From df588c475916f31524d0a3eebc6cb4aab1cfc529 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 19 Jul 2023 10:56:56 -0400 Subject: [PATCH] fix: Avoid listing `PodSecurityPolicys` on versions greater than 1.25 since those have been removed --- Cargo.lock | 328 ++++++++----------- eksup/Cargo.toml | 4 +- eksup/src/k8s/findings.rs | 2 +- eksup/src/k8s/resources.rs | 51 ++- examples/eks-managed/main.tf | 6 +- examples/eks-managed/versions.tf | 4 +- examples/fargate-profile/main.tf | 6 +- examples/fargate-profile/versions.tf | 4 +- examples/mixed/main.tf | 33 +- examples/mixed/versions.tf | 4 +- examples/self-managed/main.tf | 6 +- examples/self-managed/versions.tf | 4 +- examples/test-mixed_v1.26_upgrade.md | 462 +++++++++++++++++++++++++++ 13 files changed, 681 insertions(+), 233 deletions(-) create mode 100644 examples/test-mixed_v1.26_upgrade.md diff --git a/Cargo.lock b/Cargo.lock index 09ccff2..f897240 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -83,7 +83,7 @@ version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5ca11d4be1bab0c8bc8734a9aa7bf4ee8316d462a08c6ac5052f888fef5b494b" dependencies = [ - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -93,14 +93,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "180abfa45703aebe0093f79badacc01b8fd4ea2e35118747e5811127f926e188" dependencies = [ "anstyle", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] name = "anyhow" -version = "1.0.71" +version = "1.0.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c7d0618f0e0b7e8ff11427422b64564d5fb0be1940354bfe2e0529b18a9d9b8" +checksum = "3b13c32d80ecc7ab747b80c3784bce54ee8a7a0cc4fbda9bf4cda2cf6fe90854" [[package]] name = "autocfg" 
@@ -600,9 +600,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.3.10" +version = "4.3.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "384e169cc618c613d5e3ca6404dda77a8685a63e08660dcc64abaf7da7cb0c7a" +checksum = "74bb1b4028935821b2d6b439bba2e970bdcf740832732437ead910c632e30d7d" dependencies = [ "clap_builder", "clap_derive", @@ -621,9 +621,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.3.10" +version = "4.3.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef137bbe35aab78bdb468ccfba75a5f4d8321ae011d34063770780545176af2d" +checksum = "5ae467cbb0111869b765e13882a1dbbd6cb52f58203d8b80c44f667d4dd19843" dependencies = [ "anstream", "anstyle", @@ -633,14 +633,14 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.3.2" +version = "4.3.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8cd2b2a819ad6eec39e8f1d6b53001af1e5469f8c177579cdaeb313115b825f" +checksum = "54a9bb5758fc5dfe728d1019941681eccaf0cf8a4189b692a0ee2f2ecf90a050" dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] @@ -673,9 +673,9 @@ checksum = "e496a50fda8aacccc86d7529e2c1e0892dbd0f898a6b5645b5561b89c3210efa" [[package]] name = "cpufeatures" -version = "0.2.8" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03e69e28e9f7f77debdedbaafa2866e1de9ba56df55a8bd7cfc724c25a09987c" +checksum = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1" dependencies = [ "libc", ] @@ -768,9 +768,9 @@ dependencies = [ [[package]] name = "dyn-clone" -version = "1.0.11" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68b0cf012f1230e43cd00ebb729c6bb58707ecfa8ad08b52ef3a4ccd2697fc30" +checksum = "304e6508efa593091e97a9abbc10f90aa7ca635b6d2784feff3c89d41dd12272" [[package]] name = "either" 
@@ -810,9 +810,9 @@ dependencies = [ [[package]] name = "equivalent" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "88bffebc5d80432c9b140ee17875ff173a8ab62faad5b257da912bd2f6c1c0a1" +checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" @@ -822,7 +822,7 @@ checksum = "4bcfec3a70f97c962c307b2d2c56e358cf1d00b558d74262b5f929ee8cc7e73a" dependencies = [ "errno-dragonfly", "libc", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -915,7 +915,7 @@ checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] @@ -1029,9 +1029,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "hermit-abi" -version = "0.3.1" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fed44880c466736ef9a5c5b5facefb5ed0785676d0c02d612db14e54f0d84286" +checksum = "443144c8cdadd93ebf52ddb4056d257f5b52c04d3c804e657d19eb73fc33668b" [[package]] name = "hex" @@ -1129,14 +1129,15 @@ dependencies = [ [[package]] name = "hyper-rustls" -version = "0.24.0" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0646026eb1b3eea4cd9ba47912ea5ce9cc07713d105b1a14698f4e6433d348b7" +checksum = "8d78e1e73ec14cf7375674f74d7dde185c8206fd9dea6fb6295e8a98098aaa97" dependencies = [ + "futures-util", "http", "hyper", "log", - "rustls 0.21.2", + "rustls 0.21.5", "rustls-native-certs", "tokio", "tokio-rustls 0.24.1", 
@@ -1248,13 +1249,13 @@ dependencies = [ [[package]] name = "is-terminal" -version = "0.4.8" +version = "0.4.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24fddda5af7e54bf7da53067d6e802dbcc381d0a8eef629df528e3ebf68755cb" +checksum = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b" dependencies = [ "hermit-abi", "rustix", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -1268,9 +1269,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.6" +version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "453ad9f582a441959e5f0d088b02ce04cfe8d51a8eaf077f12ac6d3e94164ca6" +checksum = "af150ab688ff2122fcef229be89cb50dd66af9e01a4ff320cc137eecc9bacc38" [[package]] name = "js-sys" @@ -1308,9 +1309,9 @@ dependencies = [ [[package]] name = "kube" -version = "0.83.0" +version = "0.84.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32f468b2fa6c5ef92117813238758f79e394c2d7688bd6faa3e77243f90260b0" +checksum = "14bd236a6f6ddeac3fefa2863eb4e363cb3a2c49d66619e181b5b8f8f0787575" dependencies = [ "k8s-openapi", "kube-client", @@ -1320,9 +1321,9 @@ dependencies = [ [[package]] name = "kube-client" -version = "0.83.0" +version = "0.84.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "337eb332d253036adc3247936248d0742c6c743f51eb38a684fd9b3b2878b27c" +checksum = "04a28620131ca89b2509e52f5e1b71bfa3e61a50321836b2ae373bc18e0309e6" dependencies = [ "base64 0.20.0", "bytes", @@ -1333,14 +1334,14 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-rustls 0.24.0", + "hyper-rustls 0.24.1", "hyper-timeout", "jsonpath_lib", "k8s-openapi", "kube-core", "pem", "pin-project", - "rustls 0.21.2", + "rustls 0.21.5", "rustls-pemfile", "secrecy", "serde", 
@@ -1356,9 +1357,9 @@ dependencies = [ [[package]] name = "kube-core" -version = "0.83.0" +version = "0.84.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f924177ad71936cfe612641b45bb9879890696d3c026f0846423529f4fa449af" +checksum = "8227a989f1eeee3bcbf045165d6aca462af3744ecd4dfdcfba81051fb7de428e" dependencies = [ "chrono", "form_urlencoded", @@ -1373,9 +1374,9 @@ dependencies = [ [[package]] name = "kube-derive" -version = "0.83.0" +version = "0.84.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ce7c7a14cf3fe567ca856de41db0d61394867675cfb0d65094c55f0fa2df2e0" +checksum = "19d227fcf3e12f53ea1a38d4766a8c29f8b27795579e4146464effb88d52dd99" dependencies = [ "darling", "proc-macro2", @@ -1444,7 +1445,7 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558" dependencies = [ - "regex-automata", + "regex-automata 0.1.10", ] [[package]] @@ -1476,7 +1477,7 @@ checksum = "927a765cd3fc26206e66b296465fa9d3e5ab003e651c1b3c060e7956d96b19d2" dependencies = [ "libc", "wasi", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -1611,9 +1612,9 @@ checksum = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94" [[package]] name = "pest" -version = "2.7.0" +version = "2.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f73935e4d55e2abf7f130186537b19e7a4abc886a0252380b59248af473a3fc9" +checksum = "0d2d1d55045829d65aad9d389139882ad623b33b904e7c9f1b10c5b8927298e5" dependencies = [ "thiserror", "ucd-trie", 
@@ -1621,9 +1622,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.7.0" +version = "2.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aef623c9bbfa0eedf5a0efba11a5ee83209c326653ca31ff019bec3a95bfff2b" +checksum = "5f94bca7e7a599d89dea5dfa309e217e7906c3c007fb9c3299c40b10d6a315d3" dependencies = [ "pest", "pest_generator", @@ -1631,22 +1632,22 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.7.0" +version = "2.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3e8cba4ec22bada7fc55ffe51e2deb6a0e0db2d0b7ab0b103acc80d2510c190" +checksum = "99d490fe7e8556575ff6911e45567ab95e71617f43781e5c05490dc8d75c965c" dependencies = [ "pest", "pest_meta", "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] name = "pest_meta" -version = "2.7.0" +version = "2.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a01f71cb40bd8bb94232df14b946909e14660e33fc05db3e50ae2a82d7ea0ca0" +checksum = "2674c66ebb4b4d9036012091b537aae5878970d6999f81a265034d85b136b341" dependencies = [ "once_cell", "pest", 
@@ -1655,29 +1656,29 @@ dependencies = [ [[package]] name = "pin-project" -version = "1.1.1" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e138fdd8263907a2b0e1b4e80b7e58c721126479b6e6eedfb1b402acea7b9bd" +checksum = "030ad2bc4db10a8944cb0d837f158bdfec4d4a4873ab701a95046770d11f8842" dependencies = [ "pin-project-internal", ] [[package]] name = "pin-project-internal" -version = "1.1.1" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1fef411b303e3e12d534fb6e7852de82da56edd937d895125821fb7c09436c7" +checksum = "ec2e072ecce94ec471b13398d5402c188e76ac03cf74dd1a975161b23a3f6d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] name = "pin-project-lite" -version = "0.2.9" +version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116" +checksum = "4c40d25201921e5ff0c862a505c6557ea88568a4e3ace775ab55e93f2f4f9d57" [[package]] name = "pin-utils" @@ -1717,18 +1718,18 @@ checksum = "dc375e1527247fe1a97d8b7156678dfe7c1af2fc075c9a4db3690ecd2a148068" [[package]] name = "proc-macro2" -version = "1.0.63" +version = "1.0.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b368fba921b0dce7e60f5e04ec15e565b3303972b42bcfde1d0713b881959eb" +checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9" dependencies = [ "unicode-ident", ] [[package]] name = "quote" -version = "1.0.29" +version = "1.0.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105" +checksum = "5fe8a65d69dd0808184ebb5f836ab526bb259db23c657efa38711b1072ee47f0" dependencies = [ "proc-macro2", ] 
@@ -1764,13 +1765,14 @@ dependencies = [ [[package]] name = "regex" -version = "1.8.4" +version = "1.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0ab3ca65655bb1e41f2a8c8cd662eb4fb035e67c3f78da1d61dffe89d07300f" +checksum = "b2eae68fc220f7cf2532e4494aded17545fce192d59cd996e0fe7887f4ceb575" dependencies = [ "aho-corasick", "memchr", - "regex-syntax 0.7.2", + "regex-automata 0.3.3", + "regex-syntax 0.7.4", ] [[package]] @@ -1782,6 +1784,17 @@ dependencies = [ "regex-syntax 0.6.29", ] +[[package]] +name = "regex-automata" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "39354c10dd07468c2e73926b23bb9c2caca74c5501e38a35da70406f1d923310" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax 0.7.4", +] + [[package]] name = "regex-syntax" version = "0.6.29" @@ -1790,9 +1803,9 @@ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1" [[package]] name = "regex-syntax" -version = "0.7.2" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "436b050e76ed2903236f032a59761c1eb99e1b0aead2c257922771dab1fc8c78" +checksum = "e5ea92a5b6195c6ef2a0295ea818b312502c6fc94dde986c5553242e18fd4ce2" [[package]] name = "ring" @@ -1836,7 +1849,7 @@ dependencies = [ "proc-macro2", "quote", "rust-embed-utils", - "syn 2.0.22", + "syn 2.0.26", "walkdir", ] @@ -1867,15 +1880,15 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.1" +version = "0.38.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbc6396159432b5c8490d4e301d8c705f61860b8b6c863bf79942ce5401968f3" +checksum = "0a962918ea88d644592894bc6dc55acc6c0956488adcebbfb6e273506b7fd6e5" dependencies = [ "bitflags 2.3.3", "errno", "libc", "linux-raw-sys", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] 
@@ -1892,9 +1905,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.21.2" +version = "0.21.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e32ca28af694bc1bbf399c33a516dbdf1c90090b8ab23c2bc24f834aa2247f5f" +checksum = "79ea77c539259495ce8ca47f53e66ae0330a8819f67e23ac96ca02f50e7b7d36" dependencies = [ "log", "ring", @@ -1925,9 +1938,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.100.1" +version = "0.101.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6207cd5ed3d8dca7816f8f3725513a34609c0c765bf652b8c3cb4cfd87db46b" +checksum = "15f36a6828982f422756984e47912a7a51dcbc2a197aa791158f8ca61cd8204e" dependencies = [ "ring", "untrusted", @@ -1935,9 +1948,9 @@ dependencies = [ [[package]] name = "ryu" -version = "1.0.13" +version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f91339c0467de62360649f8d3e185ca8de4224ff281f66000de5eb2a77a79041" +checksum = "1ad4cc8da4ef723ed60bced201181d83791ad433213d8c24efffda1eec85d741" [[package]] name = "same-file" @@ -1950,11 +1963,11 @@ dependencies = [ [[package]] name = "schannel" -version = "0.1.21" +version = "0.1.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "713cfb06c7059f3588fb8044c0fad1d09e3c01d225e25b9220dbfdcf16dbb1b3" +checksum = "0c3733bf4cf7ea0880754e19cb5a462007c4a8c1914bff372ccc95b464f1df88" dependencies = [ - "windows-sys 0.42.0", + "windows-sys", ] [[package]] @@ -1983,9 +1996,9 @@ dependencies = [ [[package]] name = "scopeguard" -version = "1.1.0" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] name = "sct" 
@@ -2032,21 +2045,21 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.17" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bebd363326d05ec3e2f532ab7660680f3b02130d780c299bca73469d521bc0ed" +checksum = "b0293b4b29daaf487284529cc2f5675b8e57c61f70167ba415a463651fd6a918" [[package]] name = "seq-macro" -version = "0.3.3" +version = "0.3.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e6b44e8fc93a14e66336d230954dda83d18b4605ccace8fe09bc7514a71ad0bc" +checksum = "a3f0bf26fd526d2a95683cd0f87bf103b8539e2ca1ef48ce002d67aad59aa0b4" [[package]] name = "serde" -version = "1.0.164" +version = "1.0.171" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e8c8cf938e98f769bc164923b06dce91cea1751522f46f8466461af04c9027d" +checksum = "30e27d1e4fd7659406c492fd6cfaf2066ba8773de45ca75e855590f856dc34a9" dependencies = [ "serde_derive", ] @@ -2063,13 +2076,13 @@ dependencies = [ [[package]] name = "serde_derive" -version = "1.0.164" +version = "1.0.171" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d9735b638ccc51c28bf6914d90a2e9725b377144fc612c49a611fddd1b631d68" +checksum = "389894603bd18c46fa56231694f8d827779c0951a667087194cf9de94ed24682" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] @@ -2085,9 +2098,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.99" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46266871c240a00b8f503b877622fe33430b3c7d963bdc0f2adc511e54a1eae3" +checksum = "d03b412469450d4404fe8499a268edd7f8b79fecb074b0d812ad64ca21f4031b" dependencies = [ "indexmap 2.0.0", "itoa", 
@@ -2097,9 +2110,9 @@ dependencies = [ [[package]] name = "serde_yaml" -version = "0.9.22" +version = "0.9.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "452e67b9c20c37fa79df53201dc03839651086ed9bbe92b3ca585ca9fdaa7d85" +checksum = "bd5f51e3fdb5b9cdd1577e1cb7a733474191b1aca6a72c2e50913241632c1180" dependencies = [ "indexmap 2.0.0", "itoa", @@ -2148,9 +2161,9 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0" +checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" [[package]] name = "socket2" @@ -2193,9 +2206,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.22" +version = "2.0.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2efbeae7acf4eabd6bcdcbd11c92f45231ddda7539edc7806bd1a04a03b24616" +checksum = "45c3457aacde3c65315de5031ec191ce46604304d2446e803d71ade03308d970" dependencies = [ "proc-macro2", "quote", @@ -2228,22 +2241,22 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.40" +version = "1.0.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "978c9a314bd8dc99be594bc3c175faaa9794be04a5a5e153caba6915336cebac" +checksum = "a35fc5b8971143ca348fa6df4f024d4d55264f3468c71ad1c2f365b0a4d58c42" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.40" +version = "1.0.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9456a42c5b0d803c8cd86e73dd7cc9edd429499f37a3550d286d5e86720569f" +checksum = "463fe12d7993d3b327787537ce8dd4dfa058de32fc2b195ef3cde03dc4771e8f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] 
@@ -2258,9 +2271,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.22" +version = "0.3.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ea9e1b3cf1243ae005d9e74085d4d542f3125458f3a81af210d901dcd7411efd" +checksum = "59e399c068f43a5d116fedaf73b203fa4f9c519f17e2b34f63221d3792f81446" dependencies = [ "serde", "time-core", @@ -2275,9 +2288,9 @@ checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb" [[package]] name = "time-macros" -version = "0.2.9" +version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "372950940a5f07bf38dbe211d7283c9e6d7327df53794992d293e534c733d09b" +checksum = "96ba15a897f3c86766b757e5ac7221554c6750054d74d5b28844fce5fb36a6c4" dependencies = [ "time-core", ] @@ -2299,7 +2312,7 @@ dependencies = [ "signal-hook-registry", "socket2", "tokio-macros", - "windows-sys 0.48.0", + "windows-sys", ] [[package]] @@ -2320,7 +2333,7 @@ checksum = "630bdcf245f78637c13ec01ffae6187cca34625e8c63150d424b59e55af2675e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] @@ -2340,7 +2353,7 @@ version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls 0.21.2", + "rustls 0.21.5", "tokio", ] @@ -2388,11 +2401,11 @@ dependencies = [ [[package]] name = "tower-http" -version = "0.4.1" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8bd22a874a2d0b70452d5597b12c537331d49060824a95f49f108994f94aa4c" +checksum = "7ac8060a61f8758a61562f6fb53ba3cbe1ca906f001df2e53cccddcdbee91e7c" dependencies = [ - "base64 0.20.0", + "base64 0.21.2", "bitflags 2.3.3", "bytes", "futures-core", @@ -2440,7 +2453,7 @@ checksum = "5f4f31f56159e98206da9efd823404b79b6ef3143b4a7ab76e67b1751b25a4ab" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", ] [[package]] 
@@ -2496,15 +2509,15 @@ checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba" [[package]] name = "ucd-trie" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e79c4d996edb816c91e4308506774452e55e95c3c9de07b6729e17e15a5ef81" +checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9" [[package]] name = "unicode-ident" -version = "1.0.9" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b15811caf2415fb889178633e7724bad2509101cde276048e013b9def5e51fa0" +checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c" [[package]] name = "unicode-width" @@ -2514,9 +2527,9 @@ checksum = "c0edd1e5b14653f783770bce4a4dabb4a5108a5370a5f5d8cfe8710c361f6c8b" [[package]] name = "unsafe-libyaml" -version = "0.2.8" +version = "0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1865806a559042e51ab5414598446a5871b561d21b6764f2eabb0dd481d880a6" +checksum = "f28467d3e1d3c6586d8f25fa243f544f5800fec42d97032474e17222c2b75cfa" [[package]] name = "untrusted" @@ -2600,7 +2613,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", "wasm-bindgen-shared", ] @@ -2622,7 +2635,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.22", + "syn 2.0.26", "wasm-bindgen-backend", "wasm-bindgen-shared", ] 
@@ -2693,21 +2706,6 @@ dependencies = [ "windows-targets", ] -[[package]] -name = "windows-sys" -version = "0.42.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7" -dependencies = [ - "windows_aarch64_gnullvm 0.42.2", - "windows_aarch64_msvc 0.42.2", - "windows_i686_gnu 0.42.2", - "windows_i686_msvc 0.42.2", - "windows_x86_64_gnu 0.42.2", - "windows_x86_64_gnullvm 0.42.2", - "windows_x86_64_msvc 0.42.2", -] - [[package]] name = "windows-sys" version = "0.48.0" 
@@ -2723,93 +2721,51 @@ version = "0.48.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "05d4b17490f70499f20b9e791dcf6a299785ce8af4d709018206dc5b4953e95f" dependencies = [ - "windows_aarch64_gnullvm 0.48.0", - "windows_aarch64_msvc 0.48.0", - "windows_i686_gnu 0.48.0", - "windows_i686_msvc 0.48.0", - "windows_x86_64_gnu 0.48.0", - "windows_x86_64_gnullvm 0.48.0", - "windows_x86_64_msvc 0.48.0", + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", ] -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" - [[package]] name = "windows_aarch64_gnullvm" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc" -[[package]] -name = "windows_aarch64_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" - [[package]] name = "windows_aarch64_msvc" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3" -[[package]] -name = "windows_i686_gnu" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" - [[package]] name = "windows_i686_gnu" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241" -[[package]] -name = "windows_i686_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" - [[package]] name = "windows_i686_msvc" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00" -[[package]] -name = "windows_x86_64_gnu" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" - [[package]] name = "windows_x86_64_gnu" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1" -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" - [[package]] name = "windows_x86_64_gnullvm" version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953" -[[package]] -name = "windows_x86_64_msvc" -version = "0.42.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" - [[package]] name = "windows_x86_64_msvc" version = "0.48.0" diff --git a/eksup/Cargo.toml b/eksup/Cargo.toml index 1946bbf..775ac4e 100644 --- a/eksup/Cargo.toml +++ b/eksup/Cargo.toml 
@@ -37,8 +37,8 @@ clap-verbosity-flag = "2.0"
 handlebars = { version = "4.3", features = ["rust-embed"] }
 itertools = "0.11"
 # https://kube.rs/kubernetes-version/
-k8s-openapi = { version = "0.18.0", default-features = false, features = ["v1_22"] }
-kube = { version = "0.83.0", default-features = false, features = [ "client", "derive", "rustls-tls" ] }
+k8s-openapi = { version = "0.18.0", default-features = false, features = ["v1_23"] }
+kube = { version = "0.84.0", default-features = false, features = [ "client", "derive", "rustls-tls" ] }
 rust-embed = { version = "6.4", features = ["compression"] }
 schemars = "0.8"
 seq-macro = "0.3"
diff --git a/eksup/src/k8s/findings.rs b/eksup/src/k8s/findings.rs
index 01e9847..d2c0530 100644
--- a/eksup/src/k8s/findings.rs
+++ b/eksup/src/k8s/findings.rs
@@ -45,7 +45,7 @@ pub async fn get_kubernetes_findings(
     .iter()
     .filter_map(|s| s.docker_socket(target_version))
     .collect();
-  let pod_security_policy = resources::get_podsecuritypolicies(client, target_version).await?;
+  let pod_security_policy = resources::get_podsecuritypolicies(client, target_version, cluster_version).await?;
   let kube_proxy_version_skew = checks::kube_proxy_version_skew(&nodes, &resources).await?;
   Ok(KubernetesFindings {
diff --git a/eksup/src/k8s/resources.rs b/eksup/src/k8s/resources.rs
index 146cd94..529a755 100644
--- a/eksup/src/k8s/resources.rs
+++ b/eksup/src/k8s/resources.rs
@@ -1,6 +1,6 @@
 use std::collections::BTreeMap;
-use anyhow::Result;
+use anyhow::{Context, Result};
 use k8s_openapi::api::{
   apps, batch,
   core::{self, v1::PodTemplateSpec},
@@ -10,6 +10,7 @@ use kube::{api::Api, Client, CustomResource};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use tabled::Tabled;
+use tracing::warn;
 use crate::{finding, k8s::checks, version};
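Review bot: The bump of the k8s-openapi feature from `v1_22` to `v1_23` is not explained beyond the kube.rs link above it, and that feature decides which Kubernetes API types exist at compile time, so a later bump can silently drop types the checks depend on (the removed PodSecurityPolicy API is the case this commit handles at runtime). A why-comment would make the pin deliberate, e.g. `# k8s-openapi feature = oldest cluster version eksup inspects; bumping it changes which API types compile`. Whether `v1_23` is the intended floor cannot be confirmed from this hunk.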
@@ -71,7 +72,7 @@ pub struct Node {
 pub async fn get_nodes(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let node_list = api.list(&Default::default()).await?;
+  let node_list = api.list(&Default::default()).await.context("Failed to list Nodes")?;
   Ok(
     node_list
@@ -99,14 +100,23 @@ pub async fn get_nodes(client: &Client) -> Result> {
 /// available IPs in the subnet(s) when custom networking is enabled
 pub async fn get_eniconfigs(client: &Client) -> Result> {
   let api = Api::::all(client.to_owned());
-  let eniconfigs: Vec = api.list(&Default::default()).await?.items;
+  let eniconfigs = match api.list(&Default::default()).await {
+    Ok(eniconfigs) => eniconfigs.items,
+    Err(_) => {
+      warn!("Failed to list ENIConfigs");
+      vec![]
+    },
+  };
   Ok(eniconfigs)
 }
 async fn get_deployments(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let deployment_list = api.list(&Default::default()).await?;
+  let deployment_list = api
+    .list(&Default::default())
+    .await
+    .context("Failed to list Deployments")?;
   let deployments = deployment_list
     .items
@@ -143,7 +153,10 @@ async fn get_deployments(client: &Client) -> Result> {
 async fn get_replicasets(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let replicaset_list = api.list(&Default::default()).await?;
+  let replicaset_list = api
+    .list(&Default::default())
+    .await
+    .context("Failed to list ReplicaSets")?;
   let replicasets = replicaset_list
     .items
@@ -183,7 +196,10 @@ async fn get_replicasets(client: &Client) -> Result> {
 async fn get_statefulsets(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let statefulset_list = api.list(&Default::default()).await?;
+  let statefulset_list = api
+    .list(&Default::default())
+    .await
+    .context("Failed to list StatefulSets")?;
   let statefulsets = statefulset_list
     .items
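Review bot: The new `Err(_)` arm in get_eniconfigs discards the error and returns an empty list, so an RBAC denial, a timeout or an API outage surfaces only as a bare warning and the ENIConfig-based findings come back empty without the caller knowing the listing was incomplete. At minimum the warning should carry the error, `Err(e) => { warn!("Failed to list ENIConfigs: {}", e); vec![] },`. If the intent is only to tolerate clusters where the ENIConfig CRD is not installed, matching that specific not-found case and propagating everything else with `.context("Failed to list ENIConfigs")?` like the sibling functions in this hunk would keep genuine failures visible.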
@@ -220,7 +236,10 @@ async fn get_statefulsets(client: &Client) -> Result> {
 async fn get_daemonsets(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let daemonset_list = api.list(&Default::default()).await?;
+  let daemonset_list = api
+    .list(&Default::default())
+    .await
+    .context("Failed to list DaemonSets")?;
   let daemonsets = daemonset_list
     .items
@@ -257,7 +276,7 @@ async fn get_daemonsets(client: &Client) -> Result> {
 async fn get_jobs(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let job_list = api.list(&Default::default()).await?;
+  let job_list = api.list(&Default::default()).await.context("Failed to list Jobs")?;
   let jobs = job_list
     .items
@@ -297,7 +316,7 @@ async fn get_jobs(client: &Client) -> Result> {
 async fn get_cronjobs(client: &Client) -> Result> {
   let api: Api = Api::all(client.to_owned());
-  let cronjob_list = api.list(&Default::default()).await?;
+  let cronjob_list = api.list(&Default::default()).await.context("Failed to list CronJobs")?;
   let cronjobs = cronjob_list
     .items
@@ -344,9 +363,19 @@ async fn get_cronjobs(client: &Client) -> Result> {
 pub(crate) async fn get_podsecuritypolicies(
   client: &Client,
   target_version: &str,
+  current_version: &str,
 ) -> Result> {
+  let current_version = version::parse_minor(current_version)?;
+  if current_version <= 25 {
+    // Pod Security Policy support is removed starting in 1.25
+    return Ok(vec![]);
+  }
+
   let api: Api = Api::all(client.to_owned());
-  let psp_list = api.list(&Default::default()).await?;
+  let psp_list = api
+    .list(&Default::default())
+    .await
+    .context("Failed to list PodSecurityPolicies")?;
   let target_version = version::parse_minor(target_version)?;
   let remediation = if target_version >= 25 {
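Review bot: The new guard in get_podsecuritypolicies, `if current_version <= 25`, skips the listing for every cluster at or below 1.25, which is the opposite of what the commit title and the comment on the following line say: PodSecurityPolicy is gone from 1.25 onward, so the API is absent on 1.25 and later, while the pre-1.25 clusters (the ones the `target_version >= 25` remediation further down is written for) are exactly the ones that still need to be checked. As written, a 1.24 cluster about to be upgraded gets an empty PSP finding, and a 1.26 cluster still attempts the list and fails with the new context error. The comparison should be `if current_version >= 25 {`. The body of the function continues past the end of the hunk.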
@@ -456,7 +485,7 @@ impl checks::K8sFindings for StdResource {
 fn min_ready_seconds(&self) -> Option {
 let resource = self.get_resource();
 
- if vec![Kind::CronJob, Kind::DaemonSet, Kind::Job].contains(&resource.kind) {
+ if [Kind::CronJob, Kind::DaemonSet, Kind::Job].contains(&resource.kind) {
 return None;
 }
 
diff --git a/examples/eks-managed/main.tf b/examples/eks-managed/main.tf
index b5f8bd3..34d29d7 100644
--- a/examples/eks-managed/main.tf
+++ b/examples/eks-managed/main.tf
@@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
 name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
 region = "us-east-1"
 
 vpc_cidr = "10.0.0.0/16"
@@ -37,7 +37,7 @@ locals {
 
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "~> 19.12"
+ version = "~> 19.15"
 
 cluster_name = local.name
 cluster_version = "1.${local.minor_version}"
@@ -81,7 +81,7 @@ module "eks" {
 
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 
 name = local.name
 cidr = local.vpc_cidr
diff --git a/examples/eks-managed/versions.tf b/examples/eks-managed/versions.tf
index aeb892f..ae8408b 100644
--- a/examples/eks-managed/versions.tf
+++ b/examples/eks-managed/versions.tf
@@ -4,11 +4,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
 }
 }
 }
diff --git a/examples/fargate-profile/main.tf b/examples/fargate-profile/main.tf
index 50a82da..ebc1b7e 100644
--- a/examples/fargate-profile/main.tf
+++ b/examples/fargate-profile/main.tf
@@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
 name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
 region = "us-east-1"
 
 vpc_cidr = "10.0.0.0/16"
@@ -37,7 +37,7 @@ locals {
 
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "~> 19.12"
+ version = "~> 19.15"
 
 cluster_name = local.name
 cluster_version = "1.${local.minor_version}"
@@ -75,7 +75,7 @@ module "eks" {
 
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 3.0"
+ version = "~> 5.0"
 
 name = local.name
 cidr = local.vpc_cidr
diff --git a/examples/fargate-profile/versions.tf b/examples/fargate-profile/versions.tf
index aeb892f..ae8408b 100644
--- a/examples/fargate-profile/versions.tf
+++ b/examples/fargate-profile/versions.tf
@@ -4,11 +4,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
 }
 }
 }
diff --git a/examples/mixed/main.tf b/examples/mixed/main.tf
index 59dcfd8..b249fd7 100644
--- a/examples/mixed/main.tf
+++ b/examples/mixed/main.tf
@@ -33,7 +33,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
 name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
 region = "us-east-1"
 
 vpc_cidr_nodes = "10.0.0.0/16"
@@ -52,7 +52,7 @@ locals {
 
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "~> 19.12"
+ version = "~> 19.15"
 
 cluster_name = local.name
 cluster_version = "1.${local.minor_version}"
@@ -60,19 +60,20 @@ module "eks" {
 cluster_addons = {
 coredns = {
- # aws eks describe-addon-versions --kubernetes-version 1.21 --addon-name coredns
+ # aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name coredns --query 'addons[*].addonVersions[*].addonVersion'
 addon_version = "v1.8.4-eksbuild.2"
 configuration_values = jsonencode({
 computeType = "Fargate"
 })
 }
 kube-proxy = {
- # aws eks describe-addon-versions --kubernetes-version 1.21 --addon-name kube-proxy
- addon_version = "v1.21.14-eksbuild.3"
+ # aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name kube-proxy --query 'addons[*].addonVersions[*].addonVersion'
+ addon_version = "v1.23.15-eksbuild.1"
 }
 vpc-cni = {
- # aws eks describe-addon-versions --kubernetes-version 1.21 --addon-name vpc-cni
- addon_version = "v1.11.3-eksbuild.3"
+ # aws eks describe-addon-versions --kubernetes-version 1.25 --addon-name vpc-cni --query 'addons[*].addonVersions[*].addonVersion'
+ addon_version = "v1.11.5-eksbuild.1"
+ before_compute = true
 configuration_values = jsonencode({
 env = {
 # Reference https://aws.github.io/aws-eks-best-practices/reliability/docs/networkmanagement/#cni-custom-networking
@@ -99,10 +100,10 @@ module "eks" {
 eks_managed_node_groups = {
 # This uses a custom launch template (custom as in module/user supplied)
 standard = {
- pre_bootstrap_user_data = <<-EOT
- #!/bin/bash
- echo "Hello from user data!"
- EOT
+ # pre_bootstrap_user_data = <<-EOT
+ # #!/bin/bash
+ # echo "Hello from user data!"
+ # EOT
 
 # To show pending changes
 update_launch_template_default_version = false
@@ -131,10 +132,10 @@ module "eks" {
 }
 
 different = {
- pre_bootstrap_user_data = <<-EOT
- #!/bin/bash
- echo "Hello from user data!"
- EOT
+ # pre_bootstrap_user_data = <<-EOT
+ # #!/bin/bash
+ # echo "Hello from user data!"
+ # EOT
 
 # To show pending changes
 instance_refresh = {}
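Review bot: In the `cluster_addons` block, `kube-proxy` is pinned at `v1.23.15-eksbuild.1` and `coredns` stays at `v1.8.4-eksbuild.2` while the comment above each now says to query versions for 1.25 and the cluster itself moves to 1.25 in this same commit; a reader will take that as a copy-paste mistake unless the file says the skew is deliberate. The new report in this commit flags exactly these two addons (EKS005) and the kube-proxy/kubelet skew (K8S011), so I assume the example is meant to exercise those findings; a comment such as `# Intentionally behind the control plane version so eksup reports an addon/skew finding` above each pinned version would make that explicit. In the two node-group hunks further down the file, the `pre_bootstrap_user_data` heredocs are commented out rather than removed; if they are no longer wanted, deleting them keeps the example free of dead configuration, and if they are kept for reference a short note on why would help.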
@@ -182,7 +183,7 @@ resource "kubectl_manifest" "eni_config" {
 
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 4.0"
+ version = "~> 5.0"
 
 name = local.name
 cidr = local.vpc_cidr_nodes
diff --git a/examples/mixed/versions.tf b/examples/mixed/versions.tf
index f9f63aa..912453c 100644
--- a/examples/mixed/versions.tf
+++ b/examples/mixed/versions.tf
@@ -4,11 +4,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
 }
 kubectl = {
 source = "gavinbunney/kubectl"
diff --git a/examples/self-managed/main.tf b/examples/self-managed/main.tf
index 2d332a6..ed72aba 100644
--- a/examples/self-managed/main.tf
+++ b/examples/self-managed/main.tf
@@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {}
 
 locals {
 name = "test-${basename(path.cwd)}"
- minor_version = 23
+ minor_version = 25
 region = "us-east-1"
 
 vpc_cidr = "10.0.0.0/16"
@@ -37,7 +37,7 @@ locals {
 
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "~> 19.5"
+ version = "~> 19.15"
 
 cluster_name = local.name
 cluster_version = "1.${local.minor_version}"
@@ -81,7 +81,7 @@ module "eks" {
 
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 3.0"
+ version = "~> 5.0"
 
 name = local.name
 cidr = local.vpc_cidr
diff --git a/examples/self-managed/versions.tf b/examples/self-managed/versions.tf
index aeb892f..ae8408b 100644
--- a/examples/self-managed/versions.tf
+++ b/examples/self-managed/versions.tf
@@ -4,11 +4,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.47"
+ version = ">= 5.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = ">= 2.10"
+ version = ">= 2.20"
 }
 }
 }
diff --git a/examples/test-mixed_v1.26_upgrade.md b/examples/test-mixed_v1.26_upgrade.md
new file mode 100644
index 0000000..4a4cf5c
--- /dev/null
+++ b/examples/test-mixed_v1.26_upgrade.md
@@ -0,0 +1,462 @@ +# EKS Cluster Upgrade + +| | Value | +| :------------------------- | :-------------------------------------------------------: | +| Amazon EKS cluster | `test-mixed` | +| Current version | `v1.25` | +| Target version | `v1.26` | +| EKS Managed nodegroup(s) | ✅ | +| Self-Managed nodegroup(s) | ✅ | +| Fargate profile(s) | ✅ | + +## Table of Contents + +- [Upgrade the Control Plane](#upgrade-the-control-plane) + - [Control Plane Pre-Upgrade](#control-plane-pre-upgrade) + - [Control Plane Upgrade](#control-plane-upgrade) +- [Upgrade EKS Addons](#upgrade-eks-addons) + - [Addon Pre-Upgrade](#addon-pre-upgrade) + - [Addon Upgrade](#addon-upgrade) +- [Upgrade the Data Plane](#upgrade-the-data-plane) + - [Data Plane Pre-Upgrade](#data-plane-pre-upgrade) + - [EKS Managed Nodegroup](#eks-managed-nodegroup) + - [Self-Managed Nodegroup](#self-managed-nodegroup) + - [Fargate Profile](#fargate-profile) +- [Post-Upgrade](#post-upgrade) +- [References](#references) + + +## Upgrade the Control Plane + +### Control Plane Pre-Upgrade + +1. Review the following resources for affected changes in the next version of Kubernetes: + + - ‼️ [Kubernetes `1.26` API deprecations](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#v1-26) + - ℹ️ [Kubernetes `1.26` release announcement](https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/) + - ℹ️ [EKS `1.26` release notes](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.26) + +2. Per the [Kubernetes version skew policy](https://kubernetes.io/releases/version-skew-policy/#supported-version-skew), the `kubelet` version must not be newer than `kube-apiserver`, and may be up to two minor versions older. It is recommended that the nodes in the data plane are aligned with the same minor version as the control plane before upgrading. + +
+ 📌 CLI Example + + Ensure you have updated your `kubeconfig` locally before executing the following commands: + + ```sh + aws eks update-kubeconfig --region us-east-1 --name test-mixed + ``` + + Control plane Kubernetes version: + + ```sh + kubectl version --short + + # Output (truncated) + Server Version: v1.23.14-eks-ffeb93d + ``` + + Node(s) Kubernetes version(s): + + ```sh + kubectl get nodes + + # Output + NAME STATUS ROLES AGE VERSION + fargate-ip-10-0-14-253.ec2.internal Ready 9h v1.23.14-eks-a1bebd3 ✅ # Ready to upgrade + fargate-ip-10-0-7-182.ec2.internal Ready 9h v1.23.14-eks-a1bebd3 ✅ # Ready to upgrade + ip-10-0-14-102.ec2.internal Ready 9h v1.22.15-eks-fb459a0 ⚠️ # Recommended to upgrade first + ip-10-0-27-61.ec2.internal Ready 9h v1.22.15-eks-fb459a0 ⚠️ # Recommended to upgrade first + ip-10-0-41-36.ec2.internal Ready 9h v1.21.14-eks-fb459a0 ❌ # Requires upgrade first + ``` +
+ + #### Check [[K8S001]](https://clowdhaus.github.io/eksup/info/checks/#k8s001) + | CHECK | | NODE | CONTROL PLANE | SKEW | QUANTITY | + |--------|----|-------|---------------|------|----------| + | K8S001 | ❌ | v1.24 | v1.25 | +1 | 2 | + | K8S001 | ❌ | v1.23 | v1.25 | +2 | 2 | + + | | NAME | NODE | CONTROL PLANE | SKEW | + |----|-----------------------------|-------|---------------|------| + | ❌ | ip-10-0-10-190.ec2.internal | v1.23 | v1.25 | +2 | + | ❌ | ip-10-0-28-10.ec2.internal | v1.24 | v1.25 | +1 | + | ❌ | ip-10-0-45-169.ec2.internal | v1.23 | v1.25 | +2 | + | ❌ | ip-10-0-5-172.ec2.internal | v1.24 | v1.25 | +1 | + + +3. Verify that there are at least 5 free IPs in the VPC subnets used by the control plane. Amazon EKS creates new elastic network interfaces (ENIs) in any of the subnets specified for the control plane. If there are not enough available IPs, then the upgrade will fail (your control plane will stay on the prior version). + +
+ 📌 CLI Example + + ```sh + aws ec2 describe-subnets --region us-east-1 --subnet-ids \ + $(aws eks describe-cluster --region us-east-1 --name test-mixed \ + --query 'cluster.resourcesVpcConfig.subnetIds' --output text) \ + --query 'Subnets[*].AvailableIpAddressCount' + ``` + +
+ + #### Check [[EKS001]](https://clowdhaus.github.io/eksup/info/checks/#eks001) + ✅ - There is sufficient IP space in the subnets provided + +4. Ensure the cluster is free of any health issues as reported by Amazon EKS. If there are any issues, resolution of those issues is required before upgrading the cluster. Note - resolution in some cases may require creating a new cluster. For example, if the cluster primary security group was deleted, at this time, the only course of remediation is to create a new cluster and migrate any workloads over to that cluster (treated as a blue/green cluster upgrade). + +
+ 📌 CLI Example + + ```sh + aws eks describe-cluster --region us-east-1 --name test-mixed \ + --query 'cluster.health' + ``` + +
+ + #### Check [[EKS002]](https://clowdhaus.github.io/eksup/info/checks/#eks002) + ✅ - There are no reported health issues on the cluster control plane + +5. Ensure the EKS addons in use are using a version that is supported by the intended target Kubernetes version. If an addon is not compatible with the intended target Kubernetes version, upgrade the addon to a version that is compatible before upgrading the cluster. + +
+ 📌 CLI Example + + ```sh + for ADDON in $(aws eks list-addons --cluster-name test-mixed \ + --region us-east-1 --query 'addons[*]' --output text); do + CURRENT=$(aws eks describe-addon --cluster-name test-mixed --region us-east-1 \ + --addon-name ${ADDON} --query 'addon.addonVersion' --output text) + LATEST=$(aws eks describe-addon-versions --region us-east-1 --addon-name ${ADDON} \ + --kubernetes-version 1.26 --query 'addons[0].addonVersions[0].addonVersion' --output text) + LIST=$(aws eks describe-addon-versions --region us-east-1 --addon-name ${ADDON} \ + --kubernetes-version 1.26 --query 'addons[0].addonVersions[*].addonVersion') + + echo "${ADDON} current version: ${CURRENT}" + echo "${ADDON} next latest version: ${LATEST}" + echo "${ADDON} next available versions: ${LIST}" + done + ``` + +
+ + #### Check [[EKS005]](https://clowdhaus.github.io/eksup/info/checks/#eks005) + | | NAME | CURRENT | LATEST | DEFAULT | + |----|------------|---------------------|--------------------|--------------------| + | ❌ | coredns | v1.8.4-eksbuild.2 | v1.9.3-eksbuild.5 | v1.9.3-eksbuild.2 | + | ❌ | kube-proxy | v1.23.15-eksbuild.1 | v1.26.6-eksbuild.2 | v1.26.2-eksbuild.1 | + + +5. Check Kubernetes API versions currently in use and ensure any versions that are removed in the next Kubernetes release are updated prior to upgrading the cluster. There are several open source tools that can help you identify deprecated API versions in your Kubernetes manifests. The following open source projects support scanning both your cluster as well as manifest files to identify deprecated and/or removed API versions: + + - https://github.com/FairwindsOps/pluto + - https://github.com/doitintl/kube-no-trouble + +### Control Plane Upgrade + +ℹ️ [Updating an Amazon EKS cluster Kubernetes version](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html) + +When upgrading the control plane, Amazon EKS performs standard infrastructure and readiness health checks for network traffic on the new control plane nodes to verify that they're working as expected. If any of these checks fail, Amazon EKS reverts the infrastructure deployment, and your cluster control plane remains on the prior Kubernetes version. Running applications aren't affected, and your cluster is never left in a non-deterministic or unrecoverable state. Amazon EKS regularly backs up all managed clusters, and mechanisms exist to recover clusters if necessary. + +1. Upgrade the control plane to the next Kubernetes minor version: + + ```sh + aws eks update-cluster-version --region us-east-1 --name test-mixed \ + --kubernetes-version 1.26 + ``` + +2. Wait for the control plane to finish upgrading before proceeding with any further modifications. The cluster status will change to `ACTIVE` once the upgrade is complete. 
+ + ```sh + aws eks describe-cluster --region us-east-1 --name test-mixed \ + --query 'cluster.status' + ``` + +## Upgrade the Data Plane + +### Data Plane Pre-Upgrade + +1. Ensure applications and services running on the cluster are setup for high-availability to minimize and avoid disruption during the upgrade process. + + 🚧 TODO - fill in analysis results + + #### Check [[K8S002]](https://clowdhaus.github.io/eksup/info/checks/#k8s002) + | | NAME | NAMESPACE | KIND | REPLICAS | + |----|---------|-------------|------------|----------| + | ❌ | coredns | kube-system | Deployment | 2 | + + + #### Check [[K8S003]](https://clowdhaus.github.io/eksup/info/checks/#k8s003) + | | NAME | NAMESPACE | KIND | SECONDS | + |---|---------|-------------|------------|---------| + | ⚠️ | coredns | kube-system | Deployment | 0 | + + + #### Check [[K8S004]](https://clowdhaus.github.io/eksup/info/checks/#k8s004) + 🚧 TODO + + #### Check [[K8S005]](https://clowdhaus.github.io/eksup/info/checks/#k8s005) + ✅ - All relevant Kubernetes workloads have either podAntiAffinity or topologySpreadConstraints set + + #### Check [[K8S006]](https://clowdhaus.github.io/eksup/info/checks/#k8s006) + ✅ - All relevant Kubernetes workloads have a readiness probe configured + + #### Check [[K8S007]](https://clowdhaus.github.io/eksup/info/checks/#k8s007) + ✅ - No StatefulSet workloads have a terminationGracePeriodSeconds set to more than 0 + + #### Check [[K8S008]](https://clowdhaus.github.io/eksup/info/checks/#k8s008) + ✅ - No relevant Kubernetes workloads are found to be utilizing the Docker socket + + #### Check [[K8S009]](https://clowdhaus.github.io/eksup/info/checks/#k8s009) + ✅ - No PodSecurityPolicys were found within the cluster + + #### Check [[K8S0011]](https://clowdhaus.github.io/eksup/info/checks/#k8s011) + | | KUBELET | KUBE PROXY | SKEW | + |----|---------|------------|------| + | ❌ | v1.24 | v1.23 | -1 | + | ❌ | v1.25 | v1.23 | -2 | + + +2. 
Inspect [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) before upgrading. Accounts that are multi-tenant or already have a number of resources provisioned may be at risk of hitting service quota limits which will cause the cluster upgrade to fail, or impede the upgrade process. + +3. Verify that there is sufficient IP space available to the pods running in the cluster when using custom networking. With the in-place, surge upgrade process, there will be higher IP consumption during the upgrade. + +
+ 📌 CLI Example + + Ensure you have updated your `kubeconfig` locally before executing the following commands: + + ```sh + aws eks update-kubeconfig --region us-east-1 --name test-mixed + ``` + + Get the number of available IPs in each subnet used by the custom networking `ENIConfig` resources: + ```sh + aws ec2 describe-subnets --region us-east-1 --subnet-ids \ + $(kubectl get ENIConfigs -n kube-system -o jsonpath='{.items[*].spec.subnet}') \ + --query 'Subnets[*].AvailableIpAddressCount' + ``` + +
+ + #### Check [[AWS002]](https://clowdhaus.github.io/eksup/info/checks/#aws002) + ✅ - There is sufficient IP space in the subnets provided + +#### EKS Managed Nodegroup + +ℹ️ [Updating a managed nodegroup](https://docs.aws.amazon.com/eks/latest/userguide/update-managed-node-group.html) + +ℹ️ [Managed nodegroup update behavior](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-update-behavior.html) + +The [nodegroup update config](https://docs.aws.amazon.com/eks/latest/APIReference/API_NodegroupUpdateConfig.html) supports updating multiple nodes, up to a max of 100 nodes, in parallel during an upgrade. It is recommended to start with an update configuration of 30% max unavailable percentage and adjust as necessary. Increasing this percentage will reduce the time to upgrade (until the max quota of 100 nodes is reached) but also increase the amount of churn within then nodegroup and therefore increasing the potential for disruption to services running on the nodes. Conversely, reducing the percentage will increase the time to upgrade but also reduce the amount of churn within the nodegroup and therefore reduce the potential for disruption to services running on the nodes. Users should test the impact of the update configuration on their workloads and adjust as necessary to balance between time to upgrade and potential risk for service disruption. + +The default update strategy for EKS managed nodegroups is a surge, rolling update which respects the pod disruption budgets for your cluster. Updates can fail if there's a pod disruption budget issue that prevents Amazon EKS from gracefully draining the pods that are running on the nodegroup, or if pods do not safely evict from the nodes within a 15 minute window after the node has been marked as cordoned and set to drain. To circumvent this, you can specify a force update which does *NOT* respect pod disruption budgets. Updates occur regardless of pod disruption budget issues by forcing node replacements. 
+ +##### Pre-Upgrade + +1. Ensure the EKS managed nodegroup(s) are free of any health issues as reported by Amazon EKS. If there are any issues, resolution of those issues is required before upgrading the cluster. + +
+ 📌 CLI Example + + ```sh + aws eks describe-nodegroup --region us-east-1 --cluster-name test-mixed \ + --nodegroup-name --query 'nodegroup.health' + ``` + +
+ + #### Check [[EKS003]](https://clowdhaus.github.io/eksup/info/checks/#eks003) + ✅ - There are no reported nodegroup health issues. + +2. Ensure the EKS managed nodegroup(s) do not have any pending updates and they are using the latest version of their respective launch templates. If the nodegroup(s) are not using the latest launch template, it is recommended to update to the latest to avoid accidentally introducing any additional and un-intended changes during the upgrade. + +
+ 📌 CLI Example + + ```sh + // TODO + ``` + +
+ + Check [[EKS006]](https://clowdhaus.github.io/eksup/info/checks/#eks006) + | | MANAGED NODEGROUP | LAUNCH TEMP ID | CURRENT | LATEST | + |---|-------------------------------------|----------------------|---------|--------| + | ⚠️ | standard-20230719142047772400000025 | lt-0c907965528ec45b1 | 1 | 2 | + + +##### Upgrade + +The following steps are applicable for each nodegroup in the cluster. + +Custom AMI: + + 1. Update the launch template, specifying the ID of an AMI that matches the control plane's Kubernetes version: + + ```sh + aws ec2 create-launch-template-version --region us-east-1 \ + --launch-template-id \ + --source-version --launch-template-data 'ImageId=' + ``` + + 2. Update the launch template version specified on the EKS managed nodegroup: + + ```sh + aws eks update-nodegroup-version --region us-east-1 --cluster-name test-mixed \ + --nodegroup-name --launch-template + ``` + + +EKS optimized AMI provided by Amazon EKS: + + 1. Update the Kubernetes version specified on the EKS managed nodegroup: + + ```sh + aws eks update-nodegroup-version --region us-east-1 --cluster-name test-mixed \ + --nodegroup-name --kubernetes-version 1.26 + ``` + +##### Process + +The following events take place when a nodegroup detects changes that require nodes to be cycled and replaced, such as upgrading the Kubernetes version or deploying a new AMI: + +For each node in the nodegroup: + - The node is cordoned so that Kubernetes does not schedule new Pods on it. + - The node is then drained while respecting the set `PodDisruptionBudget` and `GracefulTerminationPeriod` settings for pods for up to 15 minutes. + - The control plane reschedules Pods managed by controllers onto other nodes. Pods that cannot be rescheduled stay in the Pending phase until they can be rescheduled. + +The node pool upgrade process may take up to a few hours depending on the upgrade strategy, the number of nodes, and their workload configurations. 
Configurations that can cause a node upgrade to take longer to complete include: + + - A high value of `terminationGracePeriodSeconds` in a Pod's configuration. + - A conservative Pod Disruption Budget. + - Node affinity interactions + - Attached PersistentVolumes + +In the event that you encounter pod disruption budget issues or update timeouts due to pods not safely evicting from the nodes within the 15 minute window, you can force the update to proceed by adding the `--force` flag. + +#### Self-Managed Nodegroup + +ℹ️ [Self-managed node updates](https://docs.aws.amazon.com/eks/latest/userguide/update-workers.html) + +[Instance refresh](https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html) functionality provided by AWS Auto Scaling groups should be utilized on self-managed nodegroups in coordination with the [`node-termination-handler`](https://github.com/aws/aws-node-termination-handler) to gracefully migrate pods from instances scheduled for replacement when upgrading. Once the launch template has been updated with the new AMI ID, the Auto Scaling group will initiate the instance refresh cycle to rollout the replacement of instances to meet the new launch template specification. The `node-termination-handler` listens to the Auto Scaling group lifecycle events to intervene and gracefully migrate pods off of the instance(s) being replaced. When using EKS managed node groups, this functionality (rolling nodes with instance refresh and gracefully migrating pods with `node-termination-handler`) are provided by the service. + +A starting point for the instance refresh configuration is to use a value of 70% as the minimum healthy percentage and adjust as necessary. Lowering this value will allow more instances to be refreshed at once, however, it will also increase the risk of overwhelming the control plane with requests. 
Users should aim to replace no more than 100 instances at a time to match the behavior of EKS managed node groups and avoid overwhelming the control plane during an upgrade. + +##### Pre-Upgrade + +1. Ensure the self-managed nodegroup(s) do not have any pending updates and they are using the latest version of their respective launch templates. If the nodegroup(s) are not using the latest launch template, it is recommended to update to the latest to avoid accidentally introducing any additional and un-intended changes during the upgrade. + +
+ 📌 CLI Example + + ```sh + // TODO + ``` + +
+ + Check [[EKS007]](https://clowdhaus.github.io/eksup/info/checks/#eks007) + | | AUTOSCALING GROUP | LAUNCH TEMP ID | CURRENT | LATEST | + |---|--------------------------------------|----------------------|---------|--------| + | ⚠️ | different-20230719142047916300000029 | lt-02821351fdb1406e2 | 1 | 2 | + + +##### Upgrade + +1. Update the launch template, specifying the ID of an AMI that matches the control plane's Kubernetes version: + + ```sh + aws ec2 create-launch-template-version --region us-east-1 \ + --launch-template-id \ + --source-version --launch-template-data 'ImageId=' + ``` + + You can [retrieve the recommended EKS optimized AL2 AMI ID](https://docs.aws.amazon.com/eks/latest/userguide/retrieve-ami-id.html) by running the following command: + + ```sh + aws ssm get-parameter --region us-east-1 \ + --name /aws/service/eks/optimized-ami/1.26/amazon-linux-2/recommended/image_id \ + --query 'Parameter.Value' --output text + ``` + +2. Update the autoscaling-group to use the new launch template + + ```sh + aws autoscaling update-auto-scaling-group --region us-east-1 + --auto-scaling-group-name \ + --launch-template LaunchTemplateId=,Version='$Latest' + ``` + +3. Wait for the instance refresh to complete. From the [documentation](https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html#instance-refresh-how-it-works), here is what happens during the instance refresh: + + > Amazon EC2 Auto Scaling starts performing a rolling replacement of the instances. It takes a set of instances out of service, terminates them, and launches a set of instances with the new desired configuration. Then, it waits until the instances pass your health checks and complete warmup before it moves on to replacing other instances. + > + > After a certain percentage of the group is replaced, a checkpoint is reached. 
Whenever there is a checkpoint, Amazon EC2 Auto Scaling temporarily stops replacing instances, sends a notification, and waits for the amount of time you specified before continuing. After you receive the notification, you can verify that your new instances are working as expected. + > + > After the instance refresh succeeds, the Auto Scaling group settings are automatically updated with the configuration that you specified at the start of the operation. + +### Fargate Node + +ℹ️ [Fargate pod patching](https://docs.aws.amazon.com/eks/latest/userguide/fargate-pod-patching.html) + +#### Upgrade + +To update a Fargate node, you simply need to remove the existing node(s) and EKS will schedule new nodes using the appropriate Kubernetes version. +The Kubernetes version used by Fargate nodes is referenced from the control plane version at the time the node is created. Once the control plane has been updated, any new Fargate nodes created will use the latest patch version for the associated control plane version. + +1. To update the Fargate node(s) used, use the Kubernetes [eviction API](https://kubernetes.io/docs/concepts/scheduling-eviction/api-eviction/) to evict the node while respecting `PodDisruptionBudgets` and `terminationGracePeriodSeconds`. + + Ensure you have updated your `kubeconfig` locally before executing the following commands: + + ```sh + aws eks update-kubeconfig --region us-east-1 --name test-mixed + ``` + + Fargate nodes are identified by their `fargate-*` name prefix. + + ```sh + kubectl get nodes | grep '\bfargate-' + ``` + + Drain the node to ensure the `PodDisruptionBudgets` and `terminationGracePeriodSeconds` + + ```sh + kubectl drain --delete-emptydir-data + ``` + + +## Upgrade EKS Addons + +### Addon Pre-Upgrade + +1. Ensure the EKS addons in use are free of any health issues as reported by Amazon EKS. If there are any issues, resolution of those issues is required before upgrading the cluster. + +
+ 📌 CLI Example + + ```sh + aws eks describe-addon --region us-east-1 --cluster-name test-mixed \ + --addon-name --query 'addon.health' + ``` + +
+ + #### Check [[EKS004]](https://clowdhaus.github.io/eksup/info/checks/#eks004) + ✅ - There are no reported addon health issues. + +### Addon Upgrade + +1. Upgrade the addon to an appropriate version for the upgraded Kubernetes version: + + ```sh + aws eks update-addon --region us-east-1 --cluster-name test-mixed \ + --addon-name --addon-version + ``` + + You may need to add `--resolve-conflicts OVERWRITE` to the command if the addon has been modified since it was deployed to ensure the addon is upgraded. + +## Post Upgrade + +- Update applications running on the cluster +- Update tools that interact with the cluster (kubectl, awscli, etc.)