Merge pull request #15945 from hakman/karpenter-0.30.0

Update Karpenter to v0.30.0

pkg/model/components/karpenter.go

@@ -36,7 +36,7 @@ func (b *KarpenterOptionsBuilder) BuildOptions(o interface{}) error {
 	}
 
 	if c.Image == "" {
-		c.Image = "public.ecr.aws/karpenter/controller:v0.28.1"
+		c.Image = "public.ecr.aws/karpenter/controller:v0.30.0"
 	}
 
 	if c.LogEncoding == "" {

tests/e2e/kubetest2-kops/deployer/up.go

@@ -261,14 +261,8 @@ func (d *deployer) updateCluster(yes bool) error {
 func (d *deployer) IsUp() (bool, error) {
 	wait := d.ValidationWait
 	if wait == 0 {
-		if d.TerraformVersion != "" || d.CloudProvider == "digitalocean" {
-			// `--target terraform` doesn't precreate the API DNS records,
-			// so kops is more likely to hit negative TTLs during validation.
-			// Digital Ocean also occasionally takes longer to validate.
-			wait = time.Duration(20) * time.Minute
-		} else {
-			wait = time.Duration(15) * time.Minute
-		}
+		// kOps is more likely to hit negative TTLs for API DNS during validation.
+		wait = time.Duration(20) * time.Minute
 	}
 	args := []string{
 		d.KopsBinaryPath, "validate", "cluster",

tests/integration/update_cluster/karpenter/data/aws_s3_object_cluster-completed.spec_content

@@ -57,7 +57,7 @@ spec:
   karpenter:
     cpuRequest: 100m
     enabled: true
-    image: public.ecr.aws/karpenter/controller:v0.28.1
+    image: public.ecr.aws/karpenter/controller:v0.30.0
     logEncoding: console
     logLevel: debug
     memoryLimit: 2Gi

tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -120,7 +120,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: karpenter.sh/k8s-1.19.yaml
-    manifestHash: 83732936b11b5830020d8af7bf0955c4b6334c7a1ba93bf051b40bb79294075d
+    manifestHash: 4d98502de7554ba20b42fd19517a874e79df1db60336e72d9ecfefaa5e980c78
     name: karpenter.sh
     prune:
       kinds:
@@ -168,11 +168,13 @@ spec:
         kind: Role
         labelSelector: addon.kops.k8s.io/name=karpenter.sh,app.kubernetes.io/managed-by=kops
         namespaces:
+        - kube-node-lease
         - kube-system
       - group: rbac.authorization.k8s.io
         kind: RoleBinding
         labelSelector: addon.kops.k8s.io/name=karpenter.sh,app.kubernetes.io/managed-by=kops
         namespaces:
+        - kube-node-lease
         - kube-system
     selector:
       k8s-addon: karpenter.sh

tests/integration/update_cluster/karpenter/data/aws_s3_object_minimal.example.com-addons-karpenter.sh-k8s-1.19_content

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: karpenter.sh
@@ -20,7 +20,15 @@ spec:
     singular: provisioner
   scope: Cluster
   versions:
-  - name: v1alpha5
+  - additionalPrinterColumns:
+    - jsonPath: .spec.providerRef.name
+      name: Template
+      type: string
+    - jsonPath: .spec.weight
+      name: Weight
+      priority: 1
+      type: string
+    name: v1alpha5
     schema:
       openAPIV3Schema:
         description: Provisioner is the Schema for the Provisioners API
@@ -382,7 +390,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: karpenter.sh
@@ -702,7 +710,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   labels:
     addon.kops.k8s.io/name: karpenter.sh
@@ -1068,8 +1076,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
   namespace: kube-system
@@ -1091,8 +1099,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
   namespace: kube-system
@@ -1108,8 +1116,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter-cert
   namespace: kube-system
@@ -1151,8 +1159,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: config-logging
   namespace: kube-system
@@ -1161,6 +1169,9 @@ metadata:
 
 apiVersion: v1
 data:
+  aws.assumeRoleARN: ""
+  aws.assumeRoleDuration: 15m
+  aws.clusterCABundle: ""
   aws.clusterEndpoint: https://api.internal.minimal.example.com
   aws.clusterName: minimal.example.com
   aws.defaultInstanceProfile: ""
@@ -1171,6 +1182,7 @@ data:
   aws.vmMemoryOverheadPercent: "0.075"
   batchIdleDuration: 1s
   batchMaxDuration: 10s
+  featureGates.driftEnabled: "false"
 kind: ConfigMap
 metadata:
   creationTimestamp: null
@@ -1179,8 +1191,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter-global-settings
   namespace: kube-system
@@ -1196,8 +1208,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: karpenter-admin
@@ -1239,8 +1251,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter-core
 rules:
@@ -1307,12 +1319,20 @@ rules:
 - apiGroups:
   - karpenter.sh
   resources:
-  - provisioners/status
   - machines
   - machines/status
   verbs:
   - create
   - delete
+  - update
+  - patch
+- apiGroups:
+  - karpenter.sh
+  resources:
+  - provisioners
+  - provisioners/status
+  verbs:
+  - update
   - patch
 - apiGroups:
   - ""
@@ -1356,8 +1376,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
 rules:
@@ -1388,6 +1408,7 @@ rules:
 - apiGroups:
   - karpenter.k8s.aws
   resources:
+  - awsnodetemplates
   - awsnodetemplates/status
   verbs:
   - patch
@@ -1404,8 +1425,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter-core
 roleRef:
@@ -1428,8 +1449,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
 roleRef:
@@ -1452,8 +1473,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
   namespace: kube-system
@@ -1531,8 +1552,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter-dns
   namespace: kube-system
@@ -1548,6 +1569,38 @@ rules:
 
 ---
 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  labels:
+    addon.kops.k8s.io/name: karpenter.sh
+    app.kubernetes.io/instance: karpenter
+    app.kubernetes.io/managed-by: kops
+    app.kubernetes.io/name: karpenter
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
+    k8s-addon: karpenter.sh
+  name: karpenter-lease
+  namespace: kube-node-lease
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - delete
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -1557,8 +1610,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
   namespace: kube-system
@@ -1582,8 +1635,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter-dns
   namespace: kube-system
@@ -1598,6 +1651,31 @@ subjects:
 
 ---
 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  labels:
+    addon.kops.k8s.io/name: karpenter.sh
+    app.kubernetes.io/instance: karpenter
+    app.kubernetes.io/managed-by: kops
+    app.kubernetes.io/name: karpenter
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
+    k8s-addon: karpenter.sh
+  name: karpenter-lease
+  namespace: kube-node-lease
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: karpenter-lease
+subjects:
+- kind: ServiceAccount
+  name: karpenter
+  namespace: kube-system
+
+---
+
 apiVersion: v1
 kind: Service
 metadata:
@@ -1607,19 +1685,19 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
   namespace: kube-system
 spec:
   ports:
   - name: http-metrics
-    port: 8080
+    port: 8000
     protocol: TCP
     targetPort: http-metrics
   - name: https-webhook
-    port: 443
+    port: 8443
     protocol: TCP
     targetPort: https-webhook
   selector:
@@ -1638,8 +1716,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: karpenter
   namespace: kube-system
@@ -1718,7 +1796,7 @@ spec:
           value: arn:aws-test:iam::123456789012:role/karpenter.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: public.ecr.aws/karpenter/controller:v0.28.1
+        image: public.ecr.aws/karpenter/controller:v0.30.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -1741,6 +1819,7 @@ spec:
           httpGet:
             path: /readyz
             port: http
+          initialDelaySeconds: 5
           timeoutSeconds: 30
         resources:
           limits:
@@ -1748,14 +1827,25 @@ spec:
           requests:
             cpu: 100m
             memory: 500Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /var/run/secrets/amazonaws.com/
           name: token-amazonaws-com
           readOnly: true
-      dnsPolicy: ClusterFirst
+      dnsPolicy: Default
       priorityClassName: system-cluster-critical
       securityContext:
-        fsGroup: 1000
+        fsGroup: 65536
+        runAsGroup: 65536
+        runAsNonRoot: true
+        runAsUser: 65536
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: karpenter
       tolerations:
       - key: node-role.kubernetes.io/master
@@ -1772,13 +1862,6 @@ spec:
         maxSkew: 1
         topologyKey: topology.kubernetes.io/zone
         whenUnsatisfiable: ScheduleAnyway
-      - labelSelector:
-          matchLabels:
-            app.kubernetes.io/instance: karpenter
-            app.kubernetes.io/name: karpenter
-        maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
       volumes:
       - name: token-amazonaws-com
         projected:
@@ -1800,8 +1883,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: defaulting.webhook.karpenter.k8s.aws
 webhooks:
@@ -1811,6 +1894,7 @@ webhooks:
     service:
       name: karpenter
       namespace: kube-system
+      port: 8443
   failurePolicy: Fail
   name: defaulting.webhook.karpenter.k8s.aws
   rules:
@@ -1848,8 +1932,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: validation.webhook.karpenter.sh
 webhooks:
@@ -1859,6 +1943,7 @@ webhooks:
     service:
       name: karpenter
       namespace: kube-system
+      port: 8443
   failurePolicy: Fail
   name: validation.webhook.karpenter.sh
   rules:
@@ -1885,8 +1970,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: validation.webhook.config.karpenter.sh
 webhooks:
@@ -1896,12 +1981,12 @@ webhooks:
     service:
       name: karpenter
       namespace: kube-system
+      port: 8443
   failurePolicy: Fail
   name: validation.webhook.config.karpenter.sh
   objectSelector:
     matchLabels:
-      app.kubernetes.io/instance: karpenter
-      app.kubernetes.io/name: karpenter
+      app.kubernetes.io/part-of: karpenter
   sideEffects: None
 
