zalando-incubator
diff --git a/‎cluster/cluster.yaml
Lines changed: 15 additions & 0 deletions b/‎cluster/cluster.yaml
Lines changed: 15 additions & 0 deletions
diff --git a/‎cluster/config-defaults.yaml
Lines changed: 23 additions & 14 deletions b/‎cluster/config-defaults.yaml
Lines changed: 23 additions & 14 deletions
diff --git a/‎cluster/manifests/01-coredns-local/daemonset-coredns.yaml
Lines changed: 1 addition & 1 deletion b/‎cluster/manifests/01-coredns-local/daemonset-coredns.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎cluster/manifests/02-admission-control/config.yaml
Lines changed: 5 additions & 1 deletion b/‎cluster/manifests/02-admission-control/config.yaml
Lines changed: 5 additions & 1 deletion
diff --git a/‎cluster/manifests/02-admission-control/deployment.yaml
Lines changed: 1 addition & 1 deletion b/‎cluster/manifests/02-admission-control/deployment.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎cluster/manifests/02-admission-control/teapot.yaml
Lines changed: 10 additions & 0 deletions b/‎cluster/manifests/02-admission-control/teapot.yaml
Lines changed: 10 additions & 0 deletions
diff --git a/‎cluster/manifests/03-kube-aws-iam-controller/deployment.yaml
Lines changed: 1 addition & 1 deletion b/‎cluster/manifests/03-kube-aws-iam-controller/deployment.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎cluster/manifests/04-ebs-csi/controller.yaml
Lines changed: 2 additions & 2 deletions b/‎cluster/manifests/04-ebs-csi/controller.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎cluster/manifests/04-ebs-csi/node.yaml
Lines changed: 1 addition & 1 deletion b/‎cluster/manifests/04-ebs-csi/node.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎cluster/manifests/deployment-service/controller-statefulset.yaml
Lines changed: 1 addition & 1 deletion b/‎cluster/manifests/deployment-service/controller-statefulset.yaml
Lines changed: 1 addition & 1 deletion
@@ -252,6 +252,21 @@ Resources:
       KubernetesGroups:
       - zalando:administrator
       Type: "STANDARD"
+{{- if eq .Cluster.Environment "e2e" }}
+  EKSAccessEntryManualAdministratorAuth:
+    Type: "AWS::EKS::AccessEntry"
+    Properties:
+      AccessPolicies:
+      - AccessScope:
+          Type: "cluster"
+        PolicyArn: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+      ClusterName: !Ref EKSCluster
+      PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/Manual"
+      Username: !Sub "arn:aws:sts::${AWS::AccountId}:assumed-role/Manual/{{`{{SessionName}}`}}"
+      KubernetesGroups:
+      - zalando:administrator
+      Type: "STANDARD"
+{{- end }}
   EKSAddonPodIdentityAgent:
     Type: AWS::EKS::Addon
     Properties:
 
@@ -41,6 +41,12 @@ karpenter_max_pods_per_node: "32"
 # Our AMI configured RAID0 at boot.
 karpenter_instance_storage_raid0: "true"
 
+# configure whether karpenter node pools only allow instances supporting
+# in-transit encryption
+# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/data-protection.html#encryption-transit
+# Can be set cluster wide or per node pool
+karpenter_in_transit_support_required: "false"
+
 # ALB config created by kube-aws-ingress-controller
 kube_aws_ingress_controller_ssl_policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
 kube_aws_ingress_controller_idle_timeout: "1m"
@@ -104,11 +110,7 @@ skipper_ingress_binpack: "false"
 
 # skipper node-pool
 enable_dedicate_nodepool_skipper: "true"
-{{if eq .Cluster.Environment "e2e"}}
-skipper_attach_only_to_skipper_node_pool: "false"
-{{else}}
 skipper_attach_only_to_skipper_node_pool: "true"
-{{end}}
 
 skipper_suppress_route_update_logs: "true"
 skipper_validate_query: "true"
@@ -366,6 +368,9 @@ skipper_ingress_routegroup_crd_require_hosts: "true"
 skipper_open_policy_agent_enabled: "false"
 skipper_open_policy_agent_styra_token: ""
 
+# Default timeout value in seconds for outgoing http calls from Open Policy Agent in a skipper filter
+skipper_open_policy_agent_styra_response_header_timeout: "2"
+
 #
 # FabricGateway controller config
 #
@@ -768,14 +773,18 @@ tracing_coredns_local_zone_traces_endpoint: ""
 # AMI id given the image name and the Image AWS account owner.
 #
 # [0]: https://github.com/zalando-incubator/cluster-lifecycle-manager/blob/8a9bd1cb2d094038a9e23e646421f8146b48886a/provisioner/template.go#L116
-kuberuntu_image_v1_31_old_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.4-amd64-master-359" "861068367966" }}
-kuberuntu_image_v1_31_old_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.4-arm64-master-359" "861068367966" }}
-kuberuntu_image_v1_31_new_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.6-amd64-master-368" "861068367966" }}
-kuberuntu_image_v1_31_new_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.6-arm64-master-368" "861068367966" }}
+kuberuntu_image_v1_31_aws_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.6-amd64-master-368" "861068367966" }}
+kuberuntu_image_v1_31_aws_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.6-arm64-master-368" "861068367966" }}
+kuberuntu_image_v1_31_eks_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.7-amd64-master-371" "861068367966" }}
+kuberuntu_image_v1_31_eks_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.7-arm64-master-371" "861068367966" }}
 
 # This is used to determine which AMI to use for the cluster or individual node
-# pools. Possible values are 'new' or 'old'
-kuberuntu_ami_version: "new"
+# pools. Possible values are 'aws' or 'eks'
+{{if eq .Cluster.Provider "zalando-eks"}}
+kuberuntu_ami_version: "eks"
+{{else}}
+kuberuntu_ami_version: "aws"
+{{end}}
 
 # Feature toggle for auditing events
 audit_pod_events: "true"
@@ -913,7 +922,7 @@ external_dns_zones_cache_duration: "1h"
 external_dns_mem: "4Gi"
 
 # select which cache to use for Cluster DNS: unbound or dnsmasq.
-dns_cache: "dnsmasq"
+dns_cache: "unbound"
 
 expirimental_dns_unbound_liveness_probe: "true"
 
@@ -1249,10 +1258,10 @@ role_sync_controller_enabled: "false"
 wiz_enable_runtime_sensor: "false"
 wiz_enable_runtime_connector: "false"
 wiz_enable_runtime_connector_broker: "false"
-wiz_sensor_cpu: "300m"
+wiz_sensor_cpu: "200m"
 wiz_sensor_memory: "300Mi"
-wiz_connector_cpu: "300m"
-wiz_connector_memory: "300Mi"
+wiz_connector_cpu: "50m"
+wiz_connector_memory: "150Mi"
 wiz_priority: "false"
 # Please note when this is set to true it allows the use of the node selector feature
 # to deploy the sensor and connector on specific nodes, by manually setting the node selector label on the nodes.
 
@@ -212,7 +212,7 @@ spec:
         {{- if eq .Cluster.Provider "zalando-eks" }}
         image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/coredns:1.12.0-master-25
         {{- else }}
-        image: container-registry.zalando.net/teapot/coredns:1.12.0-master-25
+        image: container-registry.zalando.net/teapot/coredns:1.12.1-master-26
         {{- end }}
         args: [ "-conf", "/etc/coredns/Corefile" ]
         env:
 
@@ -29,7 +29,7 @@ data:
   pod.service-account-iam.enable: "true"
   pod.service-account-iam.base-aws-account-id: "{{ accountID .Cluster.InfrastructureAccount }}"
 {{- if eq .Cluster.ConfigItems.teapot_admission_controller_inject_aws_waiter "true" }}
-  pod.aws-waiter.image: "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/automata/aws-credentials-waiter:master-249"
+  pod.aws-waiter.image: "926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/automata/aws-credentials-waiter:master-257"
 {{- end }}
   pod.env-inject.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_inject_environment_variables }}"
   pod.env-inject.variable._PLATFORM_ACCOUNT: "{{ .Cluster.Alias }}"
@@ -45,6 +45,10 @@ data:
   pod.env-inject.variable._PLATFORM_OBSERVABILITY_METRICS_PORT: "{{ .Cluster.ConfigItems.observability_metrics_port }}"
   pod.env-inject.variable._PLATFORM_OBSERVABILITY_ACCESS_TOKEN: "{{ .Cluster.ConfigItems.lightstep_token }}"
   pod.env-inject.variable._PLATFORM_OBSERVABILITY_COMMON_ATTRIBUTE_CLOUD__ACCOUNT__ID : "{{ .Cluster.Alias }}"
+{{- if and (eq .Cluster.Provider "zalando-eks") (eq .Cluster.ConfigItems.eks_ip_family "ipv6")}}
+  pod.env-inject.variable.AWS_EC2_METADATA_SERVICE_ENDPOINT: "http://[fd00:ec2::254]"
+  pod.env-inject.variable.AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE: "IPv6"
+{{- end }}
 {{- if eq .Cluster.Environment "e2e" }}
   pod.env-inject.variable._PLATFORM_E2E: "injected"
 {{- end }}
 
@@ -33,7 +33,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
       - name: admission-controller
-        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-250
+        image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-251
         lifecycle:
           preStop:
             exec:
 
@@ -575,6 +575,16 @@ webhooks:
             object.kind == "ConfigMap" &&
             object.metadata.name == "skipper-default-filters"
           )
+      - name: 'allow-routesrv-routes-access'
+        expression: |
+          !(
+            "okta:common/engineer" in request.userInfo.groups &&
+            request.name == "skipper-ingress-routesrv" &&
+            request.resource.resource == "services" &&
+            request.subResource == "proxy" &&
+            request.operation == "CONNECT"
+          )
+
   - name: collaborator-deny-admitter.teapot.zalan.do
     clientConfig:
       {{- if eq .Cluster.Provider "zalando-eks"}}
 
@@ -27,7 +27,7 @@ spec:
       hostNetwork: true
       containers:
       - name: kube-aws-iam-controller
-        image: container-registry.zalando.net/teapot/kube-aws-iam-controller:v0.3.0-68-g08c195b
+        image: container-registry.zalando.net/teapot/kube-aws-iam-controller:v0.3.0-74-g62d552b
         env:
         - name: AWS_DEFAULT_REGION
           value: "{{.Cluster.Region}}"
 
@@ -91,7 +91,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-provisioner
-          image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-27
+          image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-28
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -116,7 +116,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-attacher
-          image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-27
+          image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-28
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
 
@@ -77,7 +77,7 @@ spec:
             privileged: true
             readOnlyRootFilesystem: true
         - name: node-driver-registrar
-          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-27
+          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-28
           args:
             - --csi-address=$(ADDRESS)
             - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
 
@@ -29,7 +29,7 @@ spec:
       terminationGracePeriodSeconds: 300
       containers:
         - name: "deployment-service-controller"
-          image: "container-registry.zalando.net/teapot/deployment-controller:master-238"
+          image: "container-registry.zalando.net/teapot/deployment-controller:master-239"
           args:
             - "--config-namespace=kube-system"
             - "--decrypt-kms-alias-arn=arn:aws:kms:{{ .Cluster.Region }}:{{ .Cluster.InfrastructureAccount | getAWSAccountID }}:alias/deployment-secret"