diff --git a/upup/models/bindata.go b/upup/models/bindata.go index e57c9b1e1d..bf53cdd1c1 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -3922,7 +3922,7 @@ func cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s112YamlTemplate() (*as return a, nil } -var _cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s116YamlTemplate = []byte(`# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.6.4/config/v1.6/aws-k8s-cni.yaml +var _cloudupResourcesAddonsNetworkingAmazonVpcRoutedEniK8s116YamlTemplate = []byte(`# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.7/config/v1.7/aws-k8s-cni.yaml --- apiVersion: rbac.authorization.k8s.io/v1 @@ -3939,9 +3939,12 @@ rules: - apiGroups: [""] resources: - pods - - nodes - namespaces verbs: ["list", "watch", "get"] +- apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get", "update"] - apiGroups: ["extensions"] resources: - daemonsets @@ -3969,9 +3972,11 @@ subjects: namespace: kube-system --- -kind: DaemonSet apiVersion: apps/v1 +kind: DaemonSet metadata: + labels: + k8s-app: aws-node name: aws-node namespace: kube-system labels: @@ -4013,7 +4018,7 @@ spec: tolerations: - operator: Exists containers: - - image: "{{- or .Networking.AmazonVPC.ImageName "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.4" }}" + - image: "{{- or .Networking.AmazonVPC.ImageName "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.7.0" }}" imagePullPolicy: Always ports: - containerPort: 61678 
@@ -4022,24 +4027,50 @@ spec: readinessProbe: exec: command: ["/app/grpc-health-probe", "-addr=:50051"] - initialDelaySeconds: 35 + initialDelaySeconds: 1 livenessProbe: exec: command: ["/app/grpc-health-probe", "-addr=:50051"] - initialDelaySeconds: 35 + initialDelaySeconds: 60 env: - name: CLUSTER_NAME value: {{ ClusterName }} - - name: AWS_VPC_K8S_CNI_LOGLEVEL - value: DEBUG - - name: AWS_VPC_K8S_CNI_VETHPREFIX - value: eni + - name: ADDITIONAL_ENI_TAGS + value: '{}' + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" - name: AWS_VPC_ENI_MTU value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: DEBUG + - name: AWS_VPC_K8S_CNI_LOG_FILE + value: /host/var/log/aws-routed-eni/ipamd.log + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: prng + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: /var/log/aws-routed-eni/plugin.log + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: DEBUG + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: eni - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName + - name: WARM_ENI_TARGET + value: "1" {{- range .Networking.AmazonVPC.Env }} - name: {{ .Name }} value: "{{ .Value }}" 
@@ -4048,34 +4079,50 @@ spec: requests: cpu: 10m securityContext: - privileged: true + capabilities: + add: + - NET_ADMIN volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir - - mountPath: /host/var/log + - mountPath: /host/var/log/aws-routed-eni name: log-dir - - mountPath: /var/run/docker.sock - name: dockersock + - mountPath: /var/run/aws-node + name: run-dir - mountPath: /var/run/dockershim.sock name: dockershim + initContainers: + - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.7.0 + imagePullPolicy: Always + name: aws-vpc-cni-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir volumes: - - name: cni-bin-dir - hostPath: + - hostPath: path: /opt/cni/bin - - name: cni-net-dir - hostPath: + name: cni-bin-dir + - hostPath: path: /etc/cni/net.d - - name: log-dir - hostPath: - path: /var/log - - name: dockersock - hostPath: - path: /var/run/docker.sock - - name: dockershim - hostPath: + name: cni-net-dir + - hostPath: path: /var/run/dockershim.sock + name: dockershim + - hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + name: log-dir + - hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + name: run-dir --- apiVersion: apiextensions.k8s.io/v1beta1 diff --git a/upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template index 9a4e70f9d2..5ea3b6424e 100644 --- a/upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.amazon-vpc-routed-eni/k8s-1.16.yaml.template 
@@ -1,4 +1,4 @@ -# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.6.4/config/v1.6/aws-k8s-cni.yaml +# Vendored from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.7/config/v1.7/aws-k8s-cni.yaml --- apiVersion: rbac.authorization.k8s.io/v1 @@ -15,9 +15,12 @@ rules: - apiGroups: [""] resources: - pods - - nodes - namespaces verbs: ["list", "watch", "get"] +- apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get", "update"] - apiGroups: ["extensions"] resources: - daemonsets @@ -45,9 +48,11 @@ subjects: namespace: kube-system --- -kind: DaemonSet apiVersion: apps/v1 +kind: DaemonSet metadata: + labels: + k8s-app: aws-node name: aws-node namespace: kube-system labels: @@ -89,7 +94,7 @@ spec: tolerations: - operator: Exists containers: - - image: "{{- or .Networking.AmazonVPC.ImageName "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.4" }}" + - image: "{{- or .Networking.AmazonVPC.ImageName "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.7.0" }}" imagePullPolicy: Always ports: - containerPort: 61678 
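Review bot: In the RBAC hunk at `@@ -15,9 +15,12 @@` the `nodes` resource is moved out of the read-only rule and gains `update`, so the aws-node ClusterRole now carries write access to Node objects and nothing in the template records why. Since this is vendored from the upstream 1.7 manifest the grant is presumably required by the new release, but a one-line comment above the new rule, `# nodes needs update in v1.7 (vendored as-is); keep write verbs confined to this rule`, would stop a future re-vendoring from folding it back into the broad read rule. The same hunk appears in the generated bindata.go copy.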
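Review bot: In the DaemonSet hunk at `@@ -45,9 +48,11 @@`, `metadata` ends up with two `labels:` keys: the added `labels:` / `k8s-app: aws-node` before `name:` and the pre-existing `labels:` after `namespace:` (its contents are outside the hunk). A duplicate mapping key is either rejected by a strict YAML decoder or silently resolved to the last occurrence, in which case `k8s-app: aws-node` never reaches the object; the expected-output fixture in this same commit has no hunk at the DaemonSet metadata, which suggests the latter is what happens. Drop the two added lines and put `k8s-app: aws-node` under the existing `labels:` block instead. The same duplication is present in the generated bindata.go copy.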
@@ -98,24 +103,50 @@ spec: readinessProbe: exec: command: ["/app/grpc-health-probe", "-addr=:50051"] - initialDelaySeconds: 35 + initialDelaySeconds: 1 livenessProbe: exec: command: ["/app/grpc-health-probe", "-addr=:50051"] - initialDelaySeconds: 35 + initialDelaySeconds: 60 env: - name: CLUSTER_NAME value: {{ ClusterName }} - - name: AWS_VPC_K8S_CNI_LOGLEVEL - value: DEBUG - - name: AWS_VPC_K8S_CNI_VETHPREFIX - value: eni + - name: ADDITIONAL_ENI_TAGS + value: '{}' + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" - name: AWS_VPC_ENI_MTU value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: DEBUG + - name: AWS_VPC_K8S_CNI_LOG_FILE + value: /host/var/log/aws-routed-eni/ipamd.log + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: prng + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: /var/log/aws-routed-eni/plugin.log + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: DEBUG + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: eni - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName + - name: WARM_ENI_TARGET + value: "1" {{- range .Networking.AmazonVPC.Env }} - name: {{ .Name }} value: "{{ .Value }}" 
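Review bot: The env list now hard-codes sixteen upstream defaults (including `WARM_ENI_TARGET` and `AWS_VPC_K8S_CNI_LOGLEVEL`) and then appends the `{{- range .Networking.AmazonVPC.Env }}` entries after them, so any user override of one of those names produces a container with the same env name twice; the expected-output fixture in this commit already shows `AWS_VPC_K8S_CNI_LOGLEVEL` set to `DEBUG` and then `debug`. The kubelet currently resolves duplicate names last-wins, but the API does not validate or guarantee this, and the template gives the reader no hint that ordering is what makes overrides take effect. A template comment before the range, `{{- /* user Env entries intentionally follow the defaults: a repeated name overrides the default by last-wins */}}`, would document the dependency; skipping a default when the user list supplies the same name would be the robust fix. The container block continues outside the hunk.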
@@ -124,34 +155,50 @@ spec: requests: cpu: 10m securityContext: - privileged: true + capabilities: + add: + - NET_ADMIN volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir - - mountPath: /host/var/log + - mountPath: /host/var/log/aws-routed-eni name: log-dir - - mountPath: /var/run/docker.sock - name: dockersock + - mountPath: /var/run/aws-node + name: run-dir - mountPath: /var/run/dockershim.sock name: dockershim + initContainers: + - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.7.0 + imagePullPolicy: Always + name: aws-vpc-cni-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir volumes: - - name: cni-bin-dir - hostPath: + - hostPath: path: /opt/cni/bin - - name: cni-net-dir - hostPath: + name: cni-bin-dir + - hostPath: path: /etc/cni/net.d - - name: log-dir - hostPath: - path: /var/log - - name: dockersock - hostPath: - path: /var/run/docker.sock - - name: dockershim - hostPath: + name: cni-net-dir + - hostPath: path: /var/run/dockershim.sock + name: dockershim + - hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + name: log-dir + - hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + name: run-dir --- apiVersion: apiextensions.k8s.io/v1beta1 diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/manifest.yaml index cd68ede5d9..d3cccf81d9 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/manifest.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/manifest.yaml 
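Review bot: The new `aws-vpc-cni-init` init container pins `602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.7.0` as a literal, while the main container's image goes through `{{- or .Networking.AmazonVPC.ImageName "..." }}`, so an operator who overrides `ImageName` (regional or mirrored registry, air-gapped cluster) still pulls the init image from us-west-2 ECR, and the two images can drift apart in version. Wire the init image through a template hook the same way — no field for it is visible in this diff, so one would have to be added next to `ImageName` — or at least derive its default from the same version string as the main image. The init container also keeps `privileged: true` while the main container is reduced to `capabilities: add: [NET_ADMIN]`; its only mount is `/host/opt/cni/bin`, so a comment stating what the init step needs full privilege for would make the remaining privileged footprint reviewable. The DaemonSet spec continues outside the hunk.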
@@ -105,7 +105,7 @@ spec: - id: k8s-1.16 kubernetesVersion: '>=1.16.0' manifest: networking.amazon-vpc-routed-eni/k8s-1.16.yaml - manifestHash: a684d4e135aac56ad28d56570999e605317e870b + manifestHash: 8279e7bffce848b7cd30e87e5c7c5c64c5955e4c name: networking.amazon-vpc-routed-eni selector: role.kubernetes.io/networking: "1" diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/networking.amazon-vpc-routed-eni-k8s-1.16.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/networking.amazon-vpc-routed-eni-k8s-1.16.yaml index ea1475bb57..ab88e8b9f5 100644 --- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/networking.amazon-vpc-routed-eni-k8s-1.16.yaml +++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/amazonvpc/networking.amazon-vpc-routed-eni-k8s-1.16.yaml @@ -13,12 +13,20 @@ rules: - "" resources: - pods - - nodes - namespaces verbs: - list - watch - get +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + - get + - update - apiGroups: - extensions resources: 
@@ -90,28 +98,54 @@ spec: - env: - name: CLUSTER_NAME value: minimal.example.com - - name: AWS_VPC_K8S_CNI_LOGLEVEL - value: DEBUG - - name: AWS_VPC_K8S_CNI_VETHPREFIX - value: eni + - name: ADDITIONAL_ENI_TAGS + value: '{}' + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" - name: AWS_VPC_ENI_MTU value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: DEBUG + - name: AWS_VPC_K8S_CNI_LOG_FILE + value: /host/var/log/aws-routed-eni/ipamd.log + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: prng + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: /var/log/aws-routed-eni/plugin.log + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: DEBUG + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: eni - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName + - name: WARM_ENI_TARGET + value: "1" - name: WARM_IP_TARGET value: "10" - name: AWS_VPC_K8S_CNI_LOGLEVEL value: debug - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.6.4 + image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.7.0 imagePullPolicy: Always livenessProbe: exec: command: - /app/grpc-health-probe - -addr=:50051 - initialDelaySeconds: 35 + initialDelaySeconds: 60 name: aws-node ports: - containerPort: 61678 
@@ -121,24 +155,38 @@ spec: command: - /app/grpc-health-probe - -addr=:50051 - initialDelaySeconds: 35 + initialDelaySeconds: 1 resources: requests: cpu: 10m securityContext: - privileged: true + capabilities: + add: + - NET_ADMIN volumeMounts: - mountPath: /host/opt/cni/bin name: cni-bin-dir - mountPath: /host/etc/cni/net.d name: cni-net-dir - - mountPath: /host/var/log + - mountPath: /host/var/log/aws-routed-eni name: log-dir - - mountPath: /var/run/docker.sock - name: dockersock + - mountPath: /var/run/aws-node + name: run-dir - mountPath: /var/run/dockershim.sock name: dockershim hostNetwork: true + initContainers: + - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.7.0 + imagePullPolicy: Always + name: aws-vpc-cni-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir priorityClassName: system-node-critical serviceAccountName: aws-node tolerations: @@ -150,15 +198,17 @@ spec: - hostPath: path: /etc/cni/net.d name: cni-net-dir - - hostPath: - path: /var/log - name: log-dir - - hostPath: - path: /var/run/docker.sock - name: dockersock - hostPath: path: /var/run/dockershim.sock name: dockershim + - hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + name: log-dir + - hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + name: run-dir updateStrategy: rollingUpdate: maxUnavailable: 10%