Tests • Bump upgrade commit pin (#8768) #8769 (Ryan Mistretta) Chores • Bump Upstream Karpenter to include patch changes (#8834) #8834 (Amanuel Engeda) • update static instance data (#8833) #8833 (Jason Deal) • Bump Upstream Karpenter to v1.8.1 (#8839) #8839 (Amanuel Engeda)

This blog post examines how Salesforce, operating one of the world's largest Kubernetes deployments, successfully migrated from Cluster Autoscaler to Karpenter across their fleet of 1,000 plus Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

What's Changed • feat(nodeadm): add nodeadm config dump command by @vflaux in https://github.com/awslabs/amazon-eks-ami/pull/2107 • fix(nodeadm): clarify missing cluster ID error for outposts by @HusainZafar in https://github.com/awslabs/amazon-eks-ami/pull/2573 • fix(al2023): Only enable DNS for the primary interface to avoid duplicate entries by @shvbsle in https://github.com/awslabs/amazon-eks-ami/pull/2578 Full Changelog: https://github.com/awslabs/amazon-eks-ami/compare/v20251217...v20260107

v2.17.1 (requires Kubernetes 1.22+) Documentation Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.17.1 Thanks to all our contributors! 😊 🚀 What's New QUIC Protocol Support: Added QUIC protocol support for Gateway API and Service API JWT Validation: Support for JWT validation in Gateway API Default Load Balancer Scheme: Added support for specifying —default-load-balancer-scheme flag in Helm chart 🔧 Enhancements and Fixes Bug Fixes • Helm Chart: Duplicated CRD in helm kustomization Documentation Updates • Service Actions: Fixed service.beta.kubernetes.io/actions example in documentation • Conformance Report: Generated v2.17.0 conformance test report Changelog since v2.17.0 • Merge Main to release-2.17 (#4533, @wweiwei-li) • [GW API] Add QUIC support (#4530, @zac-nixon) • docs: fix service.beta.kubernetes.io/actions example (#4529, @davidxia) • Add E2E tests for QUIC support in Service API. (#4527, @zac-nixon) • feat(chart): add support for specifying —default-load-balancer-scheme flag (#4141, @ysam12345) • fix: duplicated CRD in helm kustomization (#4518, @wweiwei-li) • generate v2.17.0 conformance test report (#4521, @shuqz) • [feat gw-api]support jwt validation (#4516, @shuqz) • fix helm chart version (#4515, @wweiwei-li)

This post explores using the Amazon CloudWatch monitoring, including new Amazon EKS metrics and the CloudWatch Observability Operator, to gain deeper visibility into cluster operations, detect issues, understand bottlenecks, and maintain healthy EKS clusters.

Amazon Web Services (AWS) announced the availability of DNS-based and Admin network policies for Amazon Elastic Kubernetes Service (EKS) Auto mode and Admin network policies for both EKS Auto mode and EKS on Amazon Elastic Compute Cloud (EC2), providing enhanced capabilities to secure network traffic both within your clusters and to external endpoints. In this post, we explore practical use cases that demonstrate how these policies solve real-world challenges and remove the need to rely on third-party software across different deployment scenarios, from securing access to external services to hybrid cloud integration and multi-tenant environments.

This post details how platform engineering teams can build an assurance pipeline for Amazon EKS deployments, incorporating validation frameworks that verify configurations, test infrastructure as code (IaC), assess application resilience, and establish compliance with organizational standards.

This post looks at various options for container image caching, model training, and inferencing workloads. This post also discusses various storage options such as Amazon Simple Storage Service (Amazon S3), FSx for lustre, S3 Express One Zone, and Amazon S3 Connector for PyTorch.

In this post, we focus on observing and scaling ML operations (MLOps) infrastructure on Kubernetes. MLOps platforms running on Amazon EKS provide powerful built-in capabilities for logging, monitoring, and alerting that are essential for maintaining healthy ML systems at scale.

In this post we demonstrate how using GitLab Runners on EKS Auto Mode, combined with Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, can deliver enterprise-scale CI/CD capabilities while achieving up to 90% cost reduction when compared to traditional deployment models. This approach not only optimizes operational expenses, but also provides resilient, scalable pipeline execution.

