github aws/amazon-vpc-cni-k8s v1.22.1

What's Changed

Amazon VPC CNI v1.22.1 introduces enhanced subnet discovery, allowing customers to separate pod and node subnets and apply dedicated security groups to pods on secondary ENIs.

⚠️ IAM Policy Update Required

The enhanced subnet discovery feature (enabled by default with ENABLE_SUBNET_DISCOVERY=true) requires ec2:DescribeSubnets and ec2:DescribeSecurityGroups permissions.

Without these permissions, aws-node will fail to start (#3704, #3705).

Who needs to take action:

  • IPv6 clusters — the customer-managed IAM policy does not include ec2:DescribeSubnets or ec2:DescribeSecurityGroups
  • Third-party IAM management (Terraform, Pulumi, CDK, etc.) — if your tool manages the VPC CNI IAM role independently, add both permissions before upgrading

Add the following to your CNI IAM policy:

{
    "Effect": "Allow",
    "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
}

Note: The AWS managed policy AmazonEKS_CNI_Policy already includes both permissions. If you are using the managed policy on an IPv4 cluster, no action is needed.

Alternatively, if you do not need subnet discovery, you can set ENABLE_SUBNET_DISCOVERY=false to disable the feature and avoid the new permission requirement.
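An added pre-upgrade check, not part of this release or of the project's own tooling: an offline evaluator that reads an IAM policy document and reports which of the two required actions it does not grant, handling action wildcards, NotAction and explicit Deny. The sample policy, the script name and the decision to ignore Condition blocks are assumptions.

```python
import fnmatch
import json
import sys

# The two actions enhanced subnet discovery needs (from the release notes).
REQUIRED_ACTIONS = ("ec2:DescribeSubnets", "ec2:DescribeSecurityGroups")

def _as_list(value):
    """IAM allows a bare string, a single object or a list for Statement/Action/Resource."""
    return [] if value is None else ([value] if isinstance(value, (str, dict)) else list(value))

def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction and Resource apply to `action`."""
    # ec2:Describe* calls carry no resource ARN, so only Resource "*" can match them.
    if "*" not in _as_list(stmt.get("Resource")):
        return False
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))

def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant; an explicit Deny wins over Allow.
    Condition blocks are ignored, so a granted action may still be blocked by one."""
    stmts = _as_list(policy_doc.get("Statement"))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample: a minimal IPv6-style CNI policy written before v1.22.1.
SAMPLE_IPV6_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:AssignIpv6Addresses", "ec2:DescribeInstances", "ec2:DescribeTags",
        "ec2:DescribeNetworkInterfaces", "ec2:DescribeInstanceTypes"]},
    {"Effect": "Allow", "Action": "ec2:CreateTags",
     "Resource": "arn:aws:ec2:*:*:network-interface/*"},
]}

if __name__ == "__main__":
    # Usage: python check_cni_policy.py [policy.json]; defaults to the sample above.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_IPV6_POLICY
    gaps = missing_actions(doc)
    print("missing: " + ", ".join(gaps) if gaps else "ok: both Describe actions are granted")
```

Run it against the policy document your IaC tool attaches to the aws-node role (for example the output of `aws iam get-policy-version`) before upgrading; an empty result means the v1.22.1 requirement is already met.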

Subnet Discovery

VPC CNI now supports advanced subnet selection for secondary ENIs:

  • Tag subnets with kubernetes.io/role/cni=1 to include them for pod ENI allocation
  • Tag subnets with kubernetes.io/role/cni=0 to exclude them (including the node's primary subnet)
  • Tag security groups with kubernetes.io/role/cni=1 to apply custom security groups to ENIs in secondary subnets
  • Use cni.networking.k8s.aws/cluster/<cluster-name> tags to scope subnets to specific clusters in multi-cluster VPCs

This feature is enabled by default via ENABLE_SUBNET_DISCOVERY=true.

Features

  • Enhanced subnet discovery with subnet exclusion, custom security groups, and cluster-specific tags (#3463, @dshehbaj, @haouc)
  • Migrate subnet cluster tag prefix to cni.networking.k8s.aws/cluster/ and fix primary subnet exclusion logic (#3647, @haouc)

Full Changelog: v1.21.2...v1.22.1

To manually apply this release:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.22/config/master/aws-k8s-cni.yaml

Note that the following regions use different manifests:

us-gov-east-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.22/config/master/aws-k8s-cni-us-gov-east-1.yaml

us-gov-west-1:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.22/config/master/aws-k8s-cni-us-gov-west-1.yaml

cn:

kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/refs/heads/release-1.22/config/master/aws-k8s-cni-cn.yaml

To apply this release using helm:
Follow the installation instructions in https://github.com/aws/amazon-vpc-cni-k8s/blob/release-1.22/charts/aws-vpc-cni/README.md#installing-the-chart

Verify the update:

$ kubectl describe daemonset aws-node -n kube-system | grep Image | cut -d "/" -f 2-3
amazon-k8s-cni-init:v1.22.1
amazon-k8s-cni:v1.22.1
amazon/aws-network-policy-agent:v1.3.5
