPresent`                      |
 | `image.override`        | A custom docker image to use                            | `nil`                               |
 | `imagePullSecrets`      | Docker registry pull secret                             | `[]`                                |
-| `init.image.tag`        | Image tag                                               | `v1.15.4`                           |
+| `init.image.tag`        | Image tag                                               | `v1.15.5`                           |
 | `init.image.domain`     | ECR repository domain                                   | `amazonaws.com`                     |
 | `init.image.region`     | ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `init.image.endpoint`   | ECR repository endpoint to use.                         | `ecr`                               |
@@ -64,7 +69,7 @@ The following table lists the configurable parameters for this chart and their d
 | `originalMatchLabels`   | Use the original daemonset matchLabels                  | `false`                             |
 | `nameOverride`          | Override the name of the chart                          | `aws-node`                          |
 | `nodeAgent.enabled`     | If the Node Agent container should be created           | `true`                              |
-| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.0.6`                            |
+| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.0.7`                            |
 | `nodeAgent.image.domain`| ECR repository domain                                   | `amazonaws.com`                     |
 | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `nodeAgent.image.endpoint`   | ECR repository endpoint to use.                    | `ecr`                               |
@@ -75,6 +80,7 @@ The following table lists the configurable parameters for this chart and their d
 | `nodeAgent.enablePolicyEventLogs` | Enable policy decision logs for Node Agent    | `false`                             |
 | `nodeAgent.metricsBindAddr` | Node Agent port for metrics                         | `8162`                              |
 | `nodeAgent.healthProbeBindAddr` | Node Agent port for health probes               | `8163`                              |
+| `nodeAgent.conntrackCacheCleanupPeriod` | Cleanup interval for network policy agent conntrack cache | 300               |
 | `nodeAgent.enableIpv6`  | Enable IPv6 support for Node Agent                      | `false`                             |
 | `nodeAgent.resources`   | Node Agent resources, will defualt to .Values.resources if not set | `{}`                     |
 | `extraVolumes`          | Array to add extra volumes                              | `[]`                                |

@@ -19,3 +19,8 @@ metadata:
 data:
   enable-windows-ipam: {{ .Values.enableWindowsIpam | quote }}
   enable-network-policy-controller: {{ .Values.enableNetworkPolicy | quote }}
+  enable-windows-prefix-delegation: {{ .Values.enableWindowsPrefixDelegation | quote }}
+  warm-prefix-target: {{ .Values.warmWindowsPrefixTarget | quote }}
+  warm-ip-target: {{ .Values.warmWindowsIPTarget | quote }}
+  minimum-ip-target: {{ .Values.minimumWindowsIPTarget | quote }}
+  branch-eni-cooldown: {{ .Values.branchENICooldown | quote }}
@@ -136,6 +136,7 @@ spec:
             - --enable-policy-event-logs={{ .Values.nodeAgent.enablePolicyEventLogs }}
             - --metrics-bind-addr={{ include "aws-vpc-cni.nodeAgentMetricsBindAddr" . }}
             - --health-probe-bind-addr={{ include "aws-vpc-cni.nodeAgentHealthProbeBindAddr" . }}
+            - --conntrack-cache-cleanup-period={{ .Values.nodeAgent.conntrackCacheCleanupPeriod }}
           {{- with default .Values.resources .Values.nodeAgent.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

@@ -8,7 +8,7 @@ nameOverride: aws-node
 
 init:
   image:
-    tag: v1.15.4
+    tag: v1.15.5
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -27,7 +27,7 @@ init:
 nodeAgent:
   enabled: true
   image:
-    tag: v1.0.6
+    tag: v1.0.7
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr
@@ -46,10 +46,11 @@ nodeAgent:
   enableIpv6: "false"
   metricsBindAddr: "8162"
   healthProbeBindAddr: "8163"
+  conntrackCacheCleanupPeriod: 300
   resources: {}
 
 image:
-  tag: v1.15.4
+  tag: v1.15.5
   domain: amazonaws.com
   region: us-west-2
   endpoint: ecr
@@ -82,14 +83,24 @@ env:
   DISABLE_NETWORK_RESOURCE_PROVISIONING: "false"
   ENABLE_IPv4: "true"
   ENABLE_IPv6: "false"
-  VPC_CNI_VERSION: "v1.15.4"
+  VPC_CNI_VERSION: "v1.15.5"
 
