diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml
index 34a897482..74b639a05 100644
--- a/stable/aws-load-balancer-controller/Chart.yaml
+++ b/stable/aws-load-balancer-controller/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.3.0
+version: 1.3.2
 appVersion: v2.3.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md
index 7b5744e75..a5d4ec620 100644
--- a/stable/aws-load-balancer-controller/README.md
+++ b/stable/aws-load-balancer-controller/README.md
@@ -209,3 +209,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` |
 | `updateStrategy` | Defines the update strategy for the deployment | `{}` |
 | `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template | `false` |
+| `enableEndpointSlices` | If enabled, controller uses k8s EndpointSlices instead of Endpoints for IP targets | `false` |
+| `enableBackendSecurityGroup` | If enabled, controller uses shared security group for backend traffic | `true` |
+| `backendSecurityGroup` | Backend security group to use instead of auto created one if the feature is enabled | `` |
+| `disableRestrictedSecurityGroupRules` | If disabled, controller will not specify port range restriction in the backend security group rules | `true` |
diff --git a/stable/aws-load-balancer-controller/templates/deployment.yaml b/stable/aws-load-balancer-controller/templates/deployment.yaml
index dd23bd39e..ae2b3a967 100644
--- a/stable/aws-load-balancer-controller/templates/deployment.yaml
+++ b/stable/aws-load-balancer-controller/templates/deployment.yaml
@@ -119,6 +119,18 @@ spec:
 {{- if .Values.defaultTags }}
 - --default-tags={{ include "aws-load-balancer-controller.convert-map-to-csv" .Values.defaultTags | trimSuffix "," }}
 {{- end }}
+ {{- if kindIs "bool" .Values.enableEndpointSlices }}
+ - --enable-endpoint-slices={{ .Values.enableEndpointSlices }}
+ {{- end }}
+ {{- if kindIs "bool" .Values.enableBackendSecurityGroup }}
+ - --enable-backend-security-group={{ .Values.enableBackendSecurityGroup }}
+ {{- end }}
+ {{- if .Values.backendSecurityGroup }}
+ - --backend-security-group={{ .Values.backendSecurityGroup }}
+ {{- end }}
+ {{- if kindIs "bool" .Values.disableRestrictedSecurityGroupRules }}
+ - --disable-restricted-sg-rules={{ .Values.disableRestrictedSecurityGroupRules }}
+ {{- end }}
 {{- if .Values.env }}
 env:
 {{- range $key, $value := .Values.env }}
diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml
index 6d0048c04..b5bcee072 100644
--- a/stable/aws-load-balancer-controller/values.yaml
+++ b/stable/aws-load-balancer-controller/values.yaml
@@ -213,3 +213,15 @@ podDisruptionBudget: {}
 # externalManagedTags is the list of tag keys on AWS resources that will be managed externally
 externalManagedTags: []
+
+# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false)
+enableEndpointSlices:
+
+# enableBackendSecurityGroup enables shared security group for backend traffic (default true)
+enableBackendSecurityGroup:
+
+# backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
+backendSecurityGroup:
+
+# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
+disableRestrictedSecurityGroupRules: true
\ No newline at end of file
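Review bot: The `kindIs "bool"` guards on the three new boolean flags silently drop the argument whenever the value is not a real YAML boolean, so a quoted `"false"` in a values file or a string coming from a templating wrapper leaves the controller on its built-in default with no rendering error. Either state that in the template, e.g. `{{/* boolean flags are passed through only when the value is a real bool; strings and null fall back to the controller default */}}`, or fail fast with an extra branch such as `{{- else if not (kindIs "invalid" .Values.enableEndpointSlices) }}{{ fail "enableEndpointSlices must be a boolean" }}` before each `{{- end }}`. The enclosing `args:` list starts above this hunk, so the indentation of the new lines cannot be checked from here.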
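Review bot: `disableRestrictedSecurityGroupRules: true` is the only one of the four new keys given a concrete default, so every install renders `--disable-restricted-sg-rules=true` and, per the comment on that key, the backend security group rules are created without a port-range restriction, while the other three keys stay null and defer to the controller. If that is deliberate, say so next to the key, e.g. `# true: backend SG rules carry no port-range restriction; set to false to create rules restricted to the target port ranges`, and give the bare `enableEndpointSlices:`/`enableBackendSecurityGroup:`/`backendSecurityGroup:` keys a `# leave empty to use the controller default` note, since a bare key reads as a mistake under yamllint's empty-values rule. The file also loses its trailing newline (`\ No newline at end of file`).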
diff --git a/stable/aws-node-termination-handler/Chart.yaml b/stable/aws-node-termination-handler/Chart.yaml
index dae8179ad..652b3f50e 100644
--- a/stable/aws-node-termination-handler/Chart.yaml
+++ b/stable/aws-node-termination-handler/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: aws-node-termination-handler
 description: A Helm chart for the AWS Node Termination Handler
-version: 0.15.4
-appVersion: 1.13.4
+version: 0.16.0
+appVersion: 1.14.0
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:
diff --git a/stable/aws-node-termination-handler/README.md b/stable/aws-node-termination-handler/README.md
index bc0ae6c0b..186109e57 100644
--- a/stable/aws-node-termination-handler/README.md
+++ b/stable/aws-node-termination-handler/README.md
@@ -4,7 +4,7 @@ AWS Node Termination Handler Helm chart for Kubernetes. For more information on
 ## Prerequisites
-* Kubernetes >= 1.11
+* Kubernetes >= 1.14
 ## Installing the Chart
@@ -80,11 +80,6 @@ Parameter | Description | Default
 `enableProbesServer` | If true, start an http server exposing `/healthz` endpoint for probes. | `false`
 `probesServerPort` | Replaces the default HTTP port for exposing probes endpoint. | `8080`
 `probesServerEndpoint` | Replaces the default endpoint for exposing probes endpoint. | `/healthz`
-`podMonitor.create` | If `true`, create a PodMonitor | `false`
-`podMonitor.interval` | Prometheus scrape interval | `30s`
-`podMonitor.sampleLimit` | Number of scraped samples accepted | `5000`
-`podMonitor.labels` | Additional PodMonitor metadata labels | `{}`
-`podMonitor.namespace` | Override podMonitor Helm release namespace | `{{ .Release.Namespace }}`
 `emitKubernetesEvents` | If `true`, Kubernetes events will be emitted when interruption events are received and when actions are taken on Kubernetes nodes. In IMDS Processor mode a default set of annotations with all the node metadata gathered from IMDS will be attached to each event. More information [here](https://github.com/aws/aws-node-termination-handler/blob/main/docs/kubernetes_events.md) | `false`
 `kubernetesExtraEventsAnnotations` | A comma-separated list of `key=value` extra annotations to attach to all emitted Kubernetes events. Example: `first=annotation,sample.annotation/number=two"` | None
@@ -100,6 +95,11 @@ Parameter | Description | Default
 `workers` | The maximum amount of parallel event processors | `10`
 `replicas` | The number of replicas in the NTH deployment when using queue-processor mode (NOTE: increasing replicas may cause duplicate webhooks since NTH pods are stateless) | `1`
 `podDisruptionBudget` | Limit the disruption for controller pods, requires at least 2 controller replicas | `{}`
+`serviceMonitor.create` | If `true`, create a ServiceMonitor (this requires enableSqsTerminationDraining and enablePrometheusServer to be set) | `false`
+`serviceMonitor.interval` | Prometheus scrape interval | `30s`
+`serviceMonitor.sampleLimit` | Number of scraped samples accepted | `5000`
+`serviceMonitor.labels` | Additional ServiceMonitor metadata labels | `{}`
+`serviceMonitor.namespace` | Override ServiceMonitor Helm release namespace | `{{ .Release.Namespace }}`
 ### AWS Node Termination Handler - IMDS Mode Configuration
@@ -110,6 +110,11 @@ Parameter | Description | Default
 `enableRebalanceDraining` | If true, drain nodes when the rebalance recommendation notice is received | `false`
 `enableRebalanceMonitoring` | If true, cordon nodes when the rebalance recommendation notice is received. If you'd like to drain the node in addition to cordoning, then also set `enableRebalanceDraining`. | `false`
 `useHostNetwork` | If `true`, enables `hostNetwork` for the Linux DaemonSet. NOTE: setting this to `false` may cause issues accessing IMDSv2 if your account is not configured with an IP hop count of 2 | `true`
+`podMonitor.create` | If `true`, create a PodMonitor (this requires enableSqsTerminationDraining to not be set and enablePrometheusServer to be set) | `false`
+`podMonitor.interval` | Prometheus scrape interval | `30s`
+`podMonitor.sampleLimit` | Number of scraped samples accepted | `5000`
+`podMonitor.labels` | Additional PodMonitor metadata labels | `{}`
+`podMonitor.namespace` | Override PodMonitor Helm release namespace | `{{ .Release.Namespace }}`
 ### Kubernetes Configuration
@@ -142,8 +147,8 @@ Parameter | Description | Default
 `serviceAccount.annotations` | Specifies the annotations for ServiceAccount | `{}`
 `securityContext.runAsUserID` | User ID to run the container | `1000`
 `securityContext.runAsGroupID` | Group ID to run the container | `1000`
-`nodeSelectorTermsOs` | Operating System Node Selector Key | >=1.14: `kubernetes.io/os`, <1.14: `beta.kubernetes.io/os`
-`nodeSelectorTermsArch` | CPU Architecture Node Selector Key | >=1.14: `kubernetes.io/arch`, <1.14: `beta.kubernetes.io/arch`
+`nodeSelectorTermsOs` | Operating System Node Selector Key | `kubernetes.io/os`
+`nodeSelectorTermsArch` | CPU Architecture Node Selector Key | `kubernetes.io/arch`
 `targetNodeOs` | Space separated list of node OS's to target, e.g. "linux", "windows", "linux windows". Note: Windows support is experimental. | `"linux"`
 `updateStrategy` | Update strategy for the all DaemonSets (Linux and Windows) | `type=RollingUpdate,rollingUpdate.maxUnavailable=1`
 `linuxUpdateStrategy` | Update strategy for the Linux DaemonSet | `type=RollingUpdate,rollingUpdate.maxUnavailable=1`
diff --git a/stable/aws-node-termination-handler/templates/_helpers.tpl b/stable/aws-node-termination-handler/templates/_helpers.tpl
index 56f94eeb7..249a9c984 100644
--- a/stable/aws-node-termination-handler/templates/_helpers.tpl
+++ b/stable/aws-node-termination-handler/templates/_helpers.tpl
@@ -72,13 +72,9 @@ Create the name of the service account to use
 {{/*
 Get the default node selector term prefix.
-
-In 1.14 "beta.kubernetes.io" was deprecated and is scheduled for removal in 1.18.
-See https://v1-14.docs.kubernetes.io/docs/setup/release/notes/#deprecations
 */}}
 {{- define "aws-node-termination-handler.defaultNodeSelectorTermsPrefix" -}}
- {{- $k8sVersion := printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor | replace "+" "" -}}
- {{- semverCompare "<1.14" $k8sVersion | ternary "beta.kubernetes.io" "kubernetes.io" -}}
+kubernetes.io
 {{- end -}}
 {{/*
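Review bot: The define now emits a constant, but the surviving comment `Get the default node selector term prefix.` still reads as if a version lookup happens, and the only justification for dropping the `beta.kubernetes.io` branch is the README hunk in this commit raising the minimum Kubernetes to 1.14. Tie the two together in the comment, e.g. `Get the default node selector term prefix. Always "kubernetes.io": the chart requires Kubernetes >= 1.14, so the beta.kubernetes.io labels are no longer selected.`, so the next person to lower the prerequisite sees what else must change.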
diff --git a/stable/aws-node-termination-handler/templates/podmonitor.yaml b/stable/aws-node-termination-handler/templates/podmonitor.yaml
index 47ae26fb3..1c497d68d 100644
--- a/stable/aws-node-termination-handler/templates/podmonitor.yaml
+++ b/stable/aws-node-termination-handler/templates/podmonitor.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.podMonitor.create }}
+{{- if and (not .Values.enableSqsTerminationDraining) (and .Values.enablePrometheusServer .Values.podMonitor.create) -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
@@ -17,13 +17,17 @@ spec:
 jobLabel: {{ include "aws-node-termination-handler.name" . }}
 namespaceSelector:
 matchNames:
- - {{ .Release.Namespace }}
+ - {{ .Release.Namespace }}
 podMetricsEndpoints:
- - interval: {{ .Values.podMonitor.interval }}
- path: /metrics
- port: http-metrics
- sampleLimit: {{ .Values.podMonitor.sampleLimit }}
+ - port: http-metrics
+ path: /metrics
+ {{- with .Values.podMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.podMonitor.sampleLimit }}
+ sampleLimit: {{ . }}
+ {{- end }}
 selector:
 matchLabels:
 {{- include "aws-node-termination-handler.selectorLabels" . | nindent 6 }}
-{{- end }}
+{{- end -}}
diff --git a/stable/aws-node-termination-handler/templates/service.yaml b/stable/aws-node-termination-handler/templates/service.yaml
new file mode 100644
index 000000000..5534b0bb2
--- /dev/null
+++ b/stable/aws-node-termination-handler/templates/service.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.enableSqsTerminationDraining .Values.enablePrometheusServer -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "aws-node-termination-handler.fullname" . }}
+ labels:
+ {{- include "aws-node-termination-handler.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ selector:
+ {{- include "aws-node-termination-handler.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: http-metrics
+ port: {{ .Values.prometheusServerPort }}
+ targetPort: http-metrics
+ protocol: TCP
+{{- end -}}
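Review bot: The new guard nests `and` where Go templates accept a variadic form, so `{{- if and (not .Values.enableSqsTerminationDraining) .Values.enablePrometheusServer .Values.podMonitor.create -}}` reads the same and drops the inner parentheses; servicemonitor.yaml in this commit has the same shape. The three-way condition also deserves a one-line comment, since nothing in the template says why the SQS flag is part of it, e.g. `{{/* PodMonitor is for IMDS mode (no SQS draining); queue-processor mode uses the Service + ServiceMonitor instead */}}`, which is what the README rows in this commit imply.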
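Review bot: `targetPort: http-metrics` relies on the controller container declaring a port named `http-metrics`; the deployment template is not part of this diff, so confirm the name matches, because a mismatch renders cleanly but leaves the Service with no ready endpoints and the ServiceMonitor silently scraping nothing. `port: {{ .Values.prometheusServerPort }}` renders a null port if the value is unset; `port: {{ required "prometheusServerPort must be set when enablePrometheusServer is true" .Values.prometheusServerPort }}` turns that into an install-time error. A header comment such as `{{/* ClusterIP Service exposing the metrics port for queue-processor mode; created independently of serviceMonitor.create */}}` would also explain why this object exists even when no ServiceMonitor is requested.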
diff --git a/stable/aws-node-termination-handler/templates/servicemonitor.yaml b/stable/aws-node-termination-handler/templates/servicemonitor.yaml
new file mode 100644
index 000000000..52ff799d8
--- /dev/null
+++ b/stable/aws-node-termination-handler/templates/servicemonitor.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.enableSqsTerminationDraining (and .Values.enablePrometheusServer .Values.serviceMonitor.create) -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "aws-node-termination-handler.fullname" . }}
+ {{- if .Values.serviceMonitor.namespace }}
+ namespace: {{ .Values.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ {{- include "aws-node-termination-handler.labels" . | nindent 4 }}
+ {{- with .Values.serviceMonitor.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ jobLabel: {{ include "aws-node-termination-handler.name" . }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - port: http-metrics
+ path: /metrics
+ {{- with .Values.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.sampleLimit }}
+ sampleLimit: {{ . }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "aws-node-termination-handler.selectorLabels" . | nindent 6 }}
+{{- end -}}
diff --git a/stable/aws-node-termination-handler/values.yaml b/stable/aws-node-termination-handler/values.yaml
index c97eef361..125e27008 100644
--- a/stable/aws-node-termination-handler/values.yaml
+++ b/stable/aws-node-termination-handler/values.yaml
@@ -4,7 +4,7 @@ image:
 repository: public.ecr.aws/aws-ec2/aws-node-termination-handler
- tag: v1.13.4
+ tag: v1.14.0
 pullPolicy: IfNotPresent
 pullSecrets: []
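Review bot: The `if`/`else` on `serviceMonitor.namespace` collapses to one line, `namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}`, which matches the `with`/`default` style used elsewhere in this file. `namespaceSelector.matchNames` intentionally stays on `.Release.Namespace` even when the ServiceMonitor itself is placed elsewhere, because the Service added in service.yaml is always created in the release namespace; a short comment on that line, e.g. `# the metrics Service always lives in the release namespace`, saves the next reader from re-deriving it.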
@@ -192,16 +192,33 @@ dnsPolicy: ""
 podMonitor:
 # Specifies whether PodMonitor should be created
+ # this needs enableSqsTerminationDraining: false
+ # and enablePrometheusServer: true
 create: false
- # The Prometheus scrape interval
+ # Specifies whether the PodMonitor should be created in a different namespace than
+ # the Helm release
+ namespace:
+ # Additional labels to add to the metadata
+ labels: {}
+ # The Prometheus scrape interval
 interval: 30s
 # The number of scraped samples that will be accepted
 sampleLimit: 5000
- # Additional labels to add to the metadata
- labels: {}
- # Specifies whether a pod monitor should be created in a different namespace than
+
+serviceMonitor:
+ # Specifies whether ServiceMonitor should be created
+ # this needs enableSqsTerminationDraining: rue
+ # and enablePrometheusServer: true
+ create: false
+ # Specifies whether the ServiceMonitor should be created in a different namespace than
 # the Helm release
- # namespace: monitoring
+ namespace:
+ # Additional labels to add to the metadata
+ labels: {}
+ # The Prometheus scrape interval
+ interval: 30s
+ # The number of scraped samples that will be accepted
+ sampleLimit: 5000
 # K8s DaemonSet update strategy.
 updateStrategy:
diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml
index 74d24d0cc..c504d5cb4 100644
--- a/stable/aws-vpc-cni/Chart.yaml
+++ b/stable/aws-vpc-cni/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.1.10
-appVersion: "v1.9.3"
+version: 1.1.12
+appVersion: "v1.10.1"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s
diff --git a/stable/aws-vpc-cni/templates/clusterrole.yaml b/stable/aws-vpc-cni/templates/clusterrole.yaml
index f9db311ae..d87820309 100644
--- a/stable/aws-vpc-cni/templates/clusterrole.yaml
+++ b/stable/aws-vpc-cni/templates/clusterrole.yaml
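Review bot: The comment under `serviceMonitor:` has a typo that makes the precondition unreadable: `# this needs enableSqsTerminationDraining: rue` should be `# this needs enableSqsTerminationDraining: true`. The two `namespace:` keys are left bare, which a YAML parser reads as null; that works with the template's `if`, but `namespace: ""` with a trailing `# defaults to the Helm release namespace` states the intent and keeps yamllint's empty-values check quiet.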
@@ -14,10 +14,17 @@ rules:
 resources:
 - namespaces
 verbs: ["list", "watch", "get"]
+{{- if .Values.env.ANNOTATE_POD_IP }}
 - apiGroups: [""]
 resources:
 - pods
 verbs: ["list", "watch", "get", "patch"]
+{{- else }}
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs: ["list", "watch", "get"]
+{{- end }}
 - apiGroups: [""]
 resources:
 - nodes
diff --git a/stable/aws-vpc-cni/templates/customresourcedefinition.yaml b/stable/aws-vpc-cni/templates/customresourcedefinition.yaml
index 2385fb3a7..bda35b9ed 100644
--- a/stable/aws-vpc-cni/templates/customresourcedefinition.yaml
+++ b/stable/aws-vpc-cni/templates/customresourcedefinition.yaml
@@ -8,6 +8,7 @@ metadata:
 spec:
 scope: Cluster
 group: crd.k8s.amazonaws.com
+ preserveUnknownFields: false
 versions:
 - name: v1alpha1
 served: true
diff --git a/stable/aws-vpc-cni/templates/daemonset.yaml b/stable/aws-vpc-cni/templates/daemonset.yaml
index ebe61e963..5154670cc 100644
--- a/stable/aws-vpc-cni/templates/daemonset.yaml
+++ b/stable/aws-vpc-cni/templates/daemonset.yaml
@@ -2,6 +2,7 @@ kind: DaemonSet
 apiVersion: apps/v1
 metadata:
 name: {{ include "aws-vpc-cni.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{ include "aws-vpc-cni.labels" . | indent 4 }}
 spec:
@@ -39,8 +40,7 @@ spec:
 hostNetwork: true
 initContainers:
 - name: aws-vpc-cni-init
- image: "{{- if .Values.init.image.override }}{{- .Values.init.image.override }}{{- else }}602401143452.dkr.ecr.{{- .Values.init.image.region }}.amazonaws.com/amazon-k8s-cni-init:{{- .Values.init.image.tag }}{{- end}}"
- imagePullPolicy: {{ .Values.init.image.pullPolicy }}
+ image: "{{- if .Values.init.image.override }}{{- .Values.init.image.override }}{{- else }}{{- .Values.init.image.account }}.dkr.ecr.{{- .Values.init.image.region }}.{{- .Values.init.image.domain }}/amazon-k8s-cni-init:{{- .Values.init.image.tag }}{{- end}}"
 env:
 {{- range $key, $value := .Values.init.env }}
 - name: {{ $key }}
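Review bot: `{{- if .Values.env.ANNOTATE_POD_IP }}` tests Go-template truthiness, and this chart's `env` values are strings (`DISABLE_TCP_EARLY_DEMUX: "false"` and `ENABLE_IPv6: "false"` in the values.yaml hunks of this commit), so an explicit `ANNOTATE_POD_IP: "false"` is a non-empty string and still grants `patch` on pods; only an unset key takes the narrower branch. Compare the string instead, `{{- if eq (toString .Values.env.ANNOTATE_POD_IP) "true" }}`, so the extra verb is granted only when the feature is actually on, and add `# patch on pods is needed only when the CNI annotates pod IPs` above the first branch so the RBAC surface stays reviewable. The `rules:` list starts above this hunk.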
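Review bot: `imagePullPolicy: {{ .Values.init.image.pullPolicy }}` is removed from the init container here, and the `@@ -62,15 +62,16 @@` hunk removes the same line from the `aws-node` container, so both fall back to the kubelet's default pull policy while values.yaml still ships `pullPolicy: Always` under both `init.image` and `image` (context lines in the `@@ -8,19 +8,24 @@` values hunk), now unused. Either restore the two lines, `imagePullPolicy: {{ .Values.init.image.pullPolicy }}` and `imagePullPolicy: {{ .Values.image.pullPolicy }}`, or drop the values keys and note the behaviour change in the chart's changelog; silently accepting a value that no longer does anything is the worst of the options.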
@@ -62,15 +62,16 @@ spec:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
 - name: aws-node
- image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}602401143452.dkr.ecr.{{- .Values.image.region }}.amazonaws.com/amazon-k8s-cni:{{- .Values.image.tag }}{{- end}}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
+ image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}{{- .Values.image.account }}.dkr.ecr.{{- .Values.image.region }}.{{- .Values.image.domain }}/amazon-k8s-cni:{{- .Values.image.tag }}{{- end}}"
 ports:
 - containerPort: 61678
 name: metrics
 livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 12 }}
+ timeoutSeconds: {{ .Values.livenessProbeTimeoutSeconds }}
 readinessProbe:
 {{ toYaml .Values.readinessProbe | indent 12 }}
+ timeoutSeconds: {{ .Values.readinessProbeTimeoutSeconds }}
 env:
 {{- range $key, $value := .Values.env }}
 - name: {{ $key }}
diff --git a/stable/aws-vpc-cni/templates/serviceaccount.yaml b/stable/aws-vpc-cni/templates/serviceaccount.yaml
index 885156699..7e75506f6 100644
--- a/stable/aws-vpc-cni/templates/serviceaccount.yaml
+++ b/stable/aws-vpc-cni/templates/serviceaccount.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ template "aws-vpc-cni.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
 {{- with .Values.serviceAccount.annotations }}
 annotations:
 {{ toYaml . | indent 4 }}
diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml
index 35626d2ac..101f93717 100644
--- a/stable/aws-vpc-cni/values.yaml
+++ b/stable/aws-vpc-cni/values.yaml
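Review bot: `timeoutSeconds: {{ .Values.livenessProbeTimeoutSeconds }}` is appended after the `toYaml`'d `livenessProbe` map, so a user who already carries `timeoutSeconds` inside `livenessProbe` gets a duplicate key in the rendered manifest, and an unset value renders as a null `timeoutSeconds:`; the same applies to the readiness line below it. Guard each with `{{- with .Values.livenessProbeTimeoutSeconds }}` / `timeoutSeconds: {{ . }}` / `{{- end }}` (and the readiness equivalent), or fold the timeout into the probe maps in values.yaml so there is a single source. The added lines must sit at the same column as the `indent 12` output; the collapsed hunk does not show whether they do.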
@@ -8,19 +8,24 @@ nameOverride: aws-node
 init:
 image:
- tag: v1.9.3
+ tag: v1.10.1
 region: us-west-2
+ account: "602401143452"
 pullPolicy: Always
+ domain: "amazonaws.com"
 # Set to use custom image
 # override: "repo/org/image:tag"
 env:
 DISABLE_TCP_EARLY_DEMUX: "false"
+ ENABLE_IPv6: "false"
 securityContext:
 privileged: true
 image:
 region: us-west-2
- tag: v1.9.3
+ tag: v1.10.1
+ account: "602401143452"
+ domain: "amazonaws.com"
 pullPolicy: Always
 # Set to use custom image
 # override: "repo/org/image:tag"
@@ -47,6 +52,8 @@ env:
 WARM_ENI_TARGET: "1"
 WARM_PREFIX_TARGET: "1"
 DISABLE_NETWORK_RESOURCE_PROVISIONING: "false"
+ ENABLE_IPv4: "true"
+ ENABLE_IPv6: "false"
 # this flag enables you to use the match label that was present in the original daemonset deployed by EKS
 # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release
@@ -90,15 +97,23 @@ livenessProbe:
 command:
 - /app/grpc-health-probe
 - '-addr=:50051'
+ - '-connect-timeout=5s'
+ - '-rpc-timeout=5s'
 initialDelaySeconds: 60
+livenessProbeTimeoutSeconds: 10
+
 readinessProbe:
 exec:
 command:
 - /app/grpc-health-probe
 - '-addr=:50051'
+ - '-connect-timeout=5s'
+ - '-rpc-timeout=5s'
 initialDelaySeconds: 1
+readinessProbeTimeoutSeconds: 10
+
 resources:
 requests:
 cpu: 10m
@@ -116,20 +131,6 @@ affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
- - matchExpressions:
- - key: "beta.kubernetes.io/os"
- operator: In
- values:
- - linux
- - key: "beta.kubernetes.io/arch"
- operator: In
- values:
- - amd64
- - arm64
- - key: "eks.amazonaws.com/compute-type"
- operator: NotIn
- values:
- - fargate
 - matchExpressions:
 - key: "kubernetes.io/os"
 operator: In
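Review bot: `livenessProbeTimeoutSeconds: 10` and `readinessProbeTimeoutSeconds: 10` are introduced as top-level keys next to, rather than inside, the `livenessProbe`/`readinessProbe` maps they modify, and nothing explains how they relate to the new `-connect-timeout=5s` and `-rpc-timeout=5s` arguments that sum to the same 10s. A comment on each, e.g. `# kubelet probe timeoutSeconds; presumably meant to cover grpc-health-probe's -connect-timeout plus -rpc-timeout (5s + 5s) — confirm the intended margin`, makes the coupling visible to anyone tuning one without the other. The `@@ -116,20 +131,6 @@` hunk continues past the end of this excerpt.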