Merge pull request #13672 from hakman/calico-3.23.1

Update Calico and Canal to v3.23.1
2022-05-25 19:05:22 -07:00 · 2022-05-25 19:05:22 -07:00 · 4c8523a93f
parent 0ea261cc61 b5f908be0b
commit 4c8523a93f
43 changed files with 2274 additions and 602 deletions
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@ -181,11 +181,13 @@ func (i *integrationTest) withAddons(addons ...string) *integrationTest {
 }
 const (
 	dnsControllerAddon  = "dns-controller.addons.k8s.io-k8s-1.12"
 	awsCCMAddon         = "aws-cloud-controller.addons.k8s.io-k8s-1.18"
 	awsEBSCSIAddon      = "aws-ebs-csi-driver.addons.k8s.io-k8s-1.17"
-	leaderElectionAddon = "leader-migration.rbac.addons.k8s.io-k8s-1.23"
+	calicoAddon         = "networking.projectcalico.org-k8s-1.23"
 	certManagerAddon    = "certmanager.io-k8s-1.16"
 	ciliumAddon         = "networking.cilium.io-k8s-1.16"
 	dnsControllerAddon  = "dns-controller.addons.k8s.io-k8s-1.12"
 	leaderElectionAddon = "leader-migration.rbac.addons.k8s.io-k8s-1.23"
 )
 // TestMinimal runs the test on a minimum configuration, similar to kops create cluster minimal.example.com --zones us-west-1a
@ -325,7 +327,7 @@ func TestMinimalIPv6Private(t *testing.T) {
 // TestMinimalIPv6Calico runs the test on a minimum IPv6 configuration with Calico
 func TestMinimalIPv6Calico(t *testing.T) {
 	newIntegrationTest("minimal-ipv6.example.com", "minimal-ipv6-calico").
-		withAddons(awsCCMAddon, awsEBSCSIAddon, calicoAddon, dnsControllerAddon).
+		withAddons(calicoAddon, awsCCMAddon, awsEBSCSIAddon, dnsControllerAddon, leaderElectionAddon).
 		runTestTerraformAWS(t)
 	newIntegrationTest("minimal-ipv6.example.com", "minimal-ipv6-calico").runTestCloudformation(t)
 }
@ -405,21 +407,17 @@ func TestPrivateFlannel(t *testing.T) {
 		runTestTerraformAWS(t)
 }
 const calicoAddon = "networking.projectcalico.org-k8s-1.16"
 // TestPrivateCalico runs the test on a configuration with private topology, calico networking
 func TestPrivateCalico(t *testing.T) {
 	newIntegrationTest("privatecalico.example.com", "privatecalico").
 		withPrivate().
-		withAddons(calicoAddon, dnsControllerAddon).
+		withAddons(calicoAddon, awsCCMAddon, awsEBSCSIAddon, dnsControllerAddon, leaderElectionAddon).
 		runTestTerraformAWS(t)
 	newIntegrationTest("privatecalico.example.com", "privatecalico").
 		withPrivate().
 		runTestCloudformation(t)
 }
 const ciliumAddon = "networking.cilium.io-k8s-1.16"
 func TestPrivateCilium(t *testing.T) {
 	newIntegrationTest("privatecilium.example.com", "privatecilium").
 		withPrivate().
--- a/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json
@ -33,26 +33,21 @@
            "Value": "master-us-test-1a.masters.minimal-ipv6.example.com",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup",
            "Value": "master-us-test-1a",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki",
            "Value": "",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
            "Value": "master",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane",
            "Value": "",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master",
            "Value": "",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers",
            "Value": "",
@ -111,8 +106,8 @@
            ]
          }
        },
-        "MaxSize": "2",
+        "MaxSize": "1",
-        "MinSize": "2",
+        "MinSize": "1",
        "VPCZoneIdentifier": [
          {
            "Ref": "AWSEC2Subnetustest1aminimalipv6examplecom"
@ -130,8 +125,8 @@
            "PropagateAtLaunch": true
          },
          {
-            "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
+            "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup",
-            "Value": "node",
+            "Value": "nodes",
            "PropagateAtLaunch": true
          },
          {
@ -250,10 +245,6 @@
                "DeleteOnTermination": true,
                "Encrypted": true
              }
            },
            {
              "DeviceName": "/dev/sdc",
              "VirtualName": "ephemeral0"
            }
          ],
          "IamInstanceProfile": {
@ -262,11 +253,11 @@
            }
          },
          "ImageId": "ami-12345678",
-          "InstanceType": "m3.medium",
+          "InstanceType": "t3.medium",
          "KeyName": "kubernetes.minimal-ipv6.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57",
          "MetadataOptions": {
            "HttpPutResponseHopLimit": 1,
-            "HttpTokens": "optional"
+            "HttpTokens": "required"
          },
          "Monitoring": {
            "Enabled": false
@ -296,22 +287,18 @@
                  "Key": "Name",
                  "Value": "master-us-test-1a.masters.minimal-ipv6.example.com"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup",
                  "Value": "master-us-test-1a"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "master"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers",
                  "Value": ""
@ -341,22 +328,18 @@
                  "Key": "Name",
                  "Value": "master-us-test-1a.masters.minimal-ipv6.example.com"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup",
                  "Value": "master-us-test-1a"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "master"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers",
                  "Value": ""
@ -404,11 +387,11 @@
            }
          },
          "ImageId": "ami-12345678",
-          "InstanceType": "t2.medium",
+          "InstanceType": "t3.medium",
          "KeyName": "kubernetes.minimal-ipv6.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57",
          "MetadataOptions": {
-            "HttpPutResponseHopLimit": 1,
+            "HttpPutResponseHopLimit": 3,
-            "HttpTokens": "optional"
+            "HttpTokens": "required"
          },
          "Monitoring": {
            "Enabled": false
@ -439,8 +422,8 @@
                  "Value": "nodes.minimal-ipv6.example.com"
                },
                {
-                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
+                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup",
-                  "Value": "node"
+                  "Value": "nodes"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
@ -472,8 +455,8 @@
                  "Value": "nodes.minimal-ipv6.example.com"
                },
                {
-                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
+                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup",
-                  "Value": "node"
+                  "Value": "nodes"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
@ -1423,13 +1406,6 @@
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "ec2:AssignIpv6Addresses",
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
@ -1443,20 +1419,20 @@
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVpcs",
                "ec2:DetachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
-                "ec2:ModifyVolume",
+                "ecr:BatchCheckLayerAvailability",
-                "elasticloadbalancing:AddTags",
+                "ecr:BatchGetImage",
-                "elasticloadbalancing:CreateListener",
+                "ecr:DescribeRepositories",
-                "elasticloadbalancing:CreateTargetGroup",
+                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterTargets",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "kms:DescribeKey",
@ -1576,6 +1552,13 @@
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "kms:GenerateRandom"
--- a/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json.extracted.yaml
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/cloudformation.json.extracted.yaml
@ -135,15 +135,15 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert
  containerRuntime: containerd
  containerd:
    logLevel: info
-    version: 1.4.12
+    version: 1.6.4
  docker:
    skipInstall: true
  encryptionConfig: null
  etcdClusters:
    events:
-      version: 3.4.13
+      version: 3.5.4
    main:
-      version: 3.4.13
+      version: 3.5.4
  kubeAPIServer:
    allowPrivileged: true
    anonymousAuth: false
@ -170,7 +170,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-apiserver:v1.21.0
+    image: registry.k8s.io/kube-apiserver:v1.24.0
    kubeletPreferredAddressTypes:
    - InternalIP
    - Hostname
@ -201,20 +201,20 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-controller-manager:v1.21.0
+    image: registry.k8s.io/kube-controller-manager:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
    useServiceAccountCredentials: true
  kubeProxy:
    cpuRequest: 100m
-    image: registry.k8s.io/kube-proxy:v1.21.0
+    image: registry.k8s.io/kube-proxy:v1.24.0
    logLevel: 2
  kubeScheduler:
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-scheduler:v1.21.0
+    image: registry.k8s.io/kube-scheduler:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -232,9 +232,9 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
  masterKubelet:
@ -251,9 +251,9 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    registerSchedulable: false
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
@ -265,7 +265,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersminimalipv6examplecom.Propert
  ConfigBase: memfs://clusters.example.com/minimal-ipv6.example.com
  InstanceGroupName: master-us-test-1a
  InstanceGroupRole: Master
-  NodeupConfigHash: MK0ADjiimAJft3zga357N1BVO5pDNmYLFsWDE8ejK2Q=
+  NodeupConfigHash: MBtPdYem3jr0OrwuTXnCWCDdA1tVBlNyFRg7sn26fds=
  __EOF_KUBE_ENV
@ -408,12 +408,12 @@ Resources.AWSEC2LaunchTemplatenodesminimalipv6examplecom.Properties.LaunchTempla
  containerRuntime: containerd
  containerd:
    logLevel: info
-    version: 1.4.12
+    version: 1.6.4
  docker:
    skipInstall: true
  kubeProxy:
    cpuRequest: 100m
-    image: registry.k8s.io/kube-proxy:v1.21.0
+    image: registry.k8s.io/kube-proxy:v1.24.0
    logLevel: 2
  kubelet:
    anonymousAuth: false
@ -429,9 +429,9 @@ Resources.AWSEC2LaunchTemplatenodesminimalipv6examplecom.Properties.LaunchTempla
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
@ -442,7 +442,7 @@ Resources.AWSEC2LaunchTemplatenodesminimalipv6examplecom.Properties.LaunchTempla
  ConfigBase: memfs://clusters.example.com/minimal-ipv6.example.com
  InstanceGroupName: nodes
  InstanceGroupRole: Node
-  NodeupConfigHash: jycf2UcZw5xd4lE+V/y/LowQ7qd9dg7399iHXUaYxF0=
+  NodeupConfigHash: bj/aCfw/GsuQbjywSyLjG0xl9bAo8+ZXkgr+63Q5l9s=
  __EOF_KUBE_ENV
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_masters.minimal-ipv6.example.com_policy
@ -170,13 +170,6 @@
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeTags",
        "ec2:AssignIpv6Addresses",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteRoute",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
@ -190,20 +183,20 @@
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVpcs",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
-        "ec2:ModifyVolume",
+        "ecr:BatchCheckLayerAvailability",
-        "elasticloadbalancing:AddTags",
+        "ecr:BatchGetImage",
-        "elasticloadbalancing:CreateListener",
+        "ecr:DescribeRepositories",
-        "elasticloadbalancing:CreateTargetGroup",
+        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "kms:DescribeKey",
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_iam_role_policy_nodes.minimal-ipv6.example.com_policy
@ -32,6 +32,13 @@
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "kms:GenerateRandom"
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_master-us-test-1a.masters.minimal-ipv6.example.com_user_data
@ -134,15 +134,15 @@ cloudConfig:
 containerRuntime: containerd
 containerd:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 docker:
  skipInstall: true
 encryptionConfig: null
 etcdClusters:
  events:
-    version: 3.4.13
+    version: 3.5.4
  main:
-    version: 3.4.13
+    version: 3.5.4
 kubeAPIServer:
  allowPrivileged: true
  anonymousAuth: false
@ -169,7 +169,7 @@ kubeAPIServer:
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
-  image: registry.k8s.io/kube-apiserver:v1.21.0
+  image: registry.k8s.io/kube-apiserver:v1.24.0
  kubeletPreferredAddressTypes:
  - InternalIP
  - Hostname
@ -200,20 +200,20 @@ kubeControllerManager:
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
-  image: registry.k8s.io/kube-controller-manager:v1.21.0
+  image: registry.k8s.io/kube-controller-manager:v1.24.0
  leaderElection:
    leaderElect: true
  logLevel: 2
  useServiceAccountCredentials: true
 kubeProxy:
  cpuRequest: 100m
-  image: registry.k8s.io/kube-proxy:v1.21.0
+  image: registry.k8s.io/kube-proxy:v1.24.0
  logLevel: 2
 kubeScheduler:
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
-  image: registry.k8s.io/kube-scheduler:v1.21.0
+  image: registry.k8s.io/kube-scheduler:v1.24.0
  leaderElection:
    leaderElect: true
  logLevel: 2
@ -231,9 +231,9 @@ kubelet:
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
 masterKubelet:
@ -250,9 +250,9 @@ masterKubelet:
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  registerSchedulable: false
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
@ -264,7 +264,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/minimal-ipv6.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: MK0ADjiimAJft3zga357N1BVO5pDNmYLFsWDE8ejK2Q=
+NodeupConfigHash: MBtPdYem3jr0OrwuTXnCWCDdA1tVBlNyFRg7sn26fds=
 __EOF_KUBE_ENV
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_launch_template_nodes.minimal-ipv6.example.com_user_data
@ -134,12 +134,12 @@ cloudConfig:
 containerRuntime: containerd
 containerd:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 docker:
  skipInstall: true
 kubeProxy:
  cpuRequest: 100m
-  image: registry.k8s.io/kube-proxy:v1.21.0
+  image: registry.k8s.io/kube-proxy:v1.24.0
  logLevel: 2
 kubelet:
  anonymousAuth: false
@ -155,9 +155,9 @@ kubelet:
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
@ -168,7 +168,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/minimal-ipv6.example.com
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: jycf2UcZw5xd4lE+V/y/LowQ7qd9dg7399iHXUaYxF0=
+NodeupConfigHash: bj/aCfw/GsuQbjywSyLjG0xl9bAo8+ZXkgr+63Q5l9s=
 __EOF_KUBE_ENV
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_cluster-completed.spec_content
@ -24,7 +24,8 @@ spec:
    clusterCIDR: ::/0
    clusterName: minimal-ipv6.example.com
    configureCloudRoutes: false
-    image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.21.0-alpha.0
+    enableLeaderMigration: true
    image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.24.0
    leaderElection:
      leaderElect: true
  cloudProvider: aws
@ -34,7 +35,7 @@ spec:
  containerRuntime: containerd
  containerd:
    logLevel: info
-    version: 1.4.12
+    version: 1.6.4
  dnsZone: Z1AFAKE1ZON3YO
  docker:
    skipInstall: true
@ -45,17 +46,18 @@ spec:
    - instanceGroup: master-us-test-1a
      name: us-test-1a
    name: main
-    version: 3.4.13
+    version: 3.5.4
  - backups:
      backupStore: memfs://clusters.example.com/minimal-ipv6.example.com/backups/etcd/events
    etcdMembers:
    - instanceGroup: master-us-test-1a
      name: us-test-1a
    name: events
-    version: 3.4.13
+    version: 3.5.4
  externalDns:
    provider: dns-controller
  iam:
    allowContainerRegistry: true
    legacy: false
  keyStore: memfs://clusters.example.com/minimal-ipv6.example.com/pki
  kubeAPIServer:
@ -84,7 +86,7 @@ spec:
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-apiserver:v1.21.0
+    image: registry.k8s.io/kube-apiserver:v1.24.0
    kubeletPreferredAddressTypes:
    - InternalIP
    - Hostname
@ -115,7 +117,7 @@ spec:
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-controller-manager:v1.21.0
+    image: registry.k8s.io/kube-controller-manager:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -138,13 +140,13 @@ spec:
    - fd00:ec2::253
  kubeProxy:
    cpuRequest: 100m
-    image: registry.k8s.io/kube-proxy:v1.21.0
+    image: registry.k8s.io/kube-proxy:v1.24.0
    logLevel: 2
  kubeScheduler:
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-scheduler:v1.21.0
+    image: registry.k8s.io/kube-scheduler:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -162,15 +164,15 @@ spec:
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
  kubernetesApiAccess:
  - 0.0.0.0/0
  - ::/0
-  kubernetesVersion: 1.21.0
+  kubernetesVersion: 1.24.0
  masterInternalName: api.internal.minimal-ipv6.example.com
  masterKubelet:
    anonymousAuth: false
@ -186,9 +188,9 @@ spec:
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    registerSchedulable: false
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_etcd-cluster-spec-events_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_etcd-cluster-spec-events_content
@ -1,4 +1,4 @@
 {
  "memberCount": 1,
-  "etcdVersion": "3.4.13"
+  "etcdVersion": "3.5.4"
 }
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_etcd-cluster-spec-main_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_etcd-cluster-spec-main_content
@ -1,4 +1,4 @@
 {
  "memberCount": 1,
-  "etcdVersion": "3.4.13"
+  "etcdVersion": "3.5.4"
 }
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content
@ -36,6 +36,7 @@ spec:
        - --cluster-cidr=::/0
        - --cluster-name=minimal-ipv6.example.com
        - --configure-cloud-routes=false
        - --enable-leader-migration=true
        - --leader-elect=true
        - --v=2
        - --cloud-provider=aws
@ -44,7 +45,7 @@ spec:
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: 127.0.0.1
-        image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.21.0-alpha.0
+        image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.24.0
        imagePullPolicy: IfNotPresent
        name: aws-cloud-controller-manager
        resources:
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-bootstrap_content
@ -6,7 +6,7 @@ spec:
  addons:
  - id: k8s-1.16
    manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml
-    manifestHash: 5b7e53ee665b7e270177015b871983a7007453b46ea1f2a2f22065599f84acc8
+    manifestHash: e821fd386a318a8c09073db77ec873aa0d886b3d696ecdd0457098c6df415749
    name: kops-controller.addons.k8s.io
    needsRollingUpdate: control-plane
    selector:
@ -32,6 +32,13 @@ spec:
    selector:
      k8s-addon: kubelet-api.rbac.addons.k8s.io
    version: 9.99.0
  - id: k8s-1.23
    manifest: leader-migration.rbac.addons.k8s.io/k8s-1.23.yaml
    manifestHash: b9c91e09c0f28c9b74ff140b8395d611834c627d698846d625c10975a74a48c4
    name: leader-migration.rbac.addons.k8s.io
    selector:
      k8s-addon: leader-migration.rbac.addons.k8s.io
    version: 9.99.0
  - manifest: limit-range.addons.k8s.io/v1.5.0.yaml
    manifestHash: 2d55c3bc5e354e84a3730a65b42f39aba630a59dc8d32b30859fcce3d3178bc2
    name: limit-range.addons.k8s.io
@ -52,16 +59,16 @@ spec:
    selector:
      k8s-addon: storage-aws.addons.k8s.io
    version: 9.99.0
-  - id: k8s-1.16
+  - id: k8s-1.23
-    manifest: networking.projectcalico.org/k8s-1.16.yaml
+    manifest: networking.projectcalico.org/k8s-1.23.yaml
-    manifestHash: d58f4bf07be4093602410eeffd47a37125a74dfb2afd654a6d154c5017010e7a
+    manifestHash: 5c8d7e98d34e92f128508c2d00efed7e866251aec643309cbbdf0f9934a95f82
    name: networking.projectcalico.org
    selector:
      role.kubernetes.io/networking: "1"
    version: 9.99.0
  - id: k8s-1.18
    manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml
-    manifestHash: b81b968335bd806a35ab6a455a7a682cb03b6723fcf0a0061b1206661d1163ba
+    manifestHash: f0de0a1dc002589f04dfd37c587f2ab60c37389ad8377cc4bd00ccfa178a00a6
    name: aws-cloud-controller.addons.k8s.io
    selector:
      k8s-addon: aws-cloud-controller.addons.k8s.io
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content
@ -1,7 +1,7 @@
 apiVersion: v1
 data:
  config.yaml: |
-    {"cloud":"aws","configBase":"memfs://clusters.example.com/minimal-ipv6.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.minimal-ipv6.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]},"enableCloudIPAM":true}
+    {"cloud":"aws","configBase":"memfs://clusters.example.com/minimal-ipv6.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.minimal-ipv6.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"],"useInstanceIDForNodeName":true},"enableCloudIPAM":true}
 kind: ConfigMap
 metadata:
  creationTimestamp: null
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-leader-migration.rbac.addons.k8s.io-k8s-1.23_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-leader-migration.rbac.addons.k8s.io-k8s-1.23_content
@ -0,0 +1,52 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: leader-migration.rbac.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: leader-migration.rbac.addons.k8s.io
  name: system::leader-locking-migration
  namespace: kube-system
 rules:
 - apiGroups:
  - coordination.k8s.io
  resourceNames:
  - cloud-provider-extraction-migration
  resources:
  - leases
  verbs:
  - create
  - list
  - get
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: leader-migration.rbac.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: leader-migration.rbac.addons.k8s.io
  name: system::leader-locking-migration
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system::leader-locking-migration
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-controller-manager
 - kind: ServiceAccount
  name: kube-controller-manager
  namespace: kube-system
 - kind: ServiceAccount
  name: aws-cloud-controller-manager
  namespace: kube-system
 - kind: ServiceAccount
  name: cloud-controller-manager
  namespace: kube-system
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.23_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.23_content
@ -17,7 +17,7 @@ data:
              "assign_ipv4": "false",
              "assign_ipv6": "true",
              "type": "host-local",
-              "ranges": [[{ "subnet": "usePodCidr" }]]
+              "ranges": [[{ "subnet": "usePodCidrIPv6" }]]
          },
          "policy": {
              "type": "k8s"
@ -94,6 +94,12 @@ spec:
                  64512]'
                format: int32
                type: integer
              bindMode:
                description: BindMode indicates whether to listen for BGP connections
                  on all addresses (None) or only on the node's canonical IP address
                  Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
                  for BGP connections on all addresses.