 ---
@@ -1915,8 +2000,8 @@ metadata:
     app.kubernetes.io/instance: karpenter
     app.kubernetes.io/managed-by: kops
     app.kubernetes.io/name: karpenter
-    app.kubernetes.io/version: 0.28.1
-    helm.sh/chart: karpenter-v0.28.1
+    app.kubernetes.io/version: 0.30.0
+    helm.sh/chart: karpenter-v0.30.0
     k8s-addon: karpenter.sh
   name: validation.webhook.karpenter.k8s.aws
 webhooks:
@@ -1926,6 +2011,7 @@ webhooks:
     service:
       name: karpenter
       namespace: kube-system
+      port: 8443
   failurePolicy: Fail
   name: validation.webhook.karpenter.k8s.aws
   rules:

upup/models/cloudup/resources/addons/karpenter.sh/k8s-1.19.yaml.template

@@ -1,7 +1,7 @@
 # helm template karpenter oci://public.ecr.aws/karpenter/karpenter-crd \
-#  --version v0.28.1
+#  --version v0.30.0
 # helm template karpenter oci://public.ecr.aws/karpenter/karpenter \
-#  --version v0.28.1 \
+#  --version v0.30.0 \
 #  --namespace kube-system \
 #  --set controller.resources.requests.cpu=500m \
 #  --set controller.resources.requests.memory=1Gi \
@@ -12,8 +12,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: provisioners.karpenter.sh
 spec:
   group: karpenter.sh
@@ -26,7 +25,15 @@ spec:
     singular: provisioner
   scope: Cluster
   versions:
-  - name: v1alpha5
+  - additionalPrinterColumns:
+    - jsonPath: .spec.providerRef.name
+      name: Template
+      type: string
+    - jsonPath: .spec.weight
+      name: Weight
+      priority: 1
+      type: string
+    name: v1alpha5
     schema:
       openAPIV3Schema:
         description: Provisioner is the Schema for the Provisioners API
@@ -387,8 +394,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: awsnodetemplates.karpenter.k8s.aws
 spec:
   group: karpenter.k8s.aws
@@ -702,8 +708,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: machines.karpenter.sh
 spec:
   group: karpenter.sh
@@ -1060,10 +1065,10 @@ metadata:
   name: karpenter
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   maxUnavailable: 1
@@ -1079,10 +1084,10 @@ metadata:
   name: karpenter
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: karpenter/templates/secret-webhook-cert.yaml
@@ -1092,10 +1097,10 @@ metadata:
   name: karpenter-cert
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 # data: {} # Injected by karpenter-webhook
 ---
@@ -1106,10 +1111,10 @@ metadata:
   name: config-logging
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 data:
   # https://github.com/uber-go/zap/blob/aa3e73ec0896f8b066ddf668597a02f89628ee50/config.go
@@ -1146,12 +1151,15 @@ metadata:
   name: karpenter-global-settings
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 data:
+    "aws.assumeRoleARN": ""
+    "aws.assumeRoleDuration": "15m"
+    "aws.clusterCABundle": ""
     "aws.clusterEndpoint": "https://{{ APIInternalName }}"
     "aws.clusterName": "{{ ClusterName }}"
     "aws.defaultInstanceProfile": ""
@@ -1166,6 +1174,7 @@ data:
     "aws.vmMemoryOverheadPercent": "0.075"
     "batchIdleDuration": "1s"
     "batchMaxDuration": "10s"
+    "featureGates.driftEnabled": "false"
 ---
 # Source: karpenter/templates/aggregate-clusterrole.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1174,10 +1183,10 @@ metadata:
   name: karpenter-admin
   labels:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   - apiGroups: ["karpenter.sh"]
@@ -1193,10 +1202,10 @@ kind: ClusterRole
 metadata:
   name: karpenter-core
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   # Read
@@ -1220,8 +1229,11 @@ rules:
