feat: upgrade aws-vpc-cni to v1.16.0 and support network-policy-agent

getamis · Dec 26, 2023 · 8e05b28 · 8e05b28
1 parent 00b8a5a
commit 8e05b28
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 21 deletions.
diff --git a/docs/variables/master.md b/docs/variables/master.md
@@ -85,6 +85,7 @@ This document gives an overview of variables used in the Ignition of the Kuberne
 | <a name="input_enable_eni_prefix"></a> [enable\_eni\_prefix](#input\_enable\_eni\_prefix) | (Optional) assign prefix to AWS EC2 network interface | `bool` | `true` | no |
 | <a name="input_enable_iam_auth"></a> [enable\_iam\_auth](#input\_enable\_iam\_auth) | Enable AWS IAM authenticator or not. | `bool` | `false` | no |
 | <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Enable AWS IAM role service account or not. | `bool` | `false` | no |
+| <a name="input_enable_network_policy"></a> [enable\_network\_policy](#input\_enable\_network\_policy) | (Optional) enable network policy or not | `bool` | `false` | no |
 | <a name="input_encryption_secret"></a> [encryption\_secret](#input\_encryption\_secret) | The secret key for encrypting | `string` | `""` | no |
 | <a name="input_etcd_endpoints"></a> [etcd\_endpoints](#input\_etcd\_endpoints) | The comma separated list of etcd endpoints (e.g., 'http://etcd1:2379,http://etcd2:2379'). | `string` | `""` | no |
 | <a name="input_external_snat"></a> [external\_snat](#input\_external\_snat) | (Optional) [AWS VPC CNI] Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. | `bool` | `false` | no |

diff --git a/network-plugins.tf b/network-plugins.tf
@@ -12,12 +12,13 @@ data "ignition_file" "aws_vpc_cni_yaml" {
       init_image       = "${local.containers["vpc_cni_init"].repo}:${local.containers["vpc_cni_init"].tag}"
       node_agent_image = "${local.containers["aws_network_policy_agent"].repo}:${local.containers["aws_network_policy_agent"].tag}"
       # vpc cni config
-      annotate_pod_ip   = var.annotate_pod_ip
-      cni_version       = local.containers["vpc_cni"].tag
-      cluster_endpoint  = var.internal_endpoint
-      enable_eni_prefix = var.enable_eni_prefix
-      external_snat     = var.external_snat
-      log_level         = var.log_level["aws_vpc_cni"]
+      annotate_pod_ip       = var.annotate_pod_ip
+      cni_version           = local.containers["vpc_cni"].tag
+      cluster_endpoint      = var.internal_endpoint
+      enable_eni_prefix     = var.enable_eni_prefix
+      enable_network_policy = var.enable_network_policy
+      external_snat         = var.external_snat
+      log_level             = var.log_level["aws_vpc_cni"]
     })
     mime = "text/yaml"
   }

diff --git a/templates/network-plugins/amazon-vpc/aws-vpc-cni.yaml.tpl b/templates/network-plugins/amazon-vpc/aws-vpc-cni.yaml.tpl
@@ -1,6 +1,6 @@
-# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.1/config/master/aws-k8s-cni.yaml
+# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.0/config/master/aws-k8s-cni.yaml
 ---
-# Source: crds/customresourcedefinition.yaml
+# Source: aws-vpc-cni/crds/customresourcedefinition.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -267,7 +267,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.15.1"
+    app.kubernetes.io/version: "v1.16.0"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -279,10 +279,15 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.15.1"
+    app.kubernetes.io/version: "v1.16.0"
 data:
   enable-windows-ipam: "false"
-  enable-network-policy-controller: "false" # TODO: Support AWS VPC CNI Network Policy
+  enable-network-policy-controller: "${enable_network_policy}"
+  enable-windows-prefix-delegation: "false"
+  warm-prefix-target: "0"
+  warm-ip-target: "1"
+  minimum-ip-target: "3"
+  branch-eni-cooldown: "60"
 ---
 # Source: aws-vpc-cni/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -293,7 +298,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.15.1"
+    app.kubernetes.io/version: "v1.16.0"
 rules:
   - apiGroups:
       - crd.k8s.amazonaws.com
@@ -334,7 +339,7 @@ rules:
       - vpcresources.k8s.aws
     resources:
       - cninodes
-    verbs: ["get", "list", "patch"]
+    verbs: ["get", "list", "watch", "patch"]
 ---
 # Source: aws-vpc-cni/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -345,7 +350,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.15.1"
+    app.kubernetes.io/version: "v1.16.0"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -365,7 +370,7 @@ metadata:
     app.kubernetes.io/name: aws-node
     app.kubernetes.io/instance: aws-vpc-cni
     k8s-app: aws-node
-    app.kubernetes.io/version: "v1.15.1"
+    app.kubernetes.io/version: "v1.16.0"
 spec:
   updateStrategy:
     rollingUpdate:
@@ -517,11 +522,12 @@ spec:
                   fieldPath: spec.nodeName
           args:
             - --enable-ipv6=false
-            - --enable-network-policy=false # TODO: Support AWS VPC CNI Network Policy
+            - --enable-network-policy=${enable_network_policy}
             - --enable-cloudwatch-logs=false
             - --enable-policy-event-logs=false
             - --metrics-bind-addr=:8162
             - --health-probe-bind-addr=:8163
+            - --conntrack-cache-cleanup-period=300
           resources:
             requests:
               cpu: 25m

diff --git a/variables.tf b/variables.tf
@@ -86,6 +86,12 @@ variable "external_snat" {
   default     = false
 }
 
+variable "enable_network_policy" {
+  description = "(Optional) enable network policy or not"
+  type        = bool
+  default     = false
+}
+
 variable "max_pods" {
   description = "(Optional) the max pod number in the node when enable eni prefix"
   type        = string

diff --git a/variables_defaults.tf b/variables_defaults.tf
@@ -21,16 +21,16 @@ locals {
       tag  = "1.11.1"
     }
     vpc_cni = {
-      repo = "quay.io/amis/amazon-k8s-cni"
-      tag  = "v1.15.1"
+      repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni"
+      tag  = "v1.16.0"
     }
     vpc_cni_init = {
-      repo = "quay.io/amis/amazon-k8s-cni-init"
-      tag  = "v1.15.1"
+      repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init"
+      tag  = "v1.16.0"
     }
     aws_network_policy_agent = {
       repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent"
-      tag  = "v1.0.4"
+      tag  = "v1.0.7"
     }
     flannel_cni = {
       repo = "quay.io/coreos/flannel"