                type: string
              communities:
                description: Communities is a list of BGP community values and their
                  arbitrary names for tagging routes.
@ -124,6 +130,37 @@ spec:
                description: 'LogSeverityScreen is the log severity above which logs
                  are sent to the stdout. [Default: INFO]'
                type: string
              nodeMeshMaxRestartTime:
                description: Time to allow for software restart for node-to-mesh peerings.  When
                  specified, this is configured as the graceful restart timeout.  When
                  not specified, the BIRD default of 120s is used. This field can
                  only be set on the default BGPConfiguration instance and requires
                  that NodeMesh is enabled
                type: string
              nodeMeshPassword:
                description: Optional BGP password for full node-to-mesh peerings.
                  This field can only be set on the default BGPConfiguration instance
                  and requires that NodeMesh is enabled
                properties:
                  secretKeyRef:
                    description: Selects a key of a secret in the node pod's namespace.
                    properties:
                      key:
                        description: The key of the secret to select from.  Must be
                          a valid secret key.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                          TODO: Add other useful fields. apiVersion, kind, uid?'
                        type: string
                      optional:
                        description: Specify whether the Secret or its key must be
                          defined
                        type: boolean
                    required:
                    - key
                    type: object
                type: object
              nodeToNodeMeshEnabled:
                description: 'NodeToNodeMeshEnabled sets whether full node to node
                  BGP mesh is enabled. [Default: true]'
@ -261,6 +298,12 @@ spec:
                description: Selector for the nodes that should have this peering.  When
                  this is set, the Node field must be empty.
                type: string
              numAllowedLocalASNumbers:
                description: Maximum number of local AS numbers that are allowed in
                  the AS path for received routes. This removes BGP loop prevention
                  and should only be used if absolutely necesssary.
                format: int32
                type: integer
              password:
                description: Optional BGP password for the peerings generated by this
                  BGPPeer resource.
@ -808,6 +851,11 @@ spec:
                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
                  [Default: false]'
                type: boolean
              bpfEnforceRPF:
                description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
                  BPF programs regardless of what is the per-interfaces or global
                  setting. Possible values are Disabled or Strict. [Default: Strict]'
                type: string
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
                  mark that is set on connections from an external client to a local
@ -847,6 +895,51 @@ spec:
                  logs are emitted to the BPF trace pipe, accessible with the command
                  `tc exec bpf debug`. [Default: Off].'
                type: string
              bpfMapSizeConntrack:
                description: 'BPFMapSizeConntrack sets the size for the conntrack
                  map.  This map must be large enough to hold an entry for each active
                  connection.  Warning: changing the size of the conntrack map can
                  cause disruption.'
                type: integer
              bpfMapSizeIPSets:
                description: BPFMapSizeIPSets sets the size for ipsets map.  The IP
                  sets map must be large enough to hold an entry for each endpoint
                  matched by every selector in the source/destination matches in network
                  policy.  Selectors such as "all()" can result in large numbers of
                  entries (one entry per endpoint in that case).
                type: integer
              bpfMapSizeNATAffinity:
                type: integer
              bpfMapSizeNATBackend:
                description: BPFMapSizeNATBackend sets the size for nat back end map.
                  This is the total number of endpoints. This is mostly more than
                  the size of the number of services.
                type: integer
              bpfMapSizeNATFrontend:
                description: BPFMapSizeNATFrontend sets the size for nat front end
                  map. FrontendMap should be large enough to hold an entry for each
                  nodeport, external IP and each port in each service.
                type: integer
              bpfMapSizeRoute:
                description: BPFMapSizeRoute sets the size for the routes map.  The
                  routes map should be large enough to hold one entry per workload
                  and a handful of entries per host (enough to cover its own IPs and
                  tunnel IPs).
                type: integer
              bpfPSNATPorts:
                anyOf:
                - type: integer
                - type: string
                description: 'BPFPSNATPorts sets the range from which we randomly
                  pick a port if there is a source port collision. This should be
                  within the ephemeral range as defined by RFC 6056 (1024–65535) and
                  preferably outside the  ephemeral ranges used by common operating
                  systems. Linux uses 32768–60999, while others mostly use the IANA
                  defined range 49152–65535. It is not necessarily a problem if this
                  range overlaps with the operating systems. Both ends of the range
                  are inclusive. [Default: 20000:29999]'
                pattern: ^.*
                x-kubernetes-int-or-string: true
              chainInsertMode:
                description: 'ChainInsertMode controls whether Felix hooks the kernel''s
                  top-level iptables chains by inserting a rule at the top of the
@ -857,6 +950,15 @@ spec:
                  Calico policy will be bypassed. [Default: insert]'
                type: string
              dataplaneDriver:
                description: DataplaneDriver filename of the external dataplane driver
                  to use.  Only used if UseInternalDataplaneDriver is set to false.
                type: string
              dataplaneWatchdogTimeout:
                description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
                  used for Felix''s (internal) dataplane driver. Increase this value
                  if you experience spurious non-ready or non-live events when Felix
                  is under heavy load. Decrease the value to get felix to report non-live
                  or non-ready more quickly. [Default: 90s]'
                type: string
              debugDisableLogDropping:
                type: boolean
@ -885,9 +987,14 @@ spec:
                  routes, by default this will be RTPROT_BOOT when left blank.
                type: integer
              deviceRouteSourceAddress:
-                description: This is the source address to use on programmed device
+                description: This is the IPv4 source address to use on programmed
-                  routes. By default the source address is left blank, leaving the
+                  device routes. By default the source address is left blank, leaving
-                  kernel to choose the source address used.
+                  the kernel to choose the source address used.
                type: string
              deviceRouteSourceAddressIPv6:
                description: This is the IPv6 source address to use on programmed
                  device routes. By default the source address is left blank, leaving
                  the kernel to choose the source address used.
                type: string
              disableConntrackInvalidCheck:
                type: boolean
@ -961,6 +1068,14 @@ spec:
                  "true" or "false" will force the feature, empty or omitted values
                  are auto-detected.
                type: string
              floatingIPs:
                default: Disabled
                description: FloatingIPs configures whether or not Felix will program
                  floating IP addresses.
                enum:
                - Enabled
                - Disabled
                type: string
              genericXDPEnabled:
                description: 'GenericXDPEnabled enables Generic XDP so network cards
                  that don''t support XDP offload or driver modes can use XDP. This
@ -998,6 +1113,9 @@ spec:
                  disabled by setting the interval to 0.
                type: string
              ipipEnabled:
                description: 'IPIPEnabled overrides whether Felix should configure
                  an IPIP interface on the host. Optional as Felix determines this
                  based on the existing IP pools. [Default: nil (unset)]'
                type: boolean
              ipipMTU:
                description: 'IPIPMTU is the MTU to set on the tunnel device. See
@ -1064,6 +1182,8 @@ spec:
                  usage. [Default: 10s]'
                type: string
              ipv6Support:
                description: IPv6Support controls whether Felix enables support for
                  IPv6 (if supported by the in-use dataplane).
                type: boolean
              kubeNodePortRanges:
                description: 'KubeNodePortRanges holds list of port ranges used for
@ -1077,6 +1197,12 @@ spec:
                  pattern: ^.*
                  x-kubernetes-int-or-string: true
                type: array
              logDebugFilenameRegex:
                description: LogDebugFilenameRegex controls which source code files
                  have their Debug log output included in the logs. Only logs from
                  files with names that match the given regular expression are included.  The
                  filter only applies to Debug level logs.
                type: string
              logFilePath:
                description: 'LogFilePath is the full path to the Felix log. Set to
                  none to disable file logging. [Default: /var/log/calico/felix.log]'
@ -1206,9 +1332,9 @@ spec:
                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                type: string
              routeTableRange:
-                description: Calico programs additional Linux route tables for various
+                description: Deprecated in favor of RouteTableRanges. Calico programs
-                  purposes.  RouteTableRange specifies the indices of the route tables
+                  additional Linux route tables for various purposes. RouteTableRange
-                  that Calico should use.
+                  specifies the indices of the route tables that Calico should use.
                properties:
                  max:
                    type: integer
@ -1218,6 +1344,21 @@ spec:
                - max
                - min
                type: object
              routeTableRanges:
                description: Calico programs additional Linux route tables for various
                  purposes. RouteTableRanges specifies a set of table index ranges
                  that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
                items:
                  properties:
                    max:
                      type: integer
                    min:
                      type: integer
                  required:
                  - max
                  - min
                  type: object
                type: array
              serviceLoopPrevention:
                description: 'When service IP advertisement is enabled, prevent routing
                  loops to service IPs that are not in use, by dropping or rejecting
@ -1245,12 +1386,22 @@ spec:
                  Felix makes reports. [Default: 86400s]'
                type: string
              useInternalDataplaneDriver:
                description: UseInternalDataplaneDriver, if true, Felix will use its
                  internal dataplane programming logic.  If false, it will launch
                  an external dataplane driver and communicate with it over protobuf.
                type: boolean
              vxlanEnabled:
                description: 'VXLANEnabled overrides whether Felix should create the
                  VXLAN tunnel device for VXLAN networking. Optional as Felix determines
                  this based on the existing IP pools. [Default: nil (unset)]'
                type: boolean
              vxlanMTU:
-                description: 'VXLANMTU is the MTU to set on the tunnel device. See
+                description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
-                  Configuring MTU [Default: 1440]'
+                  device. See Configuring MTU [Default: 1410]'
                type: integer
              vxlanMTUV6:
                description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
                  device. See Configuring MTU [Default: 1390]'
                type: integer
              vxlanPort:
                type: integer
@ -1268,6 +1419,10 @@ spec:
                description: 'WireguardInterfaceName specifies the name to use for
                  the Wireguard interface. [Default: wg.calico]'
                type: string
              wireguardKeepAlive:
                description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
                  option. Set 0 to disable. [Default: 0]'
                type: string
              wireguardListeningPort:
                description: 'WireguardListeningPort controls the listening port used
                  by Wireguard. [Default: 51820]'
@ -1280,6 +1435,12 @@ spec:
                description: 'WireguardRoutingRulePriority controls the priority value
                  to use for the Wireguard routing rule. [Default: 99]'
                type: integer
              workloadSourceSpoofing:
                description: WorkloadSourceSpoofing controls whether pods can use
                  the allowedSourcePrefixes annotation to send traffic with a source
                  IP address that is not theirs. This is disabled by default. When
                  set to "Any", pods can request any prefix.
                type: string
              xdpEnabled:
                description: 'XDPEnabled enables XDP acceleration for suitable untracked
                  incoming deny rules. [Default: true]'
@ -2376,13 +2537,25 @@ spec:
              resource.
            properties:
              affinity:
                description: Affinity of the block, if this block has one. If set,
                  it will be of the form "host:<hostname>". If not set, this block
                  is not affine to a host.
                type: string
              allocations:
                description: Array of allocations in-use within this block. nil entries
                  mean the allocation is free. For non-nil entries at index i, the
                  index is the ordinal of the allocation within this block and the
                  value is the index of the associated attributes in the Attributes
                  array.
                items:
                  nullable: true
                  type: integer
                type: array
              attributes:
                description: Attributes is an array of arbitrary metadata associated
                  with allocations in the block. To find attributes for a given allocation,
                  use the value of the allocation's entry in the Allocations array
                  as the index of the element in this array.
                items:
                  properties:
                    handle_id:
@ -2394,12 +2567,38 @@ spec:
                  type: object
                type: array
              cidr:
                description: The block's CIDR.
                type: string
              deleted:
                description: Deleted is an internal boolean used to workaround a limitation
                  in the Kubernetes API whereby deletion will not return a conflict
                  error if the block has been updated. It should not be set manually.
                type: boolean
              sequenceNumber:
                default: 0
                description: We store a sequence number that is updated each time
                  the block is written. Each allocation will also store the sequence
                  number of the block at the time of its creation. When releasing
                  an IP, passing the sequence number associated with the allocation
                  allows us to protect against a race condition and ensure the IP
                  hasn't been released and re-allocated since the release request.
                format: int64
                type: integer
              sequenceNumberForAllocation:
                additionalProperties:
                  format: int64
                  type: integer
                description: Map of allocated ordinal within the block to sequence
                  number of the block at the time of allocation. Kubernetes does not
                  allow numerical keys for maps, so the key is cast to a string.
                type: object
              strictAffinity:
                description: StrictAffinity on the IPAMBlock is deprecated and no
                  longer used by the code. Use IPAMConfig StrictAffinity instead.
                type: boolean
              unallocated:
                description: Unallocated is an ordered list of allocations which are
                  free in the block.
                items:
                  type: integer
                type: array
@ -2591,13 +2790,13 @@ spec:
                type: array
              blockSize:
                description: The block size to use for IP address assignments from
-                  this pool. Defaults to 26 for IPv4 and 112 for IPv6.
+                  this pool. Defaults to 26 for IPv4 and 122 for IPv6.
                type: integer
              cidr:
                description: The pool CIDR.
                type: string
              disableBGPExport:
-                description: 'Disable exporting routes from this IP Pool’s CIDR over
+                description: 'Disable exporting routes from this IP Pool''s CIDR over
                  BGP. [Default: false]'
                type: boolean
              disabled:
@ -2664,6 +2863,8 @@ status:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: networking.projectcalico.org
@ -2824,6 +3025,11 @@ spec:
                        type: string
                    type: object
                type: object
              debugProfilePort:
                description: DebugProfilePort configures the port to serve memory
                  and cpu profiles on. If not specified, profiling is disabled.
                format: int32
                type: integer
              etcdV3CompactionPeriod:
                description: 'EtcdV3CompactionPeriod is the period between etcdv3
                  compaction requests. Set to 0 to disable. [Default: 10m]'
@ -2934,6 +3140,11 @@ spec:
                            type: string
                        type: object
                    type: object
                  debugProfilePort:
                    description: DebugProfilePort configures the port to serve memory
                      and cpu profiles on. If not specified, profiling is disabled.
                    format: int32
                    type: integer
                  etcdV3CompactionPeriod:
                    description: 'EtcdV3CompactionPeriod is the period between etcdv3
                      compaction requests. Set to 0 to disable. [Default: 10m]'
@ -3895,7 +4106,6 @@ rules:
 - apiGroups:
  - crd.projectcalico.org
  resources:
  - ippools
  - ipreservations
  verbs:
  - list
@ -3912,6 +4122,13 @@ rules:
  - update
  - delete
  - watch
 - apiGroups:
  - crd.projectcalico.org
  resources:
  - ippools
  verbs:
  - list
  - watch
 - apiGroups:
  - crd.projectcalico.org
  resources:
@ -3928,8 +4145,10 @@ rules:
  - clusterinformations
  verbs:
  - get
  - list
  - create
  - update
  - watch
 - apiGroups:
  - crd.projectcalico.org
  resources:
@ -4248,7 +4467,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/node:v3.21.5
+        image: docker.io/calico/node:v3.23.1
        lifecycle:
          preStop:
            exec:
@ -4320,7 +4539,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/cni:v3.21.5
+        image: docker.io/calico/cni:v3.23.1
        name: upgrade-ipam
        securityContext:
          privileged: true
@ -4354,7 +4573,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/cni:v3.21.5
+        image: docker.io/calico/cni:v3.23.1
        name: install-cni
        securityContext:
          privileged: true
@ -4363,13 +4582,6 @@ spec:
          name: cni-bin-dir
        - mountPath: /host/etc/cni/net.d
          name: cni-net-dir
      - image: docker.io/calico/pod2daemon-flexvol:v3.21.5
        name: flexvol-driver
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host/driver
          name: flexvol-driver-host
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
@ -4416,10 +4628,6 @@ spec:
          path: /var/run/nodeagent
          type: DirectoryOrCreate
        name: policysync
      - hostPath:
          path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
          type: DirectoryOrCreate
        name: flexvol-driver-host
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
@ -4473,7 +4681,7 @@ spec:
          value: node
        - name: DATASTORE_TYPE
          value: kubernetes
-        image: docker.io/calico/kube-controllers:v3.21.5
+        image: docker.io/calico/kube-controllers:v3.23.1
        livenessProbe:
          exec:
            command:
@ -4517,7 +4725,7 @@ metadata:
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  creationTimestamp: null
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
@ -25,7 +25,7 @@ APIServerConfig:
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
-    image: registry.k8s.io/kube-apiserver:v1.21.0
+    image: registry.k8s.io/kube-apiserver:v1.24.0
    kubeletPreferredAddressTypes:
    - InternalIP
    - Hostname
@ -55,17 +55,19 @@ APIServerConfig:
    -----END RSA PUBLIC KEY-----
 Assets:
  amd64:
-  - 681c81b7934ae2bf38b9f12d891683972d1fbbf6d7d97e50940a47b139d41b35@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubelet
+  - 3d98ac8b4fb8dc99f9952226f2565951cc366c442656a889facc5b1b2ec2ba52@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubelet
-  - 9f74f2fa7ee32ad07e17211725992248470310ca1988214518806b39b1dad9f0@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl
+  - 94d686bb6772f6fb59e3a32beff908ab406b79acdfb2427abdc4ac3ce1bb98d7@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubectl
-  - 977824932d5667c7a37aa6a3cbba40100a6873e7bd97e83e8be837e3e7afd0a8@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz
+  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
-  - f6120552408175ca332fd3b5d31c5edd115d8426d6731664e4ea3951c5eee3b4@https://github.com/containerd/containerd/releases/download/v1.4.12/cri-containerd-cni-1.4.12-linux-amd64.tar.gz
+  - f23c8ac914d748f85df94d3e82d11ca89ca9fe19a220ce61b99a05b070044de0@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz
  - e0436dfc5d26ca88f00e84cbdab5801dd9829b1e5ded05dcfc162ce5718c32ce@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.amd64
  - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64
  - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64
  arm64:
-  - 17832b192be5ea314714f7e16efd5e5f65347974bbbf41def6b02f68931380c4@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubelet
+  - 8f066c9a048dd1704bf22ccf6e994e2fa2ea1175c9768a786f6cb6608765025e@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubelet
-  - a4dd7100f547a40d3e2f83850d0bab75c6ea5eb553f0a80adcf73155bef1fd0d@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubectl
+  - 449278789de283648e4076ade46816da249714f96e71567e035e9d17e1fff06d@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubectl
-  - ae13d7b5c05bd180ea9b5b68f44bdaa7bfb41034a2ef1d68fd8e1259797d642f@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-arm64-v0.8.7.tgz
+  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
-  - 87a4219c54552797ffd38790b72832372a90eceb7c8e451c36a682093d57dae6@https://download.docker.com/linux/static/stable/aarch64/docker-20.10.11.tgz
+  - 0205bd1907154388dc85b1afeeb550cbb44c470ef4a290cb1daf91501c85cae6@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz
  - 6ebd968d46d00a3886e9a0cae2e0a7b399e110cf5d7b26e63ce23c1d81ea10ef@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.arm64
  - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64
  - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64
 CAs:
@ -247,15 +249,14 @@ KubeletConfig:
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  nodeLabels:
    kops.k8s.io/instancegroup: master-us-test-1a
    kops.k8s.io/kops-controller-pki: ""
    kubernetes.io/role: master
    node-role.kubernetes.io/control-plane: ""
    node-role.kubernetes.io/master: ""
    node.kubernetes.io/exclude-from-external-load-balancers: ""
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  registerSchedulable: false
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
@ -264,10 +265,11 @@ channels:
 - memfs://clusters.example.com/minimal-ipv6.example.com/addons/bootstrap-channel.yaml
 containerdConfig:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 etcdManifests:
 - memfs://clusters.example.com/minimal-ipv6.example.com/manifests/etcd/main.yaml
 - memfs://clusters.example.com/minimal-ipv6.example.com/manifests/etcd/events.yaml
 staticManifests:
 - key: kube-apiserver-healthcheck
  path: manifests/static/kube-apiserver-healthcheck.yaml
 useInstanceIDForNodeName: true
--- a/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_nodeupconfig-nodes_content
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/data/aws_s3_object_nodeupconfig-nodes_content
@ -1,14 +1,16 @@
 Assets:
  amd64:
-  - 681c81b7934ae2bf38b9f12d891683972d1fbbf6d7d97e50940a47b139d41b35@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubelet
+  - 3d98ac8b4fb8dc99f9952226f2565951cc366c442656a889facc5b1b2ec2ba52@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubelet
-  - 9f74f2fa7ee32ad07e17211725992248470310ca1988214518806b39b1dad9f0@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl
+  - 94d686bb6772f6fb59e3a32beff908ab406b79acdfb2427abdc4ac3ce1bb98d7@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubectl
-  - 977824932d5667c7a37aa6a3cbba40100a6873e7bd97e83e8be837e3e7afd0a8@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz
+  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
-  - f6120552408175ca332fd3b5d31c5edd115d8426d6731664e4ea3951c5eee3b4@https://github.com/containerd/containerd/releases/download/v1.4.12/cri-containerd-cni-1.4.12-linux-amd64.tar.gz
+  - f23c8ac914d748f85df94d3e82d11ca89ca9fe19a220ce61b99a05b070044de0@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz
  - e0436dfc5d26ca88f00e84cbdab5801dd9829b1e5ded05dcfc162ce5718c32ce@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.amd64
  arm64:
-  - 17832b192be5ea314714f7e16efd5e5f65347974bbbf41def6b02f68931380c4@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubelet
+  - 8f066c9a048dd1704bf22ccf6e994e2fa2ea1175c9768a786f6cb6608765025e@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubelet
-  - a4dd7100f547a40d3e2f83850d0bab75c6ea5eb553f0a80adcf73155bef1fd0d@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubectl
+  - 449278789de283648e4076ade46816da249714f96e71567e035e9d17e1fff06d@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubectl
-  - ae13d7b5c05bd180ea9b5b68f44bdaa7bfb41034a2ef1d68fd8e1259797d642f@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-arm64-v0.8.7.tgz
+  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
-  - 87a4219c54552797ffd38790b72832372a90eceb7c8e451c36a682093d57dae6@https://download.docker.com/linux/static/stable/aarch64/docker-20.10.11.tgz
+  - 0205bd1907154388dc85b1afeeb550cbb44c470ef4a290cb1daf91501c85cae6@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz
  - 6ebd968d46d00a3886e9a0cae2e0a7b399e110cf5d7b26e63ce23c1d81ea10ef@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.arm64
 CAs:
  kubernetes-ca: |
    -----BEGIN CERTIFICATE-----
@ -51,12 +53,12 @@ KubeletConfig:
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  nodeLabels:
-    kubernetes.io/role: node
+    kops.k8s.io/instancegroup: nodes
    node-role.kubernetes.io/node: ""
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
 UpdatePolicy: automatic
@ -64,4 +66,5 @@ channels:
 - memfs://clusters.example.com/minimal-ipv6.example.com/addons/bootstrap-channel.yaml
 containerdConfig:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 useInstanceIDForNodeName: true
--- a/tests/integration/update_cluster/minimal-ipv6-calico/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/in-v1alpha2.yaml
@ -8,12 +8,6 @@ spec:
    loadBalancer:
      type: Public
      class: Network
  kubernetesApiAccess:
  - 0.0.0.0/0
  - ::/0
  sshAccess:
  - 0.0.0.0/0
  - ::/0
  channel: stable
  cloudConfig:
    awsEBSCSIDriver:
@ -30,25 +24,33 @@ spec:
    - instanceGroup: master-us-test-1a
      name: us-test-1a
    name: events
-  iam: {}
+  iam:
    allowContainerRegistry: true
    legacy: false
  kubelet:
    anonymousAuth: false
-  kubernetesVersion: v1.21.0
+  kubernetesApiAccess:
  - 0.0.0.0/0
  - ::/0
  kubernetesVersion: v1.24.0
  masterInternalName: api.internal.minimal-ipv6.example.com
  masterPublicName: api.minimal-ipv6.example.com
  networkCIDR: 172.20.0.0/16
  networking:
    calico: {}
  nonMasqueradeCIDR: ::/0
-  topology:
+  sshAccess:
-    masters: public
+  - 0.0.0.0/0
-    nodes: public
+  - ::/0
  subnets:
  - cidr: 172.20.32.0/19
    ipv6CIDR: 2001:db8:0:111::/64
    name: us-test-1a
    type: Public
    zone: us-test-1a
  topology:
    masters: public
    nodes: public
 ---
@ -56,34 +58,42 @@ apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
  creationTimestamp: "2016-12-10T22:42:28Z"
  name: nodes
  labels:
    kops.k8s.io/cluster: minimal-ipv6.example.com
 spec:
  associatePublicIp: true
  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
  machineType: t2.medium
  maxSize: 2
  minSize: 2
  role: Node
  subnets:
  - us-test-1a
 ---
 apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
  creationTimestamp: "2016-12-10T22:42:28Z"
  name: master-us-test-1a
  labels:
    kops.k8s.io/cluster: minimal-ipv6.example.com
 spec:
  associatePublicIp: true
  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
-  machineType: m3.medium
+  instanceMetadata:
    httpPutResponseHopLimit: 1
    httpTokens: required
  machineType: t3.medium
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: master-us-test-1a
  role: Master
  subnets:
  - us-test-1a
 ---
 apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
  creationTimestamp: "2016-12-10T22:42:28Z"
  labels:
    kops.k8s.io/cluster: minimal-ipv6.example.com
  name: nodes
 spec:
  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
  instanceMetadata:
    httpPutResponseHopLimit: 3
    httpTokens: required
  machineType: t3.medium
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: nodes
  role: Node
  subnets:
  - us-test-1a
--- a/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf
+++ b/tests/integration/update_cluster/minimal-ipv6-calico/kubernetes.tf
@ -111,26 +111,21 @@ resource "aws_autoscaling_group" "master-us-test-1a-masters-minimal-ipv6-example
    propagate_at_launch = true
    value               = "master-us-test-1a.masters.minimal-ipv6.example.com"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"
    propagate_at_launch = true
    value               = "master-us-test-1a"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"
    propagate_at_launch = true
    value               = ""
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"
    propagate_at_launch = true
    value               = "master"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"
    propagate_at_launch = true
    value               = ""
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"
    propagate_at_launch = true
    value               = ""
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers"
    propagate_at_launch = true
@ -161,9 +156,9 @@ resource "aws_autoscaling_group" "nodes-minimal-ipv6-example-com" {
    id      = aws_launch_template.nodes-minimal-ipv6-example-com.id
    version = aws_launch_template.nodes-minimal-ipv6-example-com.latest_version
  }
-  max_size              = 2
+  max_size              = 1
  metrics_granularity   = "1Minute"
-  min_size              = 2
+  min_size              = 1
  name                  = "nodes.minimal-ipv6.example.com"
  protect_from_scale_in = false
  tag {
@ -177,9 +172,9 @@ resource "aws_autoscaling_group" "nodes-minimal-ipv6-example-com" {
    value               = "nodes.minimal-ipv6.example.com"
  }
  tag {
-    key                 = "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"
+    key                 = "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"
    propagate_at_launch = true
-    value               = "node"
+    value               = "nodes"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node"
@ -328,15 +323,11 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
      volume_type           = "gp3"
    }
  }
  block_device_mappings {
    device_name  = "/dev/sdc"
    virtual_name = "ephemeral0"
  }
  iam_instance_profile {
    name = aws_iam_instance_profile.masters-minimal-ipv6-example-com.id
  }
  image_id      = "ami-12345678"
-  instance_type = "m3.medium"
+  instance_type = "t3.medium"
  key_name      = aws_key_pair.kubernetes-minimal-ipv6-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
  lifecycle {
    create_before_destroy = true
@ -345,7 +336,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
    http_endpoint               = "enabled"
    http_protocol_ipv6          = "enabled"
    http_put_response_hop_limit = 1
-    http_tokens                 = "optional"
+    http_tokens                 = "required"
  }
  monitoring {
    enabled = false
@ -362,10 +353,9 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
    tags = {
      "KubernetesCluster"                                                                                     = "minimal-ipv6.example.com"
      "Name"                                                                                                  = "master-us-test-1a.masters.minimal-ipv6.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"                               = "master-us-test-1a"
      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"                         = ""
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"                                      = "master"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"                   = ""
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"                          = ""
      "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = ""
      "k8s.io/role/master"                                                                                    = "1"
      "kops.k8s.io/instancegroup"                                                                             = "master-us-test-1a"
@ -377,10 +367,9 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
    tags = {
      "KubernetesCluster"                                                                                     = "minimal-ipv6.example.com"
      "Name"                                                                                                  = "master-us-test-1a.masters.minimal-ipv6.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"                               = "master-us-test-1a"
      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"                         = ""
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"                                      = "master"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"                   = ""
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"                          = ""
      "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = ""
      "k8s.io/role/master"                                                                                    = "1"
      "kops.k8s.io/instancegroup"                                                                             = "master-us-test-1a"
@ -390,10 +379,9 @@ resource "aws_launch_template" "master-us-test-1a-masters-minimal-ipv6-example-c
  tags = {
    "KubernetesCluster"                                                                                     = "minimal-ipv6.example.com"
    "Name"                                                                                                  = "master-us-test-1a.masters.minimal-ipv6.example.com"
    "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"                               = "master-us-test-1a"
    "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"                         = ""
    "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"                                      = "master"
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"                   = ""
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"                          = ""
    "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = ""
    "k8s.io/role/master"                                                                                    = "1"
    "kops.k8s.io/instancegroup"                                                                             = "master-us-test-1a"
@ -418,7 +406,7 @@ resource "aws_launch_template" "nodes-minimal-ipv6-example-com" {
    name = aws_iam_instance_profile.nodes-minimal-ipv6-example-com.id
  }
  image_id      = "ami-12345678"
-  instance_type = "t2.medium"
+  instance_type = "t3.medium"
  key_name      = aws_key_pair.kubernetes-minimal-ipv6-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
  lifecycle {
    create_before_destroy = true
@ -426,8 +414,8 @@ resource "aws_launch_template" "nodes-minimal-ipv6-example-com" {
  metadata_options {
    http_endpoint               = "enabled"
    http_protocol_ipv6          = "enabled"
-    http_put_response_hop_limit = 1
+    http_put_response_hop_limit = 3
-    http_tokens                 = "optional"
+    http_tokens                 = "required"
  }
  monitoring {
    enabled = false
@ -444,7 +432,7 @@ resource "aws_launch_template" "nodes-minimal-ipv6-example-com" {
    tags = {
      "KubernetesCluster"                                                          = "minimal-ipv6.example.com"
      "Name"                                                                       = "nodes.minimal-ipv6.example.com"
-      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
+      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"    = "nodes"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
      "k8s.io/role/node"                                                           = "1"
      "kops.k8s.io/instancegroup"                                                  = "nodes"
@ -456,7 +444,7 @@ resource "aws_launch_template" "nodes-minimal-ipv6-example-com" {
    tags = {
      "KubernetesCluster"                                                          = "minimal-ipv6.example.com"
      "Name"                                                                       = "nodes.minimal-ipv6.example.com"
-      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
+      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"    = "nodes"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
      "k8s.io/role/node"                                                           = "1"
      "kops.k8s.io/instancegroup"                                                  = "nodes"
@ -466,7 +454,7 @@ resource "aws_launch_template" "nodes-minimal-ipv6-example-com" {
  tags = {
    "KubernetesCluster"                                                          = "minimal-ipv6.example.com"
    "Name"                                                                       = "nodes.minimal-ipv6.example.com"
-    "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
+    "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/instancegroup"    = "nodes"
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
    "k8s.io/role/node"                                                           = "1"
    "kops.k8s.io/instancegroup"                                                  = "nodes"
@ -724,6 +712,14 @@ resource "aws_s3_object" "minimal-ipv6-example-com-addons-kubelet-api-rbac-addon
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "minimal-ipv6-example-com-addons-leader-migration-rbac-addons-k8s-io-k8s-1-23" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_minimal-ipv6.example.com-addons-leader-migration.rbac.addons.k8s.io-k8s-1.23_content")
  key                    = "clusters.example.com/minimal-ipv6.example.com/addons/leader-migration.rbac.addons.k8s.io/k8s-1.23.yaml"
  provider               = aws.files
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "minimal-ipv6-example-com-addons-limit-range-addons-k8s-io" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_minimal-ipv6.example.com-addons-limit-range.addons.k8s.io_content")
@ -732,10 +728,10 @@ resource "aws_s3_object" "minimal-ipv6-example-com-addons-limit-range-addons-k8s
  server_side_encryption = "AES256"
 }
-resource "aws_s3_object" "minimal-ipv6-example-com-addons-networking-projectcalico-org-k8s-1-16" {
+resource "aws_s3_object" "minimal-ipv6-example-com-addons-networking-projectcalico-org-k8s-1-23" {
  bucket                 = "testingBucket"
-  content                = file("${path.module}/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.16_content")
+  content                = file("${path.module}/data/aws_s3_object_minimal-ipv6.example.com-addons-networking.projectcalico.org-k8s-1.23_content")
-  key                    = "clusters.example.com/minimal-ipv6.example.com/addons/networking.projectcalico.org/k8s-1.16.yaml"
+  key                    = "clusters.example.com/minimal-ipv6.example.com/addons/networking.projectcalico.org/k8s-1.23.yaml"
  provider               = aws.files
  server_side_encryption = "AES256"
 }
@ -989,7 +985,10 @@ resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
 resource "aws_subnet" "us-test-1a-minimal-ipv6-example-com" {
  availability_zone                              = "us-test-1a"
  cidr_block                                     = "172.20.32.0/19"
  enable_resource_name_dns_a_record_on_launch    = true
  enable_resource_name_dns_aaaa_record_on_launch = true
  ipv6_cidr_block                                = "2001:db8:0:111::/64"
  private_dns_hostname_type_on_launch            = "resource-name"
  tags = {
    "KubernetesCluster"                              = "minimal-ipv6.example.com"
    "Name"                                           = "us-test-1a.minimal-ipv6.example.com"
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json
@ -33,11 +33,6 @@
            "Value": "bastion.privatecalico.example.com",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
            "Value": "node",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
            "Value": "",
@ -119,21 +114,11 @@
            "Value": "",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
            "Value": "master",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane",
            "Value": "",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master",
            "Value": "",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers",
            "Value": "",
@ -210,11 +195,6 @@
            "Value": "nodes.privatecalico.example.com",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
            "Value": "node",
            "PropagateAtLaunch": true
          },
          {
            "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
            "Value": "",
@ -339,7 +319,7 @@
            }
          },
          "ImageId": "ami-12345678",
-          "InstanceType": "t2.micro",
+          "InstanceType": "t3.micro",
          "KeyName": "kubernetes.privatecalico.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57",
          "MetadataOptions": {
            "HttpPutResponseHopLimit": 1,
@ -373,10 +353,6 @@
                  "Key": "Name",
                  "Value": "bastion.privatecalico.example.com"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "node"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
                  "Value": ""
@ -406,10 +382,6 @@
                  "Key": "Name",
                  "Value": "bastion.privatecalico.example.com"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "node"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
                  "Value": ""
@ -449,10 +421,6 @@
                "DeleteOnTermination": true,
                "Encrypted": true
              }
            },
            {
              "DeviceName": "/dev/sdc",
              "VirtualName": "ephemeral0"
            }
          ],
          "IamInstanceProfile": {
@ -461,11 +429,11 @@
            }
          },
          "ImageId": "ami-12345678",
-          "InstanceType": "m3.medium",
+          "InstanceType": "t3.medium",
          "KeyName": "kubernetes.privatecalico.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57",
          "MetadataOptions": {
            "HttpPutResponseHopLimit": 1,
-            "HttpTokens": "optional"
+            "HttpTokens": "required"
          },
          "Monitoring": {
            "Enabled": false
@ -499,18 +467,10 @@
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "master"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers",
                  "Value": ""
@ -544,18 +504,10 @@
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "master"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master",
                  "Value": ""
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers",
                  "Value": ""
@ -603,11 +555,11 @@
            }
          },
          "ImageId": "ami-12345678",
-          "InstanceType": "t2.medium",
+          "InstanceType": "t3.medium",
          "KeyName": "kubernetes.privatecalico.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57",
          "MetadataOptions": {
-            "HttpPutResponseHopLimit": 1,
+            "HttpPutResponseHopLimit": 3,
-            "HttpTokens": "optional"
+            "HttpTokens": "required"
          },
          "Monitoring": {
            "Enabled": false
@ -637,10 +589,6 @@
                  "Key": "Name",
                  "Value": "nodes.privatecalico.example.com"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "node"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
                  "Value": ""
@ -670,10 +618,6 @@
                  "Key": "Name",
                  "Value": "nodes.privatecalico.example.com"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role",
                  "Value": "node"
                },
                {
                  "Key": "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node",
                  "Value": ""
@ -957,6 +901,30 @@
        "CidrIp": "0.0.0.0/0"
      }
    },
    "AWSEC2SecurityGroupIngressfrom0ingresstcp22to22bastionelbprivatecalicoexamplecom": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "AWSEC2SecurityGroupbastionelbprivatecalicoexamplecom"
        },
        "FromPort": 22,
        "ToPort": 22,
        "IpProtocol": "tcp",
        "CidrIpv6": "::/0"
      }
    },
    "AWSEC2SecurityGroupIngressfrom0ingresstcp443to443apielbprivatecalicoexamplecom": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "AWSEC2SecurityGroupapielbprivatecalicoexamplecom"
        },
        "FromPort": 443,
        "ToPort": 443,
        "IpProtocol": "tcp",
        "CidrIpv6": "::/0"
      }
    },
    "AWSEC2SecurityGroupIngressfrombastionelbprivatecalicoexamplecomingresstcp22to22bastionprivatecalicoexamplecom": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
@ -1137,6 +1105,18 @@
        "CidrIp": "0.0.0.0/0"
      }
    },
    "AWSEC2SecurityGroupIngressicmpv6pmtuapielb0": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "AWSEC2SecurityGroupapielbprivatecalicoexamplecom"
        },
        "FromPort": -1,
        "ToPort": -1,
        "IpProtocol": "icmpv6",
        "CidrIpv6": "::/0"
      }
    },
    "AWSEC2SecurityGroupapielbprivatecalicoexamplecom": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
@ -1722,39 +1702,6 @@
                "*"
              ]
            },
            {
              "Action": "ec2:CreateTags",
              "Condition": {
                "StringEquals": {
                  "aws:RequestTag/KubernetesCluster": "privatecalico.example.com",
                  "ec2:CreateAction": [
                    "CreateSecurityGroup"
                  ]
                }
              },
              "Effect": "Allow",
              "Resource": [
                "arn:aws-test:ec2:*:*:security-group/*"
              ]
            },
            {
              "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
              ],
              "Condition": {
                "Null": {
                  "aws:RequestTag/KubernetesCluster": "true"
                },
                "StringEquals": {
                  "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com"
                }
              },
              "Effect": "Allow",
              "Resource": [
                "arn:aws-test:ec2:*:*:security-group/*"
              ]
            },
            {
              "Action": "ec2:CreateTags",
              "Condition": {
@ -1791,19 +1738,45 @@
                "arn:aws-test:ec2:*:*:snapshot/*"
              ]
            },
            {
              "Action": "ec2:CreateTags",
              "Condition": {
                "StringEquals": {
                  "aws:RequestTag/KubernetesCluster": "privatecalico.example.com",
                  "ec2:CreateAction": [
                    "CreateSecurityGroup"
                  ]
                }
              },
              "Effect": "Allow",
              "Resource": [
                "arn:aws-test:ec2:*:*:security-group/*"
              ]
            },
            {
              "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
              ],
              "Condition": {
                "Null": {
                  "aws:RequestTag/KubernetesCluster": "true"
                },
                "StringEquals": {
                  "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com"
                }
              },
              "Effect": "Allow",
              "Resource": [
                "arn:aws-test:ec2:*:*:security-group/*"
              ]
            },
            {
              "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstances",
@ -1816,20 +1789,20 @@
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVpcs",
                "ec2:DetachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
-                "ec2:ModifyVolume",
+                "ecr:BatchCheckLayerAvailability",
-                "elasticloadbalancing:AddTags",
+                "ecr:BatchGetImage",
-                "elasticloadbalancing:CreateListener",
+                "ecr:DescribeRepositories",
-                "elasticloadbalancing:CreateTargetGroup",
+                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterTargets",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "kms:DescribeKey",
@ -1948,6 +1921,13 @@
                "ec2:DescribeInstances",
                "ec2:DescribeRegions",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "iam:GetServerCertificate",
                "iam:ListServerCertificates",
                "kms:GenerateRandom"
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml
@ -127,20 +127,21 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
  cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
  cloudConfig:
    awsEBSCSIDriver:
-      enabled: false
+      enabled: true
      version: v1.6.2
    manageStorageClasses: true
  containerRuntime: containerd
  containerd:
    logLevel: info
-    version: 1.4.12
+    version: 1.6.4
  docker:
    skipInstall: true
  encryptionConfig: null
  etcdClusters:
    events:
-      version: 3.4.13
+      version: 3.5.4
    main:
-      version: 3.4.13
+      version: 3.5.4
  kubeAPIServer:
    allowPrivileged: true
    anonymousAuth: false
@ -149,7 +150,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
    apiServerCount: 1
    authorizationMode: AlwaysAllow
    bindAddress: 0.0.0.0
-    cloudProvider: aws
+    cloudProvider: external
    enableAdmissionPlugins:
    - NamespaceLifecycle
    - LimitRanger
@ -164,7 +165,10 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
    - https://127.0.0.1:4001
    etcdServersOverrides:
    - /events#https://127.0.0.1:4002
-    image: registry.k8s.io/kube-apiserver:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-apiserver:v1.24.0
    kubeletPreferredAddressTypes:
    - InternalIP
    - Hostname
@ -186,11 +190,14 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
  kubeControllerManager:
    allocateNodeCIDRs: true
    attachDetachReconcileSyncPeriod: 1m0s
-    cloudProvider: aws
+    cloudProvider: external
    clusterCIDR: 100.96.0.0/11
    clusterName: privatecalico.example.com
    configureCloudRoutes: false
-    image: registry.k8s.io/kube-controller-manager:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-controller-manager:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -198,10 +205,13 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
  kubeProxy:
    clusterCIDR: 100.96.0.0/11
    cpuRequest: 100m
-    image: registry.k8s.io/kube-proxy:v1.21.0
+    image: registry.k8s.io/kube-proxy:v1.24.0
    logLevel: 2
  kubeScheduler:
-    image: registry.k8s.io/kube-scheduler:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-scheduler:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -209,32 +219,38 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
    anonymousAuth: false
    cgroupDriver: systemd
    cgroupRoot: /
-    cloudProvider: aws
+    cloudProvider: external
    clusterDNS: 100.64.0.10
    clusterDomain: cluster.local
    enableDebuggingHandlers: true
    evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
  masterKubelet:
    anonymousAuth: false
    cgroupDriver: systemd
    cgroupRoot: /
-    cloudProvider: aws
+    cloudProvider: external
    clusterDNS: 100.64.0.10
    clusterDomain: cluster.local
    enableDebuggingHandlers: true
    evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    registerSchedulable: false
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
@ -246,7 +262,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
  ConfigBase: memfs://clusters.example.com/privatecalico.example.com
  InstanceGroupName: master-us-test-1a
  InstanceGroupRole: Master
-  NodeupConfigHash: XVQkcpAPIklkF28kVTF5iSiWwXvVDL1f6TBnOshBGa0=
+  NodeupConfigHash: oBkdCcM8vEDGJVKzTp/3baqw/4P+sUBmfaIk6xbYfBo=
  __EOF_KUBE_ENV
@ -380,33 +396,37 @@ Resources.AWSEC2LaunchTemplatenodesprivatecalicoexamplecom.Properties.LaunchTemp
  cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
  cloudConfig:
    awsEBSCSIDriver:
-      enabled: false
+      enabled: true
      version: v1.6.2
    manageStorageClasses: true
  containerRuntime: containerd
  containerd:
    logLevel: info
-    version: 1.4.12
+    version: 1.6.4
  docker:
    skipInstall: true
  kubeProxy:
    clusterCIDR: 100.96.0.0/11
    cpuRequest: 100m
-    image: registry.k8s.io/kube-proxy:v1.21.0
+    image: registry.k8s.io/kube-proxy:v1.24.0
    logLevel: 2
  kubelet:
    anonymousAuth: false
    cgroupDriver: systemd
    cgroupRoot: /
-    cloudProvider: aws
+    cloudProvider: external
    clusterDNS: 100.64.0.10
    clusterDomain: cluster.local
    enableDebuggingHandlers: true
    evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
@ -417,7 +437,7 @@ Resources.AWSEC2LaunchTemplatenodesprivatecalicoexamplecom.Properties.LaunchTemp
  ConfigBase: memfs://clusters.example.com/privatecalico.example.com
  InstanceGroupName: nodes
  InstanceGroupRole: Node
-  NodeupConfigHash: 1e6MWmZgviRMbJ/23fi0wWhbA6N8CRg2muOIaP6AxkI=
+  NodeupConfigHash: k5kw47uYPdJVPoEkZWvltC6/czS8iMhpjnT2bDwaS6k=
  __EOF_KUBE_ENV
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_masters.privatecalico.example.com_policy
@ -94,39 +94,6 @@
        "*"
      ]
    },
    {
      "Action": "ec2:CreateTags",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/KubernetesCluster": "privatecalico.example.com",
          "ec2:CreateAction": [
            "CreateSecurityGroup"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws-test:ec2:*:*:security-group/*"
      ]
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/KubernetesCluster": "true"
        },
        "StringEquals": {
          "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws-test:ec2:*:*:security-group/*"
      ]
    },
    {
      "Action": "ec2:CreateTags",
      "Condition": {
@ -163,19 +130,45 @@
        "arn:aws-test:ec2:*:*:snapshot/*"
      ]
    },
    {
      "Action": "ec2:CreateTags",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/KubernetesCluster": "privatecalico.example.com",
          "ec2:CreateAction": [
            "CreateSecurityGroup"
          ]
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws-test:ec2:*:*:security-group/*"
      ]
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/KubernetesCluster": "true"
        },
        "StringEquals": {
          "aws:ResourceTag/KubernetesCluster": "privatecalico.example.com"
        }
