zalando-incubator · mikkeloscar · Jun 5, 2025 · Aug 19, 2025 · Aug 19, 2025 · Aug 22, 2025
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -170,7 +170,7 @@ Resources:
 {{- end }}
     Properties:
       Name: "{{.Cluster.Name}}"
-      Version: "1.32"
+      Version: "1.33"
       RoleArn: !GetAtt EKSClusterRole.Arn
       KubernetesNetworkConfig:
         IpFamily: "{{.Cluster.ConfigItems.eks_ip_family}}"
@@ -295,6 +295,12 @@ Resources:
     Properties:
       AddonName: eks-pod-identity-agent
       ClusterName: !Ref EKSCluster
+  EKSAddonKubeProxy:
+    Type: AWS::EKS::Addon
+    Properties:
+      AddonName: kube-proxy
+      AddonVersion: "v1.33.3-eksbuild.6"
+      ClusterName: !Ref EKSCluster
   {{ if eq .Cluster.Environment "e2e" }}
   E2EEKSIAMTestRoleReadOnly:
     Properties:

diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -795,8 +795,8 @@ tracing_coredns_local_zone_traces_endpoint: ""
 # AMI id given the image name and the Image AWS account owner.
 #
 # [0]: https://github.com/zalando-incubator/cluster-lifecycle-manager/blob/8a9bd1cb2d094038a9e23e646421f8146b48886a/provisioner/template.go#L116
-kuberuntu_image_v1_32_new_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.32.4-amd64-master-373" "861068367966" }}
-kuberuntu_image_v1_32_new_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.32.4-arm64-master-373" "861068367966" }}
+kuberuntu_image_v1_33_new_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.33.4-amd64-master-378" "861068367966" }}
+kuberuntu_image_v1_33_new_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.33.4-arm64-master-378" "861068367966" }}
 
 # This is used to determine which AMI to use for the cluster or individual node
 # pools. Possible values are 'new' or 'old'

diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
@@ -139,6 +139,14 @@ webhooks:
         apiVersions: ["v1"]
         resources: ["nodes"]
   - name: configmap-admitter.teapot.zalan.do
+{{- if eq .Cluster.Provider "zalando-eks"}}
+    # avoid admission-control applying to the admission-controller components (🐔🥚)
+    objectSelector:
+      matchExpressions:
+        - key: eks.amazonaws.com/component
+          operator: NotIn
+          values: ["kube-proxy"]
+{{- end }}
     clientConfig:
       {{- if eq .Cluster.Provider "zalando-eks"}}
       service:

diff --git a/cluster/node-pools/master-default/stack.yaml b/cluster/node-pools/master-default/stack.yaml
@@ -10,7 +10,7 @@ Mappings:
   Images:
     {{.Cluster.Region}}:
       # Use the node pool's architecture to construct the config item name that we're using to get the AMI name.
-      MachineImage: '{{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_32_" .NodePool.ConfigItems.kuberuntu_ami_version "_" .Values.InstanceInfo.Architecture) }}'
+      MachineImage: '{{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_33_" .NodePool.ConfigItems.kuberuntu_ami_version "_" .Values.InstanceInfo.Architecture) }}'
 
 Resources:
   AutoScalingGroup:

diff --git a/cluster/node-pools/worker-combined/stack.yaml b/cluster/node-pools/worker-combined/stack.yaml
@@ -11,7 +11,7 @@ Mappings:
   Images:
     {{.Cluster.Region}}:
       # Use the node pool's architecture to construct the config item name that we're using to get the AMI name.
-      MachineImage: '{{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_32_" .NodePool.ConfigItems.kuberuntu_ami_version "_" .Values.InstanceInfo.Architecture) }}'
+      MachineImage: '{{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_33_" .NodePool.ConfigItems.kuberuntu_ami_version "_" .Values.InstanceInfo.Architecture) }}'
 
 Resources:
   AutoScalingGroup:

diff --git a/cluster/node-pools/worker-karpenter/provisioners.yaml b/cluster/node-pools/worker-karpenter/provisioners.yaml
@@ -7,8 +7,8 @@ spec:
   amiFamily: Custom
   amiSelectorTerms:
     # Select on any AMI that has any of the following IDs
-    - id: {{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_32_" .NodePool.ConfigItems.kuberuntu_ami_version "_amd64") }}
-    - id: {{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_32_" .NodePool.ConfigItems.kuberuntu_ami_version "_arm64") }}
+    - id: {{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_33_" .NodePool.ConfigItems.kuberuntu_ami_version "_amd64") }}
+    - id: {{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_33_" .NodePool.ConfigItems.kuberuntu_ami_version "_arm64") }}
   metadataOptions:
     httpEndpoint: enabled
     # {{ if and (eq .Cluster.Provider "zalando-eks") (eq .Cluster.ConfigItems.eks_ip_family "ipv6") }}

diff --git a/cluster/node-pools/worker-splitaz/stack.yaml b/cluster/node-pools/worker-splitaz/stack.yaml
@@ -11,7 +11,7 @@ Mappings:
   Images:
     {{.Cluster.Region}}:
       # Use the node pool's architecture to construct the config item name that we're using to get the AMI name.
-      MachineImage: '{{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_32_" .NodePool.ConfigItems.kuberuntu_ami_version "_" .Values.InstanceInfo.Architecture) }}'
+      MachineImage: '{{ index .NodePool.ConfigItems (print "kuberuntu_image_v1_33_" .NodePool.ConfigItems.kuberuntu_ami_version "_" .Values.InstanceInfo.Architecture) }}'
 
