From 8e05b289bdc61d211add9859748fa7f8e3a06606 Mon Sep 17 00:00:00 2001
From: Relk Li
Date: Tue, 26 Dec 2023 14:48:52 +0800
Subject: [PATCH] feat: upgrade aws-vpc-cni to v1.16.0 and support network-policy-agent
---
 docs/variables/master.md | 1 +
 network-plugins.tf | 13 +++++-----
 .../amazon-vpc/aws-vpc-cni.yaml.tpl | 26 ++++++++++++-------
 variables.tf | 6 +++++
 variables_defaults.tf | 10 +++---
 5 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/docs/variables/master.md b/docs/variables/master.md
index e05104a..253c298 100644
--- a/docs/variables/master.md
+++ b/docs/variables/master.md
@@ -85,6 +85,7 @@ This document gives an overview of variables used in the Ignition of the Kuberne
 | [enable\_eni\_prefix](#input\_enable\_eni\_prefix) | (Optional) assign prefix to AWS EC2 network interface | `bool` | `true` | no |
 | [enable\_iam\_auth](#input\_enable\_iam\_auth) | Enable AWS IAM authenticator or not. | `bool` | `false` | no |
 | [enable\_irsa](#input\_enable\_irsa) | Enable AWS IAM role service account or not. | `bool` | `false` | no |
+| [enable\_network\_policy](#input\_enable\_network\_policy) | (Optional) enable network policy or not | `bool` | `false` | no |
 | [encryption\_secret](#input\_encryption\_secret) | The secret key for encrypting | `string` | `""` | no |
 | [etcd\_endpoints](#input\_etcd\_endpoints) | The comma separated list of etcd endpoints (e.g., 'http://etcd1:2379,http://etcd2:2379'). | `string` | `""` | no |
 | [external\_snat](#input\_external\_snat) | (Optional) [AWS VPC CNI] Specifies whether an external NAT gateway should be used to provide SNAT of secondary ENI IP addresses. If set to true, the SNAT iptables rule and off-VPC IP rule are not applied, and these rules are removed if they have already been applied. | `bool` | `false` | no |
diff --git a/network-plugins.tf b/network-plugins.tf
index 1d4c371..911a6cc 100644
--- a/network-plugins.tf
+++ b/network-plugins.tf
@@ -12,12 +12,13 @@ data "ignition_file" "aws_vpc_cni_yaml" {
 init_image = "${local.containers["vpc_cni_init"].repo}:${local.containers["vpc_cni_init"].tag}"
 node_agent_image = "${local.containers["aws_network_policy_agent"].repo}:${local.containers["aws_network_policy_agent"].tag}"
 # vpc cni config
- annotate_pod_ip = var.annotate_pod_ip
- cni_version = local.containers["vpc_cni"].tag
- cluster_endpoint = var.internal_endpoint
- enable_eni_prefix = var.enable_eni_prefix
- external_snat = var.external_snat
- log_level = var.log_level["aws_vpc_cni"]
+ annotate_pod_ip = var.annotate_pod_ip
+ cni_version = local.containers["vpc_cni"].tag
+ cluster_endpoint = var.internal_endpoint
+ enable_eni_prefix = var.enable_eni_prefix
+ enable_network_policy = var.enable_network_policy
+ external_snat = var.external_snat
+ log_level = var.log_level["aws_vpc_cni"]
 })
 mime = "text/yaml"
 }
diff --git a/templates/network-plugins/amazon-vpc/aws-vpc-cni.yaml.tpl b/templates/network-plugins/amazon-vpc/aws-vpc-cni.yaml.tpl
index d2cf93a..9880e18 100644
--- a/templates/network-plugins/amazon-vpc/aws-vpc-cni.yaml.tpl
+++ b/templates/network-plugins/amazon-vpc/aws-vpc-cni.yaml.tpl
@@ -1,6 +1,6 @@
-# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.1/config/master/aws-k8s-cni.yaml
+# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.0/config/master/aws-k8s-cni.yaml
 ---
-# Source: crds/customresourcedefinition.yaml
+# Source: aws-vpc-cni/crds/customresourcedefinition.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -267,7 +267,7 @@ metadata:
 app.kubernetes.io/name: aws-node
 app.kubernetes.io/instance: aws-vpc-cni
 k8s-app: aws-node
- app.kubernetes.io/version: "v1.15.1"
+ app.kubernetes.io/version: "v1.16.0"
 ---
 # Source: aws-vpc-cni/templates/configmap.yaml
 apiVersion: v1
@@ -279,10 +279,15 @@ metadata:
 app.kubernetes.io/name: aws-node
 app.kubernetes.io/instance: aws-vpc-cni
 k8s-app: aws-node
- app.kubernetes.io/version: "v1.15.1"
+ app.kubernetes.io/version: "v1.16.0"
 data:
 enable-windows-ipam: "false"
- enable-network-policy-controller: "false" # TODO: Support AWS VPC CNI Network Policy
+ enable-network-policy-controller: "${enable_network_policy}"
+ enable-windows-prefix-delegation: "false"
+ warm-prefix-target: "0"
+ warm-ip-target: "1"
+ minimum-ip-target: "3"
+ branch-eni-cooldown: "60"
 ---
 # Source: aws-vpc-cni/templates/clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -293,7 +298,7 @@ metadata:
 app.kubernetes.io/name: aws-node
 app.kubernetes.io/instance: aws-vpc-cni
 k8s-app: aws-node
- app.kubernetes.io/version: "v1.15.1"
+ app.kubernetes.io/version: "v1.16.0"
 rules:
 - apiGroups:
 - crd.k8s.amazonaws.com
@@ -334,7 +339,7 @@ rules:
 - vpcresources.k8s.aws
 resources:
 - cninodes
- verbs: ["get", "list", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
 ---
 # Source: aws-vpc-cni/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -345,7 +350,7 @@ metadata:
 app.kubernetes.io/name: aws-node
 app.kubernetes.io/instance: aws-vpc-cni
 k8s-app: aws-node
- app.kubernetes.io/version: "v1.15.1"
+ app.kubernetes.io/version: "v1.16.0"
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
@@ -365,7 +370,7 @@ metadata:
 app.kubernetes.io/name: aws-node
 app.kubernetes.io/instance: aws-vpc-cni
 k8s-app: aws-node
- app.kubernetes.io/version: "v1.15.1"
+ app.kubernetes.io/version: "v1.16.0"
 spec:
 updateStrategy:
 rollingUpdate:
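Review bot: Setting `enable-network-policy-controller` to `${enable_network_policy}` in the amazon-vpc-cni ConfigMap only tells the CNI that a policy controller is expected; nothing in this patch deploys one. On EKS that controller runs inside the managed control plane, but on a self-managed, Ignition-built cluster like this one the amazon-network-policy-controller-k8s has to be installed separately, and as far as I know without it NetworkPolicy objects are admitted but never translated into PolicyEndpoints, so the node agent enforces nothing and the cluster looks protected while it is not. I would add a comment above the key so the prerequisite travels with the template, e.g. `# NOTE: outside EKS this requires deploying amazon-network-policy-controller-k8s; without it NetworkPolicy objects are accepted but not enforced`. The remaining added keys match the upstream v1.16.0 manifest and only matter for Windows/prefix IPAM, so they need no change here.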
@@ -517,11 +522,12 @@ spec:
 fieldPath: spec.nodeName
 args:
 - --enable-ipv6=false
- - --enable-network-policy=false # TODO: Support AWS VPC CNI Network Policy
+ - --enable-network-policy=${enable_network_policy}
 - --enable-cloudwatch-logs=false
 - --enable-policy-event-logs=false
 - --metrics-bind-addr=:8162
 - --health-probe-bind-addr=:8163
+ - --conntrack-cache-cleanup-period=300
 resources:
 requests:
 cpu: 25m
diff --git a/variables.tf b/variables.tf
index 172a65f..e7313cf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -86,6 +86,12 @@ variable "external_snat" {
 default = false
 }
 
+variable "enable_network_policy" {
+ description = "(Optional) enable network policy or not"
+ type = bool
+ default = false
+}
+
 variable "max_pods" {
 description = "(Optional) the max pod number in the node when enable eni prefix"
 type = string
diff --git a/variables_defaults.tf b/variables_defaults.tf
index b2588ea..c89f349 100644
--- a/variables_defaults.tf
+++ b/variables_defaults.tf
@@ -21,16 +21,16 @@ locals {
 tag = "1.11.1"
 }
 vpc_cni = {
- repo = "quay.io/amis/amazon-k8s-cni"
- tag = "v1.15.1"
+ repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni"
+ tag = "v1.16.0"
 }
 vpc_cni_init = {
- repo = "quay.io/amis/amazon-k8s-cni-init"
- tag = "v1.15.1"
+ repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init"
+ tag = "v1.16.0"
 }
 aws_network_policy_agent = {
 repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent"
- tag = "v1.0.4"
+ tag = "v1.0.7"
 }
 flannel_cni = {
 repo = "quay.io/coreos/flannel"
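Review bot: Now that `--enable-network-policy=${enable_network_policy}` can turn enforcement on, `--enable-policy-event-logs=false` two lines below stays hard-coded, so operators get no record of which flows the node agent dropped when a policy misfires or when something probes east-west traffic; enforcement without an audit trail is hard to debug and impossible to alert on. The smallest fix is to tie the two together, `- --enable-policy-event-logs=${enable_network_policy}`, or to thread a dedicated template variable through network-plugins.tf if the log volume should stay independently tunable. As I read the upstream agent, this flag only affects the agent's own log file on the node and not `--enable-cloudwatch-logs`, so the cost is local disk rather than CloudWatch spend. The aws-eks-nodeagent container definition that owns these args starts before this hunk.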
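Review bot: The description `(Optional) enable network policy or not` on the new `enable_network_policy` variable does not say what the flag requires or what it actually changes, and that matters because the same value is interpolated into both the node agent's `--enable-network-policy` argument and the `enable-network-policy-controller` ConfigMap key in the vendored manifest. I would expand it along the lines of `description = "(Optional) [AWS VPC CNI] Enable NetworkPolicy enforcement by the aws-network-policy-agent. Requires a network policy controller in the cluster; outside EKS it must be deployed separately or policies are accepted but not enforced."`, matching the `[AWS VPC CNI]` prefix the `external_snat` description already uses (visible in the docs table of this patch). `default = false` is the right conservative default given that the controller prerequisite is not provided by this module.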
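Review bot: Moving the CNI and init images from the quay.io mirror to `602401143452.dkr.ecr.us-west-2.amazonaws.com` changes the pull path in two ways the commit does not call out: the `tag` values `v1.16.0` and `v1.0.7` remain mutable tags, so the images can be repointed upstream without this module noticing, and as far as I know that ECR registry is not anonymous, so the node role needs ECR read permission and the hard-coded us-west-2 endpoint must be reachable from whatever region or partition the cluster runs in. For a component that runs privileged on every node I would pin by digest, which means the `repo:tag` join in network-plugins.tf (outside this hunk) has to accept a `@sha256:…` reference, and I would document the new requirement next to the block, e.g. `# pulled from the AWS-owned ECR repo: nodes need ECR pull permissions and the us-west-2 registry endpoint must be reachable`. The `locals` block starts before this hunk and continues past it.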