     verbs: [ "get", "list", "watch" ]
   # Write
   - apiGroups: ["karpenter.sh"]
-    resources: ["provisioners/status", "machines", "machines/status"]
-    verbs: ["create", "delete", "patch"]
+    resources: ["machines", "machines/status"]
+    verbs: ["create", "delete", "update", "patch"]
+  - apiGroups: ["karpenter.sh"]
+    resources: ["provisioners", "provisioners/status"]
+    verbs: ["update", "patch"]
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
@@ -1242,10 +1254,10 @@ kind: ClusterRole
 metadata:
   name: karpenter
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   # Read
@@ -1262,7 +1274,7 @@ rules:
     resourceNames: ["defaulting.webhook.karpenter.k8s.aws"]
   # Write
   - apiGroups: ["karpenter.k8s.aws"]
-    resources: ["awsnodetemplates/status"]
+    resources: ["awsnodetemplates", "awsnodetemplates/status"]
     verbs: ["patch", "update"]
 ---
 # Source: karpenter/templates/clusterrole-core.yaml
@@ -1271,10 +1283,10 @@ kind: ClusterRoleBinding
 metadata:
   name: karpenter-core
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -1291,10 +1303,10 @@ kind: ClusterRoleBinding
 metadata:
   name: karpenter
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -1312,10 +1324,10 @@ metadata:
   name: karpenter
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   # Read
@@ -1361,10 +1373,10 @@ metadata:
   name: karpenter-dns
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 rules:
   # Read
@@ -1373,6 +1385,28 @@ rules:
     resourceNames: ["kube-dns"]
     verbs: ["get"]
 ---
+# Source: karpenter/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: karpenter-lease
+  namespace: kube-node-lease
+  labels:
+    helm.sh/chart: karpenter-v0.30.0
+    app.kubernetes.io/name: karpenter
+    app.kubernetes.io/instance: karpenter
+    app.kubernetes.io/version: "0.30.0"
+    app.kubernetes.io/managed-by: Helm
+rules:
+  # Read
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch"]
+  # Write
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["delete"]
+---
 # Source: karpenter/templates/rolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -1380,10 +1414,10 @@ metadata:
   name: karpenter
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -1401,10 +1435,10 @@ metadata:
   name: karpenter-dns
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -1415,6 +1449,27 @@ subjects:
     name: karpenter
     namespace: kube-system
 ---
+# Source: karpenter/templates/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: karpenter-lease
+  namespace: kube-node-lease
+  labels:
+    helm.sh/chart: karpenter-v0.30.0
+    app.kubernetes.io/name: karpenter
+    app.kubernetes.io/instance: karpenter
+    app.kubernetes.io/version: "0.30.0"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: karpenter-lease
+subjects:
+  - kind: ServiceAccount
+    name: karpenter
+    namespace: kube-system
+---
 # Source: karpenter/templates/service.yaml
 apiVersion: v1
 kind: Service
@@ -1422,20 +1477,20 @@ metadata:
   name: karpenter
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP
   ports:
     - name: http-metrics
-      port: 8080
+      port: 8000
       targetPort: http-metrics
       protocol: TCP
     - name: https-webhook
-      port: 443
+      port: 8443
       targetPort: https-webhook
       protocol: TCP
   selector:
@@ -1449,10 +1504,10 @@ metadata:
   name: karpenter
   namespace: kube-system
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   replicas: {{ ControlPlaneControllerReplicas false }}
