🥳 aws-vpc-cni v1.21.2 Automated Release! 🥑

[eks-networking-bot]

aws-vpc-cni v1.21.2 Automated Chart Sync! 🤖🤖

Release Notes 📝:

What's Changed

• Amazon VPC CNI now propagates the EC2 security group idle connection tracking timeout settings from the instance's primary ENI to all secondary ENIs it creates, ensuring consistent connection tracking behavior across all network interfaces. To customize these settings on the primary ENI, use a custom launch template to configure the desired connection tracking timeout values.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#connection-tracking-timeouts

Features

• Replicate primary ENI connection tracking settings to secondary ENIs (Getting ENI settings from primary ENI and reusing it for secondary ENIs amazon-vpc-cni-k8s#3666, @jaydeokar)
• Add support for extra volume mounts in aws-vpc-cni-init container (feat: add support for extra volume mounts in aws-vpc-cni-init container amazon-vpc-cni-k8s#3633, @phbergsmann)
• Add conntrack-cache-table-size to helm chart (Added conntrack-cache-table-size to helm chart and fixed IMDS resource leak amazon-vpc-cni-k8s#3617, @viveksb007)

Bug Fixes

• Fix panic in air-gapped regions: use awshttp.BuildableClient instead of *http.Client for AWS SDK HTTP client (fix: use awshttp.BuildableClient to prevent panic in air-gapped regions amazon-vpc-cni-k8s#3672, @haouc)
• Add HTTP request timeout (10s) to AWS SDK clients to prevent indefinite hangs (Add aws sdk http timeout amazon-vpc-cni-k8s#3649, @haouc)
• Fix nil pointer panic in PodLogs when Stream fails (fix: prevent nil pointer panic in PodLogs when Stream fails amazon-vpc-cni-k8s#3671, @haouc)
• Fix missing timeout in DescribeNetworkInterfaces call (fix: add timeout in DescribeNetworkInterface call amazon-vpc-cni-k8s#3644, @cdirubbio)
• Fix context cancellation with DescribeNetworkInterfaces timeout (fix: add timeout in DescribeNetworkInterface call amazon-vpc-cni-k8s#3644, @cdirubbio)
• Fix IMDS resource leak (Added conntrack-cache-table-size to helm chart and fixed IMDS resource leak amazon-vpc-cni-k8s#3617, @viveksb007)
• Restore clobbered context in pkg/publisher (pkg/networkutils: fix dropped error amazon-vpc-cni-k8s#3595, @alrs)
• Fix dropped error in pkg/networkutils (pkg/networkutils: fix dropped error amazon-vpc-cni-k8s#3595, @alrs)
• Fix address issue [Document] Improve ENABLE_POD_ENI document section by including reference branch ENI limit lookup amazon-vpc-cni-k8s#3620 (Fix: [Document] Improve ENABLE_POD_ENI document section by including reference branch ENI limit lookup amazon-vpc-cni-k8s#3646, @gabrnavarro)
• Add userAgent to AWS API calls (fix: add userAgent to AWS API calls amazon-vpc-cni-k8s#3556, @cdirubbio)
• Fix image pull policy in helm chart (fix/image-pull-policy amazon-vpc-cni-k8s#3570, @OlTrenin)

Improvements

• Enhance logging in ipamd (Enhance logging in ipamd amazon-vpc-cni-k8s#3561, @supreeet)
• Improve custom networking integration tests (test: improve custom networking integration tests amazon-vpc-cni-k8s#3668, @yash97)
• Improve TestNew_SetsHTTPClientTimeout to assert timeout is set (test: improve TestNew_SetsHTTPClientTimeout to actually assert timeout amazon-vpc-cni-k8s#3670, @haouc)
• Build images in separate arch runner (@yash97)
• Pick up EKS CVE patched container plugin binaries for internal builds (To pick up EKS CVE patched container plugin binaries for internal builds amazon-vpc-cni-k8s#3571, @jupdec)
• Bundle internal binaries when available and add integration test cases (Update flag to bundle internal binarues and add IT cases amazon-vpc-cni-k8s#3627, @jupdec)

Full Changelog: aws/amazon-vpc-cni-k8s@v1.21.1...v1.21.2

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.21/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.21/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.21/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/refs/heads/release-1.21/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.21/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3

amazon-k8s-cni-init:v1.21.2
amazon-k8s-cni:v1.21.2
amazon/aws-network-policy-agent:v1.3.5

[jaydeokar]

lgtm

[Copilot]

Pull request overview

This PR syncs the stable/aws-vpc-cni Helm chart to the upstream aws-vpc-cni v1.21.2 release, updating default images/configuration to match the new release features and fixes.

Changes:

• Bump chart/app versions and default image tags to aws-vpc-cni v1.21.2 (and node agent to v1.3.5).
• Switch default container pull policies to IfNotPresent and wire imagePullPolicy for the aws-node container.
• Add support for extraVolumeMounts on the init container and introduce nodeAgent.conntrackCacheTableSize value + daemonset arg.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
stable/aws-vpc-cni/values.yaml	Updates default tags/pullPolicy; adds conntrackCacheTableSize; bumps VPC_CNI_VERSION.
stable/aws-vpc-cni/templates/daemonset.yaml	Adds init extraVolumeMounts, sets aws-node imagePullPolicy, and passes new node agent conntrack flag.
stable/aws-vpc-cni/README.md	Updates documented defaults and adds documentation for conntrackCacheTableSize.
stable/aws-vpc-cni/Chart.yaml	Bumps chart version/appVersion to 1.21.2.

Comments suppressed due to low confidence (2)

stable/aws-vpc-cni/README.md:92

• README table rows for nodeAgent.resources use the misspelling "defualt"; this should be "default" to avoid propagating typos into chart documentation.

| `nodeAgent.conntrackCacheTableSize` | Size of the conntrack cache table (valid range: 32K-1024K) | `524288`            |
| `nodeAgent.enableIpv6`  | Enable IPv6 support for Node Agent                      | `false`                             |
| `nodeAgent.resources`   | Node Agent resources, will defualt to .Values.resources if not set | `{}`                     |
| `nodeAgent.logLevel`    | Node Agent logging verbosity level.                     | `debug`                             |

stable/aws-vpc-cni/README.md:95

• README parameter description for extraVolumeMounts says "Array to add extra mount"; consider changing this to "mounts" (or "volume mounts") for correct grammar and clarity.

| `nodeAgent.logLevel`    | Node Agent logging verbosity level.                     | `debug`                             |
| `extraVolumes`          | Array to add extra volumes                              | `[]`                                |
| `extraVolumeMounts`     | Array to add extra mount                                | `[]`                                |
| `nodeSelector`          | Node labels for pod assignment                          | `{}`                                |

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.