Release 1.5.7

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+# v1.5.7
+
+* Improvement - [New AL2 image with iptables-1.8.2](https://github.com/aws/amazon-vpc-cni-k8s/pull/894) (@mogren)
+* Improvement - [Enable the `-buildmode=pie` flag for the binaries](https://github.com/aws/amazon-vpc-cni-k8s/pull/894) (@mogren)
+* Improvement - [Disable IPv6 RA and ICMP redirects on host-side veth](https://github.com/aws/amazon-vpc-cni-k8s/pull/894) (@anguslees)
+
+# v1.5.6
+
+* ARM64 preview custom build only
+
 # v1.5.5
 
 * Bug fix - [Revert "Return delete success for pods that never got scheduled"](https://github.com/aws/amazon-vpc-cni-k8s/pull/672/commits/474479d7455f41c514ffcd58390a2a3ebae26de5) (#672, @mogren)

Makefile

@@ -15,7 +15,7 @@
 .PHONY: all build-linux clean docker docker-build lint unit-test vet download-portmap build-docker-test build-metrics docker-metrics metrics-unit-test docker-metrics-test docker-vet
 
 IMAGE   ?= amazon/amazon-k8s-cni
-VERSION ?= $(shell git describe --tags --always --dirty)
+export VERSION ?= $(shell git describe --tags --always --dirty || echo "unknown")
 LDFLAGS ?= -X main.version=$(VERSION)
 
 ARCH ?= $(shell uname -m)
@@ -30,9 +30,9 @@ endif
 
 # Default to build the Linux binary
 build-linux:
-	GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 go build -o aws-k8s-agent -ldflags "-s -w $(LDFLAGS)"
-	GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 go build -o aws-cni -ldflags " -s -w $(LDFLAGS)" ./plugins/routed-eni/
-	GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 go build -o grpc_health_probe -ldflags "-s -w $(LDFLAGS)" ./client/health-check/
+	GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 go build -buildmode=pie -o aws-k8s-agent -ldflags "-s -w $(LDFLAGS)"
+	GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 go build -buildmode=pie -o aws-cni -ldflags " -s -w $(LDFLAGS)" ./plugins/routed-eni/
+	GOOS=linux GOARCH=$(ARCH) CGO_ENABLED=0 go build -buildmode=pie -o grpc_health_probe -ldflags "-s -w $(LDFLAGS)" ./client/health-check/
 
 # Download portmap plugin
 download-portmap:
@@ -95,7 +95,7 @@ docker-metrics-test:
 	docker run -v $(shell pwd):/usr/src/app/src/github.com/aws/amazon-vpc-cni-k8s \
 		--workdir=/usr/src/app/src/github.com/aws/amazon-vpc-cni-k8s \
 		--env GOPATH=/usr/src/app \
-		golang:1.10 make metrics-unit-test
+		golang:1.12 make metrics-unit-test
 
 # Build both CNI and metrics helper
 all: docker docker-metrics

config/v1.5/aws-k8s-cni-1.10.yaml

@@ -69,7 +69,7 @@ spec:
       tolerations:
         - operator: Exists
       containers:
-        - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.5.5
+        - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.5.7
           imagePullPolicy: Always
           ports:
             - containerPort: 61678

config/v1.5/aws-k8s-cni.yaml

@@ -8,7 +8,6 @@ rules:
       - crd.k8s.amazonaws.com
     resources:
       - "*"
-      - namespaces
     verbs:
       - "*"
   - apiGroups: [""]
@@ -54,6 +53,8 @@ metadata:
 spec:
   updateStrategy:
     type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: "10%"
   selector:
     matchLabels:
       k8s-app: aws-node
@@ -76,12 +77,16 @@ spec:
                     operator: In
                     values:
                       - amd64
+                  - key: eks.amazonaws.com/compute-type
+                    operator: NotIn
+                    values:
+                      - fargate
       serviceAccountName: aws-node
       hostNetwork: true
       tolerations:
         - operator: Exists
       containers:
-        - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.5.5
+        - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.5.7
           imagePullPolicy: Always
           ports:
             - containerPort: 61678
@@ -108,6 +113,8 @@ spec:
               name: log-dir
             - mountPath: /var/run/docker.sock
               name: dockersock
+            - mountPath: /var/run/dockershim.sock
+              name: dockershim
       volumes:
         - name: cni-bin-dir
           hostPath:
@@ -121,6 +128,9 @@ spec:
         - name: dockersock
           hostPath:
             path: /var/run/docker.sock
+        - name: dockershim
+          hostPath:
+            path: /var/run/dockershim.sock
 
