Published by jaydeokar 30 days ago
What's Changed
- Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 by @dependabot in https://github.com/aws/aws-network-policy-agent/pull/274
- Configure conntrack cache table size by @jayanthvn in https://github.com/aws/aws-network-policy-agent/pull/280
- Rule sorting/Strict mode fix by @jchen6585 in https://github.com/aws/aws-network-policy-agent/pull/289
- docs: Fix typo arg name for conntrack-cache-table-size by @younsl in https://github.com/aws/aws-network-policy-agent/pull/287
- Bump github.com/aws/aws-sdk-go from 1.50.30 to 1.55.3 by @dependabot in https://github.com/aws/aws-network-policy-agent/pull/291
- Update SDK and pass byte array by @jayanthvn in https://github.com/aws/aws-network-policy-agent/pull/299
- Fix race condition in strict mode by @Pavani-Panakanti in https://github.com/aws/aws-network-policy-agent/pull/306
- Bump k8s.io/apimachinery from 0.29.3 to 0.31.0 by @dependabot in https://github.com/aws/aws-network-policy-agent/pull/300
- Bump github.com/aws/amazon-vpc-cni-k8s from 1.18.1 to 1.18.3 by @dependabot in https://github.com/aws/aws-network-policy-agent/pull/295
- Bump k8s.io/client-go from 0.31.0 to 0.31.1 by @dependabot in https://github.com/aws/aws-network-policy-agent/pull/309
Full Changelog: https://github.com/aws/aws-network-policy-agent/compare/v1.1.2...v1.1.3
To manually apply this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.4/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.4/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.4/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.4/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.18.4/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.18.4
amazon-k8s-cni:v1.18.4
amazon/aws-network-policy-agent:v1.1.3
v1.1.2
Release Notes
None
Major Changes since v1.1.1
- Fix - Refactor conntrack cleanup for v4 and v6 (@jayanthvn)
- Fix - Remove callSkip to prevent Logger.check error(@ryota-sakamoto)
- Fix - Allow pods with
.in it's name to be reconciled by network policy (@zachdorame ) - Fix - Handle PolicyEndpoint slice deletion gracefully (@achevuru)
- Dependency - Update ebpf SDK to v1.0.8(@jayanthvn)
- Dependency - Update ginkgo to 2.17.2 (@dependabot)
- Dependency - Update amazon-vpc-cni-k8s from 1.18.0 to 1.18.1 (@dependabot)
- Dependency - Update gomega to 1.33.0 (@dependabot)
- Dependency - Bump golang/x/sys from 1.18.0 to 1.19.0 (@dependabot)
To manually apply this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.2/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.2/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.2/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.2/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.18.2/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.18.2
amazon-k8s-cni:v1.18.2
amazon/aws-network-policy-agent:v1.1.2
Published by jchen6585 6 months ago
v1.1.1
Release Notes
None
Major Changes since v1.1.0
- Testing - Verify test results from all retries instead of just the last one (@jaydeokar)
- Dependency - update golang protobuf to 1.33.0 (@haouc)
- Dependency - Bump k8s.io/apimachinery from 0.29.1 to 0.29.3 (@dependabot)
- Dependency - Update env variable to enable strict mode for Network Policy (@jaydeokar)
- Dependency - Update env variable for kube config path (@jaydeokar)
- Dependency - Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (@dependabot)
- Dependency - Bump github.com/google/uuid from 1.4.0 to 1.6.0 (@dependabot)
- Dependency - Bump github.com/aws/aws-sdk-go from 1.50.9 to 1.50.30 (@dependabot)
- Dependency - Bump go.uber.org/zap from 1.26.0 to 1.27.0 (@dependabot)
- Dependency - Bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.2 (@dependabot)
- Dependency - Update golang to 1.21.9 (@jchen6585)
- Enhancement - Repo controlled build go version (@xdu31)
To manually apply this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.18.1/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.18.1/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.18.1
amazon-k8s-cni:v1.18.1
amazon/aws-network-policy-agent:v1.1.1
Published by jaydeokar 7 months ago
v1.1.0
Release Notes
Network Policy agent now supports a strict mode for network policy enforcement.
