Periodic update 06/26/20-12:56pm PDT
jimdial-aws committed Jun 26, 2020
1 parent 310337e commit 9fbba2a
Showing 9 changed files with 31 additions and 32 deletions.
2 changes: 1 addition & 1 deletion doc_source/calico.md
@@ -37,7 +37,7 @@ Calico is not supported when using Fargate with Amazon EKS\.

This section walks through the [Stars policy demo](https://docs.projectcalico.org/v3.1/getting-started/kubernetes/tutorials/stars-policy/) provided by the Project Calico documentation\. The demo creates a frontend, backend, and client service on your Amazon EKS cluster\. The demo also creates a management GUI that shows the available ingress and egress paths between each service\.

Before you create any network policies, all services can communicate bidirectionally\. After you apply the network policies, you can see that the client can only communicate with the frontend service, and the frontend can only communicate with the backend\.
Before you create any network policies, all services can communicate bidirectionally\. After you apply the network policies, you can see that the client can only communicate with the frontend service, and the backend only accepts traffic from the frontend\.

**To run the Stars policy demo**

2 changes: 1 addition & 1 deletion doc_source/cni-custom-network.md
@@ -31,7 +31,7 @@ Enabling a custom network effectively removes an available elastic network inter
Output:

```
amazon-k8s-cni:1.6.2
amazon-k8s-cni:1.6.3
```

1. If you have version 1\.3 or later of the CNI installed, you can skip to step 6\. Define a new `ENIConfig` custom resource for your cluster\.
8 changes: 4 additions & 4 deletions doc_source/cni-upgrades.md
@@ -2,7 +2,7 @@

When you launch an Amazon EKS cluster, we apply a recent version of the [Amazon VPC CNI plugin for Kubernetes](https://github.com/aws/amazon-vpc-cni-k8s) to your cluster\. The absolute latest version of the plugin is available on [GitHub](https://github.com/aws/amazon-vpc-cni-k8s/releases) for a short grace period before new clusters are switched over to use it\. Amazon EKS does not automatically upgrade the CNI plugin on your cluster when new versions are released\. To get a newer version of the CNI plugin on existing clusters, you must manually upgrade the plugin\.

The latest version that we recommend is version 1\.6\.2\. You can view the different releases available for the plugin, and read the release notes for each version [on GitHub](https://github.com/aws/amazon-vpc-cni-k8s/releases)\.
The latest version that we recommend is version 1\.6\.3\. You can view the different releases available for the plugin, and read the release notes for each version [on GitHub](https://github.com/aws/amazon-vpc-cni-k8s/releases)\.

Use the following procedures to check your CNI plugin version and upgrade to the latest recommended version\.

@@ -16,13 +16,13 @@ Use the following procedures to check your CNI plugin version and upgrade to the
Output:

```
amazon-k8s-cni:1.6.1
amazon-k8s-cni:1.6.2
```

In this example output, the CNI version is 1\.6\.1, which is earlier than the current recommended version, 1\.6\.2\. Use the following procedure to upgrade the CNI\.
In this example output, the CNI version is 1\.6\.2, which is earlier than the current recommended version, 1\.6\.3\. Use the following procedure to upgrade the CNI\.

**To upgrade the Amazon VPC CNI plugin for Kubernetes**
+ If your CNI version is earlier than 1\.6\.2, then use the appropriate command below to update your CNI version to the latest recommended version:
+ If your CNI version is earlier than 1\.6\.3, then use the appropriate command below to update your CNI version to the latest recommended version:
+ US West \(Oregon\) \(`us-west-2`\)

```
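Review bot: the bumped condition `If your CNI version is earlier than 1\.6\.3` hands the reader to the per-region `kubectl apply` commands under the `us-west-2` heading, which are cut off in this hunk. If those commands pin a versioned manifest, every regional command in cni-upgrades.md must be bumped in the same commit, otherwise the page says "upgrade to 1.6.3" and then applies the previous release. The same prose-plus-command pairing appears in update-cluster.md in this commit and needs the same check.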
4 changes: 2 additions & 2 deletions doc_source/horizontal-pod-autoscaler.md
@@ -2,7 +2,7 @@

The Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales the number of pods in a deployment, replication controller, or replica set based on that resource's CPU utilization\. This can help your applications scale out to meet increased demand or scale in when resources are not needed, thus freeing up your worker nodes for other applications\. When you set a target CPU utilization percentage, the Horizontal Pod Autoscaler scales your application in or out to try to meet that target\.

The Horizontal Pod Autoscaler is a standard API resource in Kubernetes that simply requires that a metrics source \(such as the Kubernetes metrics server\) is installed on your Amazon EKS cluster to work\. You do not need to deploy or install the Horizontal Pod Autoscaler on your cluster to begin scaling your applications\. For more information, see [Horizontal pod autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) in the Kubernetes documentation\.
The Horizontal Pod Autoscaler is a standard API resource in Kubernetes that simply requires that a metrics source \(such as the Kubernetes metrics server\) is installed on your Amazon EKS cluster to work\. You do not need to deploy or install the Horizontal Pod Autoscaler on your cluster to begin scaling your applications\. For more information, see [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) in the Kubernetes documentation\.

Use this topic to prepare the Horizontal Pod Autoscaler for your Amazon EKS cluster and to verify that it is working with a sample application\.

@@ -145,7 +145,7 @@ It may take a few minutes before you see the replica count reach its maximum\. I
php-apache Deployment/php-apache 0%/50% 1 10 1 25m
```
**Note**
It may take a few minutes before you see the replica count reach 1 again, even when the current CPU percentage is 0 percent\.
The default timeframe for scaling back down is five minutes, so it will take some time before you see the replica count reach 1 again, even when the current CPU percentage is 0 percent\. The timeframe is modifiable\. For more information, see [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) in the Kubernetes documentation\.

1. When you are done experimenting with your sample application, delete the `php-apache` resources\.
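Review bot: `The timeframe is modifiable` is misleading on Amazon EKS unless the note says how. The five-minute scale-down window is the kube-controller-manager flag `--horizontal-pod-autoscaler-downscale-stabilization`, and on a managed control plane users cannot set that flag; the per-HPA `behavior.scaleDown.stabilizationWindowSeconds` field in `autoscaling/v2beta2` requires Kubernetes 1.18, which is newer than the 1.16 shown as the top version in the update-cluster.md table in this same commit. Suggest either stating that the default cannot be changed on EKS at the listed versions, or naming the field together with its minimum Kubernetes version.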

10 changes: 5 additions & 5 deletions doc_source/iam-roles-for-service-accounts-cni-walkthrough.md
@@ -2,7 +2,7 @@

The [Amazon VPC CNI plugin for Kubernetes](https://github.com/aws/amazon-vpc-cni-k8s) is the networking plugin for pod networking in Amazon EKS clusters\. The CNI plugin is responsible for allocating VPC IP addresses to Kubernetes nodes and configuring the necessary networking for pods on each node\. The plugin requires IAM permissions, provided by the AWS managed policy `[AmazonEKS\_CNI\_Policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy%24jsonEditor)`, to make calls to AWS APIs on your behalf\. By default, this policy is attached to your worker node IAM role\. However, using this method, all pods on the worker nodes have the same permissions as the CNI plugin\. You can use the IAM roles for service accounts feature to provide the `[AmazonEKS\_CNI\_Policy](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy%24jsonEditor)` permissions, and then remove the policy from the worker node IAM role\.

For ease of use, this topic uses `eksctl` to configure IAM roles for service accounts\. However, if you would rather use the AWS Management Console, the AWS CLI, or one of the AWS SDKs, the same basic concepts apply, but you will have to modify the steps to use the procedures in [Enabling IAM roles for service accounts on your cluster](enable-iam-roles-for-service-accounts.md)
For ease of use, this topic uses `eksctl` to configure IAM roles for service accounts\. However, if you would rather use the AWS Management Console, the AWS CLI, or one of the AWS SDKs, the same basic concepts apply, but you will have to modify the steps to use the procedures in [Enabling IAM roles for service accounts on your cluster](enable-iam-roles-for-service-accounts.md)\.

**To configure the CNI plugin to use IAM roles for service accounts**

@@ -23,10 +23,10 @@ For ease of use, this topic uses `eksctl` to configure IAM roles for service acc
Output:

```
amazon-k8s-cni:1.6.1
amazon-k8s-cni:1.6.2
```

If your CNI version is earlier than 1\.6\.2, complete the following steps to create a service account and then upgrade your CNI version to the latest version:
If your CNI version is earlier than 1\.6\.3, complete the following steps to create a service account and then upgrade your CNI version to the latest version:

1. Create an OIDC identity provider for your cluster with the following command\. Substitute the cluster name with your own value\.
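Review bot: gating the service-account steps on `If your CNI version is earlier than 1\.6\.3` couples two independent conditions. A cluster already on 1.6.3 whose node role still carries `AmazonEKS_CNI_Policy`, which the introduction says is the default, would skip creating the service account and the OIDC provider and never get to removing the node-wide permission, which is the point of the walkthrough. Suggest gating on whether the `aws-node` pods already have `AWS_ROLE_ARN` set (the check the last step already performs) and keeping the version upgrade as its own step.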

@@ -73,7 +73,7 @@ For ease of use, this topic uses `eksctl` to configure IAM roles for service acc
aws-node-qt9dl 1/1 Running 0 17m
```
1. Check the version of your cluster's Amazon VPC CNI Plugin for Kubernetes again, confirming that the version is 1\.6\.2\.
1. Check the version of your cluster's Amazon VPC CNI Plugin for Kubernetes again, confirming that the version is 1\.6\.3\.
```
kubectl describe daemonset aws-node --namespace kube-system | grep Image | cut -d "/" -f 2
@@ -82,7 +82,7 @@ For ease of use, this topic uses `eksctl` to configure IAM roles for service acc
Output:
```
amazon-k8s-cni:1.6.2
amazon-k8s-cni:1.6.3
```
1. Describe one of the pods and verify that the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables exist\.
2 changes: 1 addition & 1 deletion doc_source/sample-deployment.md
@@ -59,7 +59,7 @@ In this topic, you create a Kubernetes manifest and deploy it to your cluster\.
- containerPort: 80
```
To learn more about Kubernetes [services](https://kubernetes.io/docs/concepts/services-networking/service/) and [deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), see the Kubernetes documentation\. The containers in the sample manifest do not use network storage, but they may be able to\. For more information, see [Storage](storage.md)\.
To learn more about Kubernetes [services](https://kubernetes.io/docs/concepts/services-networking/service/) and [deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), see the Kubernetes documentation\. The containers in the sample manifest do not use network storage, but they may be able to\. For more information, see [Storage](storage.md)\. Though not implemented in this example, we recommend that you create Kubernetes service accounts for your pods, and associate them to AWS IAM accounts\. Specifying service accounts enables your pods to have the minimum permissions that they require to interact with other services\. For more information, see [IAM roles for service accounts](iam-roles-for-service-accounts.md)
1. Deploy the application\.
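Review bot: in the added sentence, `associate them to AWS IAM accounts` should read IAM roles; IAM roles for service accounts binds a Kubernetes service account to an IAM role through the cluster's OIDC provider, not to an account. The sentence also ends without a period. It would help to say why the recommendation matters, which the CNI walkthrough in this same commit already states for one case: pods that share the node's permissions get everything the node role has, so a per-workload service account and role is what actually delivers "the minimum permissions that they require".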
27 changes: 13 additions & 14 deletions doc_source/sec-group-reqs.md
@@ -15,24 +15,23 @@ aws eks describe-cluster --name cluster_name --query cluster.resourcesVpcConfig.
If your cluster is running Kubernetes version 1\.14 and [platform version](platform-versions.md) `eks.3` or later, then we recommend that you add the cluster security group to all existing and future worker node groups\. For more information, see [Security Groups for Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) in the *Amazon VPC User Guide*\. Amazon EKS [managed node groups](managed-node-groups.md) are automatically configured to use the cluster security group\.


| | Protocol | Port range | Source | Destination |
| | Protocol | Ports | Source | Destination |
| --- | --- | --- | --- | --- |
| Recommended inbound traffic | All | All | Self | |
| Recommended outbound traffic | All | All | | 0\.0\.0\.0/0 |
| Recommended inbound traffic | All | All | Self | |
| Recommended outbound traffic | All | All | | 0\.0\.0\.0/0 |

### Restricting Cluster security group
If your cluster needs restricted inbound and outbound communication due to security compliance, Cluster security group can be modified to allow only required minimum traffic for cluster communication between control plane and worker nodes. The ports that should be allowed have not changed between 1.14 and other versions. The Cluster security group created with default rules can be modified to allow below minimum traffic:
| | Protocol | Port range | Source | Destination |
| --- | --- | --- | --- | --- |
| Minimum inbound traffic | TCP | 443 | Cluster Security Group | |
| Minimum inbound traffic\* | TCP | 10250 | Cluster Security Group | |
| Minimum outbound traffic | TCP | 443 | | Cluster Security Group |
| Minimum outbound traffic\* | TCP | 10250 | | Cluster Security Group |
**Restricting cluster traffic**
If you need to limit the open ports between the control plane and worker nodes, the default cluster security group can be modified to allow only the following required minimum ports\. The required minimum ports are the same as they were in previous Amazon EKS versions\.

\* Any protocol and ports that you expect your worker nodes to use for inter-worker communication should be included if required.

\* Worker nodes also require outbound internet access to the Amazon EKS APIs for cluster introspection and node registration at launch time\. To pull container images, they require access to the Amazon S3 and Amazon ECR APIs \(and any other container registries, such as DockerHub\)\. For more information, see [AWS IP Address Ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) in the *AWS General Reference*\.
| | Protocol | Port | Source | Destination |
| --- | --- | --- | --- | --- |
| Minimum inbound traffic | TCP | 443 | Cluster security group | |
| Minimum inbound traffic\* | TCP | 10250 | Cluster security group | |
| Minimum outbound traffic | TCP | 443 | | Cluster security group |
| Minimum outbound traffic\* | TCP | 10250 | | Cluster security group |

\*Any protocol and ports that you expect your worker nodes to use for inter\-worker communication should be included, if required\. Worker nodes also require outbound internet access to the Amazon EKS APIs for cluster introspection and node registration at launch time, or that you've impelmented the required necessary settings in [Private clusters](private-clusters.md)\. To pull container images, they require access to Amazon S3, Amazon ECR APIs, and any other container registries that they need to pull images from, such as DockerHub\. For more information, see [AWS IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) in the AWS General Reference\.

## Control plane and worker node security groups \(for Amazon EKS clusters earlier than Kubernetes version 1\.14 and [platform version](platform-versions.md) `eks.3`\)<a name="control-plane-worker-node-sgs"></a>
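Review bot: `impelmented` in the footnote should be `implemented`, and the clause `or that you've impelmented the required necessary settings in Private clusters` does not parallel `require outbound internet access`; suggest `Worker nodes also require outbound internet access to the Amazon EKS APIs for cluster introspection and node registration at launch time, unless you have implemented the settings in Private clusters`. Two smaller points in the same hunk: the recommended-traffic table header was renamed to `Ports` while the minimum-traffic table below it says `Port`, and the `### Restricting Cluster security group` heading was demoted to bold text, which drops it from the page's heading structure. On substance the minimum table is right to scope both 443 and 10250 to the cluster security group rather than `0.0.0.0/0`; a sentence noting that the control plane ENIs share that group, which is why no wider inbound rule is needed, would preempt the obvious reader question.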

@@ -82,4 +81,4 @@ If you have more than one security group associated to your worker nodes, then o

| Key | Value |
| --- | --- |
| `kubernetes.io/cluster/<cluster-name>` | `owned` |
| `kubernetes.io/cluster/<cluster-name>` | `owned` |
2 changes: 1 addition & 1 deletion doc_source/service-quotas.md
@@ -87,4 +87,4 @@ aws service-quotas request-service-quota-increase \
--service-code ecs \
--quota-code L-46458851 \
--desired-value your-desired-value
```
```
6 changes: 3 additions & 3 deletions doc_source/update-cluster.md
@@ -19,7 +19,7 @@ Amazon EKS does not modify any of your Kubernetes add\-ons when you update a clu

| Kubernetes version | 1\.16 | 1\.15 | 1\.14 | 1\.13 |
| --- | --- | --- | --- | --- |
| Amazon VPC CNI plug\-in | 1\.6\.2 | 1\.6\.2 | 1\.6\.2 | 1\.6\.2 |
| Amazon VPC CNI plug\-in | 1\.6\.3 | 1\.6\.3 | 1\.6\.3 | 1\.6\.3 |
| DNS \(CoreDNS\) | 1\.6\.6 | 1\.6\.6 | 1\.6\.6 | 1\.6\.6 |
| KubeProxy | 1\.16\.8 | 1\.15\.11 | 1\.14\.9 | 1\.13\.12 |

@@ -260,10 +260,10 @@ The cluster update should finish in a few minutes\.
Output:
```
amazon-k8s-cni:1.6.1
amazon-k8s-cni:1.6.2
```
If your CNI version is earlier than 1\.6\.2, then use the appropriate command below to update your CNI version to the latest recommended version:
If your CNI version is earlier than 1\.6\.3, then use the appropriate command below to update your CNI version to the latest recommended version:
+ US West \(Oregon\) \(`us-west-2`\)
```
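Review bot: this is the fourth file in the commit where `If your CNI version is earlier than 1\.6\.3` and the example output are bumped by hand (cni-upgrades.md, iam-roles-for-service-accounts-cni-walkthrough.md, cni-custom-network.md, and here), and each copy also carries its own set of regional commands below the `us-west-2` heading. That is how copies drift, and the only protection today is that the same author edits all four in a periodic update. Suggest replacing the duplicated upgrade procedure in update-cluster.md with the version check plus a link to cni-upgrades.md, so the recommended version and its manifest commands live in one place.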