 ---
 apiVersion: apiextensions.k8s.io/v1beta1

config/v1.5/cni-metrics-helper.yaml

@@ -77,7 +77,7 @@ spec:
     spec:
       serviceAccountName: cni-metrics-helper
       containers:
-      - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:v1.5.5
+      - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:v1.5.7
         imagePullPolicy: Always
         name: cni-metrics-helper
         env:

pkg/networkutils/network.go

@@ -35,6 +35,7 @@ import (
 
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/netlinkwrapper"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/nswrapper"
+	"github.com/aws/amazon-vpc-cni-k8s/pkg/procsyswrapper"
 )
 
 const (
@@ -117,7 +118,7 @@ type linuxNetwork struct {
 	ns          nswrapper.NS
 	newIptables func() (iptablesIface, error)
 	mainENIMark uint32
-	openFile    func(name string, flag int, perm os.FileMode) (stringWriteCloser, error)
+	procSys     procsyswrapper.ProcSys
 }
 
 type iptablesIface interface {
@@ -155,9 +156,7 @@ func New() NetworkAPIs {
 			ipt, err := iptables.New()
 			return ipt, err
 		},
-		openFile: func(name string, flag int, perm os.FileMode) (stringWriteCloser, error) {
-			return os.OpenFile(name, flag, perm)
-		},
+		procSys: procsyswrapper.NewProcSys(),
 	}
 }
 
@@ -221,11 +220,11 @@ func (n *linuxNetwork) SetupHostNetwork(vpcCIDR *net.IPNet, vpcCIDRs []*string,
 		// - Thus, it finds the source-based route that leaves via the secondary ENI.
 		// - In "strict" mode, the RPF check fails because the return path uses a different interface to the incoming
 		//   packet.  In "loose" mode, the check passes because some route was found.
-		primaryIntfRPFilter := "/proc/sys/net/ipv4/conf/" + primaryIntf + "/rp_filter"
+		primaryIntfRPFilter := "net/ipv4/conf/" + primaryIntf + "/rp_filter"
 		const rpFilterLoose = "2"
 
 		log.Debugf("Setting RPF for primary interface: %s", primaryIntfRPFilter)
-		err = n.setProcSys(primaryIntfRPFilter, rpFilterLoose)
+		err = n.procSys.Set(primaryIntfRPFilter, rpFilterLoose)
 		if err != nil {
 			return errors.Wrapf(err, "failed to configure %s RPF check", primaryIntf)
 		}
@@ -397,20 +396,6 @@ func containChainExistErr(err error) bool {
 	return strings.Contains(err.Error(), "Chain already exists")
 }
 
-func (n *linuxNetwork) setProcSys(key, value string) error {
-	f, err := n.openFile(key, os.O_WRONLY, 0644)
-	if err != nil {
-		return err
-	}
-	_, err = f.WriteString(value)
-	if err != nil {
-		// If the write failed, just close
-		_ = f.Close()
-		return err
-	}
-	return f.Close()
-}
-
 type iptablesRule struct {
 	name         string
 	shouldExist  bool

pkg/networkutils/network_test.go

@@ -17,7 +17,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"os"
 	"reflect"
 	"testing"
 	"time"
@@ -34,6 +33,7 @@ import (
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/netlinkwrapper/mock_netlink"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/netlinkwrapper/mocks"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/nswrapper/mocks"
+	mock_procsyswrapper "github.com/aws/amazon-vpc-cni-k8s/pkg/procsyswrapper/mocks"
 )
 
 const (
@@ -63,17 +63,19 @@ func setup(t *testing.T) (*gomock.Controller,
 	*mock_netlinkwrapper.MockNetLink,
 	*mocks_ip.MockIP,
 	*mock_nswrapper.MockNS,
-	*mockIptables) {
+	*mockIptables,
+	*mock_procsyswrapper.MockProcSys) {
 	ctrl := gomock.NewController(t)
 	return ctrl,
 		mock_netlinkwrapper.NewMockNetLink(ctrl),
 		mocks_ip.NewMockIP(ctrl),
 		mock_nswrapper.NewMockNS(ctrl),
-		newMockIptables()
+		newMockIptables(),
+		mock_procsyswrapper.NewMockProcSys(ctrl)
 }
 
 func TestSetupENINetwork(t *testing.T) {
-	ctrl, mockNetLink, _, _, _ := setup(t)
+	ctrl, mockNetLink, _, _, _, _ := setup(t)
 	defer ctrl.Finish()
 
 	hwAddr, err := net.ParseMAC(testMAC1)
@@ -129,7 +131,7 @@ func TestSetupENINetwork(t *testing.T) {
 }
 
 func TestSetupENINetworkMACFail(t *testing.T) {
-	ctrl, mockNetLink, _, _, _ := setup(t)
+	ctrl, mockNetLink, _, _, _, _ := setup(t)
 	defer ctrl.Finish()
 
 	// Emulate a delay attaching the ENI so a retry is necessary
@@ -143,15 +145,15 @@ func TestSetupENINetworkMACFail(t *testing.T) {
 }
 
 func TestSetupENINetworkPrimary(t *testing.T) {
-	ctrl, mockNetLink, _, _, _ := setup(t)
+	ctrl, mockNetLink, _, _, _, _ := setup(t)
 	defer ctrl.Finish()
 
 	err := setupENINetwork(testeniIP, testMAC2, 0, testeniSubnet, mockNetLink, 0*time.Second)
 	assert.NoError(t, err)
 }
 
 func TestSetupHostNetworkNodePortDisabled(t *testing.T) {
-	ctrl, mockNetLink, _, mockNS, mockIptables := setup(t)
+	ctrl, mockNetLink, _, mockNS, mockIptables, _ := setup(t)
 	defer ctrl.Finish()
 
 	ln := &linuxNetwork{
@@ -178,7 +180,7 @@ func TestSetupHostNetworkNodePortDisabled(t *testing.T) {
 }
 
 func TestUpdateRuleListBySrc(t *testing.T) {
-	ctrl, mockNetLink, _, _, _ := setup(t)
+	ctrl, mockNetLink, _, _, _, _ := setup(t)
 	defer ctrl.Finish()
 
 	ln := &linuxNetwork{netLink: mockNetLink}
@@ -250,10 +252,9 @@ func TestUpdateRuleListBySrc(t *testing.T) {
 }
 
 func TestSetupHostNetworkNodePortEnabled(t *testing.T) {
-	ctrl, mockNetLink, _, mockNS, mockIptables := setup(t)
+	ctrl, mockNetLink, _, mockNS, mockIptables, mockProcSys := setup(t)
 	defer ctrl.Finish()
 
-	var mockRPFilter mockFile
 	ln := &linuxNetwork{
 		useExternalSNAT:        true,
 		nodePortSupportEnabled: true,
@@ -264,9 +265,7 @@ func TestSetupHostNetworkNodePortEnabled(t *testing.T) {
 		newIptables: func() (iptablesIface, error) {
 			return mockIptables, nil
 		},
-		openFile: func(name string, flag int, perm os.FileMode) (stringWriteCloser, error) {
-			return &mockRPFilter, nil
-		},
+		procSys: mockProcSys,
 	}
 
 	var hostRule netlink.Rule
@@ -277,6 +276,8 @@ func TestSetupHostNetworkNodePortEnabled(t *testing.T) {
 	mockNetLink.EXPECT().RuleDel(&mainENIRule)
 	mockNetLink.EXPECT().RuleAdd(&mainENIRule)
 
+	mockProcSys.EXPECT().Set("net/ipv4/conf/lo/rp_filter", "2").Return(nil)
+
 	var vpcCIDRs []*string
 
 	// loopback for primary device is a little bit hacky. But the test is stable and it should be
@@ -302,14 +303,12 @@ func TestSetupHostNetworkNodePortEnabled(t *testing.T) {
 			},
 		},
 	}, mockIptables.dataplaneState)
-	assert.Equal(t, mockFile{closed: true, data: "2"}, mockRPFilter)
 }
 
 func TestSetupHostNetworkMultipleCIDRs(t *testing.T) {
-	ctrl, mockNetLink, _, mockNS, mockIptables := setup(t)
+	ctrl, mockNetLink, _, mockNS, mockIptables, mockProcSys := setup(t)
 	defer ctrl.Finish()
 
-	var mockRPFilter mockFile
 	ln := &linuxNetwork{
 		useExternalSNAT:        true,
 		nodePortSupportEnabled: true,
@@ -320,9 +319,7 @@ func TestSetupHostNetworkMultipleCIDRs(t *testing.T) {
 		newIptables: func() (iptablesIface, error) {
 			return mockIptables, nil
 		},
-		openFile: func(name string, flag int, perm os.FileMode) (stringWriteCloser, error) {
-			return &mockRPFilter, nil
-		},
+		procSys: mockProcSys,
 	}
 
 	var hostRule netlink.Rule
@@ -333,6 +330,8 @@ func TestSetupHostNetworkMultipleCIDRs(t *testing.T) {
 	mockNetLink.EXPECT().RuleDel(&mainENIRule)
 	mockNetLink.EXPECT().RuleAdd(&mainENIRule)
 
+	mockProcSys.EXPECT().Set("net/ipv4/conf/lo/rp_filter", "2").Return(nil)
+
 	var vpcCIDRs []*string
 	vpcCIDRs = []*string{aws.String("10.10.0.0/16"), aws.String("10.11.0.0/16")}
 	err := ln.SetupHostNetwork(testENINetIPNet, vpcCIDRs, "", &testENINetIP)

pkg/procsyswrapper/generate_mocks.go

@@ -0,0 +1,16 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package procsyswrapper
+
+//go:generate go run ../../scripts/mockgen.go github.com/aws/amazon-vpc-cni-k8s/pkg/procsyswrapper ProcSys mocks/procsys_mocks.go