 # this flag enables you to use the match label that was present in the original daemonset deployed by EKS
 # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release
 originalMatchLabels: false
 
-enableWindowsIpam: "false"
+# Settings for aws-vpc-cni ConfigMap
+# - Network Policy settings
 enableNetworkPolicy: "false"
+# - Windows settings
+enableWindowsIpam: "false"
+# - Windows Prefix Delegation settings
+enableWindowsPrefixDelegation: "false"
+warmWindowsPrefixTarget: 0
+warmWindowsIPTarget: 1
+minimumWindowsIPTarget: 3
+# - Security Groups for Pods settings
+branchENICooldown: 60
 
 cniConfig:
   enabled: false

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cni-metrics-helper
-version: 1.15.4
-appVersion: v1.15.4
+version: 1.15.5
+appVersion: v1.15.5
 description: A Helm chart for the AWS VPC CNI Metrics Helper
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s

@@ -47,7 +47,7 @@ The following table lists the configurable parameters for this chart and their d
 |------------------------------|---------------------------------------------------------------|--------------------|
 | fullnameOverride             | Override the fullname of the chart                            | cni-metrics-helper |
 | image.region                 | ECR repository region to use. Should match your cluster       | us-west-2          |
-| image.tag                    | Image tag                                                     | v1.15.4            |
+| image.tag                    | Image tag                                                     | v1.15.5            |
 | image.account                | ECR repository account number                                 | 602401143452       |
 | image.domain                 | ECR repository domain                                         | amazonaws.com      |
 | env.USE_CLOUDWATCH           | Whether to export CNI metrics to CloudWatch                   | true               |

@@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper
 
 image:
   region: us-west-2
-  tag: v1.15.4
+  tag: v1.15.5
   account: "602401143452"
   domain: "amazonaws.com"
   # Set to use custom image

@@ -117,10 +117,7 @@ func configureIPv6Settings(procSys procsyswrapper.ProcSys, primaryIF string) err
 	// Check if IPv6 egress support is enabled in IPv4 cluster.
 	ipv6EgressEnabled := utils.GetBoolAsStringEnvVar(envEgressV6, defaultEnableIPv6Egress)
 	if enableIPv6 || ipv6EgressEnabled {
-		// For IPv6, the following sysctls are set:
-		// 1. forwarding defaults to 1
-		// 2. accept_ra defaults to 2
-		// 3. accept_redirects defaults to 1
+		// Enable IPv6 forwarding on all interfaces by default
 		entry := "net/ipv6/conf/all/forwarding"
 		err = procSys.Set(entry, "1")
 		if err != nil {
@@ -129,25 +126,6 @@ func configureIPv6Settings(procSys procsyswrapper.ProcSys, primaryIF string) err
 		val, _ := procSys.Get(entry)
 		log.Infof("Updated %s to %s", entry, val)
 
-		// accept_ra must be set to 2 so that RA routes are installed by the kernel on secondary ENIs
-		// For IPv6, this setting must be inherited by the trunk ENI. It must be set here as IPAMD does
-		// not have permission to set sysctl values.
-		entry = "net/ipv6/conf/default/accept_ra"
-		err = procSys.Set(entry, "2")
-		if err != nil {
-			return errors.Wrap(err, "Failed to set IPv6 accept Router Advertisements to 2")
-		}
-		val, _ = procSys.Get(entry)
-		log.Infof("Updated %s to %s", entry, val)
-
-		entry = "net/ipv6/conf/default/accept_redirects"
-		err = procSys.Set(entry, "1")
-		if err != nil {
-			return errors.Wrap(err, "Failed to enable IPv6 accept redirects")
-		}
-		val, _ = procSys.Get(entry)
-		log.Infof("Updated %s to %s", entry, val)
-
 		// For the primary ENI in IPv6, sysctls are set to:
 		// 1. forwarding=1
 		// 2. accept_ra=2