chore: Release v1.9.0 (#8938)

Co-authored-by: StableRelease <StableRelease@users.noreply.github.com>
Co-authored-by: Sarthak Umarani <sarthnu@amazon.com>

Author: 3 people

charts/karpenter-crd/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: karpenter-crd
 description: A Helm chart for Karpenter Custom Resource Definitions (CRDs).
 type: application
-version: 1.8.1
-appVersion: 1.8.1
+version: 1.9.0
+appVersion: 1.9.0
 keywords:
   - cluster
   - node

charts/karpenter/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: karpenter
 description: A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes.
 type: application
-version: 1.8.1
-appVersion: 1.8.1
+version: 1.9.0
+appVersion: 1.9.0
 keywords:
   - cluster
   - node

charts/karpenter/README.md

@@ -2,7 +2,7 @@
 
 A Helm chart for Karpenter, an open-source node provisioning project built for Kubernetes.
 
-![Version: 1.8.1](https://img.shields.io/badge/Version-1.8.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
+![Version: 1.9.0](https://img.shields.io/badge/Version-1.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
 
 ## Documentation
 
@@ -15,7 +15,7 @@ You can follow the detailed installation instruction in the [documentation](http
 ```bash
 helm upgrade --install --namespace karpenter --create-namespace \
   karpenter oci://public.ecr.aws/karpenter/karpenter \
-  --version 1.8.1 \
+  --version 1.9.0 \
   --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=${KARPENTER_IAM_ROLE_ARN}" \
   --set settings.clusterName=${CLUSTER_NAME} \
   --set settings.interruptionQueue=${CLUSTER_NAME} \
@@ -27,13 +27,13 @@ helm upgrade --install --namespace karpenter --create-namespace \
 As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
 
 ```shell
-cosign verify public.ecr.aws/karpenter/karpenter:1.8.1 \
+cosign verify public.ecr.aws/karpenter/karpenter:1.9.0 \
   --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
   --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
   --certificate-github-workflow-repository=aws/karpenter-provider-aws \
   --certificate-github-workflow-name=Release \
-  --certificate-github-workflow-ref=refs/tags/v1.8.1 \
-  --annotations version=1.8.1
+  --certificate-github-workflow-ref=refs/tags/v1.9.0 \
+  --annotations version=1.9.0
 ```
 
 ## Values
@@ -49,9 +49,9 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.8.1 \
 | controller.envFrom | list | `[]` |  |
 | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts for the controller container. |
 | controller.healthProbe.port | int | `8081` | The container port to use for http health probe. |
-| controller.image.digest | string | `"sha256:41c28a606cbad86869384ff8ae8345203b63f81612b6fcfd2e136197dccc03ef"` | SHA256 digest of the controller image. |
+| controller.image.digest | string | `"sha256:30a506c64fbb1d8026cbfd9a1d662be3ab6e33a7999290a104085d78b49a69d7"` | SHA256 digest of the controller image. |
 | controller.image.repository | string | `"public.ecr.aws/karpenter/controller"` | Repository path to the controller image. |
-| controller.image.tag | string | `"1.8.1"` | Tag of the controller image. |
+| controller.image.tag | string | `"1.9.0"` | Tag of the controller image. |
 | controller.metrics.port | int | `8080` | The container port to use for metrics. |
 | controller.resources | object | `{}` | Resources for the controller container. |
 | controller.securityContext.appArmorProfile | object | `{}` | AppArmor profile for the controller container. |
@@ -90,7 +90,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.8.1 \
 | serviceMonitor.endpointConfig | object | `{}` | Configuration on `http-metrics` endpoint for the ServiceMonitor. Not to be used to add additional endpoints. See the Prometheus operator documentation for configurable fields https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#endpoint |
 | serviceMonitor.metricRelabelings | list | `[]` | Metric relabelings for the `http-metrics` endpoint on the ServiceMonitor. For more details on metric relabelings, see: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs |
 | serviceMonitor.relabelings | list | `[]` | Relabelings for the `http-metrics` endpoint on the ServiceMonitor. For more details on relabelings, see: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config |
-| serviceMonitor.sampleLimit | int | `nil` | Set a sampleLimit on the ServiceMonitor. By default, no limit is set. For more information, see: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file |
+| serviceMonitor.sampleLimit | string | `nil` | Specifies the sampleLimit for prometheus scrapes. Per-scrape limit on the number of scraped samples that will be accepted. If more than this number of samples are present after metric relabeling the entire scrape will be treated as failed. 0 means no limit. |
 | settings | object | `{"batchIdleDuration":"1s","batchMaxDuration":"10s","clusterCABundle":"","clusterEndpoint":"","clusterName":"","disableClusterStateObservability":false,"disableDryRun":false,"eksControlPlane":false,"featureGates":{"nodeOverlay":false,"nodeRepair":false,"reservedCapacity":true,"spotToSpotConsolidation":false,"staticCapacity":false},"ignoreDRARequests":true,"interruptionQueue":"","isolatedVPC":false,"minValuesPolicy":"Strict","preferencePolicy":"Respect","reservedENIs":"0","vmMemoryOverheadPercent":0.075}` | Global Settings to configure Karpenter |
 | settings.batchIdleDuration | string | `"1s"` | The maximum amount of time with no new ending pods that if exceeded ends the current batching window. If pods arrive faster than this time, the batching window will be extended up to the maxDuration. If they arrive slower, the pods will be batched separately. |
 | settings.batchMaxDuration | string | `"10s"` | The maximum length of a batch window. The longer this is, the more pods we can consider for provisioning at one time which usually results in fewer but larger nodes. |
@@ -101,7 +101,7 @@ cosign verify public.ecr.aws/karpenter/karpenter:1.8.1 \
 | settings.disableDryRun | bool | `false` | Disable dry run validation for EC2NodeClasses. |
 | settings.eksControlPlane | bool | `false` | Marking this true means that your cluster is running with an EKS control plane and Karpenter should attempt to discover cluster details from the DescribeCluster API. |
 | settings.featureGates | object | `{"nodeOverlay":false,"nodeRepair":false,"reservedCapacity":true,"spotToSpotConsolidation":false,"staticCapacity":false}` | Feature Gate configuration values. Feature Gates will follow the same graduation process and requirements as feature gates in Kubernetes. More information here https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-alpha-or-beta-features. |
-| settings.featureGates.nodeOverlay | bool | `false` | nodeOverlay is ALPHA and is disabled by default. Setting this will allow the use of node overlay to impact scheduling decisions  |
+| settings.featureGates.nodeOverlay | bool | `false` | nodeOverlay is ALPHA and is disabled by default. Setting this will allow the use of node overlay to impact scheduling decisions |
 | settings.featureGates.nodeRepair | bool | `false` | nodeRepair is ALPHA and is disabled by default. Setting this to true will enable node repair. |
 | settings.featureGates.reservedCapacity | bool | `true` | reservedCapacity is BETA and is enabled by default. Setting this will enable native on-demand capacity reservation support. |
 | settings.featureGates.spotToSpotConsolidation | bool | `false` | spotToSpotConsolidation is ALPHA and is disabled by default. Setting this to true will enable spot replacement consolidation for both single and multi-node consolidation. |

charts/karpenter/values.yaml

@@ -126,9 +126,9 @@ controller:
     # -- Repository path to the controller image.
     repository: public.ecr.aws/karpenter/controller
     # -- Tag of the controller image.
-    tag: 1.8.1
+    tag: 1.9.0
     # -- SHA256 digest of the controller image.
-    digest: sha256:41c28a606cbad86869384ff8ae8345203b63f81612b6fcfd2e136197dccc03ef
+    digest: sha256:30a506c64fbb1d8026cbfd9a1d662be3ab6e33a7999290a104085d78b49a69d7
   # -- Additional environment variables for the controller pod.
   env: []
   # - name: AWS_REGION

hack/docs/compatibilitymatrix_gen/compatibility.yaml

@@ -81,3 +81,7 @@ compatibility:
   - appVersion: 1.8.x
     minK8sVersion: 1.26
     maxK8sVersion: 1.34
+
+  - appVersion: 1.9.x
+    minK8sVersion: 1.26
+    maxK8sVersion: 1.35

website/content/en/docs/concepts/disruption.md

@@ -173,11 +173,19 @@ Pod disruption budgets may be used to rate-limit application disruption.
 
 ### Expiration
 
-A node is expired once it's lifetime exceeds the duration set on the owning NodeClaim's `spec.expireAfter` field.
+Expiration is a forceful disruption method that begins draining a node immediately once its lifetime exceeds the duration set on the owning NodeClaim's `spec.expireAfter` field.
 Changes to `spec.template.spec.expireAfter` on the owning NodePool will not update the field for existing NodeClaims - it will induce NodeClaim drift and the replacements will have the updated value.
 Expiration can be used, in conjunction with [`terminationGracePeriod`](#terminationgraceperiod), to enforce a maximum Node lifetime.
 By default, `expireAfter` is set to `720h` (30 days).
 
+{{% alert title="Note" color="primary" %}}
+The `expireAfter` field defines the **maximum** node lifetime (upper bound), not a guaranteed minimum.
+Nodes can be disrupted earlier than the `expireAfter` duration by other disruption methods such as [Drift]({{<ref "#drift" >}}), [Consolidation]({{<ref "#consolidation" >}}), or [Emptiness]({{<ref "#consolidation" >}}) if their [disruption budgets]({{<ref "#nodepool-disruption-budgets" >}}) allow.
+For example, a NodePool with `expireAfter: 720h` (30 days) can still have nodes terminated earlier if the node becomes drifted due to an AMI update and the disruption budget permits drift-based disruptions.
+
+To enforce a true maximum node lifetime that cannot be shortened by other disruption methods, use `expireAfter` in combination with carefully configured disruption budgets that limit or prevent other disruption reasons.
+{{% /alert %}}
+
 {{% alert title="Warning" color="warning" %}}
 Misconfigured PDBs and pods with the `karpenter.sh/do-not-disrupt` annotation may block draining indefinitely.
 For this reason, it is not recommended to set `expireAfter` without also setting `terminationGracePeriod` **if** your cluster has pods with the `karpenter.sh/do-not-disrupt` annotation.

website/content/en/docs/concepts/nodeclasses.md

@@ -527,6 +527,15 @@ max-pods = 110
 </powershell>
 ```
 
+### Windows2025
+
+```powershell
+<powershell>
+[string]$EKSBootstrapScriptFile = "$env:ProgramFiles\Amazon\EKS\Start-EKSBootstrap.ps1"
+& $EKSBootstrapScriptFile -EKSClusterName 'test-cluster' -APIServerEndpoint 'https://test-cluster' -Base64ClusterCA 'ca-bundle' -KubeletExtraArgs '--node-labels="karpenter.sh/capacity-type=on-demand,karpenter.sh/nodepool=test" --max-pods=110' -DNSClusterIP '10.100.0.10'
+</powershell>
+```
+
 ### Custom
 
 The `Custom` AMIFamily ships without any default userData to allow you to configure custom bootstrapping for control planes or images that don't support the default methods from the other families. For this AMIFamily, kubelet must add the taint `karpenter.sh/unregistered:NoExecute` via the `--register-with-taints` flag ([flags](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options)) or the KubeletConfiguration spec ([options](https://kubernetes.io/docs/reference/config-api/kubelet-config.v1/#kubelet-config-k8s-io-v1-CredentialProviderConfig) and [docs](https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/)). Karpenter will fail to register nodes that do not have this taint.
@@ -744,6 +753,7 @@ An `alias` term can be used to select EKS-optimized AMIs. An `alias` is formatte
 * `bottlerocket`
 * `windows2019`
 * `windows2022`
+* `windows2025`
 
 The version string can be set to `latest`, or pinned to a specific AMI using the format of that AMI's GitHub release tags.
 For example, AL2 and AL2023 use dates for their release, so they can be pinned as follows:
@@ -1055,7 +1065,7 @@ spec:
         encrypted: true
 ```
 
-### Windows2019/Windows2022
+### Windows2019/Windows2022/Windows2025
 ```yaml
 spec:
   blockDeviceMappings:
@@ -1492,7 +1502,7 @@ This allows the container to take ownership of devices allocated to the pod via
 
 This setting helps you enable Neuron workloads on Bottlerocket instances. See [Accelerators/GPU Resources]({{< ref "./scheduling#acceleratorsgpu-resources" >}}) for more details.
 
-### Windows2019/Windows2022
+### Windows2019/Windows2022/Windows2025
 
 * Your UserData must be specified as PowerShell commands.
 * The UserData specified will be prepended to a Karpenter managed section that will bootstrap the kubelet.

website/content/en/docs/concepts/nodeoverlays.md

@@ -36,7 +36,7 @@ spec:
       operator: In
       values: ["spot"]
     - key: karpenter.k8s.aws/instance-cpu 
-      operator: Gt
+      operator: Gte
       values: ["32"]
 
   # Price and priceAdjustment are mutually exclusive