Release notes for Cluster API Provider AWS (CAPA) v2.8.1
There is no v2.8.0 GitHub release due to issues during the release process.
Changelog since v2.7.1
Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
- Action required
Bump CAPI to v1.9.z
!! ACTION REQUIRED BEFORE UPGRADING !!
If you are using the AWSManagedControlPlane to provision EKS clusters and you do not have a spec.Version specified in that resource (meaning you are relying on the default that AWS provides), you will need to either:
a) explicitly set the spec.Version field before upgrading CAPA
or b) disable the MachineSetPreflightChecks in your cluster, either:
b1) by setting this core CAPI feature gate to false
b2) or by disabling it via the relevant annotation on all the MachineSets belonging to said cluster (follow this guide on how to do this: https://cluster-api.sigs.k8s.io/tasks/experimental-features/machineset-preflight-checks).
This is necessary because core CAPI 1.9 introduces a feature gate change, setting MachineSetPreflightChecks=true by default, which in turn relies on the presence of spec.Version and status.Version on the AWSManagedControlPlane object.
We are planning a future refactor of these API fields in v1beta3 (#3853).
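As an added illustration (not part of the release notes or the CAPA templates), option (a) looks like this as a manifest. The Go field spec.Version is `version` in YAML; the cluster name, region and the "v1.31" version are placeholders:

```yaml
# Added example: pin the EKS control plane version explicitly so that the
# MachineSet preflight checks enabled by default in core CAPI 1.9 can read
# spec.version / status.version on this object.
# Name, namespace, region and "v1.31" are placeholders.
apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: AWSManagedControlPlane
metadata:
  name: my-eks-control-plane
  namespace: default
spec:
  region: eu-west-1
  version: "v1.31"
```

For option (b2), the linked CAPI guide's annotation can be applied per MachineSet with `kubectl annotate machineset <name> machineset.cluster.x-k8s.io/skip-preflight-checks=All`; for option (b1), the core CAPI controller manager is started with `--feature-gates=MachineSetPreflightChecks=false` (when installing with clusterctl this is driven by the `EXP_MACHINE_SET_PREFLIGHT_CHECKS` variable). Prefer (a): it keeps the version-skew checks in place, whereas (b1)/(b2) switch off a safety check for the whole cluster or MachineSet.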
Other places where you can find details on this are:
- Action required
From this release onwards we recommend not creating clusters using the classic ELB (which is the default for the API). Classic ELB support is deprecated and will be removed in a future version.
For new and existing clusters that use a classic ELB AND do not specify the health check protocol, the protocol will be changed/set to TCP instead of SSL.
If you want to use a classic ELB with an SSL health check, you will need to specify the cipher suites to use in the KubeadmControlPlane:
```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: "${CLUSTER_NAME}-control-plane"
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          cloud-provider: external
          # This is needed for Kubernetes v1.30+ since else it uses the Go defaults which don't
          # work with AWS classic load balancers, see
          # https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/5139. If you use
          # another load balancer type such as NLB, this is not needed.
          #
          # The list consists of the secure ciphers from Go 1.23.3, plus some less secure
          # RSA ciphers which the AWS classic load balancer instance health check supports.
          tls-cipher-suites: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
```
- If deploying clusters to an existing VPC (not managed by the AWS provider), the provider will no longer automatically create a security group rule allowing traffic from all addresses (0.0.0.0/0). You may need to update AWSCluster.spec.controlPlaneLoadBalancer.ingressRules with the source address of your Management Cluster. (#5198, @sl1pm4t)
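The following AWSCluster is an added example, not a CAPA template, that follows both of the load balancer notes above: it selects an NLB with an HTTPS health check instead of the deprecated classic ELB, and, because the VPC is brought by the user, lists the management cluster's source CIDR explicitly instead of relying on the 0.0.0.0/0 rule that is no longer created. Field names are those of the CAPA v1beta2 AWSCluster API; the cluster name, region, VPC ID and the 203.0.113.0/24 CIDR are placeholders:

```yaml
# Added example (not from the release notes). Names, region, the VPC ID and
# the 203.0.113.0/24 CIDR are placeholders to be replaced with real values.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSCluster
metadata:
  name: my-cluster
  namespace: default
spec:
  region: eu-west-1
  network:
    vpc:
      # Existing (unmanaged) VPC: from v2.8.1 CAPA no longer adds an
      # allow-from-0.0.0.0/0 rule to the API server load balancer security group.
      id: vpc-0123456789abcdef0
  controlPlaneLoadBalancer:
    # NLB + HTTPS health check, as the v2.8 templates now do (#5345).
    # This sidesteps the classic ELB's SSL health check, so the API server's
    # tls-cipher-suites do not have to be widened with CBC suites.
    loadBalancerType: nlb
    healthCheckProtocol: HTTPS
    # Least privilege replacement for the removed 0.0.0.0/0 rule: only the
    # sources that must reach the API server are admitted.
    ingressRules:
      - description: "Kubernetes API from the management cluster"
        protocol: tcp
        fromPort: 6443
        toPort: 6443
        cidrBlocks:
          - 203.0.113.0/24   # placeholder: egress/NAT CIDR of the management cluster
```

After applying, confirm the effect rather than assuming it: inspect the security group CAPA tags for the `apiserver-lb` role in the VPC and check that no rule with source 0.0.0.0/0 on the API port exists, and that the management cluster can still reach the workload cluster's API server endpoint. Operators and CI runners that previously relied on the open rule will need their own entry in ingressRules.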
Changes by Kind
Support
- Add devbox and devcontainer configuration (#5301, @faermanj)
- Update metadata file for v2.7.0 release. (#5187, @richardcase)
- Update metadata for release v2.8.x (#5397, @richardcase)
API Change
- Adds optional Conditions field to Status for AWSManagedCluster, ROSACluster. Sets Paused condition when reconciliation is paused (Contract change) (#5394, @theobarberbany)
Feature
- Add AWSMachines to back the EC2 instances in AWSMachinePools and AWSManagedMachinePools (#5319, @AndiDog)
- Add ROSA-HCP version channel group for Machine Pools (#5332, @PanSpagetka)
- Add VolumeSize parameter for RosaMachinePool. (#5270, @PanSpagetka)
- Add flag to support BootstrapSelfManagedAddons to provision Bare EKS cluster without default addons (coreDNS, kube-proxy, aws-vpc-cni) (#5222, @jas-nik)
- Add support for creating instances with elastic fabric adapter interface type. (#5275, @RadekManak)
- Avoid reconciling AWSMachinePools when only the status field has changed (#5333, @fiunchinho)
- Introduce the --disable-controllers argument to the controller manager binary. (#5395, @nrb)
- Log AWS account being used when the e2e tests run. (#5250, @richardcase)
- Support running EC2 instances from a reserved capacity block (new API field marketType), i.e. marketType: capacity-block (#5211, @athiruma)
- Templates: start explicitly using NLB (Network Load Balancer) + HTTPS checks for the Control Plane Load Balancer (#5345, @damdo)
- Wait for AWSCluster dependent object to be deleted (#5365, @alexander-demicev)
Documentation
- Fix typo on table of feature gates (#5273, @Rudro-25)
- Release notes include reminder to update Prow jobs. (#5204, @richardcase)
- Update links to new 2025 meeting notes doc (#5277, @richardcase)
Failing Test
- Fix the EFS & classic elb e2e tests. (#5418, @richardcase)
- Remove CoreDNS check from EKS e2e after a change by AWS to EKS. (#5239, @nrb)
- Updates to e2e tests to stop using v1.23 (#5297, @richardcase)
- Upgrade to CAPI 1.8.6 (#5249, @nrb)
Bug or Regression
- Fixed adding a secondary load balancer to an existing AWS cluster (#5248, @alexeysofin)
- Filter out AWS internal tags when reconciling AWS infra (#5181, @fiunchinho)
- Fix OIDC unit test after test runner go version change. (#5352, @richardcase)
- Fix ROSA doc formatting (#5324, @mzazrivec)
- Fix cluster deletion when using BYO AWS infra mode and Secondary CIDR (#5291, @adriananeci)
- Fix delay in reconciliation caused by patching wrong object with new paused condition. (#5425, @richardcase)
- Fix nil pointer dereference in reconcileNodegroupVersion by adding a check for nodegroup version. (#5019, @nueavv)
- Fix self hosted e2e test caused by disk pressure. (#5288, @richardcase)
- Fix subnet sorting with multiple vpcs when launching an instance (#5114, @cnmcavoy)
- Fix: Include AddOn configuration and conflict resolution for reconciliation (#5199, @gutmensch)
- Fixed RosaMachinePool typo. (#5244, @tinaafitz)
- Remove placeholder CA bundles from webhook configuration to support Kubernetes 1.31. (#5197, @robinkb)
- Tags defined in subnet spec should be applied (#5175, @fiunchinho)
- Use different names for controllers watching AWSCluster objects (#5313, @AndiDog)
Other (Cleanup or Flake)
- Update PR verifier to be inline with upstream CAPI. (#5300, @richardcase)
Uncategorized
- Add ROSA-HCP version channel group (#5279, @serngawy)
- Feat: enable support for service account authentication in ROSA installations (#5233, @mzazrivec)
- Fixed a few typos. (#5238, @tinaafitz)
- Set Paused condition on reconciled resources status upon pausing reconciliation (CAPI provider contract change) (#5383, @theobarberbany)
- Update ROSA upgrade documentation (#5235, @serngawy)
The images for this release are:
docker pull registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:${VERSION}
Thanks to all our contributors.