      },
      "Effect": "Allow",
      "Resource": [
        "arn:aws-test:ec2:*:*:security-group/*"
      ]
    },
    {
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeTags",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteRoute",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
@ -188,20 +181,20 @@
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVpcs",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
-        "ec2:ModifyVolume",
+        "ecr:BatchCheckLayerAvailability",
-        "elasticloadbalancing:AddTags",
+        "ecr:BatchGetImage",
-        "elasticloadbalancing:CreateListener",
+        "ecr:DescribeRepositories",
-        "elasticloadbalancing:CreateTargetGroup",
+        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:RegisterTargets",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "kms:DescribeKey",
--- a/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_nodes.privatecalico.example.com_policy
+++ b/tests/integration/update_cluster/privatecalico/data/aws_iam_role_policy_nodes.privatecalico.example.com_policy
@ -31,6 +31,13 @@
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "iam:GetServerCertificate",
        "iam:ListServerCertificates",
        "kms:GenerateRandom"
--- a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data
+++ b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data
@ -125,20 +125,21 @@ ensure-install-dir
 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
  awsEBSCSIDriver:
-    enabled: false
+    enabled: true
    version: v1.6.2
  manageStorageClasses: true
 containerRuntime: containerd
 containerd:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 docker:
  skipInstall: true
 encryptionConfig: null
 etcdClusters:
  events:
-    version: 3.4.13
+    version: 3.5.4
  main:
-    version: 3.4.13
+    version: 3.5.4
 kubeAPIServer:
  allowPrivileged: true
  anonymousAuth: false
@ -147,7 +148,7 @@ kubeAPIServer:
  apiServerCount: 1
  authorizationMode: AlwaysAllow
  bindAddress: 0.0.0.0
-  cloudProvider: aws
+  cloudProvider: external
  enableAdmissionPlugins:
  - NamespaceLifecycle
  - LimitRanger
@ -162,7 +163,10 @@ kubeAPIServer:
  - https://127.0.0.1:4001
  etcdServersOverrides:
  - /events#https://127.0.0.1:4002
-  image: registry.k8s.io/kube-apiserver:v1.21.0
+  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  image: registry.k8s.io/kube-apiserver:v1.24.0
  kubeletPreferredAddressTypes:
  - InternalIP
  - Hostname
@ -184,11 +188,14 @@ kubeAPIServer:
 kubeControllerManager:
  allocateNodeCIDRs: true
  attachDetachReconcileSyncPeriod: 1m0s
-  cloudProvider: aws
+  cloudProvider: external
  clusterCIDR: 100.96.0.0/11
  clusterName: privatecalico.example.com
  configureCloudRoutes: false
-  image: registry.k8s.io/kube-controller-manager:v1.21.0
+  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  image: registry.k8s.io/kube-controller-manager:v1.24.0
  leaderElection:
    leaderElect: true
  logLevel: 2
@ -196,10 +203,13 @@ kubeControllerManager:
 kubeProxy:
  clusterCIDR: 100.96.0.0/11
  cpuRequest: 100m
-  image: registry.k8s.io/kube-proxy:v1.21.0
+  image: registry.k8s.io/kube-proxy:v1.24.0
  logLevel: 2
 kubeScheduler:
-  image: registry.k8s.io/kube-scheduler:v1.21.0
+  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  image: registry.k8s.io/kube-scheduler:v1.24.0
  leaderElection:
    leaderElect: true
  logLevel: 2
@ -207,32 +217,38 @@ kubelet:
  anonymousAuth: false
  cgroupDriver: systemd
  cgroupRoot: /
-  cloudProvider: aws
+  cloudProvider: external
  clusterDNS: 100.64.0.10
  clusterDomain: cluster.local
  enableDebuggingHandlers: true
  evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
 masterKubelet:
  anonymousAuth: false
  cgroupDriver: systemd
  cgroupRoot: /
-  cloudProvider: aws
+  cloudProvider: external
  clusterDNS: 100.64.0.10
  clusterDomain: cluster.local
  enableDebuggingHandlers: true
  evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  registerSchedulable: false
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
@ -244,7 +260,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/privatecalico.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: XVQkcpAPIklkF28kVTF5iSiWwXvVDL1f6TBnOshBGa0=
+NodeupConfigHash: oBkdCcM8vEDGJVKzTp/3baqw/4P+sUBmfaIk6xbYfBo=
 __EOF_KUBE_ENV
--- a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_nodes.privatecalico.example.com_user_data
+++ b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_nodes.privatecalico.example.com_user_data
@ -125,33 +125,37 @@ ensure-install-dir
 cat > conf/cluster_spec.yaml << '__EOF_CLUSTER_SPEC'
 cloudConfig:
  awsEBSCSIDriver:
-    enabled: false
+    enabled: true
    version: v1.6.2
  manageStorageClasses: true
 containerRuntime: containerd
 containerd:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 docker:
  skipInstall: true
 kubeProxy:
  clusterCIDR: 100.96.0.0/11
  cpuRequest: 100m
-  image: registry.k8s.io/kube-proxy:v1.21.0
+  image: registry.k8s.io/kube-proxy:v1.24.0
  logLevel: 2
 kubelet:
  anonymousAuth: false
  cgroupDriver: systemd
  cgroupRoot: /
-  cloudProvider: aws
+  cloudProvider: external
  clusterDNS: 100.64.0.10
  clusterDomain: cluster.local
  enableDebuggingHandlers: true
  evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
@ -162,7 +166,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/privatecalico.example.com
 InstanceGroupName: nodes
 InstanceGroupRole: Node
-NodeupConfigHash: 1e6MWmZgviRMbJ/23fi0wWhbA6N8CRg2muOIaP6AxkI=
+NodeupConfigHash: k5kw47uYPdJVPoEkZWvltC6/czS8iMhpjnT2bDwaS6k=
 __EOF_KUBE_ENV
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_cluster-completed.spec_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_cluster-completed.spec_content
@ -13,8 +13,18 @@ spec:
  channel: stable
  cloudConfig:
    awsEBSCSIDriver:
-      enabled: false
+      enabled: true
      version: v1.6.2
    manageStorageClasses: true
  cloudControllerManager:
    allocateNodeCIDRs: true
    clusterCIDR: 100.64.0.0/10
    clusterName: privatecalico.example.com
    configureCloudRoutes: false
    enableLeaderMigration: true
    image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.24.0
    leaderElection:
      leaderElect: true
  cloudProvider: aws
  clusterDNSDomain: cluster.local
  configBase: memfs://clusters.example.com/privatecalico.example.com
@ -22,7 +32,7 @@ spec:
  containerRuntime: containerd
  containerd:
    logLevel: info
-    version: 1.4.12
+    version: 1.6.4
  dnsZone: Z1AFAKE1ZON3YO
  docker:
    skipInstall: true
@ -33,17 +43,18 @@ spec:
    - instanceGroup: master-us-test-1a
      name: us-test-1a
    name: main
-    version: 3.4.13
+    version: 3.5.4
  - backups:
      backupStore: memfs://clusters.example.com/privatecalico.example.com/backups/etcd/events
    etcdMembers:
    - instanceGroup: master-us-test-1a
      name: us-test-1a
    name: events
-    version: 3.4.13
+    version: 3.5.4
  externalDns:
    provider: dns-controller
  iam:
    allowContainerRegistry: true
    legacy: false
  keyStore: memfs://clusters.example.com/privatecalico.example.com/pki
  kubeAPIServer:
@ -54,7 +65,7 @@ spec:
    apiServerCount: 1
    authorizationMode: AlwaysAllow
    bindAddress: 0.0.0.0
-    cloudProvider: aws
+    cloudProvider: external
    enableAdmissionPlugins:
    - NamespaceLifecycle
    - LimitRanger
@ -69,7 +80,10 @@ spec:
    - https://127.0.0.1:4001
    etcdServersOverrides:
    - /events#https://127.0.0.1:4002
-    image: registry.k8s.io/kube-apiserver:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-apiserver:v1.24.0
    kubeletPreferredAddressTypes:
    - InternalIP
    - Hostname
@ -91,11 +105,14 @@ spec:
  kubeControllerManager:
    allocateNodeCIDRs: true
    attachDetachReconcileSyncPeriod: 1m0s
-    cloudProvider: aws
+    cloudProvider: external
    clusterCIDR: 100.96.0.0/11
    clusterName: privatecalico.example.com
    configureCloudRoutes: false
-    image: registry.k8s.io/kube-controller-manager:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-controller-manager:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -117,10 +134,13 @@ spec:
  kubeProxy:
    clusterCIDR: 100.96.0.0/11
    cpuRequest: 100m
-    image: registry.k8s.io/kube-proxy:v1.21.0
+    image: registry.k8s.io/kube-proxy:v1.24.0
    logLevel: 2
  kubeScheduler:
-    image: registry.k8s.io/kube-scheduler:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-scheduler:v1.24.0
    leaderElection:
      leaderElect: true
    logLevel: 2
@ -128,36 +148,43 @@ spec:
    anonymousAuth: false
    cgroupDriver: systemd
    cgroupRoot: /
-    cloudProvider: aws
+    cloudProvider: external
    clusterDNS: 100.64.0.10
    clusterDomain: cluster.local
    enableDebuggingHandlers: true
    evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
  kubernetesApiAccess:
  - 0.0.0.0/0
-  kubernetesVersion: 1.21.0
+  - ::/0
  kubernetesVersion: 1.24.0
  masterInternalName: api.internal.privatecalico.example.com
  masterKubelet:
    anonymousAuth: false
    cgroupDriver: systemd
    cgroupRoot: /
-    cloudProvider: aws
+    cloudProvider: external
    clusterDNS: 100.64.0.10
    clusterDomain: cluster.local
    enableDebuggingHandlers: true
    evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    kubeconfigPath: /var/lib/kubelet/kubeconfig
    logLevel: 2
    networkPluginName: cni
    podInfraContainerImage: registry.k8s.io/pause:3.6
    podManifestPath: /etc/kubernetes/manifests
    protectKernelDefaults: true
    registerSchedulable: false
    shutdownGracePeriod: 30s
    shutdownGracePeriodCriticalPods: 10s
@ -172,6 +199,7 @@ spec:
  serviceClusterIPRange: 100.64.0.0/13
  sshAccess:
  - 0.0.0.0/0
  - ::/0
  subnets:
  - cidr: 172.20.32.0/19
    name: us-test-1a
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_etcd-cluster-spec-events_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_etcd-cluster-spec-events_content
@ -1,4 +1,4 @@
 {
  "memberCount": 1,
-  "etcdVersion": "3.4.13"
+  "etcdVersion": "3.5.4"
 }
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_etcd-cluster-spec-main_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_etcd-cluster-spec-main_content
@ -1,4 +1,4 @@
 {
  "memberCount": 1,
-  "etcdVersion": "3.4.13"
+  "etcdVersion": "3.5.4"
 }
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
@ -7,7 +7,7 @@ APIServerConfig:
    apiServerCount: 1
    authorizationMode: AlwaysAllow
    bindAddress: 0.0.0.0
-    cloudProvider: aws
+    cloudProvider: external
    enableAdmissionPlugins:
    - NamespaceLifecycle
    - LimitRanger
@ -22,7 +22,10 @@ APIServerConfig:
    - https://127.0.0.1:4001
    etcdServersOverrides:
    - /events#https://127.0.0.1:4002
-    image: registry.k8s.io/kube-apiserver:v1.21.0
+    featureGates:
      CSIMigrationAWS: "true"
      InTreePluginAWSUnregister: "true"
    image: registry.k8s.io/kube-apiserver:v1.24.0
    kubeletPreferredAddressTypes:
    - InternalIP
    - Hostname
@ -52,17 +55,19 @@ APIServerConfig:
    -----END RSA PUBLIC KEY-----
 Assets:
  amd64:
-  - 681c81b7934ae2bf38b9f12d891683972d1fbbf6d7d97e50940a47b139d41b35@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubelet
+  - 3d98ac8b4fb8dc99f9952226f2565951cc366c442656a889facc5b1b2ec2ba52@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubelet
-  - 9f74f2fa7ee32ad07e17211725992248470310ca1988214518806b39b1dad9f0@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl
+  - 94d686bb6772f6fb59e3a32beff908ab406b79acdfb2427abdc4ac3ce1bb98d7@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubectl
-  - 977824932d5667c7a37aa6a3cbba40100a6873e7bd97e83e8be837e3e7afd0a8@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz
+  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
-  - f6120552408175ca332fd3b5d31c5edd115d8426d6731664e4ea3951c5eee3b4@https://github.com/containerd/containerd/releases/download/v1.4.12/cri-containerd-cni-1.4.12-linux-amd64.tar.gz
+  - f23c8ac914d748f85df94d3e82d11ca89ca9fe19a220ce61b99a05b070044de0@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz
  - e0436dfc5d26ca88f00e84cbdab5801dd9829b1e5ded05dcfc162ce5718c32ce@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.amd64
  - f90ed6dcef534e6d1ae17907dc7eb40614b8945ad4af7f0e98d2be7cde8165c6@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-amd64
  - 9992e7eb2a2e93f799e5a9e98eb718637433524bc65f630357201a79f49b13d0@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/amd64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-amd64
  arm64:
-  - 17832b192be5ea314714f7e16efd5e5f65347974bbbf41def6b02f68931380c4@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubelet
+  - 8f066c9a048dd1704bf22ccf6e994e2fa2ea1175c9768a786f6cb6608765025e@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubelet
-  - a4dd7100f547a40d3e2f83850d0bab75c6ea5eb553f0a80adcf73155bef1fd0d@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubectl
+  - 449278789de283648e4076ade46816da249714f96e71567e035e9d17e1fff06d@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubectl
-  - ae13d7b5c05bd180ea9b5b68f44bdaa7bfb41034a2ef1d68fd8e1259797d642f@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-arm64-v0.8.7.tgz
+  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
-  - 87a4219c54552797ffd38790b72832372a90eceb7c8e451c36a682093d57dae6@https://download.docker.com/linux/static/stable/aarch64/docker-20.10.11.tgz
+  - 0205bd1907154388dc85b1afeeb550cbb44c470ef4a290cb1daf91501c85cae6@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz
  - 6ebd968d46d00a3886e9a0cae2e0a7b399e110cf5d7b26e63ce23c1d81ea10ef@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.arm64
  - 2f599c3d54f4c4bdbcc95aaf0c7b513a845d8f9503ec5b34c9f86aa1bc34fc0c@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/protokube,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/protokube-linux-arm64
  - 9d842e3636a95de2315cdea2be7a282355aac0658ef0b86d5dc2449066538f13@https://artifacts.k8s.io/binaries/kops/1.21.0-alpha.1/linux/arm64/channels,https://github.com/kubernetes/kops/releases/download/v1.21.0-alpha.1/channels-linux-arm64
 CAs:
@ -234,22 +239,23 @@ KubeletConfig:
  anonymousAuth: false
  cgroupDriver: systemd
  cgroupRoot: /
-  cloudProvider: aws
+  cloudProvider: external
  clusterDNS: 100.64.0.10
  clusterDomain: cluster.local
  enableDebuggingHandlers: true
  evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  nodeLabels:
    kops.k8s.io/kops-controller-pki: ""
    kubernetes.io/role: master
    node-role.kubernetes.io/control-plane: ""
    node-role.kubernetes.io/master: ""
    node.kubernetes.io/exclude-from-external-load-balancers: ""
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  registerSchedulable: false
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
@ -258,10 +264,11 @@ channels:
 - memfs://clusters.example.com/privatecalico.example.com/addons/bootstrap-channel.yaml
 containerdConfig:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 etcdManifests:
 - memfs://clusters.example.com/privatecalico.example.com/manifests/etcd/main.yaml
 - memfs://clusters.example.com/privatecalico.example.com/manifests/etcd/events.yaml
 staticManifests:
 - key: kube-apiserver-healthcheck
  path: manifests/static/kube-apiserver-healthcheck.yaml
 useInstanceIDForNodeName: true
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_nodeupconfig-nodes_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_nodeupconfig-nodes_content
@ -1,14 +1,16 @@
 Assets:
  amd64:
-  - 681c81b7934ae2bf38b9f12d891683972d1fbbf6d7d97e50940a47b139d41b35@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubelet
+  - 3d98ac8b4fb8dc99f9952226f2565951cc366c442656a889facc5b1b2ec2ba52@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubelet
-  - 9f74f2fa7ee32ad07e17211725992248470310ca1988214518806b39b1dad9f0@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl
+  - 94d686bb6772f6fb59e3a32beff908ab406b79acdfb2427abdc4ac3ce1bb98d7@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/amd64/kubectl
-  - 977824932d5667c7a37aa6a3cbba40100a6873e7bd97e83e8be837e3e7afd0a8@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-amd64-v0.8.7.tgz
+  - 962100bbc4baeaaa5748cdbfce941f756b1531c2eadb290129401498bfac21e7@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
-  - f6120552408175ca332fd3b5d31c5edd115d8426d6731664e4ea3951c5eee3b4@https://github.com/containerd/containerd/releases/download/v1.4.12/cri-containerd-cni-1.4.12-linux-amd64.tar.gz
+  - f23c8ac914d748f85df94d3e82d11ca89ca9fe19a220ce61b99a05b070044de0@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-amd64.tar.gz
  - e0436dfc5d26ca88f00e84cbdab5801dd9829b1e5ded05dcfc162ce5718c32ce@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.amd64
  arm64:
-  - 17832b192be5ea314714f7e16efd5e5f65347974bbbf41def6b02f68931380c4@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubelet
+  - 8f066c9a048dd1704bf22ccf6e994e2fa2ea1175c9768a786f6cb6608765025e@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubelet
-  - a4dd7100f547a40d3e2f83850d0bab75c6ea5eb553f0a80adcf73155bef1fd0d@https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/arm64/kubectl
+  - 449278789de283648e4076ade46816da249714f96e71567e035e9d17e1fff06d@https://storage.googleapis.com/kubernetes-release/release/v1.24.0/bin/linux/arm64/kubectl
-  - ae13d7b5c05bd180ea9b5b68f44bdaa7bfb41034a2ef1d68fd8e1259797d642f@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.8.7/cni-plugins-linux-arm64-v0.8.7.tgz
+  - ef17764ffd6cdcb16d76401bac1db6acc050c9b088f1be5efa0e094ea3b01df0@https://storage.googleapis.com/k8s-artifacts-cni/release/v0.9.1/cni-plugins-linux-arm64-v0.9.1.tgz
-  - 87a4219c54552797ffd38790b72832372a90eceb7c8e451c36a682093d57dae6@https://download.docker.com/linux/static/stable/aarch64/docker-20.10.11.tgz
+  - 0205bd1907154388dc85b1afeeb550cbb44c470ef4a290cb1daf91501c85cae6@https://github.com/containerd/containerd/releases/download/v1.6.4/containerd-1.6.4-linux-arm64.tar.gz
  - 6ebd968d46d00a3886e9a0cae2e0a7b399e110cf5d7b26e63ce23c1d81ea10ef@https://github.com/opencontainers/runc/releases/download/v1.1.2/runc.arm64
 CAs:
  kubernetes-ca: |
    -----BEGIN CERTIFICATE-----
@ -41,19 +43,21 @@ KubeletConfig:
  anonymousAuth: false
  cgroupDriver: systemd
  cgroupRoot: /
-  cloudProvider: aws
+  cloudProvider: external
  clusterDNS: 100.64.0.10
  clusterDomain: cluster.local
  enableDebuggingHandlers: true
  evictionHard: memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5%
  featureGates:
    CSIMigrationAWS: "true"
    InTreePluginAWSUnregister: "true"
  kubeconfigPath: /var/lib/kubelet/kubeconfig
  logLevel: 2
  networkPluginName: cni
  nodeLabels:
    kubernetes.io/role: node
    node-role.kubernetes.io/node: ""
  podInfraContainerImage: registry.k8s.io/pause:3.6
  podManifestPath: /etc/kubernetes/manifests
  protectKernelDefaults: true
  shutdownGracePeriod: 30s
  shutdownGracePeriodCriticalPods: 10s
 UpdatePolicy: automatic
@ -61,4 +65,5 @@ channels:
 - memfs://clusters.example.com/privatecalico.example.com/addons/bootstrap-channel.yaml
 containerdConfig:
  logLevel: info
-  version: 1.4.12
+  version: 1.6.4
 useInstanceIDForNodeName: true
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content
@ -0,0 +1,238 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: aws-cloud-controller.addons.k8s.io
    k8s-app: aws-cloud-controller-manager
  name: aws-cloud-controller-manager
  namespace: kube-system
 spec:
  selector:
    matchLabels:
      k8s-app: aws-cloud-controller-manager
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: aws-cloud-controller-manager
        kops.k8s.io/managed-by: kops
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node-role.kubernetes.io/control-plane
                operator: Exists
            - matchExpressions:
              - key: node-role.kubernetes.io/master
                operator: Exists
      containers:
      - args:
        - --allocate-node-cidrs=true
        - --cluster-cidr=100.64.0.0/10
        - --cluster-name=privatecalico.example.com
        - --configure-cloud-routes=false
