Workload cluster release aws-33.1.0 for CAPA
Updates Kubernetes to v1.33.6 and Flatcar to v4459.2.1, and upgrades various components.
Changes compared to v33.0.1
Components
- cluster-aws from v6.2.0 to v6.4.1
- Flatcar from v4230.2.3 to v4459.2.1
- Kubernetes from v1.33.5 to v1.33.6
- os-tooling from v1.26.1 to v1.26.2
cluster-aws v6.2.0…v6.4.1
Added
- This change will roll the nodes on Karpenter node pools: attach the `lb` security group to Karpenter nodes.
- This change will roll the nodes on Karpenter node pools: name instances on AWS after the node pool name.
- Add node-problem-detector-app, disabled by default.
Changed
- Tidy up dependencies on `azs-getter`.
- Make `global.baseDomain` and `global.managementCluster` required values. These values will be passed to the chart when deploying it from the `cluster-app-installation-values` ConfigMap in the `default` namespace.
- Extract required values to their own central file to avoid repeating the `required` keyword and error messages. This is normally done automatically by a Kyverno policy.
- Change the default root disk size for Karpenter node pools. Karpenter will choose the cheapest instances, and certain instances, like `g6f.xlarge`, come with drivers that require a larger disk.
- Chart: Update `cluster` to v4.3.0.
Apps
- aws-ebs-csi-driver from v3.2.0 to v3.3.0
- aws-pod-identity-webhook from v2.0.0 to v2.1.0
- cert-exporter from v2.9.12 to v2.9.14
- cert-manager from v3.9.3 to v3.9.4
- cilium from v1.3.1 to v1.3.2
- etcd-defrag from v1.2.1 to v1.2.3
- etcd-k8s-res-count-exporter from v1.10.9 to v1.10.11
- k8s-audit-metrics from v0.10.8 to v0.10.10
- karpenter-crossplane-resources from v0.4.0 to v0.5.1
- node-exporter from v1.20.7 to v1.20.9
- observability-policies from v0.0.2 to v0.0.3
- security-bundle from v1.13.1 to v1.15.0
- teleport-kube-agent from v0.10.6 to v0.10.7
aws-ebs-csi-driver v3.2.0…v3.3.0
Changed
- Chart: Sync to upstream. (#338)
- Chart: Update AWS EBS CSI Driver from v1.41.0 to v1.51.0.
- Chart: ⚠️ URGENT: XFS Compatibility Issue - Newly formatted XFS volumes may fail to mount on nodes with older kernels (Amazon Linux 2). Use `node.legacyXFS: true` as a workaround.
- Chart: ⚠️ URGENT: Controller Health Checks - The controller now performs AWS API dry-run checks. Ensure proper IAM permissions and network connectivity.
- Chart: ⚠️ URGENT: StorageClass Parameter Deprecation - The `blockExpress` parameter is deprecated for `io2` volumes (they now always use the 256,000 IOPS cap).
- Chart: Add support for creating instant, point-in-time copies of EBS volumes within the same Availability Zone.
- Chart: Add `debugLogs` parameter for maximum verbosity logging and debugging.
- Chart: Add `metadataSources` configuration option for node metadata handling.
- Chart: Add `disableMutation` parameter for service account mutation control.
- Chart: Add support for updating a node's max attachable volume count via the `MutableCSINodeAllocatableCount` feature gate (Kubernetes 1.33+).
- Chart: Update dependencies including AWS SDK, Prometheus, and various Go modules.
- Chart: Add missing `enablePrometheusAnnotations` values for controller and node components.
- Chart: Update sidecar container versions:
  - csi-provisioner: v5.2.0 → v5.3.0
  - csi-attacher: v4.8.1 → v4.9.0
  - csi-snapshotter: v8.2.1 → v8.3.0
  - livenessprobe: v2.14.0 → v2.16.0
  - csi-resizer: v1.13.2 → v1.14.0
  - csi-node-driver-registrar: v2.13.0 → v2.14.0
  - volume-modifier-for-k8s: v0.5.1 → v0.8.0
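As an added pre-upgrade check for the three URGENT items above (example code written for these notes, not part of the release or of the aws-ebs-csi-driver project), the script below reads the JSON that `kubectl get storageclass -o json` and `kubectl get nodes -o json` produce and reports StorageClasses that still carry the deprecated `blockExpress` parameter, plus Amazon Linux 2 nodes on a cluster whose Helm values do not set `node.legacyXFS: true`. The sample objects are constructed inline so it runs offline; the assumption that Amazon Linux 2 nodes report `osImage` as exactly `Amazon Linux 2` is ours, not the page's.

```python
"""Pre-upgrade audit for the aws-ebs-csi-driver v1.51.0 caveats.

Added example, not code from the release notes or from the EBS CSI driver
project. Input is the JSON shape of `kubectl get storageclass -o json` and
`kubectl get nodes -o json`; the documents below are constructed inline.
"""
import json

EBS_PROVISIONER = "ebs.csi.aws.com"


def block_express_classes(sc_list: dict) -> list[tuple[str, str]]:
    """(name, type) of EBS StorageClasses that still set the deprecated
    blockExpress parameter. io2 now always gets the 256,000 IOPS cap, so the
    parameter should be dropped from the manifest before the upgrade."""
    hits = []
    for sc in sc_list.get("items", []):
        if sc.get("provisioner") != EBS_PROVISIONER:
            continue  # other CSI drivers are out of scope
        params = sc.get("parameters") or {}
        if "blockExpress" in params:
            hits.append((sc["metadata"]["name"], params.get("type", "")))
    return hits


def amazon_linux_2_nodes(node_list: dict) -> list[str]:
    """Nodes whose OS image reports Amazon Linux 2 (not Amazon Linux 2023).
    Assumption: the kubelet reports the image as the string "Amazon Linux 2"."""
    names = []
    for node in node_list.get("items", []):
        os_image = node["status"]["nodeInfo"].get("osImage", "")
        if os_image == "Amazon Linux 2" or os_image.startswith("Amazon Linux 2 "):
            names.append(node["metadata"]["name"])
    return names


def legacy_xfs_enabled(values: dict) -> bool:
    """True only if the chart values set node.legacyXFS to boolean true."""
    return (values.get("node") or {}).get("legacyXFS") is True


def audit(sc_json: str, nodes_json: str, values: dict) -> dict:
    """Collect the findings an admin should act on before rolling the driver."""
    sc_list = json.loads(sc_json)
    node_list = json.loads(nodes_json)
    al2 = amazon_linux_2_nodes(node_list)
    return {
        "deprecated_block_express": block_express_classes(sc_list),
        "amazon_linux_2_nodes": al2,
        # Old-kernel nodes exist and the workaround is not configured.
        "needs_legacy_xfs": bool(al2) and not legacy_xfs_enabled(values),
    }


# Constructed sample input (not taken from a real cluster).
SAMPLE_STORAGECLASSES = json.dumps({"items": [
    {"metadata": {"name": "fast-io2"}, "provisioner": EBS_PROVISIONER,
     "parameters": {"type": "io2", "iops": "64000", "blockExpress": "true"}},
    {"metadata": {"name": "gp3-default"}, "provisioner": EBS_PROVISIONER,
     "parameters": {"type": "gp3", "csi.storage.k8s.io/fstype": "xfs"}},
    {"metadata": {"name": "nfs"}, "provisioner": "nfs.csi.k8s.io",
     "parameters": {"blockExpress": "true"}},  # not EBS, must be ignored
]})

SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "ip-10-0-1-10"},
     "status": {"nodeInfo": {"osImage": "Amazon Linux 2"}}},
    {"metadata": {"name": "ip-10-0-1-11"},
     "status": {"nodeInfo": {"osImage": "Amazon Linux 2023.6.20241121"}}},
    {"metadata": {"name": "ip-10-0-1-12"},
     "status": {"nodeInfo": {"osImage": "Flatcar Container Linux by Kinvolk 4459.2.1 (Oklo)"}}},
]})

SAMPLE_VALUES = {"node": {}}  # legacyXFS not set

if __name__ == "__main__":
    for key, value in audit(SAMPLE_STORAGECLASSES, SAMPLE_NODES, SAMPLE_VALUES).items():
        print(f"{key}: {value}")
```

On a real cluster, pipe `kubectl get storageclass -o json` and `kubectl get nodes -o json` into the two JSON arguments; the controller dry-run health check from the second URGENT item is not covered here because it needs live AWS API access.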
aws-pod-identity-webhook v2.0.0…v2.1.0
Changed
- Set VPA `minAllowed` CPU to 50m. Otherwise VPA will set the CPU to tiny values that cause CPU throttling.
cert-exporter v2.9.12…v2.9.14
Changed
- Go: Update dependencies.
- Go: Update dependencies.
cert-manager v3.9.3…v3.9.4
Added
- Add E2E tests using apptest-framework for automated PR testing across multiple providers (CAPA, CAPV, CAPZ, CAPVCD).
  - Basic test suite: Validates fresh installations
  - Upgrade test suite: Tests upgrade scenarios and certificate reconciliation
- Add certificate issuance integration test to cluster-test-suites.
Changed
- Upgrade cert-manager to v1.18.2.
cilium v1.3.1…v1.3.2
Changed
- Upgrade Cilium to v1.18.4.
etcd-defrag v1.2.1…v1.2.3
Changed
- Chart: Update dependency ahrtr/etcd-defrag to v0.36.0. (#69)
- Chart: Update dependency ahrtr/etcd-defrag to v0.35.0. (#64)
etcd-k8s-res-count-exporter v1.10.9…v1.10.11
Changed
- Go: Update dependencies.
- Go: Update dependencies.
k8s-audit-metrics v0.10.8…v0.10.10
Changed
- Go: Update dependencies.
- Go: Update dependencies.
karpenter-crossplane-resources v0.4.0…v0.5.1
Added
- Add new Helm value to configure the workers IAM role. When Karpenter launches worker instances, it will attach the worker instance profile.
Fixed
- Default the `iam:PassRole` resource to the old worker role ARN (the one used before Crossplane started managing the IAM roles) when `workersIamRole` is not provided. This is needed to make our test automation work regardless of the version of this app used.
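The fix above keeps `iam:PassRole` scoped to one concrete worker role ARN rather than a wildcard. As an added illustration (example code for these notes, not part of the karpenter-crossplane-resources project), the script below lints a controller policy for `iam:PassRole` statements whose `Resource` covers every role, and builds the scoped statement a practitioner would want instead. The account ID, role name and both policy documents are constructed placeholders.

```python
"""Lint an IAM policy for an unscoped iam:PassRole grant.

Added example, not code from the release notes or from the
karpenter-crossplane-resources project. Account ID, role names and the
policies below are constructed placeholders.
"""
import json

PASS_ROLE = "iam:passrole"


def _as_list(value) -> list:
    """IAM allows Action/Resource/Statement as a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_pass_role(action: str) -> bool:
    """Does an Allow action cover iam:PassRole? Matches the literal action,
    "iam:*", "*", and prefix wildcards such as "iam:Pass*" (case-insensitive)."""
    a = action.lower()
    if a in (PASS_ROLE, "iam:*", "*"):
        return True
    return a.startswith("iam:") and a.endswith("*") and PASS_ROLE.startswith(a[:-1])


def unscoped_pass_role(policy: dict) -> list[int]:
    """Indices of Allow statements that let the principal pass *any* role.
    With Resource "*" (or ".../role/*") on iam:PassRole, whoever holds the
    controller's credentials can launch instances under any role in the
    account, which is the classic PassRole privilege-escalation path."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_pass_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        resources = _as_list(stmt.get("Resource"))
        if any(r == "*" or r.endswith("role/*") for r in resources):
            findings.append(i)
    return findings


def scoped_pass_role_statement(worker_role_arn: str) -> dict:
    """Least-privilege form: exactly one role, and only passable to EC2."""
    return {
        "Sid": "PassWorkerRoleToEC2",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": worker_role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
    }


# Constructed sample: a controller policy before and after scoping.
WORKER_ROLE_ARN = "arn:aws:iam::123456789012:role/nodes-example-cluster"  # placeholder
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:CreateFleet"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetInstanceProfile"], "Resource": "*"},
    ],
}
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        LOOSE_POLICY["Statement"][0],
        scoped_pass_role_statement(WORKER_ROLE_ARN),
        LOOSE_POLICY["Statement"][2],
    ],
}

if __name__ == "__main__":
    print("loose policy, unscoped PassRole statements:", unscoped_pass_role(LOOSE_POLICY))
    print("tight policy, unscoped PassRole statements:", unscoped_pass_role(TIGHT_POLICY))
    print(json.dumps(scoped_pass_role_statement(WORKER_ROLE_ARN), indent=2))
```

The `iam:PassedToService` condition is the second half of the scoping: even with the right ARN, the role should only be passable to EC2, which is all Karpenter needs when it attaches the worker instance profile.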
node-exporter v1.20.7…v1.20.9
Changed
- Go: Update dependencies.
- Go: Update dependencies.
observability-policies v0.0.2…v0.0.3
Fixed
- Add missing RBAC for `kyverno-report-controller`.
security-bundle v1.13.1…v1.15.0
Added
- Add `kubescape` (app) version v0.0.4.
Changed
- Update `kyverno` (app) to v0.21.1.
- Update `kyverno-crds` (app) to v1.15.0.
- Update `kyverno` (app) to v0.20.1.
- Update `kyverno-crds` (app) to v1.14.0.
- Update `kyverno-policies` (app) to v0.24.0.
- Update `reports-server` (app) to v0.0.3.
teleport-kube-agent v0.10.6…v0.10.7
Added
- Add `ephemeral-storage` requests and limits to satisfy the Kyverno policy `require-emptydir-requests-and-limits`.
Changed
- Enable upstream-provided Prometheus PodMonitor to scrape metrics from Teleport Kube Agent pods.