diff --git a/stable/aws-vpc-cni/Chart.yaml b/stable/aws-vpc-cni/Chart.yaml
index e15c0f3b0..6496c7c92 100644
--- a/stable/aws-vpc-cni/Chart.yaml
+++ b/stable/aws-vpc-cni/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: aws-vpc-cni
-version: 1.13.4
-appVersion: "v1.13.4"
+version: 1.14.0
+appVersion: "v1.14.0"
 description: A Helm chart for the AWS VPC CNI
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 home: https://github.com/aws/amazon-vpc-cni-k8s
diff --git a/stable/aws-vpc-cni/README.md b/stable/aws-vpc-cni/README.md
index 6c6f375a2..4bd98e392 100644
--- a/stable/aws-vpc-cni/README.md
+++ b/stable/aws-vpc-cni/README.md
@@ -40,8 +40,10 @@ The following table lists the configurable parameters for this chart and their d
 | `eniConfig.subnets.id` | The ID of the subnet within the AZ which will be used in the ENIConfig | `nil` |
 | `eniConfig.subnets.securityGroups` | The IDs of the security groups which will be used in the ENIConfig | `nil` |
 | `env` | List of environment variables. See [here](https://github.com/aws/amazon-vpc-cni-k8s#cni-configuration-variables) for options | (see `values.yaml`) |
+| `enableWindowsIpam` | Enable windows support for your cluster | `false` |
+| `enableNetworkPolicy` | Enable Network Policy Controller and Agent for your cluster | `false` |
 | `fullnameOverride` | Override the fullname of the chart | `aws-node` |
-| `image.tag` | Image tag | `v1.13.4` |
+| `image.tag` | Image tag | `v1.14.0` |
 | `image.domain` | ECR repository domain | `amazonaws.com` |
 | `image.region` | ECR repository region to use. Should match your cluster | `us-west-2` |
 | `image.endpoint` | ECR repository endpoint to use. | `ecr` |
@@ -49,7 +51,7 @@ The following table lists the configurable parameters for this chart and their d
 | `image.pullPolicy` | Container pull policy | `IfNotPresent` |
 | `image.override` | A custom docker image to use | `nil` |
 | `imagePullSecrets` | Docker registry pull secret | `[]` |
-| `init.image.tag` | Image tag | `v1.13.4` |
+| `init.image.tag` | Image tag | `v1.14.0` |
 | `init.image.domain` | ECR repository domain | `amazonaws.com` |
 | `init.image.region` | ECR repository region to use. Should match your cluster | `us-west-2` |
 | `init.image.endpoint` | ECR repository endpoint to use. | `ecr` |
@@ -60,6 +62,15 @@ The following table lists the configurable parameters for this chart and their d
 | `init.securityContext` | Init container Security context | `privileged: true` |
 | `originalMatchLabels` | Use the original daemonset matchLabels | `false` |
 | `nameOverride` | Override the name of the chart | `aws-node` |
+| `nodeAgent.image.tag` | Image tag for Node Agent | `v1.0.1-eksbuild.1` |
+| `nodeAgent.image.domain`| ECR repository domain | `amazonaws.com` |
+| `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2` |
+| `nodeAgent.image.endpoint` | ECR repository endpoint to use. | `ecr` |
+| `nodeAgent.image.account` | ECR repository account number | `602401143452` |
+| `nodeAgent.image.pullPolicy` | Container pull policy | `IfNotPresent` |
+| `nodeAgent.securityContext` | Node Agent container Security context | `capabilities: add: - "NET_ADMIN" privileged: true` |
+| `nodeAgent.enableCloudWatchLogs` | Enable CW logging for Node Agent | `false` |
+| `nodeAgent.enableIpv6`
 | `extraVolumes` | Array to add extra volumes | `[]` |
 | `extraVolumeMounts` | Array to add extra mount | `[]` |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
diff --git a/stable/aws-vpc-cni/crds/customresourcedefinition.yaml b/stable/aws-vpc-cni/crds/customresourcedefinition.yaml
index 306066449..e277aff87 100644
--- a/stable/aws-vpc-cni/crds/customresourcedefinition.yaml
+++ b/stable/aws-vpc-cni/crds/customresourcedefinition.yaml
@@ -18,3 +18,238 @@ spec: plural: eniconfigs singular: eniconfig kind: ENIConfig +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + labels: + app.kubernetes.io/name: amazon-network-policy-controller-k8s + name: policyendpoints.networking.k8s.aws +spec: + group: networking.k8s.aws + names: + kind: PolicyEndpoint + listKind: PolicyEndpointList + plural: policyendpoints + singular: policyendpoint + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: PolicyEndpoint is the Schema for the policyendpoints API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicyEndpointSpec defines the desired state of PolicyEndpoint + properties: + egress: + description: Egress is the list of egress rules containing resolved + network addresses + items: + description: EndpointInfo defines the network endpoint information + for the policy ingress/egress + properties: + cidr: + description: CIDR is the network address(s) of the endpoint + type: string + except: + description: Except is the exceptions to the CIDR ranges mentioned + above. 
+ items: + type: string + type: array + ports: + description: Ports is the list of ports + items: + description: Port contains information about the transport + port/protocol + properties: + endPort: + description: Endport specifies the port range port to + endPort port must be defined and an integer, endPort + > port + format: int32 + type: integer + port: + description: Port specifies the numerical port for the + protocol. If empty applies to all ports + format: int32 + type: integer + protocol: + default: TCP + description: Protocol specifies the transport protocol, + default TCP + type: string + type: object + type: array + required: + - cidr + type: object + type: array + ingress: + description: Ingress is the list of ingress rules containing resolved + network addresses + items: + description: EndpointInfo defines the network endpoint information + for the policy ingress/egress + properties: + cidr: + description: CIDR is the network address(s) of the endpoint + type: string + except: + description: Except is the exceptions to the CIDR ranges mentioned + above. + items: + type: string + type: array + ports: + description: Ports is the list of ports + items: + description: Port contains information about the transport + port/protocol + properties: + endPort: + description: Endport specifies the port range port to + endPort port must be defined and an integer, endPort + > port + format: int32 + type: integer + port: + description: Port specifies the numerical port for the + protocol. If empty applies to all ports + format: int32 + type: integer + protocol: + default: TCP + description: Protocol specifies the transport protocol, + default TCP + type: string + type: object + type: array + required: + - cidr + type: object + type: array + podIsolation: + description: PodIsolation specifies whether the pod needs to be isolated + for a particular traffic direction Ingress or Egress, or both. 
If + default isolation is not specified, and there are no ingress/egress + rules, then the pod is not isolated from the point of view of this + policy. This follows the NetworkPolicy spec.PolicyTypes. + items: + description: PolicyType string describes the NetworkPolicy type + This type is beta-level in 1.8 + type: string + type: array + podSelector: + description: PodSelector is the podSelector from the policy resource + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + podSelectorEndpoints: + description: PodSelectorEndpoints contains information about the pods + matching the podSelector + items: + description: PodEndpoint defines the summary information for the + pods + properties: + hostIP: + description: HostIP is the IP address of the host the pod is + currently running on + type: string + name: + description: Name is the pod name + type: string + namespace: + description: Namespace is the pod namespace + type: string + podIP: + description: PodIP is the IP address of the pod + type: string + required: + - hostIP + - name + - namespace + - podIP + type: object + type: array + policyRef: + description: PolicyRef is a reference to the Kubernetes NetworkPolicy + resource. + properties: + name: + description: Name is the name of the Policy + type: string + namespace: + description: Namespace is the namespace of the Policy + type: string + required: + - name + - namespace + type: object + required: + - policyRef + type: object + status: + description: PolicyEndpointStatus defines the observed state of PolicyEndpoint + type: object + type: object + served: true + storage: true + subresources: + status: {} \ No newline at end of file diff --git a/stable/aws-vpc-cni/templates/_helpers.tpl b/stable/aws-vpc-cni/templates/_helpers.tpl index 591b09797..c5df0d5e1 100644 --- a/stable/aws-vpc-cni/templates/_helpers.tpl +++ b/stable/aws-vpc-cni/templates/_helpers.tpl 
@@ -77,3 +77,14 @@ The aws-vpc-cni image to use
 {{- printf "%s.dkr.%s.%s.%s/amazon-k8s-cni:%s" .Values.image.account .Values.image.endpoint .Values.image.region .Values.image.domain .Values.image.tag }}
 {{- end }}
 {{- end }}
+
+{{/*
+The aws-network-policy-agent image to use
+*/}}
+{{- define "aws-vpc-cni.nodeAgentImage" -}}
+{{- if .Values.nodeAgent.image.override }}
+{{- .Values.nodeAgent.image.override }}
+{{- else }}
+{{- printf "%s.dkr.%s.%s.%s/amazon/aws-network-policy-agent:%s" .Values.nodeAgent.image.account .Values.nodeAgent.image.endpoint .Values.nodeAgent.image.region .Values.nodeAgent.image.domain .Values.nodeAgent.image.tag }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/stable/aws-vpc-cni/templates/clusterrole.yaml b/stable/aws-vpc-cni/templates/clusterrole.yaml
index 24b91556f..02b42d643 100644
--- a/stable/aws-vpc-cni/templates/clusterrole.yaml
+++ b/stable/aws-vpc-cni/templates/clusterrole.yaml
@@ -24,7 +24,7 @@ rules:
 resources:
 - pods
 verbs: ["list", "watch", "get"]
-{{- end }}
+{{- end }}
 - apiGroups: [""]
 resources:
 - nodes
@@ -33,3 +33,11 @@ rules:
 resources:
 - events
 verbs: ["create", "patch", "list"]
+ - apiGroups: ["networking.k8s.aws"]
+ resources:
+ - policyendpoints
+ verbs: ["create", "delete", "get", "patch", "list", "update", "watch"]
+ - apiGroups: ["networking.k8s.aws"]
+ resources:
+ - policyendpoints/status
+ verbs: ["get"]
\ No newline at end of file
diff --git a/stable/aws-vpc-cni/templates/configmap.yaml b/stable/aws-vpc-cni/templates/configmap.yaml
index 401a8c192..f52255d22 100644
--- a/stable/aws-vpc-cni/templates/configmap.yaml
+++ b/stable/aws-vpc-cni/templates/configmap.yaml
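Review bot: `nodeAgent.image.override` is consulted first by the new `aws-vpc-cni.nodeAgentImage` helper, but the README parameter table this commit extends documents `image.override` only and not the node-agent counterpart, so the one knob that lets an operator pin the agent to a digest instead of the mutable `v1.0.1` tag is invisible; add the row `| `nodeAgent.image.override` | A custom docker image to use for the Node Agent | `nil` |`. As a point of style, the helper closes with `{{- end -}}` twice where the helper directly above it uses `{{- end }}`, and the file now ends without a trailing newline; matching the existing form keeps the two helpers uniform.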
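Review bot: The new `policyendpoints` rule grants `create`, `delete`, `patch` and `update` cluster-wide to the role that the per-node `aws-node` DaemonSet pod runs under, so a single compromised node could rewrite the resolved ingress and egress CIDRs that every other node enforces. This chart adds only the agent container and the CRD is labelled as owned by `amazon-network-policy-controller-k8s`; if the agent merely consumes PolicyEndpoints and the controller writes them, the rule should be narrowed to `verbs: ["get", "list", "watch"]` (the `policyendpoints/status` `get` is fine as is). The two added entries also appear to sit one indentation level deeper than the existing `- apiGroups: [""]` entry, which would nest them rather than append to `rules`; please confirm the rendered output. The `rules:` list this hunk extends begins outside the hunk.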
@@ -8,3 +8,14 @@ metadata:
 data:
 10-aws.conflist: {{ .Values.cniConfig.fileContents | b64enc }}
 {{- end -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: amazon-vpc-cni
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "aws-vpc-cni.labels" . | indent 4 }}
+data:
+ enable-windows-ipam: {{ .Values.enableWindowsIpam | quote }}
+ enable-network-policy-controller: {{ .Values.enableNetworkPolicy | quote }}
diff --git a/stable/aws-vpc-cni/templates/daemonset.yaml b/stable/aws-vpc-cni/templates/daemonset.yaml
index a6877b1f8..ed27887dc 100644
--- a/stable/aws-vpc-cni/templates/daemonset.yaml
+++ b/stable/aws-vpc-cni/templates/daemonset.yaml
@@ -116,7 +116,35 @@ spec:
 {{- with .Values.extraVolumeMounts }}
 {{- toYaml .| nindent 10 }}
 {{- end }}
+ - name: aws-eks-nodeagent
+ image: {{ include "aws-vpc-cni.nodeAgentImage" . }}
+ env:
+ - name: MY_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ args:
+ - --enable-ipv6={{ .Values.nodeAgent.enableIpv6 }}
+ - --enable-network-policy={{ .Values.enableNetworkPolicy }}
+ - --enable-cloudwatch-logs={{ .Values.nodeAgent.enableCloudWatchLogs }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.nodeAgent.securityContext | nindent 12 }}
+ volumeMounts:
+ - mountPath: /host/opt/cni/bin
+ name: cni-bin-dir
+ - mountPath: /sys/fs/bpf
+ name: bpf-pin-path
+ - mountPath: /var/log/aws-routed-eni
+ name: log-dir
+ - mountPath: /var/run/aws-node
+ name: run-dir
 volumes:
+ - name: bpf-pin-path
+ hostPath:
+ path: /sys/fs/bpf
 - name: cni-bin-dir
 hostPath:
 path: /opt/cni/bin
diff --git a/stable/aws-vpc-cni/values.yaml b/stable/aws-vpc-cni/values.yaml
index 6804d19d0..1eff7dbe7 100644
--- a/stable/aws-vpc-cni/values.yaml
+++ b/stable/aws-vpc-cni/values.yaml
@@ -8,7 +8,7 @@ nameOverride: aws-node
 init:
 image:
- tag: v1.13.4
+ tag: v1.14.0
 domain: amazonaws.com
 region: us-west-2
 endpoint: ecr
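Review bot: The added `---` directly follows the context line `{{- end -}}`, and that action's right-hand `-}}` strips the newline after it, so with `cniConfig.enabled: true` the separator is emitted on the same line as the `10-aws.conflist:` value and the two documents run together; changing the closer to `{{- end }}` keeps `---` on its own line (with the default `false` the first document renders empty, so the breakage only shows for users who enable it). Separately, `enable-network-policy-controller` takes `.Values.enableNetworkPolicy | quote` verbatim, so a value such as `True` or `yes` reaches whichever control-plane component reads this ConfigMap as something other than `"true"`; if that consumer does an exact string compare, normalising with `{{ .Values.enableNetworkPolicy | toString | lower | quote }}` is cheap insurance. The `{{- if .Values.cniConfig.enabled }}` block that the first context lines close begins outside the hunk.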
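Review bot: The `aws-eks-nodeagent` container is added unconditionally, so every node now runs a second privileged `NET_ADMIN` container with the host's `/sys/fs/bpf` and `/opt/cni/bin` mounted writable even when `enableNetworkPolicy` stays at its default and the agent is simply handed `--enable-network-policy=false`; wrapping the container and the `bpf-pin-path` volume in a feature guard would keep that host access off clusters that have not opted in. Because the flag is the string `"false"` in values.yaml and any non-empty string is truthy in Go templates, the guard must compare rather than test, e.g. `{{- if eq (toString .Values.enableNetworkPolicy) "true" }}`. None of the four mounts sets `readOnly`; if the agent only reads from `/host/opt/cni/bin`, that mount at least can be `readOnly: true` — confirm against the agent's needs. The `containers:` list this entry joins begins outside the hunk and the `volumes:` list continues past it.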
@@ -23,8 +23,27 @@ init:
 securityContext:
 privileged: true
+nodeAgent:
+ image:
+ tag: v1.0.1
+ domain: amazonaws.com
+ region: us-west-2
+ endpoint: ecr
+ account: "602401143452"
+ pullPolicy: Always
+ # Set to use custom image
+ override:
+ # override: "repo/org/image:tag"
+ securityContext:
+ capabilities:
+ add:
+ - "NET_ADMIN"
+ privileged: true
+ enableCloudWatchLogs: "false"
+ enableIpv6: "false"
+
 image:
- tag: v1.13.4
+ tag: v1.14.0
 domain: amazonaws.com
 region: us-west-2
 endpoint: ecr
@@ -62,6 +81,9 @@ env:
 # You can then annotate and label the original aws-node resources and 'adopt' them into a helm release
 originalMatchLabels: false
+enableWindowsIpam: "false"
+enableNetworkPolicy: "false"
+
 cniConfig:
 enabled: false
 fileContents: ""
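Review bot: `enableCloudWatchLogs: "false"` and `enableIpv6: "false"` are strings rather than booleans; that is harmless for the `--enable-ipv6={{ ... }}` interpolation, but any `{{ if .Values.nodeAgent.enableIpv6 }}` guard added later is always taken because a non-empty string is truthy in Go templates, and the README documents the default as `false`, so unquoted `false` serves both. The defaults also disagree with the README rows added in this same commit: values ship `tag: v1.0.1` and `pullPolicy: Always` where README says `v1.0.1-eksbuild.1` and `IfNotPresent`. `Always` on a mutable tag means every pod start re-resolves whatever that tag currently points to in ECR, so either pin a digest through `override` or align with the `IfNotPresent` the other images use. `override:` is left as a bare empty value (YAML null), which the image helper treats as unset; `override: ""` states that intent explicitly.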
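Review bot: `enableWindowsIpam: "false"` and `enableNetworkPolicy: "false"` are quoted strings, so any Go-template `if` on them is always true even though they read as off; they only behave today because the templates push them through `| quote` into the ConfigMap and interpolate them into `--enable-network-policy=`. Plain booleans, `enableWindowsIpam: false` and `enableNetworkPolicy: false`, render the same `"false"` through `quote`, match the `false` the README table lists, and keep any future conditional honest. Since the ClusterRole grants and the privileged agent container in this release are not conditioned on this flag, a short comment above the key saying so would stop operators assuming `"false"` keeps them out of the cluster.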