From 060f77ae53fcdd5f2a2a36e9f0ded8bbcb7abda6 Mon Sep 17 00:00:00 2001 From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 08:32:01 +0000 Subject: [PATCH 01/10] fabric-gateway: Update to version master-301 Update container-registry.zalando.net/gwproxy/fabric-gateway to version master-301 --- cluster/manifests/fabric-gateway/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/fabric-gateway/deployment.yaml b/cluster/manifests/fabric-gateway/deployment.yaml index f645f7f490..dd05ef0591 100644 --- a/cluster/manifests/fabric-gateway/deployment.yaml +++ b/cluster/manifests/fabric-gateway/deployment.yaml @@ -1,4 +1,4 @@ -# {{ $image := "container-registry.zalando.net/gwproxy/fabric-gateway:master-300" }} +# {{ $image := "container-registry.zalando.net/gwproxy/fabric-gateway:master-301" }} # {{ $version := index (split $image ":") 1 }} apiVersion: apps/v1 kind: Deployment From 0d0bee08159d45d7ecc979bf40cf408dff293fb4 Mon Sep 17 00:00:00 2001 
From: Alexander Yastrebov Date: Thu, 23 Jan 2025 12:20:24 +0100 Subject: [PATCH 02/10] skipper: update main to v0.21.257 * update main version * configure `-kubernetes-annotation-filters-append` and `-kubernetes-east-west-range-annotation-filters-append` (added by https://github.com/zalando/skipper/pull/3376) Pull requests: * https://github.com/zalando/skipper/pull/3371 * https://github.com/zalando/skipper/pull/3368 * https://github.com/zalando/skipper/pull/3369 * https://github.com/zalando/skipper/pull/3370 * https://github.com/zalando/skipper/pull/3372 * https://github.com/zalando/skipper/pull/3373 * https://github.com/zalando/skipper/pull/3374 * https://github.com/zalando/skipper/pull/3375 * https://github.com/zalando/skipper/pull/3380 * https://github.com/zalando/skipper/pull/3376 * https://github.com/zalando/skipper/pull/3381 * https://github.com/zalando/skipper/pull/3379 * https://github.com/zalando/skipper/pull/3378 See: * [changes](https://github.com/zalando/skipper/compare/v0.21.247...v0.21.257) * #8791 Signed-off-by: Alexander Yastrebov --- cluster/config-defaults.yaml | 3 +++ cluster/manifests/skipper/deployment.yaml | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml index 63256d83cf..aa746880d1 100644 --- a/cluster/config-defaults.yaml +++ b/cluster/config-defaults.yaml @@ -127,8 +127,11 @@ skipper_edit_route_placeholders: "" skipper_ingress_inline_routes: "" skipper_ingress_refuse_payload: "" skipper_endpointslices_enabled: "true" + skipper_kubernetes_annotation_predicates: '' +skipper_kubernetes_annotation_filters_append: '' skipper_kubernetes_east_west_range_annotation_predicates: '' +skipper_kubernetes_east_west_range_annotation_filters_append: '' skipper_compress_encodings: "gzip,deflate,br" diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml index 9cdd982fdf..7d7d0c902b 100644 
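Review bot: The two keys added in `cluster/config-defaults.yaml`, `skipper_kubernetes_annotation_filters_append` and `skipper_kubernetes_east_west_range_annotation_filters_append`, have no comment on the value they expect or on what setting them does. Since a non-empty value changes the filter chain of routes, I would add above them something like `# filters appended to routes of annotated resources via skipper -kubernetes-annotation-filters-append; empty = none (format: see zalando/skipper#3376)`. Judging by the flag name, the filters apply only where a resource carries the matching annotation, so the comment should also say they are opt-in per resource rather than a cluster-wide control; that reading should be confirmed against the skipper documentation.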
--- a/cluster/manifests/skipper/deployment.yaml +++ b/cluster/manifests/skipper/deployment.yaml @@ -1,6 +1,6 @@ {{/* image-updater-bot detects *image variables so use print to disable it for main image */}} -{{ $main_image := print "container-registry.zalando.net/teapot/skipper-internal:" "v0.21.247-1070" }} +{{ $main_image := print "container-registry.zalando.net/teapot/skipper-internal:" "v0.21.257-1079" }} {{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.21.257-1079" }} @@ -174,7 +174,9 @@ spec: - "-kubernetes-east-west-range-domains=ingress.cluster.local" - "-kubernetes-east-west-range-predicates=ClientIP(\"10.2.0.0/15\", \"{{ .Values.vpc_ipv4_cidr }}\")" - '-kubernetes-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_predicates }}' + - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}' - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}' + - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}' - "-reverse-source-predicate" {{ end }} - "-proxy-preserve-host" 
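Review bot: Both args added in the `@@ -174,7 +174,9 @@` hunk place the config item verbatim inside a single-quoted YAML scalar, so a value containing `'` would close the scalar early and leave the rendered manifest invalid or the flag truncated. The `@@ -543,7 +545,9 @@` hunk adds the same two lines and has the same exposure. The existing `-kubernetes-annotation-predicates` line follows the same pattern, so this is consistent with the file, but the constraint is not written down anywhere visible. I would add a comment above the new lines such as `# config item values are embedded in single-quoted YAML; they must not contain '`. The args list begins and continues outside the hunk.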
@@ -543,7 +545,9 @@ spec: - "-kubernetes-east-west-range-domains=ingress.cluster.local" - "-kubernetes-east-west-range-predicates=ClientIP(\"10.2.0.0/15\", \"{{ .Values.vpc_ipv4_cidr }}\")" - '-kubernetes-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_predicates }}' + - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}' - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}' + - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}' - "-reverse-source-predicate" - "-default-filters-dir=/etc/config/default-filters" - '-default-filters-prepend={{ .Cluster.ConfigItems.skipper_default_filters }}' From a796bb8198baebba0f37f509de0538b92f94900e Mon Sep 17 00:00:00 2001 From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:21:15 +0000 Subject: [PATCH 03/10] aws-ebs-csi-driver: Update to version v1.38.1-master-25 Update container-registry.zalando.net/teapot/aws-ebs-csi-driver to version v1.38.1-master-25 --- cluster/manifests/03-ebs-csi/controller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/03-ebs-csi/controller.yaml b/cluster/manifests/03-ebs-csi/controller.yaml index 923276b111..9588631c6b 100644 --- a/cluster/manifests/03-ebs-csi/controller.yaml +++ b/cluster/manifests/03-ebs-csi/controller.yaml @@ -35,7 +35,7 @@ spec: runAsUser: 1000 containers: - name: ebs-plugin - image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.38.1-master-24 + image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.38.1-master-25 args: - controller - --endpoint=$(CSI_ENDPOINT) From 280bbf67b8de87cb49cbb1d9d66c9e1ea5f9b82b Mon Sep 17 00:00:00 2001 
From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:21:23 +0000 Subject: [PATCH 04/10] external-provisioner: Update to version v5.1.0-eks-1-31-10-master-25 Update container-registry.zalando.net/teapot/external-provisioner to version v5.1.0-eks-1-31-10-master-25 --- cluster/manifests/03-ebs-csi/controller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/03-ebs-csi/controller.yaml b/cluster/manifests/03-ebs-csi/controller.yaml index 923276b111..dc98614baf 100644 --- a/cluster/manifests/03-ebs-csi/controller.yaml +++ b/cluster/manifests/03-ebs-csi/controller.yaml @@ -82,7 +82,7 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - name: csi-provisioner - image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-24 + image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-25 args: - --csi-address=$(ADDRESS) - --v=2 From 692b8a6c767ceae37793ff5d8ca31e1502d911df Mon Sep 17 00:00:00 2001 From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:21:30 +0000 Subject: [PATCH 05/10] external-attacher: Update to version v4.7.0-eks-1-31-10-master-25 Update container-registry.zalando.net/teapot/external-attacher to version v4.7.0-eks-1-31-10-master-25 --- cluster/manifests/03-ebs-csi/controller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/03-ebs-csi/controller.yaml b/cluster/manifests/03-ebs-csi/controller.yaml index 923276b111..5945244c79 100644 --- a/cluster/manifests/03-ebs-csi/controller.yaml +++ b/cluster/manifests/03-ebs-csi/controller.yaml 
@@ -107,7 +107,7 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - name: csi-attacher - image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-24 + image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-25 args: - --csi-address=$(ADDRESS) - --v=2 From 9b40292104b53ae343e10f2ca52659da822c4540 Mon Sep 17 00:00:00 2001 From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:21:37 +0000 Subject: [PATCH 06/10] external-resizer: Update to version v1.12.0-eks-1-31-10-master-25 Update container-registry.zalando.net/teapot/external-resizer to version v1.12.0-eks-1-31-10-master-25 --- cluster/manifests/03-ebs-csi/controller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/03-ebs-csi/controller.yaml b/cluster/manifests/03-ebs-csi/controller.yaml index 923276b111..235f57289b 100644 --- a/cluster/manifests/03-ebs-csi/controller.yaml +++ b/cluster/manifests/03-ebs-csi/controller.yaml @@ -129,7 +129,7 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - name: csi-resizer - image: container-registry.zalando.net/teapot/external-resizer:v1.12.0-eks-1-31-10-master-24 + image: container-registry.zalando.net/teapot/external-resizer:v1.12.0-eks-1-31-10-master-25 args: - --csi-address=$(ADDRESS) - --v=2 From 50cbf8bd83245a1c82c0cadd66ed9c4461994691 Mon Sep 17 00:00:00 2001 From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:21:46 +0000 Subject: [PATCH 07/10] livenessprobe: Update to version v2.14.0-eks-1-31-10-master-25 Update container-registry.zalando.net/teapot/livenessprobe to version v2.14.0-eks-1-31-10-master-25 --- cluster/manifests/03-ebs-csi/controller.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cluster/manifests/03-ebs-csi/controller.yaml b/cluster/manifests/03-ebs-csi/controller.yaml index 923276b111..f7d6a013b7 100644 --- a/cluster/manifests/03-ebs-csi/controller.yaml +++ b/cluster/manifests/03-ebs-csi/controller.yaml @@ -151,7 +151,7 @@ spec: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - name: liveness-probe - image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-24 + image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-25 args: - --csi-address=/csi/csi.sock resources: From 4ee585712602cc4e14030841a92332207d021cc0 Mon Sep 17 00:00:00 2001 From: "k8s-on-aws-manager-app[bot]" <181735053+k8s-on-aws-manager-app[bot]@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:22:02 +0000 Subject: [PATCH 08/10] node-driver-registrar: Update to version v2.12.0-eks-1-31-10-master-25 Update container-registry.zalando.net/teapot/node-driver-registrar to version v2.12.0-eks-1-31-10-master-25 --- cluster/manifests/03-ebs-csi/node.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/03-ebs-csi/node.yaml b/cluster/manifests/03-ebs-csi/node.yaml index a3863386a4..343201f7be 100644 --- a/cluster/manifests/03-ebs-csi/node.yaml +++ b/cluster/manifests/03-ebs-csi/node.yaml @@ -77,7 +77,7 @@ spec: privileged: true readOnlyRootFilesystem: true - name: node-driver-registrar - image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-24 + image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-25 args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) From 026ed65178b6de0ec0cde601eff0fac56bb1b67f Mon Sep 17 00:00:00 2001 From: Mikkel Oscar Lyderik Larsen Date: Mon, 27 Jan 2025 17:41:58 +0100 Subject: [PATCH 09/10] Correctly exclude wiz from node readiness check 
Signed-off-by: Mikkel Oscar Lyderik Larsen --- cluster/manifests/wiz/sensor-daemonset.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cluster/manifests/wiz/sensor-daemonset.yaml b/cluster/manifests/wiz/sensor-daemonset.yaml index 38ad4c6334..d2b9cb328d 100644 --- a/cluster/manifests/wiz/sensor-daemonset.yaml +++ b/cluster/manifests/wiz/sensor-daemonset.yaml @@ -10,6 +10,8 @@ metadata: application: "wiz" component: "sensor" daemonset: "wiz-sensor" + annotations: + node-ready.cluster.zalando.org/exclude: "true" namespace: wiz spec: selector: @@ -27,7 +29,6 @@ spec: annotations: container.apparmor.security.beta.kubernetes.io/wiz-sensor: unconfined cluster-autoscaler.kubernetes.io/enable-ds-eviction: "true" - node-ready.cluster.zalando.org/exclude: "true" spec: serviceAccountName: wiz-sensor nodeSelector: From d926bed1d992bc6e12824233696f1426f76f40a5 Mon Sep 17 00:00:00 2001 From: Mikkel Oscar Lyderik Larsen Date: Mon, 27 Jan 2025 19:42:28 +0100 Subject: [PATCH 10/10] Fix typo in wiz-sensor service account name Signed-off-by: Mikkel Oscar Lyderik Larsen --- cluster/manifests/01-admission-control/config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/manifests/01-admission-control/config.yaml b/cluster/manifests/01-admission-control/config.yaml index e8634886e5..f87bb8d946 100644 --- a/cluster/manifests/01-admission-control/config.yaml +++ b/cluster/manifests/01-admission-control/config.yaml @@ -116,7 +116,7 @@ data: pod.pod-security-policy.privileged-service-accounts.{{ $sa }}: "" {{- end}} {{- if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true" }} - pod.pod-security-policy.privileged-service-accounts.wiz_wiz_sensor: "" + pod.pod-security-policy.privileged-service-accounts.wiz_wiz-sensor: "" {{- end }} pod.pod-security-policy.allowed-restricted-capabilities.AUDIT_WRITE: ""
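Review bot: The `node-ready.cluster.zalando.org/exclude: "true"` annotation added under the DaemonSet `metadata` in the `@@ -10,6 +10,8 @@` hunk has no comment saying that its level matters, which is the mistake this commit corrects. I would add above it `# must be set on the DaemonSet object; the pod-template annotation is not honoured by the node readiness check`, adjusted to whatever the checker actually inspects. Excluding the sensor also presumably lets a node report ready and accept workloads before wiz-sensor is running, so it is worth confirming that sensor pod availability is monitored separately. The `metadata` mapping begins outside the hunk.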
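Review bot: The corrected key `pod.pod-security-policy.privileged-service-accounts.wiz_wiz-sensor` is a hand-typed string that has to match the sensor's namespace and service account, and nothing at this spot says so. The format appears to be `<namespace>_<service-account>`, since `cluster/manifests/wiz/sensor-daemonset.yaml` in this series shows `namespace: wiz` and `serviceAccountName: wiz-sensor`. A comment such as `# key is <namespace>_<service-account>; keep in sync with wiz/sensor-daemonset.yaml` would make the next mismatch easier to catch in review. Because the entry allows privileged pods for that account, a misspelling either leaves the sensor without the permission or, in principle, names a different account than intended. The `data:` mapping starts outside the hunk.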