 Resources:
 {{ with $data := . }}

diff --git a/test/e2e/Dockerfile b/test/e2e/Dockerfile
@@ -16,7 +16,7 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -qq bc curl
 
 ARG KUBE_VERSION
 RUN curl -L -s --fail "https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-${TARGETARCH}.tar.gz" -o "kubernetes-client-linux-${TARGETARCH}.tar.gz" && \
-    printf "924bd0cdbef91caab04b5e9c31017c24d9d7c718f6db9e2c61d5c203d579c8f0c00ac7451bd3658d5cdf31d7a08c8ee5884511d8e961f0e9331d00b1f6f03bee kubernetes-client-linux-amd64.tar.gz\nbf84363c16f72863e38d9d67194531aabafb6a82a20e3361354cc037964205557e8a39b62fa23b3c435c87f989838b6619980ea5c325c456e5cd5d47564d1644 kubernetes-client-linux-arm64.tar.gz" | grep "${TARGETARCH}" | sha512sum -c - && \
+    printf "e628239516ed6a3d07d47b451b7f42199fb5dcfb4d416f7b519235fd454e0fca3d0c273cc9c709f653a935a32c1f9fbd0a4be88f4c59d0ddcd674be2c289c8a5 kubernetes-client-linux-amd64.tar.gz\neb349a54d2013ae535fd60a0c32b0a932f176c9203541fba88e9eecbb794a2701479d09389e04950f5ed27b8a48383072b658cdfe7bddb3f0b60c2657a93d90f kubernetes-client-linux-arm64.tar.gz" | grep "${TARGETARCH}" | sha512sum -c - && \
     tar xvf "kubernetes-client-linux-${TARGETARCH}.tar.gz" --strip-components 3 kubernetes/client/bin/ && \
     rm "kubernetes-client-linux-${TARGETARCH}.tar.gz" && \
     mv kubectl /usr/bin/kubectl

diff --git a/test/e2e/Makefile b/test/e2e/Makefile
@@ -2,7 +2,7 @@
 
 BINARY       ?= kubernetes-on-aws-e2e
 VERSION      ?= $(shell git describe --tags --always --dirty)
-KUBE_VERSION ?= v1.32.4
+KUBE_VERSION ?= v1.33.4
 IMAGE        ?= pierone.stups.zalan.do/teapot/$(BINARY)
 SOURCES      = $(shell find . -name '*.go')
 TAG          ?= $(VERSION)
@@ -11,7 +11,7 @@ DOCKERFILE   ?= Dockerfile
 default: build
 
 deps:
-	CGO_ENABLED=0 go install github.com/onsi/ginkgo/v2/ginkgo@v2.15.0
+	CGO_ENABLED=0 go install github.com/onsi/ginkgo/v2/ginkgo@v2.21.0
 
 e2e.test: go.mod $(SOURCES)
 	go test -v -c -o e2e.test

diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
@@ -35,7 +35,6 @@ import (
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
 	"k8s.io/kubernetes/test/e2e/framework/statefulset"
 	admissionapi "k8s.io/pod-security-admission/api"
-	"k8s.io/utils/ptr"
 )
 
 const (
@@ -474,7 +473,7 @@ var _ = describe("Image Policy Tests (Job)", func() {
 			framework.ExpectNoError(err)
 		}()
 
-		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, ptr.To(batchv1.JobReasonCompletionsReached), 1)
+		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, batchv1.JobReasonCompletionsReached, 1)
 	})
 
 	It("Should not create Job using non-compliant image [Image-Policy] [Non-Compliant] [Zalando]", func() {
@@ -495,7 +494,7 @@ var _ = describe("Image Policy Tests (Job)", func() {
 			framework.ExpectNoError(err)
 		}()
 
-		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, ptr.To(batchv1.JobReasonCompletionsReached), 1)
+		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, batchv1.JobReasonCompletionsReached, 1)
 	})
 })
 
@@ -526,7 +525,7 @@ var _ = describe("Image Policy Tests (Job) (when disabled)", func() {
 			framework.ExpectNoError(err)
 		}()
 
-		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, ptr.To(batchv1.JobReasonCompletionsReached), 1)
+		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, batchv1.JobReasonCompletionsReached, 1)
 	})
 })
 
@@ -560,7 +559,7 @@ var _ = describe("ECR Registry Pull", func() {
 			framework.ExpectNoError(err)
 		}()
 
-		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, ptr.To(batchv1.JobReasonCompletionsReached), 1)
+		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, batchv1.JobReasonCompletionsReached, 1)
 	})
 
 	It("Should run a Job using a vanity image from the staging registry [ECR] [Zalando]", func() {
@@ -584,6 +583,6 @@ var _ = describe("ECR Registry Pull", func() {
 			framework.ExpectNoError(err)
 		}()
 
-		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, ptr.To(batchv1.JobReasonCompletionsReached), 1)
+		job.WaitForJobComplete(context.TODO(), cs, namespace, jobObj.Name, batchv1.JobReasonCompletionsReached, 1)
 	})
 })