aws · orsenthil · May 28, 2024 · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024
@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -16,7 +16,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           go install golang.org/x/lint/golint@latest
@@ -50,7 +50,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Build CNI images
         run: make multi-arch-cni-build
       - name: Build CNI Init images

@@ -29,7 +29,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Generate CNI YAML
         run: make generate-cni-yaml
       - name: Create eks-charts PR

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -1 +1 @@
-1.22.2
+1.22.3
@@ -40,7 +40,7 @@ See [here](./docs/iam-policy.md) for required IAM policies.
 * `unit-test`, `format`,`lint` and `vet` provide ways to run the respective tests/tools and should be run before submitting a PR.
 * `make docker` will create a docker container using `docker buildx` that contains the finished binaries, with a tag of `amazon/amazon-k8s-cni:latest`
 * `make docker-unit-tests` uses a docker container to run all unit tests.
-* builds for all build and test actions run in docker containers based on `golang:1.21.5-6-gcc-al2` unless a different `GOLANG_IMAGE` tag is passed in.
+* Builds for all build and test actions run in docker containers based on `.go-version` unless a different `GOLANG_IMAGE` tag is passed in.
 
 ## Components
 

@@ -134,6 +134,7 @@ spec:
             - --enable-network-policy={{ .Values.enableNetworkPolicy }}
             - --enable-cloudwatch-logs={{ .Values.nodeAgent.enableCloudWatchLogs }}
             - --enable-policy-event-logs={{ .Values.nodeAgent.enablePolicyEventLogs }}
+            - --log-file={{ .Values.nodeAgent.networkPolicyAgentLogFileLocation }}
             - --metrics-bind-addr={{ include "aws-vpc-cni.nodeAgentMetricsBindAddr" . }}
             - --health-probe-bind-addr={{ include "aws-vpc-cni.nodeAgentHealthProbeBindAddr" . }}
             - --conntrack-cache-cleanup-period={{ .Values.nodeAgent.conntrackCacheCleanupPeriod }}

@@ -43,6 +43,7 @@ nodeAgent:
     privileged: true
   enableCloudWatchLogs: "false"
   enablePolicyEventLogs: "false"
+  networkPolicyAgentLogFileLocation: "/var/log/aws-routed-eni/network-policy-agent.log"
   enableIpv6: "false"
   metricsBindAddr: "8162"
   healthProbeBindAddr: "8163"

@@ -12,10 +12,22 @@ This chart provides a Kubernetes deployment for the Amazon VPC CNI Metrics Helpe
 First add the EKS repository to Helm:
 
 ```shell
-helm repo add eks https://aws.github.io/eks-charts
+$ helm repo add eks https://aws.github.io/eks-charts
 ```
 
-To install the chart with the release name `cni-metrics-helper` and default configuration:
+Ensure helm repository up to date
+
+```shell
+$ helm repo update eks
+```
+
+To identify the version you are going to apply
+
+```shell
+$ helm search repo eks/cni-metrics-helper --versions
+```
+
+To install the latest chart with the release name `cni-metrics-helper` and default configuration:
 
 ```shell
 $ helm install cni-metrics-helper --namespace kube-system eks/cni-metrics-helper
@@ -43,26 +55,34 @@ $ helm uninstall cni-metrics-helper --namespace kube-system
 
 The following table lists the configurable parameters for this chart and their default values.
 
-| Parameter                    | Description                                                   | Default            |
-|------------------------------|---------------------------------------------------------------|--------------------|
-| fullnameOverride             | Override the fullname of the chart                            | cni-metrics-helper |
-| image.region                 | ECR repository region to use. Should match your cluster       | us-west-2          |
-| image.tag                    | Image tag                                                     | v1.18.1            |
-| image.account                | ECR repository account number                                 | 602401143452       |
-| image.domain                 | ECR repository domain                                         | amazonaws.com      |
-| env.USE_CLOUDWATCH           | Whether to export CNI metrics to CloudWatch                   | true               |
-| env.USE_PROMETHEUS           | Whether to export CNI metrics to Prometheus                   | false              |
-| env.AWS_CLUSTER_ID           | ID of the cluster to use when exporting metrics to CloudWatch | default            |
-| env.AWS_VPC_K8S_CNI_LOGLEVEL | Log verbosity level (ie. FATAL, ERROR, WARN, INFO, DEBUG)     | INFO               |
-| env.METRIC_UPDATE_INTERVAL   | Interval at which to update CloudWatch metrics, in seconds.   |                    |
-|                              | Metrics are published to CloudWatch at 2x the interval        | 30                 |
-| serviceAccount.name          | The name of the ServiceAccount to use                         | nil                |
-| serviceAccount.create        | Specifies whether a ServiceAccount should be created          | true               |
-| serviceAccount.annotations   | Specifies the annotations for ServiceAccount                  | {}                 |
-| podAnnotations               | Specifies the annotations for pods                            | {}                 |
-| revisionHistoryLimit         | The number of revisions to keep                               | 10                 |
-| podSecurityContext           | SecurityContext to set on the pod                             | {}                 |
-| containerSecurityContext     | SecurityContext to set on the container                       | {}                 |
+
+| Parameter                      | Description                                                   | Default                             |
+| -------------------------------|---------------------------------------------------------------|-------------------------------------|
+| `affinity`                     | Map of node/pod affinities                                    | `{}`                                |
+| `fullnameOverride`             | Override the fullname of the chart                            | `cni-metrics-helper`                |
+| `image.tag`                    | Image tag                                                     | `v1.18.1`                           |
+| `image.domain`                 | ECR repository domain                                         | `amazonaws.com`                     |
+| `image.region`                 | ECR repository region to use. Should match your cluster       | `us-west-2`                         |
+| `image.account`                | ECR repository account number                                 | `602401143452`                      |
+| `env.USE_CLOUDWATCH`           | Whether to export CNI metrics to CloudWatch                   | `true`                              |
+| `env.USE_PROMETHEUS`           | Whether to export CNI metrics to Prometheus                   | `false`                             |
+| `env.AWS_CLUSTER_ID`           | ID of the cluster to use when exporting metrics to CloudWatch | `default`                           |
+| `env.AWS_VPC_K8S_CNI_LOGLEVEL` | Log verbosity level (ie. FATAL, ERROR, WARN, INFO, DEBUG)     | `INFO`                              |
+| `env.METRIC_UPDATE_INTERVAL`   | Interval at which to update CloudWatch metrics, in seconds.   |                                     |
+|                                | Metrics are published to CloudWatch at 2x the interval        | `30`                                |
+| `serviceAccount.name`          | The name of the ServiceAccount to use                         | `nil`                               |
+| `serviceAccount.create`        | Specifies whether a ServiceAccount should be created          | `true`                              |
+| `serviceAccount.annotations`   | Specifies the annotations for ServiceAccount                  | `{}`                                |
+| `podAnnotations`               | Specifies the annotations for pods                            | `{}`                                |
+| `revisionHistoryLimit`         | The number of revisions to keep                               | `10`                                |
+| `podSecurityContext`           | SecurityContext to set on the pod                             | `{}`                                |
+| `containerSecurityContext`     | SecurityContext to set on the container                       | `{}`                                |
+| `tolerations`                  | Optional deployment tolerations                               | `[]`                                |
+| `updateStrategy`               | Optional update strategy                                      | `{}`                                |
+| `imagePullSecrets`             | Docker registry pull secret                                   | `[]`                                |
+| `nodeSelector`                 | Node labels for pod assignment                                | `{}`                                |
+| `tolerations`                  | Optional deployment tolerations                               | `[]`                                |
+
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters:
 

@@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "cni-metrics-helper.fullname" . }}
+  labels:
+{{ include "cni-metrics-helper.labels" . | indent 4 }}
 rules:
   - apiGroups: [""]
     resources:

@@ -5,7 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     k8s-app: cni-metrics-helper
+{{ include "cni-metrics-helper.labels" . | indent 4 }}
 spec:
+{{- if .Values.updateStrategy }}
+  strategy: {{ toYaml .Values.updateStrategy | nindent 4 }}
+{{- end }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   selector:
     matchLabels:
@@ -19,6 +23,8 @@ spec:
       {{- end }}
       {{- end }}
       labels:
+        app.kubernetes.io/name: {{ include "cni-metrics-helper.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
         k8s-app: cni-metrics-helper
     spec:
       containers:
@@ -36,6 +42,22 @@ spec:
         name: cni-metrics-helper
         image: "{{- if .Values.image.override }}{{- .Values.image.override }}{{- else }}{{- .Values.image.account }}.dkr.ecr.{{- .Values.image.region }}.{{- .Values.image.domain }}/cni-metrics-helper:{{- .Values.image.tag }}{{- end}}"
       serviceAccountName: {{ template "cni-metrics-helper.serviceAccountName" . }}
-{{- if .Values.podSecurityContext }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podSecurityContext }}
       securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
-{{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
@@ -36,3 +36,34 @@ podSecurityContext: {}
 containerSecurityContext: {}
 
 podAnnotations: {}
+
+imagePullSecrets: []
+
+updateStrategy: {}
+#  type: RollingUpdate
+#  rollingUpdate:
+#    maxUnavailable: "10%"
+
+nodeSelector: {}
+
+tolerations: []
+# - operator: Exists
+
+affinity: {}
+#  nodeAffinity:
+#    requiredDuringSchedulingIgnoredDuringExecution:
+#      nodeSelectorTerms:
+#        - matchExpressions:
+#            - key: "kubernetes.io/os"
+#              operator: In
+#              values:
+#                - linux
+#            - key: "kubernetes.io/arch"
+#              operator: In
+#              values:
+#                - amd64
+#                - arm64
+#            - key: "eks.amazonaws.com/compute-type"
+#              operator: NotIn
+#              values:
+#                - fargate
@@ -29,7 +29,6 @@ import (
 
 const (
 	defaultHostCNIBinPath           = "/host/opt/cni/bin"
-	vpcCniInitDonePath              = "/vpc-cni-init/done"
 	metadataLocalIP                 = "local-ipv4"
 	metadataMAC                     = "mac"
 	defaultDisableIPv4TcpEarlyDemux = false
@@ -181,17 +180,7 @@ func _main() int {
 		return 1
 	}
 
-	// TODO: In order to speed up pod launch time, VPC CNI init container is not a Kubernetes init container.
-	// The VPC CNI container blocks on the existence of vpcCniInitDonePath
-	//err = cp.TouchFile(vpcCniInitDonePath)
-	//if err != nil {
-	//	log.WithError(err).Errorf("Failed to set VPC CNI init done")
-	//	return 1
-	//}
-
 	log.Infof("CNI init container done")
 
-	// TODO: Since VPC CNI init container is a real container, it never exits
-	// time.Sleep(time.Duration(1<<63 - 1))
 	return 0
 }
@@ -42,9 +42,7 @@ import (
 	"os/exec"
 	"strconv"
 	"strings"
-	"time"
 
-	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/containernetworking/cni/pkg/types"
@@ -188,27 +186,6 @@ func waitForIPAM() bool {
 	}
 }
 
-// Wait for vpcCniInitDonePath to exist (maximum wait time is 60 seconds)
-func waitForInit() error {
-	start := time.Now()
-	maxEnd := start.Add(time.Minute)
-	for {
-		// Check for existence of vpcCniInitDonePath
-		if _, err := os.Stat(vpcCniInitDonePath); err == nil {
-			// Delete the done file in case of a reboot of the node or restart of the container (force init container to run again)
-			if err := os.Remove(vpcCniInitDonePath); err == nil {
-				return nil
-			}
-			// If file deletion fails, log and allow retry
-			log.Errorf("Failed to delete file: %s", vpcCniInitDonePath)
-		}
-		if time.Now().After(maxEnd) {
-			return errors.Errorf("time exceeded")
-		}
-		time.Sleep(1 * time.Second)
-	}
-}
-
 func getPrimaryIP(ipv4 bool) (string, error) {
 	var hostIP string
 	var err error
@@ -471,12 +448,6 @@ func _main() int {
 		return 1
 	}
 
-	// Wait for init container to complete
-	//if err := waitForInit(); err != nil {
-	//	log.WithError(err).Errorf("Init container failed to complete")
-	//	return 1
-	//}
-
 	log.Infof("Copying config file... ")
 	err = generateJSON(defaultAWSconflistFile, tmpAWSconflistFile, getPrimaryIP)
 	if err != nil {

@@ -253,3 +253,11 @@ The [CNI image](../scripts/dockerfiles/Dockerfile.release) built for the `aws-no
 
 See the [cni-metrics-helper README](../cmd/cni-metrics-helper/README.md).
 
+
+## Build Troubleshooting
+
+If you encouter build issues while building vpc cni, ensure you are logged into a docker registry.
+For e.g.
+
+aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+~