Major Changes since v1.0.8
- Enhancement - Network Policy Strict mode support (@achevuru)
- Enhancement - Use Minimal base image for Network Policy Agent & golang version update (@jdn5126 )
- Testing - [Updates to testing infra and E2E] (@jaydeokar)
To manually apply this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.17.1/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.17.1/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.17.1
amazon-k8s-cni:v1.17.1
amazon/aws-network-policy-agent:v1.1.0
Published by jayanthvn 8 months ago
v1.0.8
Major Changes since v1.0.7
- Bug - Fix metrics logging error; Remove version log (@jdn5126)
- Bug - Add prefix to identify log stream for network policy events (@jaydeokar)
- Bug - Conntrack table enhancements and replica race conditions (@jayanthvn)
- Bug - Handle PE split cleanup and duplicate l4info (@jayanthvn)
- Enhancement - eBPF SDK upgrade (@jayanthvn)
- Testing - [Updates to testing infra and E2E] (@jaydeokar)
To manually apply this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.16.3/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.16.3/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.16.3
amazon-k8s-cni:v1.16.3
amazon/aws-network-policy-agent:v1.0.8
Published by jaydeokar 10 months ago
v1.0.7
Major Changes since v1.0.6
- Bug - Ignore PE slices tied to same NP during clean up flow (@achevuru )
- Bug - Fixes an issue where under certain scenarios cidrs values are overwritten (@jayanthvn )
- Bug - Fixes the issue with
aws-eks-na-cliwhere it fails to get loaded-ebpfdata (@jayanthvn ) - Enhancement - Added a flag which defines the conntrack cache cleanup duration (@jayanthvn)
- Improvement - Updates golang version from v1.21.4 to v1.21.5 (@jaydeokar )
To manually upgrade to this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.5/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.5/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.15.5
amazon-k8s-cni:v1.15.5
amazon/aws-network-policy-agent:v1.0.7
Published by jayanthvn 11 months ago
v1.0.6
Major Changes since v1.0.5
- Bug - Conntrack cleanup issue with v1.0.5 (@jayanthvn)
To manually upgrade to this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.4/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.4/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.15.4
amazon-k8s-cni:v1.15.4
amazon/aws-network-policy-agent:v1.0.6
Published by jayanthvn 12 months ago
v1.0.5
Major Changes since v1.0.4
- Bug - Fix conntrack issue and increase supported port/protocol (@jayanthvn)
- Bug - Handle PolicyEndpoint split scenario when the target pods are paired (@achevuru)
- Bug - inherit firewall rules from larger cidrs(@jayanthvn)
- Enhancement - upgrade Go to 1.21.3 and upgrade dependencies (@jdn5126 )
- Enhancement - Handle for controller not adding prefix lens (@jayanthvn)
- Testing - Enhancements for testing packages and GitHub actions (@jaydeokar )
Please Note -
As part of this release, we have increased the number of supported unique ports and protocol combination from 8 in IPv4 and 4 in IPv6 to 24 for both IPv4 and IPv6.
To manually upgrade to this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.3/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.3/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.15.3
amazon-k8s-cni:v1.15.3
amazon/aws-network-policy-agent:v1.0.5
Thanks to all our contributors! 😊
Published by jayanthvn about 1 year ago
v1.0.4
Major Changes since v1.0.2
- Bug - Ignore policy restrictions against Node IP (@achevuru )
- Bug - With catchALL honor "except" (@jayanthvn )
- Bug - Race condition with init and cw setup (@jayanthvn )
- Enhancement - V6 Optimizations(@jayanthvn )
- Enhancement - Add flag enable-policy-event-logs (@mycrEEpy )
- Enhancement - Modified Default Metrics Bind Port (@kareem-rady )
- Enhancement - Log rotate support (@achevuru )
- Testing - Enhancements for testing packages and GitHub actions (@jaydeokar )
Please Note -
- A new command line flag for the Network Policy Agent,
enable-policy-event-logs, has been added: https://github.com/aws/aws-network-policy-agent#enable-policy-event-logs. This flag is set to "false" by default i.e, if you need access logs then it has to be turned on (set to "true").
To manually upgrade to this release:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.1/config/master/aws-k8s-cni.yaml
Note that the following regions use different manifests:
us-gov-east-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.1/config/master/aws-k8s-cni-us-gov-east-1.yaml
us-gov-west-1:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.1/config/master/aws-k8s-cni-us-gov-west-1.yaml
cn:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.15.1/config/master/aws-k8s-cni-cn.yaml
To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.15.1/charts/aws-vpc-cni/README.md#installing-the-chart
Verify the update:
$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.15.1
amazon-k8s-cni:v1.15.1
amazon/aws-network-policy-agent:v1.0.4
Thanks to all our contributors! 😊
Published by jayanthvn about 1 year ago
v1.0.2
Major Changes since v1.0.1
- Improvements - This updates the
aws-eks-nodeagentcontainer to address the race condition issue in SDK while generating access logs - Improvements - The helm chart now has two new flags added (
healthProbeBindAddr&metricsBindAddr) to make the metrics port configurable foraws-eks-nodeagent. By default it now binds to port8162and8163
Please refer to Amazon VPC CNI release notes for upgrade steps.
Published by achevuru about 1 year ago
Initial release of Amazon EKS Network Policy Agent. Network Policy Agent is a daemonset that is responsible for enforcing configured network policies on the cluster. Network policy support is a feature of the Amazon VPC CNI.
Network Policy Controller resolves the configured network policies and publishes the resolved endpoints via Custom CRD (PolicyEndpoints) resource. Network Policy agent derives the endpoints from PolicyEndpoint resources and enforces them via eBPF probes attached to pod's host Veth interface.
Starting with Amazon VPC CNI v1.14.0, Network Policy agent will be automatically installed. Review the instructions in the EKS User Guide.
Published by achevuru about 1 year ago
Alpha version of AWS Network Policy Agent