aws/amazon-vpc-cni-k8s

Difference between recommended and default versions?

joebowbeer opened this issue · 3 comments

What happened:

The AWS EKS best practices for both networking and security recommend routinely updating the VPC CNI version to the latest available version unless there is some specific reason not to.

The VPC CNI is backward compatible. The latest version works with all Amazon EKS supported Kubernetes versions. Additionally, the VPC CNI is offered as an EKS add-on (see “Deploy VPC CNI Managed Add-On” above). While EKS add-ons orchestrates upgrades of add-ons, it will not automatically upgrade add-ons like the CNI because they run on the data plane. You are responsible for upgrading the VPC CNI add-on following managed and self-managed worker node upgrades.

This is reiterated in the vpc-cni docs:

Unless you have a specific reason for running an earlier version, we recommend running the latest version.

At present, the latest version is v1.16.0-eksbuild.1.

However, the result returned from aws eks describe-addon-versions lists a much older version as the default version:

aws eks describe-addon-versions --kubernetes-version 1.28
    # ...
    addonVersion: v1.14.1-eksbuild.1
    compatibilities:
    - clusterVersion: "1.28"
      defaultVersion: true

Why is this old version returned as the default if a more recent version is recommended?

Environment:

  • Kubernetes version (use kubectl version): 1.28 eks.6
  • CNI Version: 1.14.1
  • OS (e.g: cat /etc/os-release): bottlerocket
  • Kernel (e.g. uname -a):

@joebowbeer this question gets asked often and I can definitely understand the confusion. When EKS supports a new Kubernetes version, we select the latest VPC CNI (at the time of launch) as the default addon version for that EKS version.

Currently, the default addon version for an EKS version is an immutable field. We are working internally on making these fields mutable so that the version used when creating a new cluster will be the latest addon version (which is also the recommended version).

In the meantime, when you create a cluster, you can specify to install the latest addon version. For eksctl, that would be passing:

addons:
  - name: vpc-cni
    version: latest
  - name: coredns
    version: latest
  - name: kube-proxy
    version: latest
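As an added example (not code from the issue or from the amazon-vpc-cni-k8s project), the following Python check parses the JSON that `aws eks describe-addon-versions` returns and reports both the default and the newest vpc-cni version offered for a cluster version, so the gap described in the question shows up in a script and an installed CNI that is behind can be flagged. The sample output is constructed inline: the field names match the CLI's JSON, the v1.14.1 and v1.16.0 entries come from the issue, and the v1.9.3 entry is made up to show why versions must not be compared as strings.

```python
import json
import re

# Constructed sample shaped like `aws eks describe-addon-versions --addon-name vpc-cni
# --kubernetes-version 1.28` output. v1.14.1 (default) and v1.16.0 (latest) are the
# versions named in the issue; the v1.9.3 entry is made up to exercise the ordering.
SAMPLE_OUTPUT = json.dumps({"addons": [{"addonName": "vpc-cni", "addonVersions": [
    {"addonVersion": "v1.16.0-eksbuild.1",
     "compatibilities": [{"clusterVersion": "1.28", "defaultVersion": False}]},
    {"addonVersion": "v1.9.3-eksbuild.2",  # constructed: sorts AFTER v1.16 as a string
     "compatibilities": [{"clusterVersion": "1.28", "defaultVersion": False}]},
    {"addonVersion": "v1.14.1-eksbuild.1",
     "compatibilities": [{"clusterVersion": "1.28", "defaultVersion": True}]},
]}]})

VERSION_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)-eksbuild\.(\d+)$")

def version_key(version):
    """Numeric sort key for 'vX.Y.Z-eksbuild.N'; string order would rank v1.9 above v1.16."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unexpected addon version format: {version}")
    return tuple(int(part) for part in match.groups())

def default_and_latest(output, cluster_version, addon_name="vpc-cni"):
    """Return (default_version, latest_version) offered for addon_name on cluster_version."""
    addons = [a for a in json.loads(output)["addons"] if a["addonName"] == addon_name]
    if not addons:
        raise ValueError(f"addon {addon_name} not present in output")
    compatible, default = [], None
    for entry in addons[0]["addonVersions"]:
        for compat in entry["compatibilities"]:
            if compat["clusterVersion"] == cluster_version:
                compatible.append(entry["addonVersion"])
                if compat.get("defaultVersion"):
                    default = entry["addonVersion"]
    if not compatible:
        raise ValueError(f"no {addon_name} version is compatible with {cluster_version}")
    return default, max(compatible, key=version_key)

def is_behind_latest(installed, output, cluster_version, addon_name="vpc-cni"):
    """True when the installed version is older than the newest one EKS offers for the cluster."""
    _, latest = default_and_latest(output, cluster_version, addon_name)
    return version_key(installed) < version_key(latest)

if __name__ == "__main__":
    default, latest = default_and_latest(SAMPLE_OUTPUT, "1.28")
    print(f"default={default} latest={latest} "
          f"default_is_behind={is_behind_latest(default, SAMPLE_OUTPUT, '1.28')}")
```

Against a live account, pipe `aws eks describe-addon-versions --addon-name vpc-cni --kubernetes-version 1.28 --output json` into `default_and_latest` and compare the result with the image tag of the running `aws-node` DaemonSet.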

Closing so that this is not tracked as an active issue. This will still be searchable.

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.