        - --enable-leader-migration=true
        - --leader-elect=true
        - --v=2
        - --cloud-provider=aws
        - --use-service-account-credentials=true
        - --cloud-config=/etc/kubernetes/cloud.config
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: 127.0.0.1
        image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.24.0
        imagePullPolicy: IfNotPresent
        name: aws-cloud-controller-manager
        resources:
          requests:
            cpu: 200m
        volumeMounts:
        - mountPath: /etc/kubernetes/cloud.config
          name: cloudconfig
          readOnly: true
      hostNetwork: true
      nodeSelector: null
      priorityClassName: system-cluster-critical
      serviceAccountName: aws-cloud-controller-manager
      tolerations:
      - effect: NoSchedule
        key: node.cloudprovider.kubernetes.io/uninitialized
        value: "true"
      - effect: NoSchedule
        key: node.kubernetes.io/not-ready
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - hostPath:
          path: /etc/kubernetes/cloud.config
          type: ""
        name: cloudconfig
  updateStrategy:
    type: RollingUpdate
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: aws-cloud-controller.addons.k8s.io
  name: aws-cloud-controller-manager
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: aws-cloud-controller.addons.k8s.io
  name: cloud-controller-manager:apiserver-authentication-reader
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: aws-cloud-controller-manager
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: aws-cloud-controller.addons.k8s.io
  name: system:cloud-controller-manager
 rules:
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - '*'
 - apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - services/status
  verbs:
  - list
  - patch
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - get
 - apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - update
  - watch
 - apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - list
  - watch
  - update
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - list
  - watch
  - update
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - watch
 - apiGroups:
  - ""
  resourceNames:
  - node-controller
  - service-controller
  - route-controller
  resources:
  - serviceaccounts/token
  verbs:
  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-cloud-controller.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: aws-cloud-controller.addons.k8s.io
  name: system:cloud-controller-manager
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-controller-manager
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
  name: aws-cloud-controller-manager
  namespace: kube-system
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content
@ -0,0 +1,777 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-controller-sa
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-external-attacher-role
 rules:
 - apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - csi.storage.k8s.io
  resources:
  - csinodeinfos
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-external-provisioner-role
 rules:
 - apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - update
 - apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots
  verbs:
  - get
  - list
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotcontents
  verbs:
  - get
  - list
 - apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - watch
  - list
  - delete
  - update
  - create
 - apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-external-resizer-role
 rules:
 - apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - update
  - patch
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - persistentvolumeclaims/status
  verbs:
  - update
  - patch
 - apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-external-snapshotter-role
 rules:
 - apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - update
  - patch
 - apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotclasses
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotcontents
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - delete
 - apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshotcontents/status
  verbs:
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-attacher-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ebs-external-attacher-role
 subjects:
 - kind: ServiceAccount
  name: ebs-csi-controller-sa
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-provisioner-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ebs-external-provisioner-role
 subjects:
 - kind: ServiceAccount
  name: ebs-csi-controller-sa
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-resizer-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ebs-external-resizer-role
 subjects:
 - kind: ServiceAccount
  name: ebs-csi-controller-sa
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-snapshotter-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ebs-external-snapshotter-role
 subjects:
 - kind: ServiceAccount
  name: ebs-csi-controller-sa
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-node-getter-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ebs-csi-node-role
 subjects:
 - kind: ServiceAccount
  name: ebs-csi-node-sa
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-node-role
 rules:
 - apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-node-sa
  namespace: kube-system
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-node
  namespace: kube-system
 spec:
  selector:
    matchLabels:
      app: ebs-csi-node
      app.kubernetes.io/instance: aws-ebs-csi-driver
      app.kubernetes.io/name: aws-ebs-csi-driver
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ebs-csi-node
        app.kubernetes.io/instance: aws-ebs-csi-driver
        app.kubernetes.io/name: aws-ebs-csi-driver
        app.kubernetes.io/version: v1.6.2
        kops.k8s.io/managed-by: kops
    spec:
      containers:
      - args:
        - node
        - --endpoint=$(CSI_ENDPOINT)
        - --logtostderr
        - --v=2
        env:
        - name: CSI_ENDPOINT
          value: unix:/csi/csi.sock
        - name: CSI_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.2
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: healthz
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 3
        name: ebs-plugin
        ports:
        - containerPort: 9808
          name: healthz
          protocol: TCP
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /var/lib/kubelet
          mountPropagation: Bidirectional
          name: kubelet-dir
        - mountPath: /csi
          name: plugin-dir
        - mountPath: /dev
          name: device-dir
      - args:
        - --csi-address=$(ADDRESS)
        - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
        - --v=5
        env:
        - name: ADDRESS
          value: /csi/csi.sock
        - name: DRIVER_REG_SOCK_PATH
          value: /var/lib/kubelet/plugins/ebs.csi.aws.com/csi.sock
        image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.1.0
        lifecycle:
          preStop:
            exec:
              command:
              - /bin/sh
              - -c
              - rm -rf /registration/ebs.csi.aws.com-reg.sock /csi/csi.sock
        name: node-driver-registrar
        volumeMounts:
        - mountPath: /csi
          name: plugin-dir
        - mountPath: /registration
          name: registration-dir
      - args:
        - --csi-address=/csi/csi.sock
        image: registry.k8s.io/sig-storage/livenessprobe:v2.2.0
        name: liveness-probe
        volumeMounts:
        - mountPath: /csi
          name: plugin-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
      serviceAccountName: ebs-csi-node-sa
      tolerations:
      - operator: Exists
      volumes:
      - hostPath:
          path: /var/lib/kubelet
          type: Directory
        name: kubelet-dir
      - hostPath:
          path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
          type: DirectoryOrCreate
        name: plugin-dir
      - hostPath:
          path: /var/lib/kubelet/plugins_registry/
          type: Directory
        name: registration-dir
      - hostPath:
          path: /dev
          type: Directory
        name: device-dir
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-controller
  namespace: kube-system
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: ebs-csi-controller
      app.kubernetes.io/instance: aws-ebs-csi-driver
      app.kubernetes.io/name: aws-ebs-csi-driver
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ebs-csi-controller
        app.kubernetes.io/instance: aws-ebs-csi-driver
        app.kubernetes.io/name: aws-ebs-csi-driver
        app.kubernetes.io/version: v1.6.2
        kops.k8s.io/managed-by: kops
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node-role.kubernetes.io/control-plane
                operator: Exists
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
            - matchExpressions:
              - key: node-role.kubernetes.io/master
                operator: Exists
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      containers:
      - args:
        - controller
        - --endpoint=$(CSI_ENDPOINT)
        - --logtostderr
        - --k8s-tag-cluster-id=privatecalico.example.com
        - --extra-tags=KubernetesCluster=privatecalico.example.com
        - --v=5
        env:
        - name: CSI_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CSI_ENDPOINT
          value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              key: key_id
              name: aws-secret
              optional: true
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: access_key
              name: aws-secret
              optional: true
        image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.6.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: healthz
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 3
        name: ebs-plugin
        ports:
        - containerPort: 9808
          name: healthz
          protocol: TCP
        volumeMounts:
        - mountPath: /var/lib/csi/sockets/pluginproxy/
          name: socket-dir
      - args:
        - --csi-address=$(ADDRESS)
        - --v=5
        - --feature-gates=Topology=true
        - --leader-election=true
        - --extra-create-metadata=true
        - --default-fstype=ext4
        env:
        - name: ADDRESS
          value: /var/lib/csi/sockets/pluginproxy/csi.sock
        image: registry.k8s.io/sig-storage/csi-provisioner:v2.2.0
        name: csi-provisioner
        volumeMounts:
        - mountPath: /var/lib/csi/sockets/pluginproxy/
          name: socket-dir
      - args:
        - --csi-address=$(ADDRESS)
        - --v=5
        - --leader-election=true
        env:
        - name: ADDRESS
          value: /var/lib/csi/sockets/pluginproxy/csi.sock
        image: registry.k8s.io/sig-storage/csi-attacher:v3.2.0
        name: csi-attacher
        volumeMounts:
        - mountPath: /var/lib/csi/sockets/pluginproxy/
          name: socket-dir
      - args:
        - --csi-address=$(ADDRESS)
        - --v=5
        env:
        - name: ADDRESS
          value: /var/lib/csi/sockets/pluginproxy/csi.sock
        image: registry.k8s.io/sig-storage/csi-resizer:v1.1.0
        imagePullPolicy: Always
        name: csi-resizer
        volumeMounts:
        - mountPath: /var/lib/csi/sockets/pluginproxy/
          name: socket-dir
      - args:
        - --csi-address=/csi/csi.sock
        image: registry.k8s.io/sig-storage/livenessprobe:v2.4.0
        name: liveness-probe
        volumeMounts:
        - mountPath: /csi
          name: socket-dir
      nodeSelector: null
      priorityClassName: system-cluster-critical
      serviceAccountName: ebs-csi-controller-sa
      tolerations:
      - operator: Exists
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app: ebs-csi-controller
            app.kubernetes.io/instance: aws-ebs-csi-driver
            app.kubernetes.io/name: aws-ebs-csi-driver
        maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway
      - labelSelector:
          matchLabels:
            app: ebs-csi-controller
            app.kubernetes.io/instance: aws-ebs-csi-driver
            app.kubernetes.io/name: aws-ebs-csi-driver
        maxSkew: 1
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: DoNotSchedule
      volumes:
      - emptyDir: {}
        name: socket-dir
 ---
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs.csi.aws.com
 spec:
  attachRequired: true
  podInfoOnMount: false
 ---
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: aws-ebs-csi-driver.addons.k8s.io
    app.kubernetes.io/instance: aws-ebs-csi-driver
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-ebs-csi-driver
    app.kubernetes.io/version: v1.6.2
    k8s-addon: aws-ebs-csi-driver.addons.k8s.io
  name: ebs-csi-controller
  namespace: kube-system
 spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: ebs-csi-controller
      app.kubernetes.io/instance: aws-ebs-csi-driver
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content
@ -6,7 +6,7 @@ spec:
  addons:
  - id: k8s-1.16
    manifest: kops-controller.addons.k8s.io/k8s-1.16.yaml
-    manifestHash: e102ff9108d3c467a0af76145c537cca5c7e1214cb95b704063a97cc2f85092c
+    manifestHash: 07deb2be73150a97d3cf7f662e877771afceaf38cef66355aa3d474131183fc7
    name: kops-controller.addons.k8s.io
    needsRollingUpdate: control-plane
    selector:
@ -32,6 +32,13 @@ spec:
    selector:
      k8s-addon: kubelet-api.rbac.addons.k8s.io
    version: 9.99.0
  - id: k8s-1.23
    manifest: leader-migration.rbac.addons.k8s.io/k8s-1.23.yaml
    manifestHash: b9c91e09c0f28c9b74ff140b8395d611834c627d698846d625c10975a74a48c4
    name: leader-migration.rbac.addons.k8s.io
    selector:
      k8s-addon: leader-migration.rbac.addons.k8s.io
    version: 9.99.0
  - manifest: limit-range.addons.k8s.io/v1.5.0.yaml
    manifestHash: 2d55c3bc5e354e84a3730a65b42f39aba630a59dc8d32b30859fcce3d3178bc2
    name: limit-range.addons.k8s.io
@ -47,15 +54,29 @@ spec:
    version: 9.99.0
  - id: v1.15.0
    manifest: storage-aws.addons.k8s.io/v1.15.0.yaml
-    manifestHash: 065ae832ddac8d0931e9992d6a76f43a33a36975a38003b34f4c5d86a7d42780
+    manifestHash: 4e2cda50cd5048133aad1b5e28becb60f4629d3f9e09c514a2757c27998b4200
    name: storage-aws.addons.k8s.io
    selector:
      k8s-addon: storage-aws.addons.k8s.io
    version: 9.99.0
-  - id: k8s-1.16
+  - id: k8s-1.23
-    manifest: networking.projectcalico.org/k8s-1.16.yaml
+    manifest: networking.projectcalico.org/k8s-1.23.yaml
-    manifestHash: 7cce9988276da48e2c85f1c79a7871cd59d0ffff07048e9bc0b2a41914aaebfe
+    manifestHash: 73aec25bade185c9929399be7809330abd3f75d86fb7f36334f44d185f7981c0
    name: networking.projectcalico.org
    selector:
      role.kubernetes.io/networking: "1"
    version: 9.99.0
  - id: k8s-1.18
    manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml
    manifestHash: f8fd8d170f77a75cd976d77cbd9c9773e05bea0daf79d2a61486bcecd2354070
    name: aws-cloud-controller.addons.k8s.io
    selector:
      k8s-addon: aws-cloud-controller.addons.k8s.io
    version: 9.99.0
  - id: k8s-1.17
    manifest: aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml
    manifestHash: bd5514d9d74c87df012effac4d7c99aaea7109130857e797568d1aff9036a981
    name: aws-ebs-csi-driver.addons.k8s.io
    selector:
      k8s-addon: aws-ebs-csi-driver.addons.k8s.io
    version: 9.99.0
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-kops-controller.addons.k8s.io-k8s-1.16_content
@ -1,7 +1,7 @@
 apiVersion: v1
 data:
  config.yaml: |
-    {"cloud":"aws","configBase":"memfs://clusters.example.com/privatecalico.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.privatecalico.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"]}}
+    {"cloud":"aws","configBase":"memfs://clusters.example.com/privatecalico.example.com","server":{"Listen":":3988","provider":{"aws":{"nodesRoles":["nodes.privatecalico.example.com"],"Region":"us-test-1"}},"serverKeyPath":"/etc/kubernetes/kops-controller/pki/kops-controller.key","serverCertificatePath":"/etc/kubernetes/kops-controller/pki/kops-controller.crt","caBasePath":"/etc/kubernetes/kops-controller/pki","signingCAs":["kubernetes-ca"],"certNames":["kubelet","kubelet-server","kube-proxy"],"useInstanceIDForNodeName":true}}
 kind: ConfigMap
 metadata:
  creationTimestamp: null
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-leader-migration.rbac.addons.k8s.io-k8s-1.23_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-leader-migration.rbac.addons.k8s.io-k8s-1.23_content
@ -0,0 +1,52 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: leader-migration.rbac.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: leader-migration.rbac.addons.k8s.io
  name: system::leader-locking-migration
  namespace: kube-system
 rules:
 - apiGroups:
  - coordination.k8s.io
  resourceNames:
  - cloud-provider-extraction-migration
  resources:
  - leases
  verbs:
  - create
  - list
  - get
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: leader-migration.rbac.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: leader-migration.rbac.addons.k8s.io
  name: system::leader-locking-migration
  namespace: kube-system
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system::leader-locking-migration
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:kube-controller-manager
 - kind: ServiceAccount
  name: kube-controller-manager
  namespace: kube-system
 - kind: ServiceAccount
  name: aws-cloud-controller-manager
  namespace: kube-system
 - kind: ServiceAccount
  name: cloud-controller-manager
  namespace: kube-system
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.23_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.23_content
@ -93,6 +93,12 @@ spec:
                  64512]'
                format: int32
                type: integer
              bindMode:
                description: BindMode indicates whether to listen for BGP connections
                  on all addresses (None) or only on the node's canonical IP address
                  Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen
                  for BGP connections on all addresses.
                type: string
              communities:
                description: Communities is a list of BGP community values and their
                  arbitrary names for tagging routes.
@ -123,6 +129,37 @@ spec:
                description: 'LogSeverityScreen is the log severity above which logs
                  are sent to the stdout. [Default: INFO]'
                type: string
              nodeMeshMaxRestartTime:
                description: Time to allow for software restart for node-to-mesh peerings.  When
                  specified, this is configured as the graceful restart timeout.  When
                  not specified, the BIRD default of 120s is used. This field can
                  only be set on the default BGPConfiguration instance and requires
                  that NodeMesh is enabled
                type: string
              nodeMeshPassword:
                description: Optional BGP password for full node-to-mesh peerings.
                  This field can only be set on the default BGPConfiguration instance
                  and requires that NodeMesh is enabled
                properties:
                  secretKeyRef:
                    description: Selects a key of a secret in the node pod's namespace.
                    properties:
                      key:
                        description: The key of the secret to select from.  Must be
                          a valid secret key.
                        type: string
                      name:
                        description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                          TODO: Add other useful fields. apiVersion, kind, uid?'
                        type: string
                      optional:
                        description: Specify whether the Secret or its key must be
                          defined
                        type: boolean
                    required:
                    - key
                    type: object
                type: object
              nodeToNodeMeshEnabled:
                description: 'NodeToNodeMeshEnabled sets whether full node to node
                  BGP mesh is enabled. [Default: true]'
@ -260,6 +297,12 @@ spec:
                description: Selector for the nodes that should have this peering.  When
                  this is set, the Node field must be empty.
                type: string
              numAllowedLocalASNumbers:
                description: Maximum number of local AS numbers that are allowed in
                  the AS path for received routes. This removes BGP loop prevention
                  and should only be used if absolutely necesssary.
                format: int32
                type: integer
              password:
                description: Optional BGP password for the peerings generated by this
                  BGPPeer resource.
@ -807,6 +850,11 @@ spec:
                description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
                  [Default: false]'
                type: boolean
              bpfEnforceRPF:
                description: 'BPFEnforceRPF enforce strict RPF on all interfaces with
                  BPF programs regardless of what is the per-interfaces or global
                  setting. Possible values are Disabled or Strict. [Default: Strict]'
                type: string
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
                  mark that is set on connections from an external client to a local
@ -846,6 +894,51 @@ spec:
                  logs are emitted to the BPF trace pipe, accessible with the command
                  `tc exec bpf debug`. [Default: Off].'
                type: string
              bpfMapSizeConntrack:
                description: 'BPFMapSizeConntrack sets the size for the conntrack
                  map.  This map must be large enough to hold an entry for each active
                  connection.  Warning: changing the size of the conntrack map can
                  cause disruption.'
                type: integer
              bpfMapSizeIPSets:
                description: BPFMapSizeIPSets sets the size for ipsets map.  The IP
                  sets map must be large enough to hold an entry for each endpoint
                  matched by every selector in the source/destination matches in network
                  policy.  Selectors such as "all()" can result in large numbers of
                  entries (one entry per endpoint in that case).
                type: integer
              bpfMapSizeNATAffinity:
                type: integer
              bpfMapSizeNATBackend:
                description: BPFMapSizeNATBackend sets the size for nat back end map.
                  This is the total number of endpoints. This is mostly more than
                  the size of the number of services.
                type: integer
              bpfMapSizeNATFrontend:
                description: BPFMapSizeNATFrontend sets the size for nat front end
                  map. FrontendMap should be large enough to hold an entry for each
                  nodeport, external IP and each port in each service.
                type: integer
              bpfMapSizeRoute:
                description: BPFMapSizeRoute sets the size for the routes map.  The
                  routes map should be large enough to hold one entry per workload
                  and a handful of entries per host (enough to cover its own IPs and
                  tunnel IPs).
                type: integer
              bpfPSNATPorts:
                anyOf:
                - type: integer
                - type: string
                description: 'BPFPSNATPorts sets the range from which we randomly
                  pick a port if there is a source port collision. This should be
                  within the ephemeral range as defined by RFC 6056 (1024–65535) and
                  preferably outside the  ephemeral ranges used by common operating
                  systems. Linux uses 32768–60999, while others mostly use the IANA
                  defined range 49152–65535. It is not necessarily a problem if this
                  range overlaps with the operating systems. Both ends of the range
                  are inclusive. [Default: 20000:29999]'
                pattern: ^.*
                x-kubernetes-int-or-string: true
              chainInsertMode:
                description: 'ChainInsertMode controls whether Felix hooks the kernel''s
                  top-level iptables chains by inserting a rule at the top of the
@ -856,6 +949,15 @@ spec:
                  Calico policy will be bypassed. [Default: insert]'
                type: string
              dataplaneDriver:
                description: DataplaneDriver filename of the external dataplane driver
                  to use.  Only used if UseInternalDataplaneDriver is set to false.
                type: string
              dataplaneWatchdogTimeout:
                description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
                  used for Felix''s (internal) dataplane driver. Increase this value
                  if you experience spurious non-ready or non-live events when Felix
                  is under heavy load. Decrease the value to get felix to report non-live
                  or non-ready more quickly. [Default: 90s]'
                type: string
              debugDisableLogDropping:
                type: boolean
@ -884,9 +986,14 @@ spec:
                  routes, by default this will be RTPROT_BOOT when left blank.
                type: integer
              deviceRouteSourceAddress:
-                description: This is the source address to use on programmed device
+                description: This is the IPv4 source address to use on programmed
-                  routes. By default the source address is left blank, leaving the
+                  device routes. By default the source address is left blank, leaving
-                  kernel to choose the source address used.
+                  the kernel to choose the source address used.
                type: string
              deviceRouteSourceAddressIPv6:
                description: This is the IPv6 source address to use on programmed
                  device routes. By default the source address is left blank, leaving
                  the kernel to choose the source address used.
                type: string
              disableConntrackInvalidCheck:
                type: boolean
@ -960,6 +1067,14 @@ spec:
                  "true" or "false" will force the feature, empty or omitted values
                  are auto-detected.
                type: string
              floatingIPs:
                default: Disabled
                description: FloatingIPs configures whether or not Felix will program
                  floating IP addresses.
                enum:
                - Enabled
                - Disabled
                type: string
              genericXDPEnabled:
                description: 'GenericXDPEnabled enables Generic XDP so network cards
                  that don''t support XDP offload or driver modes can use XDP. This
@ -997,6 +1112,9 @@ spec:
                  disabled by setting the interval to 0.
                type: string
              ipipEnabled:
                description: 'IPIPEnabled overrides whether Felix should configure
                  an IPIP interface on the host. Optional as Felix determines this
                  based on the existing IP pools. [Default: nil (unset)]'
                type: boolean
              ipipMTU:
                description: 'IPIPMTU is the MTU to set on the tunnel device. See
@ -1063,6 +1181,8 @@ spec:
                  usage. [Default: 10s]'
                type: string
              ipv6Support:
                description: IPv6Support controls whether Felix enables support for
                  IPv6 (if supported by the in-use dataplane).
                type: boolean
              kubeNodePortRanges:
                description: 'KubeNodePortRanges holds list of port ranges used for
@ -1076,6 +1196,12 @@ spec:
                  pattern: ^.*
                  x-kubernetes-int-or-string: true
                type: array
              logDebugFilenameRegex:
                description: LogDebugFilenameRegex controls which source code files
                  have their Debug log output included in the logs. Only logs from
                  files with names that match the given regular expression are included.  The
                  filter only applies to Debug level logs.
                type: string
              logFilePath:
                description: 'LogFilePath is the full path to the Felix log. Set to
                  none to disable file logging. [Default: /var/log/calico/felix.log]'
@ -1205,9 +1331,9 @@ spec:
                  routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
                type: string
              routeTableRange:
-                description: Calico programs additional Linux route tables for various
+                description: Deprecated in favor of RouteTableRanges. Calico programs
-                  purposes.  RouteTableRange specifies the indices of the route tables
+                  additional Linux route tables for various purposes. RouteTableRange
-                  that Calico should use.
+                  specifies the indices of the route tables that Calico should use.
                properties:
                  max:
                    type: integer
@ -1217,6 +1343,21 @@ spec:
                - max
                - min
                type: object
              routeTableRanges:
                description: Calico programs additional Linux route tables for various
                  purposes. RouteTableRanges specifies a set of table index ranges
                  that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.
                items:
                  properties:
                    max:
                      type: integer
                    min:
                      type: integer
                  required:
                  - max
                  - min
                  type: object
                type: array
              serviceLoopPrevention:
                description: 'When service IP advertisement is enabled, prevent routing
                  loops to service IPs that are not in use, by dropping or rejecting
@ -1244,12 +1385,22 @@ spec:
                  Felix makes reports. [Default: 86400s]'
                type: string
              useInternalDataplaneDriver:
                description: UseInternalDataplaneDriver, if true, Felix will use its
                  internal dataplane programming logic.  If false, it will launch
                  an external dataplane driver and communicate with it over protobuf.
                type: boolean
              vxlanEnabled:
                description: 'VXLANEnabled overrides whether Felix should create the
                  VXLAN tunnel device for VXLAN networking. Optional as Felix determines
                  this based on the existing IP pools. [Default: nil (unset)]'
                type: boolean
              vxlanMTU:
-                description: 'VXLANMTU is the MTU to set on the tunnel device. See
+                description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel
-                  Configuring MTU [Default: 1440]'
+                  device. See Configuring MTU [Default: 1410]'
                type: integer
              vxlanMTUV6:
                description: 'VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel
                  device. See Configuring MTU [Default: 1390]'
                type: integer
              vxlanPort:
                type: integer
@ -1267,6 +1418,10 @@ spec:
                description: 'WireguardInterfaceName specifies the name to use for
                  the Wireguard interface. [Default: wg.calico]'
                type: string
              wireguardKeepAlive:
                description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
                  option. Set 0 to disable. [Default: 0]'
                type: string
              wireguardListeningPort:
                description: 'WireguardListeningPort controls the listening port used
                  by Wireguard. [Default: 51820]'
@ -1279,6 +1434,12 @@ spec:
                description: 'WireguardRoutingRulePriority controls the priority value
                  to use for the Wireguard routing rule. [Default: 99]'
                type: integer
              workloadSourceSpoofing:
                description: WorkloadSourceSpoofing controls whether pods can use
                  the allowedSourcePrefixes annotation to send traffic with a source
                  IP address that is not theirs. This is disabled by default. When
                  set to "Any", pods can request any prefix.
                type: string
              xdpEnabled:
                description: 'XDPEnabled enables XDP acceleration for suitable untracked
                  incoming deny rules. [Default: true]'
@ -2375,13 +2536,25 @@ spec:
              resource.
            properties:
              affinity:
                description: Affinity of the block, if this block has one. If set,
                  it will be of the form "host:<hostname>". If not set, this block
                  is not affine to a host.
                type: string
              allocations:
                description: Array of allocations in-use within this block. nil entries
                  mean the allocation is free. For non-nil entries at index i, the
                  index is the ordinal of the allocation within this block and the
                  value is the index of the associated attributes in the Attributes
                  array.
                items:
                  nullable: true
                  type: integer
                type: array
              attributes:
                description: Attributes is an array of arbitrary metadata associated
                  with allocations in the block. To find attributes for a given allocation,
                  use the value of the allocation's entry in the Allocations array
                  as the index of the element in this array.
                items:
                  properties:
                    handle_id:
@ -2393,12 +2566,38 @@ spec:
                  type: object
                type: array
              cidr:
                description: The block's CIDR.
                type: string
              deleted:
                description: Deleted is an internal boolean used to workaround a limitation
                  in the Kubernetes API whereby deletion will not return a conflict
                  error if the block has been updated. It should not be set manually.
                type: boolean
              sequenceNumber:
                default: 0
                description: We store a sequence number that is updated each time
                  the block is written. Each allocation will also store the sequence
                  number of the block at the time of its creation. When releasing
                  an IP, passing the sequence number associated with the allocation
                  allows us to protect against a race condition and ensure the IP
                  hasn't been released and re-allocated since the release request.
                format: int64
                type: integer
              sequenceNumberForAllocation:
                additionalProperties:
                  format: int64
                  type: integer
                description: Map of allocated ordinal within the block to sequence
                  number of the block at the time of allocation. Kubernetes does not
                  allow numerical keys for maps, so the key is cast to a string.
                type: object
              strictAffinity:
                description: StrictAffinity on the IPAMBlock is deprecated and no
                  longer used by the code. Use IPAMConfig StrictAffinity instead.
                type: boolean
              unallocated:
                description: Unallocated is an ordered list of allocations which are
                  free in the block.
                items:
                  type: integer
                type: array
@ -2590,13 +2789,13 @@ spec:
                type: array
              blockSize:
                description: The block size to use for IP address assignments from
-                  this pool. Defaults to 26 for IPv4 and 112 for IPv6.
+                  this pool. Defaults to 26 for IPv4 and 122 for IPv6.
                type: integer
              cidr:
                description: The pool CIDR.
                type: string
              disableBGPExport:
-                description: 'Disable exporting routes from this IP Pool’s CIDR over
+                description: 'Disable exporting routes from this IP Pool''s CIDR over
                  BGP. [Default: false]'
                type: boolean
              disabled:
@ -2663,6 +2862,8 @@ status:
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (devel)
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: networking.projectcalico.org
@ -2823,6 +3024,11 @@ spec:
                        type: string
                    type: object
                type: object
              debugProfilePort:
                description: DebugProfilePort configures the port to serve memory
                  and cpu profiles on. If not specified, profiling is disabled.
                format: int32
                type: integer
              etcdV3CompactionPeriod:
                description: 'EtcdV3CompactionPeriod is the period between etcdv3
                  compaction requests. Set to 0 to disable. [Default: 10m]'
@ -2933,6 +3139,11 @@ spec:
                            type: string
                        type: object
                    type: object
                  debugProfilePort:
                    description: DebugProfilePort configures the port to serve memory
                      and cpu profiles on. If not specified, profiling is disabled.
                    format: int32
                    type: integer
                  etcdV3CompactionPeriod:
                    description: 'EtcdV3CompactionPeriod is the period between etcdv3
                      compaction requests. Set to 0 to disable. [Default: 10m]'
@ -3894,7 +4105,6 @@ rules:
 - apiGroups:
  - crd.projectcalico.org
  resources:
  - ippools
  - ipreservations
  verbs:
  - list
@ -3911,6 +4121,13 @@ rules:
  - update
  - delete
  - watch
 - apiGroups:
  - crd.projectcalico.org
  resources:
  - ippools
  verbs:
  - list
  - watch
 - apiGroups:
  - crd.projectcalico.org
  resources:
@ -3927,8 +4144,10 @@ rules:
  - clusterinformations
  verbs:
  - get
  - list
  - create
  - update
  - watch
 - apiGroups:
  - crd.projectcalico.org
  resources:
@ -4243,7 +4462,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/node:v3.21.5
+        image: docker.io/calico/node:v3.23.1
        lifecycle:
          preStop:
            exec:
@ -4317,7 +4536,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/cni:v3.21.5
+        image: docker.io/calico/cni:v3.23.1
        name: upgrade-ipam
        securityContext:
          privileged: true
@ -4351,7 +4570,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/cni:v3.21.5
+        image: docker.io/calico/cni:v3.23.1
        name: install-cni
        securityContext:
          privileged: true
@ -4360,13 +4579,6 @@ spec:
          name: cni-bin-dir
        - mountPath: /host/etc/cni/net.d
          name: cni-net-dir
      - image: docker.io/calico/pod2daemon-flexvol:v3.21.5
        name: flexvol-driver
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /host/driver
          name: flexvol-driver-host
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
@ -4413,10 +4625,6 @@ spec:
          path: /var/run/nodeagent
          type: DirectoryOrCreate
        name: policysync
      - hostPath:
          path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
          type: DirectoryOrCreate
        name: flexvol-driver-host
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
@ -4470,7 +4678,7 @@ spec:
          value: node
        - name: DATASTORE_TYPE
          value: kubernetes
-        image: docker.io/calico/kube-controllers:v3.21.5
+        image: docker.io/calico/kube-controllers:v3.23.1
        livenessProbe:
          exec:
            command:
@ -4514,7 +4722,7 @@ metadata:
 ---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  creationTimestamp: null
--- a/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content
+++ b/tests/integration/update_cluster/privatecalico/data/aws_s3_object_privatecalico.example.com-addons-storage-aws.addons.k8s.io-v1.15.0_content
@ -35,7 +35,7 @@ apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  annotations:
-    storageclass.kubernetes.io/is-default-class: "true"
+    storageclass.kubernetes.io/is-default-class: "false"
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: storage-aws.addons.k8s.io
@ -50,6 +50,26 @@ volumeBindingMode: WaitForFirstConsumer
 ---
 allowVolumeExpansion: true
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
  creationTimestamp: null
  labels:
    addon.kops.k8s.io/name: storage-aws.addons.k8s.io
    app.kubernetes.io/managed-by: kops
    k8s-addon: storage-aws.addons.k8s.io
  name: kops-csi-1-21
 parameters:
  encrypted: "true"
  type: gp3
 provisioner: ebs.csi.aws.com
 volumeBindingMode: WaitForFirstConsumer
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
--- a/tests/integration/update_cluster/privatecalico/in-v1alpha2.yaml
+++ b/tests/integration/update_cluster/privatecalico/in-v1alpha2.yaml
@ -4,9 +4,11 @@ metadata:
  creationTimestamp: "2016-12-12T04:13:14Z"
  name: privatecalico.example.com
 spec:
  kubernetesApiAccess:
  - 0.0.0.0/0
  channel: stable
  cloudConfig:
    awsEBSCSIDriver:
      enabled: true
  cloudControllerManager: {}
  cloudProvider: aws
  configBase: memfs://clusters.example.com/privatecalico.example.com
  etcdClusters:
@ -18,10 +20,15 @@ spec:
    - instanceGroup: master-us-test-1a
      name: us-test-1a
    name: events
-  iam: {}
+  iam:
    allowContainerRegistry: true
    legacy: false
  kubelet:
    anonymousAuth: false
-  kubernetesVersion: v1.21.0
+  kubernetesApiAccess:
  - 0.0.0.0/0
  - ::/0
  kubernetesVersion: v1.24.0
  masterInternalName: api.internal.privatecalico.example.com
  masterPublicName: api.privatecalico.example.com
  networkCIDR: 172.20.0.0/16
@ -30,9 +37,7 @@ spec:
  nonMasqueradeCIDR: 100.64.0.0/10
  sshAccess:
  - 0.0.0.0/0
-  topology:
+  - ::/0
    masters: private
    nodes: private
  subnets:
  - cidr: 172.20.32.0/19
    name: us-test-1a
@ -42,6 +47,9 @@ spec:
    name: utility-us-test-1a
    type: Utility
    zone: us-test-1a
  topology:
    masters: private
    nodes: private
 ---
@ -49,13 +57,15 @@ apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
  creationTimestamp: "2016-12-12T04:13:15Z"
  name: master-us-test-1a
  labels:
    kops.k8s.io/cluster: privatecalico.example.com
  name: master-us-test-1a
 spec:
  associatePublicIp: true
  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
-  machineType: m3.medium
+  instanceMetadata:
    httpPutResponseHopLimit: 1
    httpTokens: required
  machineType: t3.medium
  maxSize: 1
  minSize: 1
  role: Master
@ -68,13 +78,15 @@ apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
  creationTimestamp: "2016-12-12T04:13:15Z"
  name: nodes
  labels:
    kops.k8s.io/cluster: privatecalico.example.com
  name: nodes
 spec:
  associatePublicIp: true
  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
-  machineType: t2.medium
+  instanceMetadata:
    httpPutResponseHopLimit: 3
    httpTokens: required
  machineType: t3.medium
  maxSize: 2
  minSize: 2
  role: Node
@ -88,13 +100,13 @@ apiVersion: kops.k8s.io/v1alpha2
 kind: InstanceGroup
 metadata:
  creationTimestamp: "2016-12-14T15:32:41Z"
  name: bastion
  labels:
    kops.k8s.io/cluster: privatecalico.example.com
  name: bastion
 spec:
  associatePublicIp: true
  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
-  machineType: t2.micro
+  machineType: t3.micro
  maxSize: 1
  minSize: 1
  role: Bastion
--- a/tests/integration/update_cluster/privatecalico/kubernetes.tf
+++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf
@ -137,11 +137,6 @@ resource "aws_autoscaling_group" "bastion-privatecalico-example-com" {
    propagate_at_launch = true
    value               = "bastion.privatecalico.example.com"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"
    propagate_at_launch = true
    value               = "node"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node"
    propagate_at_launch = true
@ -192,21 +187,11 @@ resource "aws_autoscaling_group" "master-us-test-1a-masters-privatecalico-exampl
    propagate_at_launch = true
    value               = ""
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"
    propagate_at_launch = true
    value               = "master"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"
    propagate_at_launch = true
    value               = ""
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"
    propagate_at_launch = true
    value               = ""
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers"
    propagate_at_launch = true
@ -251,11 +236,6 @@ resource "aws_autoscaling_group" "nodes-privatecalico-example-com" {
    propagate_at_launch = true
    value               = "nodes.privatecalico.example.com"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"
    propagate_at_launch = true
    value               = "node"
  }
  tag {
    key                 = "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node"
    propagate_at_launch = true
@ -486,7 +466,7 @@ resource "aws_launch_template" "bastion-privatecalico-example-com" {
    name = aws_iam_instance_profile.bastions-privatecalico-example-com.id
  }
  image_id      = "ami-12345678"
-  instance_type = "t2.micro"
+  instance_type = "t3.micro"
  key_name      = aws_key_pair.kubernetes-privatecalico-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
  lifecycle {
    create_before_destroy = true
@ -512,7 +492,6 @@ resource "aws_launch_template" "bastion-privatecalico-example-com" {
    tags = {
      "KubernetesCluster"                                                          = "privatecalico.example.com"
      "Name"                                                                       = "bastion.privatecalico.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
      "k8s.io/role/bastion"                                                        = "1"
      "kops.k8s.io/instancegroup"                                                  = "bastion"
@ -524,7 +503,6 @@ resource "aws_launch_template" "bastion-privatecalico-example-com" {
    tags = {
      "KubernetesCluster"                                                          = "privatecalico.example.com"
      "Name"                                                                       = "bastion.privatecalico.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
      "k8s.io/role/bastion"                                                        = "1"
      "kops.k8s.io/instancegroup"                                                  = "bastion"
@ -534,7 +512,6 @@ resource "aws_launch_template" "bastion-privatecalico-example-com" {
  tags = {
    "KubernetesCluster"                                                          = "privatecalico.example.com"
    "Name"                                                                       = "bastion.privatecalico.example.com"
    "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
    "k8s.io/role/bastion"                                                        = "1"
    "kops.k8s.io/instancegroup"                                                  = "bastion"
@ -554,15 +531,11 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecalico-example-
      volume_type           = "gp3"
    }
  }
  block_device_mappings {
    device_name  = "/dev/sdc"
    virtual_name = "ephemeral0"
  }
  iam_instance_profile {
    name = aws_iam_instance_profile.masters-privatecalico-example-com.id
  }
  image_id      = "ami-12345678"
-  instance_type = "m3.medium"
+  instance_type = "t3.medium"
  key_name      = aws_key_pair.kubernetes-privatecalico-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
  lifecycle {
    create_before_destroy = true
@ -571,7 +544,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecalico-example-
    http_endpoint               = "enabled"
    http_protocol_ipv6          = "disabled"
    http_put_response_hop_limit = 1
-    http_tokens                 = "optional"
+    http_tokens                 = "required"
  }
  monitoring {
    enabled = false
@ -589,9 +562,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecalico-example-
      "KubernetesCluster"                                                                                     = "privatecalico.example.com"
      "Name"                                                                                                  = "master-us-test-1a.masters.privatecalico.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"                         = ""
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"                                      = "master"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"                   = ""
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"                          = ""
      "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = ""
      "k8s.io/role/master"                                                                                    = "1"
      "kops.k8s.io/instancegroup"                                                                             = "master-us-test-1a"
@ -604,9 +575,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecalico-example-
      "KubernetesCluster"                                                                                     = "privatecalico.example.com"
      "Name"                                                                                                  = "master-us-test-1a.masters.privatecalico.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"                         = ""
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"                                      = "master"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"                   = ""
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"                          = ""
      "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = ""
      "k8s.io/role/master"                                                                                    = "1"
      "kops.k8s.io/instancegroup"                                                                             = "master-us-test-1a"
@ -617,9 +586,7 @@ resource "aws_launch_template" "master-us-test-1a-masters-privatecalico-example-
    "KubernetesCluster"                                                                                     = "privatecalico.example.com"
    "Name"                                                                                                  = "master-us-test-1a.masters.privatecalico.example.com"
    "k8s.io/cluster-autoscaler/node-template/label/kops.k8s.io/kops-controller-pki"                         = ""
    "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"                                      = "master"
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/control-plane"                   = ""
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/master"                          = ""
    "k8s.io/cluster-autoscaler/node-template/label/node.kubernetes.io/exclude-from-external-load-balancers" = ""
    "k8s.io/role/master"                                                                                    = "1"
    "kops.k8s.io/instancegroup"                                                                             = "master-us-test-1a"
@ -644,7 +611,7 @@ resource "aws_launch_template" "nodes-privatecalico-example-com" {
    name = aws_iam_instance_profile.nodes-privatecalico-example-com.id
  }
  image_id      = "ami-12345678"
-  instance_type = "t2.medium"
+  instance_type = "t3.medium"
  key_name      = aws_key_pair.kubernetes-privatecalico-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id
  lifecycle {
    create_before_destroy = true
@ -652,8 +619,8 @@ resource "aws_launch_template" "nodes-privatecalico-example-com" {
  metadata_options {
    http_endpoint               = "enabled"
    http_protocol_ipv6          = "disabled"
-    http_put_response_hop_limit = 1
+    http_put_response_hop_limit = 3
-    http_tokens                 = "optional"
+    http_tokens                 = "required"
  }
  monitoring {
    enabled = false
@ -670,7 +637,6 @@ resource "aws_launch_template" "nodes-privatecalico-example-com" {
    tags = {
      "KubernetesCluster"                                                          = "privatecalico.example.com"
      "Name"                                                                       = "nodes.privatecalico.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
      "k8s.io/role/node"                                                           = "1"
      "kops.k8s.io/instancegroup"                                                  = "nodes"
@ -682,7 +648,6 @@ resource "aws_launch_template" "nodes-privatecalico-example-com" {
    tags = {
      "KubernetesCluster"                                                          = "privatecalico.example.com"
      "Name"                                                                       = "nodes.privatecalico.example.com"
      "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
      "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
      "k8s.io/role/node"                                                           = "1"
      "kops.k8s.io/instancegroup"                                                  = "nodes"
@ -692,7 +657,6 @@ resource "aws_launch_template" "nodes-privatecalico-example-com" {
  tags = {
    "KubernetesCluster"                                                          = "privatecalico.example.com"
    "Name"                                                                       = "nodes.privatecalico.example.com"
    "k8s.io/cluster-autoscaler/node-template/label/kubernetes.io/role"           = "node"
    "k8s.io/cluster-autoscaler/node-template/label/node-role.kubernetes.io/node" = ""
    "k8s.io/role/node"                                                           = "1"
    "kops.k8s.io/instancegroup"                                                  = "nodes"
@ -842,6 +806,22 @@ resource "aws_s3_object" "nodeupconfig-nodes" {
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "privatecalico-example-com-addons-aws-cloud-controller-addons-k8s-io-k8s-1-18" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-aws-cloud-controller.addons.k8s.io-k8s-1.18_content")
  key                    = "clusters.example.com/privatecalico.example.com/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml"
  provider               = aws.files
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "privatecalico-example-com-addons-aws-ebs-csi-driver-addons-k8s-io-k8s-1-17" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-aws-ebs-csi-driver.addons.k8s.io-k8s-1.17_content")
  key                    = "clusters.example.com/privatecalico.example.com/addons/aws-ebs-csi-driver.addons.k8s.io/k8s-1.17.yaml"
  provider               = aws.files
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "privatecalico-example-com-addons-bootstrap" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-bootstrap_content")
@ -890,6 +870,14 @@ resource "aws_s3_object" "privatecalico-example-com-addons-kubelet-api-rbac-addo
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "privatecalico-example-com-addons-leader-migration-rbac-addons-k8s-io-k8s-1-23" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-leader-migration.rbac.addons.k8s.io-k8s-1.23_content")
  key                    = "clusters.example.com/privatecalico.example.com/addons/leader-migration.rbac.addons.k8s.io/k8s-1.23.yaml"
  provider               = aws.files
  server_side_encryption = "AES256"
 }
 resource "aws_s3_object" "privatecalico-example-com-addons-limit-range-addons-k8s-io" {
  bucket                 = "testingBucket"
  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-limit-range.addons.k8s.io_content")
@ -898,10 +886,10 @@ resource "aws_s3_object" "privatecalico-example-com-addons-limit-range-addons-k8
  server_side_encryption = "AES256"
 }
-resource "aws_s3_object" "privatecalico-example-com-addons-networking-projectcalico-org-k8s-1-16" {
+resource "aws_s3_object" "privatecalico-example-com-addons-networking-projectcalico-org-k8s-1-23" {
  bucket                 = "testingBucket"
-  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.16_content")
+  content                = file("${path.module}/data/aws_s3_object_privatecalico.example.com-addons-networking.projectcalico.org-k8s-1.23_content")
-  key                    = "clusters.example.com/privatecalico.example.com/addons/networking.projectcalico.org/k8s-1.16.yaml"
+  key                    = "clusters.example.com/privatecalico.example.com/addons/networking.projectcalico.org/k8s-1.23.yaml"
  provider               = aws.files
  server_side_encryption = "AES256"
 }
@ -987,6 +975,24 @@ resource "aws_security_group_rule" "from-0-0-0-0--0-ingress-tcp-443to443-api-elb
  type              = "ingress"
 }
 resource "aws_security_group_rule" "from-__--0-ingress-tcp-22to22-bastion-elb-privatecalico-example-com" {
  from_port         = 22
  ipv6_cidr_blocks  = ["::/0"]
  protocol          = "tcp"
  security_group_id = aws_security_group.bastion-elb-privatecalico-example-com.id
  to_port           = 22
  type              = "ingress"
 }
 resource "aws_security_group_rule" "from-__--0-ingress-tcp-443to443-api-elb-privatecalico-example-com" {
  from_port         = 443
  ipv6_cidr_blocks  = ["::/0"]
  protocol          = "tcp"
  security_group_id = aws_security_group.api-elb-privatecalico-example-com.id
  to_port           = 443
  type              = "ingress"
 }
 resource "aws_security_group_rule" "from-api-elb-privatecalico-example-com-egress-all-0to0-0-0-0-0--0" {
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 0
@ -1194,9 +1200,20 @@ resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
  type              = "ingress"
 }
 resource "aws_security_group_rule" "icmpv6-pmtu-api-elb-__--0" {
  from_port         = -1
  ipv6_cidr_blocks  = ["::/0"]
  protocol          = "icmpv6"
  security_group_id = aws_security_group.api-elb-privatecalico-example-com.id
  to_port           = -1
  type              = "ingress"
 }
 resource "aws_subnet" "us-test-1a-privatecalico-example-com" {
  availability_zone                           = "us-test-1a"
  cidr_block                                  = "172.20.32.0/19"
  enable_resource_name_dns_a_record_on_launch = true
  private_dns_hostname_type_on_launch         = "resource-name"
  tags = {
    "KubernetesCluster"                               = "privatecalico.example.com"
    "Name"                                            = "us-test-1a.privatecalico.example.com"
@ -1210,6 +1227,8 @@ resource "aws_subnet" "us-test-1a-privatecalico-example-com" {
 resource "aws_subnet" "utility-us-test-1a-privatecalico-example-com" {
  availability_zone                           = "us-test-1a"
  cidr_block                                  = "172.20.4.0/22"
  enable_resource_name_dns_a_record_on_launch = true
  private_dns_hostname_type_on_launch         = "resource-name"
  tags = {
    "KubernetesCluster"                               = "privatecalico.example.com"
    "Name"                                            = "utility-us-test-1a.privatecalico.example.com"
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content
+++ b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-bootstrap_content
@ -54,7 +54,7 @@ spec:
    version: 9.99.0
  - id: k8s-1.22
    manifest: networking.projectcalico.org.canal/k8s-1.22.yaml
-    manifestHash: e901520c95925f596ab91f42a0e1efba17690f1c3384f1263dd5017ee0cb78f4
+    manifestHash: ff8bbeaba0ec65a71b29563278683bcfe8130d023a388b5321f347b1ff932136
    name: networking.projectcalico.org.canal
    selector:
      role.kubernetes.io/networking: "1"
--- a/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.22_content
+++ b/tests/integration/update_cluster/privatecanal/data/aws_s3_object_privatecanal.example.com-addons-networking.projectcalico.org.canal-k8s-1.22_content
@ -4458,7 +4458,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/node:v3.23.0
+        image: docker.io/calico/node:v3.23.1
        lifecycle:
          preStop:
            exec:
@ -4571,7 +4571,7 @@ spec:
        - configMapRef:
            name: kubernetes-services-endpoint
            optional: true
-        image: docker.io/calico/cni:v3.23.0
+        image: docker.io/calico/cni:v3.23.1
        name: install-cni
        securityContext:
          privileged: true
@ -4697,7 +4697,7 @@ spec:
          value: node
        - name: DATASTORE_TYPE
          value: kubernetes
-        image: docker.io/calico/kube-controllers:v3.23.0
+        image: docker.io/calico/kube-controllers:v3.23.1
        livenessProbe:
          exec:
            command:
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.22.yaml.template
@ -4358,7 +4358,7 @@ spec:
      securityContext:
        fsGroup: 65534
      containers:
-      - image: calico/typha:v3.23.0
+      - image: calico/typha:v3.23.1
        name: calico-typha
        ports:
        - containerPort: 5473
@ -4468,7 +4468,7 @@ spec:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
-          image: docker.io/calico/cni:v3.23.0
+          image: docker.io/calico/cni:v3.23.1
          command: ["/opt/cni/bin/install"]
          envFrom:
          - configMapRef:
@ -4511,7 +4511,7 @@ spec:
        # container programs network policy and routes on each
        # host.
        - name: calico-node
-          image: docker.io/calico/node:v3.23.0
+          image: docker.io/calico/node:v3.23.1
          envFrom:
          - configMapRef:
              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -4791,7 +4791,7 @@ spec:
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:v3.23.0
+          image: docker.io/calico/kube-controllers:v3.23.1
          env:
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
--- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.23.yaml.template
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.23.yaml.template
@ -4359,7 +4359,7 @@ spec:
      securityContext:
        fsGroup: 65534
      containers:
-      - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.23.0" }}
+      - image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/typha:{{ or .Networking.Calico.Version "v3.23.1" }}
        name: calico-typha
        ports:
        - containerPort: 5473
@ -4480,7 +4480,7 @@ spec:
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        - name: upgrade-ipam
-          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.23.0" }}
+          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.23.1" }}
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          envFrom:
          - configMapRef:
@ -4507,7 +4507,7 @@ spec:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
-          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.23.0" }}
+          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/cni:{{ or .Networking.Calico.Version "v3.23.1" }}
          command: ["/opt/cni/bin/install"]
          envFrom:
          - configMapRef:
@ -4550,7 +4550,7 @@ spec:
        # container programs network policy and routes on each
        # host.
        - name: calico-node
-          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.23.0" }}
+          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/node:{{ or .Networking.Calico.Version "v3.23.1" }}
          envFrom:
          - configMapRef:
              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -4863,7 +4863,7 @@ spec:
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
-          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.23.0" }}
+          image: {{ or .Networking.Calico.Registry "docker.io" }}/calico/kube-controllers:{{ or .Networking.Calico.Version "v3.23.1" }}
          env:
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS