Update client.authentication.k8s.io to v1beta1 (#1095)

Makefile

@@ -78,19 +78,23 @@ k8s: validate ## Build default K8s version of EKS Optimized AL2 AMI
 
 .PHONY: 1.20
 1.20: ## Build EKS Optimized AL2 AMI - K8s 1.20
-	$(MAKE) k8s kubernetes_version=1.20.15 kubernetes_build_date=2022-07-27 pull_cni_from_github=true
+	$(MAKE) k8s kubernetes_version=1.20.15 kubernetes_build_date=2022-10-31 pull_cni_from_github=true
 
 .PHONY: 1.21
 1.21: ## Build EKS Optimized AL2 AMI - K8s 1.21
-	$(MAKE) k8s kubernetes_version=1.21.14 kubernetes_build_date=2022-07-27 pull_cni_from_github=true
+	$(MAKE) k8s kubernetes_version=1.21.14 kubernetes_build_date=2022-10-31 pull_cni_from_github=true
 
 .PHONY: 1.22
 1.22: ## Build EKS Optimized AL2 AMI - K8s 1.22
-	$(MAKE) k8s kubernetes_version=1.22.12 kubernetes_build_date=2022-07-27 pull_cni_from_github=true
+	$(MAKE) k8s kubernetes_version=1.22.15 kubernetes_build_date=2022-10-31 pull_cni_from_github=true
 
 .PHONY: 1.23
 1.23: ## Build EKS Optimized AL2 AMI - K8s 1.23
-	$(MAKE) k8s kubernetes_version=1.23.9 kubernetes_build_date=2022-07-27 pull_cni_from_github=true
+	$(MAKE) k8s kubernetes_version=1.23.13 kubernetes_build_date=2022-10-31 pull_cni_from_github=true
+
+.PHONY: 1.24
+1.24: ## Build EKS Optimized AL2 AMI - K8s 1.24
+	$(MAKE) k8s kubernetes_version=1.24.7 kubernetes_build_date=2022-10-31 pull_cni_from_github=true
 
 .PHONY: help
 help: ## Display help

files/bootstrap.sh

@@ -146,9 +146,6 @@ if vercmp "$KUBELET_VERSION" gteq "1.24.0"; then
   IS_124_OR_GREATER=true
   DEFAULT_CONTAINER_RUNTIME=containerd
 elif vercmp "$KUBELET_VERSION" gteq "1.22.0"; then
-  # Ensure that these exist for testing purposes
-  mkdir -p /etc/eks/ecr-credential-provider
-  touch /etc/eks/ecr-credential-provider/ecr-credential-provider-config
   # These APIs are only available in alpha pre-1.24.
   # This can be removed when version 1.23 is no longer supported.
   sed -i s,kubelet.config.k8s.io/v1beta1,kubelet.config.k8s.io/v1alpha1,g /etc/eks/ecr-credential-provider/ecr-credential-provider-config

files/kubelet-kubeconfig

@@ -15,11 +15,11 @@ users:
 - name: kubelet
   user:
     exec:
-      apiVersion: client.authentication.k8s.io/v1alpha1
+      apiVersion: client.authentication.k8s.io/v1beta1
       command: /usr/bin/aws-iam-authenticator
       args:
         - "token"
         - "-i"
         - "CLUSTER_NAME"
         - --region
-        - "AWS_REGION"
+        - "AWS_REGION"

scripts/install-worker.sh

@@ -260,6 +260,16 @@ for binary in ${BINARIES[*]}; do
   sudo mv $binary /usr/bin/
 done
 
+# Verify that the aws-iam-authenticator is at last v0.5.9 or greater. Otherwise, nodes will be
+# unable to join clusters due to upgrading to client.authentication.k8s.io/v1beta1
+iam_auth_version=$(sudo /usr/bin/aws-iam-authenticator version | jq -r .Version)
+if vercmp "$iam_auth_version" lt "v0.5.9"; then
+  # To resolve this issue, you need to update the aws-iam-authenticator binary. Using binaries distributed by EKS
+  # with kubernetes_build_date 2022-10-31 or later include v0.5.10 or greater.
+  echo "❌ The aws-iam-authenticator should be on version v0.5.9 or later. Found $iam_auth_version"
+  exit 1
+fi
+
 # Since CNI 0.7.0, all releases are done in the plugins repo.
 CNI_PLUGIN_FILENAME="cni-plugins-linux-${ARCH}-${CNI_PLUGIN_VERSION}"
 

test/Dockerfile

@@ -1,14 +1,15 @@
 FROM public.ecr.aws/aws-ec2/amazon-ec2-metadata-mock:v1.11.2 as aemm
 FROM public.ecr.aws/amazonlinux/amazonlinux:2
-RUN yum install -y jq
-RUN yum install -y wget
-RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
-RUN chmod a+x /usr/local/bin/yq
+RUN yum install -y jq && \
+    yum install -y wget && \
+    wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && \
+    chmod a+x /usr/local/bin/yq
 
 ENV IMDS_ENDPOINT=127.0.0.1:1338
 COPY --from=aemm /ec2-metadata-mock /sbin/ec2-metadata-mock
 COPY files/kubelet-config.json /etc/kubernetes/kubelet/kubelet-config.json
 COPY files/kubelet-kubeconfig /var/lib/kubelet/kubeconfig
+COPY files/ecr-credential-provider-config /etc/eks/ecr-credential-provider/ecr-credential-provider-config
 COPY test/entrypoint.sh /entrypoint.sh
 COPY files /etc/eks
 COPY files/bin/* /usr/bin/

test/cases/ecr-credential-provider-config.sh

@@ -4,14 +4,20 @@ set -euo pipefail
 exit_code=0
 TEMP_DIR=$(mktemp -d)
 
-# Setup test cases
-mkdir -p /etc/eks/ecr-credential-provider
 export CRED_PROVIDER_FILE="/etc/eks/ecr-credential-provider/ecr-credential-provider-config"
+export CRED_PROVIDER_RESET_FILE="./cred-provider-config"
+
+# Store the original version of the config
+cp $CRED_PROVIDER_FILE $CRED_PROVIDER_RESET_FILE
+# Reset the file that may have changed
+function reset_scenario {
+  echo "Resetting test scenario"
+  cp $CRED_PROVIDER_RESET_FILE $CRED_PROVIDER_FILE
+}
 
 echo "--> Should default to credentialprovider.kubelet.k8s.io/v1alpha1 and kubelet.config.k8s.io/v1alpha1 when below k8s version 1.24"
+reset_scenario
 
-# Ensure the credential provider config is present and fresh
-cp /etc/eks/ecr-credential-provider-config $CRED_PROVIDER_FILE
 # This variable is used to override the default value in the kubelet mock
 export KUBELET_VERSION=v1.22.15-eks-ba74326
 /etc/eks/bootstrap.sh \
@@ -39,9 +45,8 @@ if [[ "$expected_kubelet_config_api" != "$actual" ]]; then
 fi
 
 echo "--> Should default to credentialprovider.kubelet.k8s.io/v1beta1 and kubelet.config.k8s.io/v1beta1 when at or above k8s version 1.24"
+reset_scenario
 
-# Ensure the credential provider config is present and fresh
-cp /etc/eks/ecr-credential-provider-config $CRED_PROVIDER_FILE
 export KUBELET_VERSION=v1.24.15-eks-ba74326
 /etc/eks/bootstrap.sh \
   --b64-cluster-ca dGVzdA== \