
Commit 78583fa

Merge remote-tracking branch 'github/mainline' into mainline
2 parents 63dfebc + f0d84ea commit 78583fa


11 files changed

+22
-20
lines changed


latest/ug/clusters/private-clusters.adoc

Lines changed: 1 addition & 1 deletion
@@ -115,7 +115,7 @@ We recommend that you link:vpc/latest/privatelink/interface-endpoints.html#enabl
115115
* *EFS storage* - If your Pods use Amazon EFS volumes, then before deploying the <<efs-csi,Store an elastic file system with Amazon EFS>>, the driver's https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/deploy/kubernetes/overlays/stable/kustomization.yaml[kustomization.yaml] file must be changed to set the container images to use the same {aws} Region as the Amazon EKS cluster.
116116
* Route53 does not support {aws} PrivateLink. You cannot manage Route53 DNS records from a private Amazon EKS cluster. This impacts Kubernetes https://github.com/kubernetes-sigs/external-dns[external-dns].
117117
* If you use the EKS Optimized AMI, you should enable the `ec2` endpoint in the table above. Alternatively, you can manually set the Node DNS name. The optimized AMI uses EC2 APIs to set the node DNS name automatically.
118-
* You can use the <<aws-load-balancer-controller,{aws} Load Balancer Controller>> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint.
118+
* You can use the <<aws-load-balancer-controller,{aws} Load Balancer Controller>> to deploy {aws} Application Load Balancers (ALB) and Network Load Balancers to your private cluster. When deploying it, you should use https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/configurations/#controller-command-line-flags[command line flags] to set `enable-shield`, `enable-waf`, and `enable-wafv2` to false. https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/cert_discovery/#discover-via-ingress-rule-host[Certificate discovery] with hostnames from Ingress objects isn't supported. This is because the controller needs to reach {aws} Certificate Manager, which doesn't have a VPC interface endpoint.
119119
+
120120
The controller supports network load balancers with IP targets, which are required for use with Fargate. For more information, see <<alb-ingress>> and <<network-load-balancer>>.
121121
* https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md[Cluster Autoscaler] is supported. When deploying Cluster Autoscaler Pods, make sure that the command line includes `--aws-use-static-instance-list=true`. For more information, see https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#use-static-instance-list[Use Static Instance List] on GitHub. The worker node VPC must also include the {aws} STS VPC endpoint and autoscaling VPC endpoint.
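Review bot: switching both controller-doc links on line 118 from `v2.7` to `latest` drops the version pin, so the fragments `#controller-command-line-flags` and `#discover-via-ingress-rule-host` will break silently whenever the upstream docs are restructured; either keep a pinned version that matches the chart version installed on the lbc-helm page, or verify both fragments against the current `latest` pages before merging. The guidance to set `enable-shield`, `enable-waf` and `enable-wafv2` to false for a private cluster is unchanged and still reads correctly.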

latest/ug/manage-access/aws-access/enable-iam-roles-for-service-accounts.adoc

Lines changed: 2 additions & 0 deletions
@@ -12,6 +12,8 @@ Learn how to create an {aws} Identity and Access Management OpenID Connect provi
1212

1313
Your cluster has an https://openid.net/connect/[OpenID Connect] (OIDC) issuer URL associated with it. To use {aws} Identity and Access Management (IAM) roles for service accounts, an IAM OIDC provider must exist for your cluster's OIDC issuer URL.
1414

15+
== Prerequisites
16+
1517
* An existing Amazon EKS cluster. To deploy one, see <<getting-started>>.
1618
* Version `2.12.3` or later or version `1.27.160` or later of the {aws} Command Line Interface ({aws} CLI) installed and configured on your device or {aws} CloudShell. To check your current version, use `aws --version | cut -d / -f2 | cut -d ' ' -f1`. Package managers such `yum`, `apt-get`, or Homebrew for macOS are often several versions behind the latest version of the {aws} CLI. To install the latest version, see link:cli/latest/userguide/cli-chap-install.html[Installing, updating, and uninstalling the {aws} CLI,type="documentation"] and link:cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config[Quick configuration with aws configure,type="documentation"] in the _{aws} Command Line Interface User Guide_. The {aws} CLI version that is installed in {aws} CloudShell might also be several versions behind the latest version. To update it, see link:cloudshell/latest/userguide/vm-specs.html#install-cli-software[Installing {aws} CLI to your home directory,type="documentation"] in the _{aws} CloudShell User Guide_.
1719
* The `kubectl` command line tool is installed on your device or {aws} CloudShell. The version can be the same as or up to one minor version earlier or later than the Kubernetes version of your cluster. For example, if your cluster version is `1.29`, you can use `kubectl` version `1.28`, `1.29`, or `1.30` with it. To install or upgrade `kubectl`, see <<install-kubectl>>.
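Review bot: the new `== Prerequisites` heading at line 15 has no explicit anchor id, whereas the section heading touched in cross-service-confused-deputy-prevention.adoc in this same commit carries one (`[#cross-service-confused-deputy-cluster-role]`); adding an id along the lines of `[#enable-iam-roles-for-service-accounts-prerequisites]` (name is a suggestion) keeps cross-references stable if the heading text is later changed.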

latest/ug/networking/eks-networking-add-ons.adoc

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ This add-on maintains network rules on your Amazon EC2 nodes and enables network
4343
== Optional {aws} networking add-ons
4444

4545
*{aws} Load Balancer Controller*::
46-
When you deploy Kubernetes service objects of type `loadbalancer`, the controller creates {aws} Network Load Balancers . When you create Kubernetes ingress objects, the controller creates {aws} Application Load Balancers. We recommend using this controller to provision Network Load Balancers, rather than using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] controller built-in to Kubernetes. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller[{aws} Load Balancer Controller] documentation.
46+
When you deploy Kubernetes service objects of type `loadbalancer`, the controller creates {aws} Network Load Balancers . When you create Kubernetes ingress objects, the controller creates {aws} Application Load Balancers. We recommend using this controller to provision Network Load Balancers, rather than using the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] controller built-in to Kubernetes. For more information, see the https://kubernetes-sigs.github.io/aws-load-balancer-controller[{aws} Load Balancer Controller] documentation.
4747

4848

4949
*{aws} Gateway API Controller*::
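Review bot: line 46 is being rewritten anyway, so fix the two pre-existing wording defects it still carries in both the old and new version: the stray space in `Network Load Balancers .` and `built-in to Kubernetes`, which should read `built in to Kubernetes` (or `built into Kubernetes`).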

latest/ug/networking/lbc-helm.adoc

Lines changed: 1 addition & 1 deletion
@@ -110,7 +110,7 @@ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
110110
--set clusterName=my-cluster \
111111
--set serviceAccount.create=false \
112112
--set serviceAccount.name=aws-load-balancer-controller \
113-
--version 1.13.0
113+
--version 1.14.0
114114
----
115115

116116

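Review bot: the chart bump from `--version 1.13.0` to `--version 1.14.0` on line 113 is the only change to this install command; check the rest of this page (outside the hunk) for any other pinned controller artifact, such as a CRD manifest URL or image tag, so the instructions don't mix controller releases, and confirm that 1.14.0 is the chart release corresponding to the controller documentation the other pages in this commit now link as `latest`.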
latest/ug/networking/vpc-add-on-create.adoc

Lines changed: 3 additions & 3 deletions
@@ -62,12 +62,12 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml
6262
. Create the add-on using the {aws} CLI. If you want to use the {aws-management-console} or `eksctl` to create the add-on, see <<creating-an-add-on>> and specify `vpc-cni` for the add-on name. Copy the command that follows to your device. Make the following modifications to the command, as needed, and then run the modified command.
6363
+
6464
** Replace [.replaceable]`my-cluster` with the name of your cluster.
65-
** Replace [.replaceable]`v1.20.1-eksbuild.3` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <<vpc-cni-latest-available-version>>.
65+
** Replace [.replaceable]`v1.20.3-eksbuild.1` with the latest version listed in the latest version table for your cluster version. For the latest version table, see <<vpc-cni-latest-available-version>>.
6666
** Replace [.replaceable]`111122223333` with your account ID and [.replaceable]`AmazonEKSVPCCNIRole` with the name of an <<cni-iam-role-create-role,existing IAM role>> that you've created. Specifying a role requires that you have an IAM OpenID Connect (OIDC) provider for your cluster. To determine whether you have one for your cluster, or to create one, see <<enable-iam-roles-for-service-accounts>>.
6767
+
6868
[source,bash,subs="verbatim,attributes"]
6969
----
70-
aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.20.1-eksbuild.3 \
70+
aws eks create-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.20.3-eksbuild.1 \
7171
--service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole
7272
----
7373
+
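Review bot: line 65 directs readers to <<vpc-cni-latest-available-version>> for the version to substitute, so the table behind that reference must also show `v1.20.3-eksbuild.1`; if it was not bumped in this commit, the example command on line 70 and the table will disagree. The placeholder on line 65 and the command on line 70 are otherwise consistent with each other.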
@@ -85,7 +85,7 @@ An example output is as follows.
8585
+
8686
[source,bash,subs="verbatim,attributes"]
8787
----
88-
v1.20.1-eksbuild.3
88+
v1.20.3-eksbuild.1
8989
----
9090
. If you made custom settings to your original add-on, before you created the Amazon EKS add-on, use the configuration that you saved in a previous step to update the EKS add-on with your custom settings. Follow the steps in <<vpc-add-on-update>>.
9191
. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub.

latest/ug/networking/vpc-add-on-self-managed-update.adoc

Lines changed: 2 additions & 2 deletions
@@ -47,7 +47,7 @@ To review the available versions and familiarize yourself with the changes in th
4747
+
4848
[source,bash,subs="verbatim,attributes"]
4949
----
50-
curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.20.1/config/master/aws-k8s-cni.yaml
50+
curl -O https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.20.3/config/master/aws-k8s-cni.yaml
5151
----
5252
+
5353
If necessary, modify the manifest with the custom settings from the backup you made in a previous step and then apply the modified manifest to your cluster. If your nodes don't have access to the private Amazon EKS Amazon ECR repositories that the images are pulled from (see the lines that start with `image:` in the manifest), then you'll have to download the images, copy them to your own repository, and modify the manifest to pull the images from your repository. For more information, see <<copy-image-to-repository>>.
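Review bot: the manifest on line 50 is fetched from a git tag (`v1.20.3`), and the text at line 53 goes from `curl -O` straight to applying it, with only the optional customisation step in between; since a tag is a mutable reference, consider adding a sentence telling readers to inspect the downloaded `aws-k8s-cni.yaml` before `kubectl apply` (at least the `image:` lines, which the text already calls out) or to compare it against the release they intend to install.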
@@ -67,6 +67,6 @@ An example output is as follows.
6767
+
6868
[source,bash,subs="verbatim,attributes"]
6969
----
70-
v1.20.1
70+
v1.20.3
7171
----
7272
. (Optional) Install the `cni-metrics-helper` to your cluster. It scrapes elastic network interface and IP address information, aggregates it at a cluster level, and publishes the metrics to Amazon CloudWatch. For more information, see https://github.com/aws/amazon-vpc-cni-k8s/blob/master/cmd/cni-metrics-helper/README.md[cni-metrics-helper] on GitHub.

latest/ug/networking/vpc-add-on-update.adoc

Lines changed: 2 additions & 2 deletions
@@ -38,7 +38,7 @@ kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml
3838
+
3939
[source,bash,subs="verbatim,attributes"]
4040
----
41-
aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.20.1-eksbuild.3 \
41+
aws eks update-addon --cluster-name my-cluster --addon-name vpc-cni --addon-version v1.20.3-eksbuild.1 \
4242
--service-account-role-arn {arn-aws}iam::111122223333:role/AmazonEKSVPCCNIRole \
4343
--resolve-conflicts PRESERVE --configuration-values '{"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}}'
4444
----
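Review bot: the version bump on line 41 is consistent with vpc-add-on-create.adoc, but the same command also passes `--configuration-values '{"env":{"AWS_VPC_K8S_CNI_EXTERNALSNAT":"true"}}'` on line 43, which toggles the CNI's external SNAT setting and has nothing to do with the add-on version; if that value is only illustrative, say so in the surrounding text, because readers who copy the command to update the add-on will otherwise change their pod egress behaviour along with the version.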
@@ -62,7 +62,7 @@ An example output is as follows.
6262
"addonName": "vpc-cni",
6363
"clusterName": "my-cluster",
6464
"status": "ACTIVE",
65-
"addonVersion": "v1.20.1-eksbuild.3",
65+
"addonVersion": "v1.20.3-eksbuild.1",
6666
"health": {
6767
"issues": []
6868
},

latest/ug/security/cross-service-confused-deputy-prevention.adoc

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ If the `aws:SourceArn` value does not contain the account ID, such as an Amazon
2222
[#cross-service-confused-deputy-cluster-role]
2323
== Amazon EKS cluster role cross-service confused deputy prevention
2424

25-
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
25+
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
2626
These cluster actions can only affect the same account, so we recommend that you limit each cluster role to that cluster and account.
2727
This is a specific application of the {aws} recommendation to follow the _principle of least privilege_ in your account.
2828

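Review bot: line 25 writes the URL as `link:https://kubernetes-sigs.github.io/...`, while the identical sentence in cluster-iam-role.adoc (also touched in this commit) uses the bare `https://...[legacy Cloud Provider]` form; since both lines are being edited, pick one macro style so the two copies of this sentence stay in sync. The recommendation on lines 26 and 27 to scope each cluster role to a single cluster and account is the actual confused-deputy control here and is unchanged.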
latest/ug/security/iam-reference/cluster-iam-role.adoc

Lines changed: 2 additions & 2 deletions
@@ -10,14 +10,14 @@ include::../../attributes.txt[]
1010
Learn how to create and configure the required {aws} Identity and Access Management role for Amazon EKS clusters to manage nodes and load balancers using managed or custom IAM policies.
1111
--
1212

13-
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
13+
An Amazon EKS cluster IAM role is required for each cluster. Kubernetes clusters managed by Amazon EKS use this role to manage nodes and the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] uses this role to create load balancers with Elastic Load Balancing for services.
1414

1515
Before you can create Amazon EKS clusters, you must create an IAM role with either of the following IAM policies:
1616

1717

1818

1919
* link:aws-managed-policy/latest/reference/AmazonEKSClusterPolicy.html[AmazonEKSClusterPolicy,type="documentation"]
20-
* A custom IAM policy. The minimal permissions that follow allows the Kubernetes cluster to manage nodes, but doesn't allow the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions:
20+
* A custom IAM policy. The minimal permissions that follow allows the Kubernetes cluster to manage nodes, but doesn't allow the https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/annotations/#legacy-cloud-provider[legacy Cloud Provider] to create load balancers with Elastic Load Balancing. Your custom IAM policy must have at least the following permissions:
2121
+
2222
[source,json,subs="verbatim,attributes"]
2323
----
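Review bot: line 20 still reads `The minimal permissions that follow allows the Kubernetes cluster`, a subject-verb disagreement (`permissions ... allow`); since the line is being rewritten for the link change, fix it in the same edit. The sentence correctly flags that the minimal policy omits the Elastic Load Balancing permissions the legacy Cloud Provider needs, which is the least-privilege trade-off readers should be making deliberately.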

latest/ug/workloads/alb-ingress.adoc

Lines changed: 2 additions & 2 deletions
@@ -65,7 +65,7 @@ If you're using multiple security groups attached to worker node, exactly one se
6565
If the subnet role tags aren't explicitly added, the Kubernetes service controller examines the route table of your cluster VPC subnets. This is to determine if the subnet is private or public. We recommend that you don't rely on this behavior. Rather, explicitly add the private or public role tags. The {aws} Load Balancer Controller doesn't examine route tables. It also requires the private and public tags to be present for successful auto discovery.
6666

6767

68-
* The https://github.com/kubernetes-sigs/aws-load-balancer-controller[{aws} Load Balancer Controller] creates ALBs and the necessary supporting {aws} resources whenever a Kubernetes ingress resource is created on the cluster with the `kubernetes.io/ingress.class: alb` annotation. The ingress resource configures the ALB to route HTTP or HTTPS traffic to different Pods within the cluster. To ensure that your ingress objects use the {aws} Load Balancer Controller, add the following annotation to your Kubernetes ingress specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/spec/[Ingress specification] on GitHub.
68+
* The https://github.com/kubernetes-sigs/aws-load-balancer-controller[{aws} Load Balancer Controller] creates ALBs and the necessary supporting {aws} resources whenever a Kubernetes ingress resource is created on the cluster with the `kubernetes.io/ingress.class: alb` annotation. The ingress resource configures the ALB to route HTTP or HTTPS traffic to different Pods within the cluster. To ensure that your ingress objects use the {aws} Load Balancer Controller, add the following annotation to your Kubernetes ingress specification. For more information, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/spec/[Ingress specification] on GitHub.
6969
+
7070
[source,yaml,subs="verbatim,attributes"]
7171
----
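Review bot: line 68 still tells readers to select the controller with the `kubernetes.io/ingress.class: alb` annotation; Kubernetes deprecated that annotation in favour of `spec.ingressClassName`, and the link on this line now follows the controller's `latest` documentation rather than a pinned `v2.7`, so verify that the annotation guidance on this page still matches what the linked Ingress specification describes before merging.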
@@ -87,7 +87,7 @@ alb.ingress.kubernetes.io/ip-address-type: dualstack
8787
NOTE: Your Kubernetes service must specify the `NodePort` or `LoadBalancer` type to use this traffic mode.
8888
** *IP*
8989
– Registers Pods as targets for the ALB. Traffic reaching the ALB is directly routed to Pods for your service. You must specify the `alb.ingress.kubernetes.io/target-type: ip` annotation to use this traffic mode. The IP target type is required when target Pods are running on Fargate or Amazon EKS Hybrid Nodes.
90-
* To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the {aws} Load Balancer Controller, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/[Ingress annotations] on GitHub.
90+
* To tag ALBs created by the controller, add the following annotation to the controller: `alb.ingress.kubernetes.io/tags`. For a list of all available annotations supported by the {aws} Load Balancer Controller, see https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/ingress/annotations/[Ingress annotations] on GitHub.
9191
* Upgrading or downgrading the ALB controller version can introduce breaking changes for features that rely on it. For more information about the breaking changes that are introduced in each release, see the https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases[ALB controller release notes] on GitHub.
9292

9393

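Review bot: line 90 says to add `alb.ingress.kubernetes.io/tags` "to the controller", but the `alb.ingress.kubernetes.io/*` annotations are applied to the Ingress object, as the other annotation on this page (`alb.ingress.kubernetes.io/target-type: ip` on line 89) is; change "to the controller" to "to the ingress". The `latest` link on the same line has the same anchor-drift consideration as the other re-pointed links in this commit.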