In this deep dive, we explore advanced scenarios with Argo CD including hub-and-spoke multi-cluster deployments, native AWS service integrations, multi-tenancy implementation, scaling with advanced Argo CD configurations and integration with CI/CD pipeline.

AWS EBS CSI Driver CHANGELOG See CHANGELOG for full list of changes

A Helm chart for AWS EBS CSI Driver

<p>Today, we’re announcing enhanced network policy capabilities in <a href="https://aws.amazon.com/eks/" target="_blank">Amazon Elastic Kubernetes Service (EKS)</a>, allowing customers to improve the network security posture for their Kubernetes workloads and their integrations with cluster-external destinations. This enhancement builds on network segmentation features previously supported in EKS. Now you can centrally enforce network access filters across the entire cluster, as well as leverage Domain Name System (DNS) based policies to secure egress traffic from your cluster’s environment.<br> <br> As customers continue to scale their application environments using EKS, network traffic isolation is increasingly fundamental for preventing unauthorized access to resources inside and outside the cluster. To address this, EKS introduced support for <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/" target="_blank">Kubernetes NetworkPolicies</a> in the <a href="https://github.com/aws/amazon-vpc-cni-k8s" target="_blank">Amazon VPC Container Network Interface (VPC CNI) plugin</a>, allowing you to segment pod-to-pod communication at a namespace level. Now you can further strengthen the defensive posture for your Kubernetes network environment by centrally managing network filters for the whole cluster. Also, cluster admins now have a more stable and predictable approach for preventing unauthorized access to cluster-external resources in the cloud or on-prem using egress rules that filter traffic to external endpoints based on their Fully Qualified Domain Name (FQDN).<br> <br> These new network security features are available in all commercial AWS Regions for new EKS clusters running Kubernetes version 1.29 or later, with support for existing clusters to follow in the coming weeks. ClusterNetworkPolicy is available in all EKS cluster launch modes using VPC CNI v1.21.0 or later. DNS-based policies are only supported in <a href="https://docs.aws.amazon.com/eks/latest/userguide/automode.html" target="_blank">EKS Auto Mode-launched EC2 instances</a>. To learn more, visit the <a href="https://docs.aws.amazon.com/eks/latest/userguide/auto-net-pol.html" target="_blank">Amazon EKS documentation</a> or read the <a href="https://aws.amazon.com/blogs/containers/amazon-eks-introduces-enhanced-network-policy-capabilities" target="_blank">launch blog post here</a>.</p>

Today, we are excited to announce the expansion of native network policy support in Amazon EKS to include both Admin Policies and Application Network Policies. With these additional policies, Cluster Administrators (e.g. platform or security teams) can set cluster-wide security rules for their clusters to enhance the overall network security for their Kubernetes workloads. In […]

A Helm chart for AWS EBS CSI Driver

Picture this: your containerized Java application that was running smoothly yesterday is now consuming 90% CPU and barely responding to user requests. Now your customers are experiencing timeouts, and your ops team is under pressure to resolve the issue quickly. When debugging unresponsive applications or excessive CPU consumption, one of the most valuable diagnostic tools […]

Chores • bump greatest supported k8s version (#8774) #8774 (Jason Deal)

Bug Fixes • update AMI versions for suite test (#8779) #8779 (Jason Deal) Chores • bump greatest supported k8s version (#8775) #8775 (Jason Deal)

<p>AWS Certificate Manager (ACM) now automates certificate provisioning and distribution for Kubernetes workloads through AWS Controllers for Kubernetes (ACK). Previously, ACM automated certificate management for AWS-integrated services like Application Load Balancers and CloudFront. However, using ACM certificates with applications terminating TLS in Kubernetes required manual steps: exporting certificates and private keys via API, creating Kubernetes Secrets, and updating them at renewal. This integration extends ACM's automation to any Kubernetes workload for both public and private certificates, enabling you to manage certificates using native Kubernetes APIs.<br> <br> With ACK, you define certificates as Kubernetes resources, and the ACK controller automates the complete certificate lifecycle: requesting certificates from ACM, exporting them after validation, updating Kubernetes Secrets with the certificate and private key, and automatically updating those Secrets at renewal. This enables you to use ACM exportable public certificates (launched in June 2025) for internet-facing workloads or AWS Private CA private certificates for internal services in Amazon EKS or other Kubernetes environments. Use cases include terminating TLS in application pods (NGINX, custom applications), securing service mesh communication (Istio, Linkerd), and managing certificates for third-party ingress controllers (NGINX Ingress, Traefik). You can also distribute certificates to hybrid and edge Kubernetes environments.<br> <br> This feature is available in all commercial, AWS GovCloud (US), and AWS China regions where ACM is available.<br> To learn more, visit the <a href="https://github.com/aws-controllers-k8s/acm-controller">Git hub link</a> or read our <a href="https://docs.aws.amazon.com/acm/latest/userguide/acm-exportable-certificates.html">documentation</a> and our <a href="https://aws.amazon.com/certificate-manager/pricing/">pricing page</a>.&nbsp;</p>

Note There are no changes to the AMI template in this release.

What's Changed • docs: cutoff 0.7.0 by @jakobmoellerdev in https://github.com/kubernetes-sigs/kro/pull/865 • docs: update make command to install crds by @heylongdacoder in https://github.com/kubernetes-sigs/kro/pull/867 • chore(deps): bump node-forge from 1.3.1 to 1.3.2 in /website in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/kubernetes-sigs/kro/pull/868 • docs: major docs revamp and website redesign by @a-hilaly in https://github.com/kubernetes-sigs/kro/pull/857 • fix: add app.kubernetes.io/managed-by label to child resources by @a-hilaly in https://github.com/kubernetes-sigs/kro/pull/869 • Make schema.group field immutable by @a-hilaly in https://github.com/kubernetes-sigs/kro/pull/870 • Update FAQ5 in README to match the website FAQ content. by @a-hilaly in https://github.com/kubernetes-sigs/kro/pull/875 • chore: Add K8s examples to doc by @kennygt51 in https://github.com/kubernetes-sigs/kro/pull/874 • chore(deps): bump mdast-util-to-hast from 13.2.0 to 13.2.1 in /website in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/kubernetes-sigs/kro/pull/879 • test: add unit tests for InstanceState by @kennygt51 in https://github.com/kubernetes-sigs/kro/pull/872 • Support Kubernetes CEL library extensions (URLs and Regex) by @antcybersec in https://github.com/kubernetes-sigs/kro/pull/882 • refactor(cel/ast): rewrite inspector to use native CEL AST and improve analysis accuracy by @jakobmoellerdev in https://github.com/kubernetes-sigs/kro/pull/884 • Correct grammar in code base and examples by @majst01 in https://github.com/kubernetes-sigs/kro/pull/881 • docs: fix some docs about saas-multi-tenant examples by @kennygt51 in https://github.com/kubernetes-sigs/kro/pull/876 • docs: add URLs and Regex to available CEL libraries by @antcybersec in https://github.com/kubernetes-sigs/kro/pull/891 • Add docs-tests presubmit script by @a-hilaly in https://github.com/kubernetes-sigs/kro/pull/888 • feat(website): add custom syntax highlighting for kro code blocks (RGDs) by @a-hilaly in https://github.com/kubernetes-sigs/kro/pull/887 • Publish static kro manifests on release by @tjamet in https://github.com/kubernetes-sigs/kro/pull/820 • chore: small refactor of dynamic controller funcs by @jakobmoellerdev in https://github.com/kubernetes-sigs/kro/pull/774 New Contributors • @heylongdacoder made their first contribution in https://github.com/kubernetes-sigs/kro/pull/867 • @antcybersec made their first contribution in https://github.com/kubernetes-sigs/kro/pull/882 • @majst01 made their first contribution in https://github.com/kubernetes-sigs/kro/pull/881 Full Changelog: https://github.com/kubernetes-sigs/kro/compare/v0.7.0...v0.7.1

Tests • fix e2e tests failures (#8711) #8750 (Jigisha Patil) Continuous Integration • Fix failing AMI tests after 1.34 upgrade #8751 (Saurav Agarwalla) Commits • 9a5d821: Skip instance profile cleanup in isolated VPCs (#8617) (#8749) (Ryan Mistretta) #8749