@@ -1472,12 +1527,27 @@ spec:
     spec:
       serviceAccountName: karpenter
       securityContext:
-        fsGroup: 1000
+        fsGroup: 65536
+        runAsUser: 65536
+        runAsGroup: 65536
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       priorityClassName: "system-cluster-critical"
+      {{ if not IsIPv6Only }}
+      dnsPolicy: Default
+      {{ else }}
       # Must use ClusterFirst on IPv6 clusters in order to get DNS64
       dnsPolicy: ClusterFirst
+      {{ end }}
       containers:
         - name: controller
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
           image: {{ .Karpenter.Image }}
           imagePullPolicy: IfNotPresent
           env:
@@ -1520,6 +1590,7 @@ spec:
               path: /healthz
               port: http
           readinessProbe:
+            initialDelaySeconds: 5
             timeoutSeconds: 30
             httpGet:
               path: /readyz
@@ -1570,13 +1641,6 @@ spec:
           maxSkew: 1
           topologyKey: topology.kubernetes.io/zone
           whenUnsatisfiable: ScheduleAnyway
-        - labelSelector:
-            matchLabels:
-              app.kubernetes.io/instance: karpenter
-              app.kubernetes.io/name: karpenter
-          maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
       tolerations:
         - key: node-role.kubernetes.io/master
           operator: Exists
@@ -1591,10 +1655,10 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: defaulting.webhook.karpenter.k8s.aws
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 webhooks:
   - name: defaulting.webhook.karpenter.k8s.aws
@@ -1603,6 +1667,7 @@ webhooks:
       service:
         name: karpenter
         namespace: kube-system
+        port: 8443
     failurePolicy: Fail
     sideEffects: None
     rules:
@@ -1634,10 +1699,10 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validation.webhook.karpenter.sh
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 webhooks:
   - name: validation.webhook.karpenter.sh
@@ -1646,6 +1711,7 @@ webhooks:
       service:
         name: karpenter
         namespace: kube-system
+        port: 8443
     failurePolicy: Fail
     sideEffects: None
     rules:
@@ -1666,10 +1732,10 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validation.webhook.config.karpenter.sh
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 webhooks:
   - name: validation.webhook.config.karpenter.sh
@@ -1678,12 +1744,12 @@ webhooks:
       service:
         name: karpenter
         namespace: kube-system
+        port: 8443
     failurePolicy: Fail
     sideEffects: None
     objectSelector:
       matchLabels:
-        app.kubernetes.io/name: karpenter
-        app.kubernetes.io/instance: karpenter
+        app.kubernetes.io/part-of: karpenter
 ---
 # Source: karpenter/templates/webhooks.yaml
 apiVersion: admissionregistration.k8s.io/v1
@@ -1691,10 +1757,10 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validation.webhook.karpenter.k8s.aws
   labels:
-    helm.sh/chart: karpenter-v0.28.1
+    helm.sh/chart: karpenter-v0.30.0
     app.kubernetes.io/name: karpenter
     app.kubernetes.io/instance: karpenter
-    app.kubernetes.io/version: "0.28.1"
+    app.kubernetes.io/version: "0.30.0"
     app.kubernetes.io/managed-by: Helm
 webhooks:
   - name: validation.webhook.karpenter.k8s.aws
@@ -1703,6 +1769,7 @@ webhooks:
       service:
         name: karpenter
         namespace: kube-system
+        port: 8443
     failurePolicy: Fail
     sideEffects: None
     rules: