Upgrade AWS VPC CNI to 1.7.0

[moshevayner]

https://github.com/aws/amazon-vpc-cni-k8s/releases/tag/v1.7.0

[rifelpet]

I'm wondering what this means exactly in their release notes:

... Because of these changes, upgrades should not be done by just editing the image tag.

Does that mean we should change the updateStrategy to OnDelete? their example manifest has rollingUpdate so we might want to get clarification on that.

[moshevayner]

I'm wondering what this means exactly in their release notes:

... Because of these changes, upgrades should not be done by just editing the image tag.

Does that mean we should change the updateStrategy to OnDelete? their example manifest has rollingUpdate so we might want to get clarification on that.

Actually, the current manifest already includes it.
I basically pulled the current manifest from https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.7/config/v1.7/aws-k8s-cni.yaml and did a side-by-side comparison with the changes. This is why there are more changes than just the usual image tag update.

** UPDATE **
Re-reading your comment, I think what they meant is that we should also make sure our manifest is aligned with their example that you mentioned, because it does include a bunch of other changes, mostly to the ENVs and Volumes.
I guess that's what they meant by "don't only update the image tag"?

[rifelpet]

ahh, my interpretation was "there are changes to the startup sequence which means you shouldnt upgrade the cni pod on an existing node"

I think your interpretation makes more sense. There are additional changes to the manifest beyond just the image tag bump.

Regardless, our prow jobs don't test upgrade scenarios so we may want to test upgrading an existing cluster from 1.6.X to 1.7.0 just to confirm.

[moshevayner]

Good point.
I'll create a test cluster with this version and make sure it works as expected.
Once confirmed it's good, I'll post an update here. Until then -
/hold

[moshevayner]

OK, I've just rebuilt the release branch locally with the changes from this PR and built a test cluster.
Everything seems to be operating as expected:

Pods output:

$ kubectl get pods -n kube-system -l k8s-app=aws-node
NAME             READY   STATUS    RESTARTS   AGE
aws-node-2lk6j   1/1     Running   0          109s
aws-node-5d28c   1/1     Running   0          5m11s
aws-node-sltgb   1/1     Running   0          9m7s

Logs output:

$ stern -n kube-system aws-node
+ aws-node-sltgb › aws-node
+ aws-node-2lk6j › aws-node
+ aws-node-5d28c › aws-node
aws-node-sltgb aws-node {"level":"info","ts":"2020-08-20T03:09:55.581Z","caller":"entrypoint.sh","msg":"Install CNI binary.."}
aws-node-sltgb aws-node {"level":"info","ts":"2020-08-20T03:09:55.601Z","caller":"entrypoint.sh","msg":"Starting IPAM daemon in the background ... "}
aws-node-sltgb aws-node {"level":"info","ts":"2020-08-20T03:09:55.615Z","caller":"entrypoint.sh","msg":"Checking for IPAM connectivity ... "}
aws-node-sltgb aws-node {"level":"info","ts":"2020-08-20T03:09:57.652Z","caller":"entrypoint.sh","msg":"Copying config file ... "}
aws-node-sltgb aws-node {"level":"info","ts":"2020-08-20T03:09:57.655Z","caller":"entrypoint.sh","msg":"Successfully copied CNI plugin binary and config file."}
aws-node-sltgb aws-node {"level":"info","ts":"2020-08-20T03:09:57.656Z","caller":"entrypoint.sh","msg":"Foregrounding IPAM daemon ..."}
aws-node-2lk6j aws-node {"level":"info","ts":"2020-08-20T03:17:14.216Z","caller":"entrypoint.sh","msg":"Install CNI binary.."}
aws-node-2lk6j aws-node {"level":"info","ts":"2020-08-20T03:17:14.234Z","caller":"entrypoint.sh","msg":"Starting IPAM daemon in the background ... "}
aws-node-2lk6j aws-node {"level":"info","ts":"2020-08-20T03:17:14.249Z","caller":"entrypoint.sh","msg":"Checking for IPAM connectivity ... "}
aws-node-2lk6j aws-node {"level":"info","ts":"2020-08-20T03:17:16.267Z","caller":"entrypoint.sh","msg":"Copying config file ... "}
aws-node-2lk6j aws-node {"level":"info","ts":"2020-08-20T03:17:16.270Z","caller":"entrypoint.sh","msg":"Successfully copied CNI plugin binary and config file."}
aws-node-2lk6j aws-node {"level":"info","ts":"2020-08-20T03:17:16.271Z","caller":"entrypoint.sh","msg":"Foregrounding IPAM daemon ..."}
aws-node-5d28c aws-node {"level":"info","ts":"2020-08-20T03:13:51.861Z","caller":"entrypoint.sh","msg":"Install CNI binary.."}
aws-node-5d28c aws-node {"level":"info","ts":"2020-08-20T03:13:51.879Z","caller":"entrypoint.sh","msg":"Starting IPAM daemon in the background ... "}
aws-node-5d28c aws-node {"level":"info","ts":"2020-08-20T03:13:51.892Z","caller":"entrypoint.sh","msg":"Checking for IPAM connectivity ... "}
aws-node-5d28c aws-node {"level":"info","ts":"2020-08-20T03:13:53.909Z","caller":"entrypoint.sh","msg":"Copying config file ... "}
aws-node-5d28c aws-node {"level":"info","ts":"2020-08-20T03:13:53.911Z","caller":"entrypoint.sh","msg":"Successfully copied CNI plugin binary and config file."}
aws-node-5d28c aws-node {"level":"info","ts":"2020-08-20T03:13:53.912Z","caller":"entrypoint.sh","msg":"Foregrounding IPAM daemon ..."}

Validating the version:

$ kubectl describe ds aws-node -n kube-system | grep Image | cut -d ":" -f 2-3
        602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.7.0
      602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.7.0

So looks like we're good to go.
/hold cancel

[rifelpet]

👍 thanks for checking that

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MoShitrit, rifelpet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rifelpet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment