Merge branch 'kubernetes-sigs:master' into stringInterpolationExistin…

…gVolMod

.github/workflows/generate-code-coverage.yaml

@@ -26,7 +26,7 @@ jobs:
           ref: ${{ github.event.pull_request.base.ref }}
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
 
@@ -49,7 +49,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
 

.github/workflows/govulncheck.yaml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
 

.github/workflows/helm-chart-release.yaml

@@ -24,6 +24,7 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions: write-all
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/output-code-coverage.yaml

@@ -53,7 +53,7 @@ jobs:
           sourceRunId: ${{ github.event.workflow_run.id }}
 
       - name: Set up go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: '^1.20.2'
 

.github/workflows/release.yaml

@@ -22,6 +22,7 @@ jobs:
   build:
     name: Release
     runs-on: ubuntu-latest
+    permissions: write-all
     steps:
       - name: Create Release
         id: create-release

.github/workflows/trivy-containers.yaml

@@ -31,7 +31,7 @@ jobs:
         uses: actions/checkout@v4
 
       - id: set-matrix
-        uses: mikefarah/yq@master
+        uses: mikefarah/yq@4
         with:
           # Dynamically build the matrix of images to scan
           cmd: "yq '[{\"repository\": .image.repository, \"tag\": \"v'$(yq '.appVersion' charts/aws-ebs-csi-driver/Chart.yaml)'\"}] + (.sidecars | map(.image)) | map(.repository + \":\" + .tag) | . style=\"flow\"' charts/aws-ebs-csi-driver/values.yaml"

.github/workflows/trivy.yaml

@@ -28,7 +28,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.17.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true

.github/workflows/unit-tests.yaml

@@ -30,7 +30,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
 

CHANGELOG.md

@@ -1,3 +1,15 @@
+# v1.34.0
+### Notable Changes
+* Consider accelerators when calculating node attachment limit ([#2115](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2115), [@ElijahQuinones](https://github.com/ElijahQuinones))
+* Consider GPUs when calculating node attachment limit ([#2108](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2108), [@ElijahQuinones](https://github.com/ElijahQuinones))
+
+### Bug Fixes
+* Ensure ModifyVolume returns InvalidArgument error code if VAC contains invalid parameter ([#2103](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2103), [@mdzraf](https://github.com/mdzraf))
+
+### Improvements
+* Document metadata requirement and available sources ([#2117](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2117), [@ConnorJC3](https://github.com/ConnorJC3))
+* Upgrade dependencies ([#2123](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2123), [@AndrewSirenko](https://github.com/AndrewSirenko))
+
 # v1.33.0
 ### Urgent Upgrade Notes
 *(No, really, you MUST read this before you upgrade)*

Makefile

@@ -18,7 +18,7 @@
 
 ## Variables/Functions
 
-VERSION?=v1.33.0
+VERSION?=v1.34.0
 
 PKG=github.com/kubernetes-sigs/aws-ebs-csi-driver
 GIT_COMMIT?=$(shell git rev-parse HEAD)

README.md

@@ -20,8 +20,8 @@ The [Amazon Elastic Block Store](https://aws.amazon.com/ebs/) Container Storage
 
 | Driver Version | [registry.k8s.io](https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) Image | [ECR Public](https://gallery.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver) Image |
 |----------------|---------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
+| v1.34.0        | registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.34.0                                           | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.34.0                      |
 | v1.33.0        | registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.33.0                                           | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.33.0                      |
-| v1.32.0        | registry.k8s.io/provider-aws/aws-ebs-csi-driver:v1.32.0                                           | public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.32.0                      |
 
 ## Releases
 

charts/aws-ebs-csi-driver/CHANGELOG.md

@@ -1,4 +1,10 @@
 # Helm chart
+## v2.34.0
+* Bump driver version to `v1.34.0`
+* Add toggle for PodDisruptionBudget in chart ([#2109](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2109), [@AndrewSirenko](https://github.com/AndrewSirenko))
+* Add nodeComponentOnly parameter to helm chart ([#2106](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2106), [@AndrewSirenko](https://github.com/AndrewSirenko))
+* fix: sidecars.snapshotter.logLevel not being respect ([#2102](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2102), [@zyue110026](https://github.com/zyue110026))
+
 ## v2.33.0
 * Bump driver version to `v1.33.0`
 * Bump CSI sidecar container versions

charts/aws-ebs-csi-driver/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 1.33.0
+appVersion: 1.34.0
 name: aws-ebs-csi-driver
 description: A Helm chart for AWS EBS CSI Driver
-version: 2.33.0
+version: 2.34.0
 kubeVersion: ">=1.17.0-0"
 home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
 sources:

charts/aws-ebs-csi-driver/templates/controller.yaml

@@ -231,9 +231,6 @@ spec:
             {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
             - --retry-interval-max=30m
             {{- end }}
-            {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
-            - --feature-gates=VolumeAttributesClass=true
-            {{- end }}
             {{- range .Values.sidecars.provisioner.additionalArgs }}
             - {{ . }}
             {{- end }}
@@ -290,9 +287,6 @@ spec:
             {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.attacher.additionalArgs)) }}
             - --retry-interval-max=5m
             {{- end }}
-            {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
-            - --feature-gates=VolumeAttributesClass=true
-            {{- end }}
             {{- range .Values.sidecars.attacher.additionalArgs }}
             - {{ . }}
             {{- end }}

charts/aws-ebs-csi-driver/values.yaml

@@ -73,7 +73,7 @@ sidecars:
     image:
       pullPolicy: IfNotPresent
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter
-      tag: "v8.0.1-eks-1-30-10"
+      tag: "v8.0.1-eks-1-30-12"
     logLevel: 2
     # Additional parameters provided by csi-snapshotter.
     additionalArgs: []
@@ -485,4 +485,4 @@ nodeComponentOnly: false
 helmTester:
   enabled: true
   # Supply a custom image to the ebs-csi-driver-test pod in helm-tester.yaml
-  image: "gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240705-131cd74733-master"
+  image: "gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240803-cf1183f2db-master"

deploy/kubernetes/base/controller.yaml

@@ -62,7 +62,7 @@ spec:
         runAsUser: 1000
       containers:
         - name: ebs-plugin
-          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.33.0
+          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.34.0
           imagePullPolicy: IfNotPresent
           args:
             # - {all,controller,node} # specify the driver mode
@@ -192,7 +192,7 @@ spec:
             seccompProfile:
               type: RuntimeDefault
         - name: csi-snapshotter
-          image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v8.0.1-eks-1-30-10
+          image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter:v8.0.1-eks-1-30-12
           imagePullPolicy: IfNotPresent
           args:
             - --csi-address=$(ADDRESS)

deploy/kubernetes/base/node.yaml

@@ -54,7 +54,7 @@ spec:
         runAsUser: 0
       containers:
         - name: ebs-plugin
-          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.33.0
+          image: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver:v1.34.0
           imagePullPolicy: IfNotPresent
           args:
             - node

deploy/kubernetes/overlays/stable/gcr/kustomization.yaml

@@ -7,7 +7,7 @@ images:
     newName: registry.k8s.io/provider-aws/aws-ebs-csi-driver
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
     newName: registry.k8s.io/sig-storage/csi-provisioner
-    newTag: v5.0.1
+    newTag: v5.0.2
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher
     newName: registry.k8s.io/sig-storage/csi-attacher
     newTag: v4.6.1
@@ -19,7 +19,7 @@ images:
     newTag: v8.0.1
   - name: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
     newName: registry.k8s.io/sig-storage/csi-resizer
-    newTag: v1.11.1
+    newTag: v1.11.2
   - name: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
     newName: registry.k8s.io/sig-storage/csi-node-driver-registrar
     newTag: v2.11.1

docs/faq.md

@@ -32,9 +32,9 @@ Warning  FailedAttachVolume      6m51s              attachdetach-controller  Mul
   systemctl restart kubelet
 ```
 
-3. **Spot Instances and Karpenter Best Practices:** When using Spot Instances with Karpenter, enable [interruption handling](https://aws.github.io/aws-eks-best-practices/karpenter/#enable-interruption-handling-when-using-spot) to manage involuntary interruptions gracefully. Karpenter supports native interruption handling, which cordons, drains, and terminates nodes ahead of interruption events, maximizing workload cleanup time.
-
-4. **Set `.node.tolerateAllTaints=false` when deploying the EBS CSI Driver:** This allows Karpenter to safely drain the `ebs-csi-node` pod before terminating the instance. If you are relying on the `ebs-csi-node` pod to tolerate certain taints, please manually add those tolerations to the driver with `.node.tolerations`.
+3. **Karpenter Best Practices:**
+  - Upgrade to Karpenter version ≥ v1.0.0, where Karpenter will now wait to terminate nodes until all volumes have been detached from them. 
+  - When using Spot Instances with Karpenter, enable [interruption handling](https://aws.github.io/aws-eks-best-practices/karpenter/#enable-interruption-handling-when-using-spot) to manage involuntary interruptions gracefully. Karpenter supports native interruption handling, which cordons, drains, and terminates nodes ahead of interruption events, maximizing workload cleanup time.
 
 ### What is the PreStop lifecycle hook?
 

docs/install.md

@@ -8,6 +8,31 @@
 
 * Important: If you intend to use the Volume Snapshot feature, the [Kubernetes Volume Snapshot CRDs](https://github.com/kubernetes-csi/external-snapshotter/tree/master/client/config/crd) must be installed **before** the EBS CSI driver. For installation instructions, see [CSI Snapshotter Usage](https://github.com/kubernetes-csi/external-snapshotter#usage).
 
+### Metadata
+
+The EBS CSI Driver uses a metadata source in order to gather necessary information about the environment to function. The driver currently supports two metadata sources: [IMDS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) or Kubernetes.
+
+The controller `Deployment` can skip metadata if the region is provided via the `AWS_REGION` environment variable (Helm parameter `controller.region`). The node `DaemonSet` requires metadata and will not function without access to one of the sources.
+
+#### IMDS (EC2) Metadata
+
+If the driver is able to access IMDS, it will utilize that as a preferred source of metadata. The EBS CSI Driver supports IMDSv1 and IMDSv2 (and will prefer IMDSv2 if both are available). However, by default, [IMDSv2 uses a hop limit of 1](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-v2-how-it-works). That will prevent the driver from accessing IMDSv2 if run inside a container with the default IMDSv2 configuration.
+
+In order for the driver to access IMDS, it either must be run in host networking mode, or with a [hop limit of at least 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-existing-instances.html#modify-PUT-response-hop-limit).
+
+#### Kubernetes Metadata
+
+If the driver is unable to reach IMDS, it will fallback to using the Kubernetes API. For this metadata source to work, the driver pods must have access to the Kubernetes API server. Additionally, the Kubernetes node objects must include the following information:
+
+- Instance ID (in the `Node`'s `ProviderID`)
+- Instance Type (in the label `node.kubernetes.io/instance-type`)
+- Instance Region (in the label `topology.kubernetes.io/region`)
+- Instance AZ (in the label `topology.kubernetes.io/zone`)
+
+These values are typically set by the [AWS CCM](https://github.com/kubernetes/cloud-provider-aws). You must have the AWS CCM or a similar tool installed in your cluster providing these values for Kubernetes metadata to function.
+
+Kubernetes metadata does not provide information about the number of ENIs or EBS volumes attached to an instance. Thus, when performing volume limit calculations, node pods using Kubernetes metadata will assume one ENI and one EBS volume (the root volume) is attached.
+
 ## Installation
 ### Set up driver permissions
 The driver requires IAM permissions to talk to Amazon EBS to manage the volume on user's behalf. [The example policy here](./example-iam-policy.json) defines these permissions. AWS maintains a managed policy, available at ARN `arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy`. 
@@ -52,7 +77,7 @@ You may deploy the EBS CSI driver via Kustomize, Helm, or as an [Amazon EKS mana
 
 #### Kustomize
 ```sh
-kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.33"
+kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.34"
 ```
 
 *Note: Using the master branch to deploy the driver is not supported as the master branch may contain upcoming features incompatible with the currently released stable version of the driver.*

docs/modify-volume.md

@@ -12,14 +12,12 @@ The EBS CSI Driver (starting from v1.19.0) supports volume modification through
 
 To use this feature, it must be enabled in the following places:
 - `VolumeAttributesClass` feature gate on `kube-apiserver` (consult your Kubernetes distro's documentation)
-- `storage.k8s.io/v1alpha1` (Kubernetes 1.30 and before) or `storage.k8s.io/v1alpha1` (Kubernetes 1.31 and later) enabled in `kube-apiserver` via [`runtime-config`](https://kubernetes.io/docs/tasks/administer-cluster/enable-disable-api/) (consult your Kubernetes distro's documentation)
+- `storage.k8s.io/v1alpha1` enabled in `kube-apiserver` via [`runtime-config`](https://kubernetes.io/docs/tasks/administer-cluster/enable-disable-api/) (consult your Kubernetes distro's documentation)
 - `VolumeAttributesClass` feature gate on `kube-controller-manager` (consult your Kubernetes distro's documentation)
-- `VolumeAttributesClass` feature gate on `external-provisioner` sidecar
-- `VolumeAttributesClass` feature gate on `external-resizer` sidecar
+- `VolumeAttributesClass` feature gate on `external-provisioner` (add `--feature-gates=VolumeAttributesClass=true` to `sidecars.provisioner.additionalArgs` when using the EBS CSI Helm chart)
+- `VolumeAttributesClass` feature gate on `kube-controller-manager` (add `--feature-gates=VolumeAttributesClass=true` to `sidecars.resizer.additionalArgs` when using the EBS CSI Helm chart)
 
-The EBS CSI Driver Helm chart will automatically enable the `VolumeAttributesClass` feature gate on the sidecars if `VolumeAttributesClass` object is detected with a beta API version (Kubernetes 1.31 and later). You (or your Kubernetes distro, on your behalf) are responsible for enabling the feature gate on the control plane components (`kube-apiserver` and `kube-controller-manager`).
-
-For more information, see the [Kubernetes documentation for Volume Attributes Classes](https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/).
+For more information, see the [Kubernetes documentation for the feature](https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/).
 
 ### `volume-modifier-for-k8s`
 
@@ -35,8 +33,6 @@ Users can specify the following modification parameters:
 - `iops`: to update the IOPS
 - `throughput`: to update the throughput
 
-The EBS CSI Driver also supports modifying tags of existing volumes (only available for `VolumeAttributesClass`), see [the modification section in the tagging documentation](tagging.md#adding-modifying-and-deleting-tags-of-existing-volumes) for more information.
-
 ## Considerations
 
 - Keep in mind the [6 hour cooldown period](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVolume.html) for EBS ModifyVolume. Multiple ModifyVolume calls for the same volume within a 6 hour period will fail.