aws · jaydeokar · Nov 17, 2025 · Oct 6, 2025 · Oct 7, 2025 · Oct 8, 2025
@@ -16,7 +16,7 @@ jobs:
         with:
           show-progress: false
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # refs/tags/v4.3.3
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # refs/tags/v4.8.1
   govulncheck:
     runs-on: ubuntu-latest
     steps:

@@ -21,7 +21,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
           go-version-file: '.go-version'
 

@@ -22,9 +22,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -21,9 +21,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod
@@ -43,8 +43,8 @@ jobs:
           ROLE_ARN: ${{ secrets.EKS_CLUSTER_ROLE_ARN }}
           RUN_CNI_INTEGRATION_TESTS: false
           RUN_KOPS_TEST: true
-          K8S_VERSION: 1.33.0-beta.0
-          KOPS_VERSION: v1.33.0-beta.1
+          K8S_VERSION: 1.34.0-beta.0
+          KOPS_VERSION: v1.34.0-beta.1
           KOPS_RUN_TOO_NEW_VERSION: 1
         run: |
           ./scripts/run-integration-tests.sh

@@ -21,9 +21,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -15,9 +15,10 @@ jobs:
       - name: Checkout latest commit in the PR
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # refs/tags/v5.0.0
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
+          check-latest: true
       - name: Set up tools
         run: |
           go install golang.org/x/lint/golint@latest
@@ -51,9 +52,10 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
+          check-latest: true
       - name: Build CNI images
         run: make multi-arch-cni-build
   docker-build-init:
@@ -67,8 +69,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
+          check-latest: true
       - name: Build CNI Init images
         run: make multi-arch-cni-init-build
@@ -27,9 +27,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -20,9 +20,9 @@ jobs:
         with:
           ref: "refs/tags/${{ github.event.release.tag_name }}"
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Generate CNI YAML
         run: make generate-cni-yaml
       - name: Create eks-charts PR

@@ -16,9 +16,9 @@ jobs:
       - name: Checkout latest commit in the PR
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # refs/tags/v5.0.0
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -21,9 +21,9 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # refs/tags/v3.11.1
       - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # refs/tags/v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
-          go-version: "1.24"
+          go-version: "1.25"
       - name: Set up tools
         run: |
           # Install ginkgo version from go.mod

@@ -1 +1 @@
-1.24
+1.25
@@ -796,7 +796,6 @@ Downgrade considerations
 This plugin interacts with the following tags on ENIs:
 
 * `cluster.k8s.amazonaws.com/name`
-* `kubernetes.io/role/cni`
 * `node.k8s.amazonaws.com/instance_id`
 * `node.k8s.amazonaws.com/no_manage`
 
@@ -805,17 +804,6 @@ This plugin interacts with the following tags on ENIs:
 The tag `cluster.k8s.amazonaws.com/name` will be set to the cluster name of the
 aws-node daemonset which created the ENI.
 
-#### CNI role tag
-
-The tag `kubernetes.io/role/cni` is read by the aws-node daemonset to determine
-if a secondary subnet can be used for creating secondary ENIs.
-
-This tag is not set by the cni plugin itself, but rather must be set by a user
-to indicate that a subnet can be used for secondary ENIs. Secondary subnets
-to be used must have this tag. The primary subnet (node's subnet) is not
-required to be tagged.
-
-
 #### Instance ID tag
 
 The tag `node.k8s.amazonaws.com/instance_id` will be set to the instance ID of
@@ -836,6 +824,21 @@ value for the Kubelet's `--max-pods` configuration option. Consider also
 updating the `MAX_ENI` and `--max-pods` configuration options on this plugin
 and the kubelet respectively if you are making use of this tag.
 
+## Subnet tags related to Allocation
+
+This plugin additionally interacts with the `kubernetes.io/role/cni` tag on subnets when `ENABLE_SUBNET_DISCOVERY` is set to `true`.
+
+#### CNI role tag
+
+The tag `kubernetes.io/role/cni` is read by the aws-node daemonset to determine
+if a secondary subnet can be used for creating secondary ENIs.
+
+This tag is not set by the cni plugin itself, but rather must be set by a user
+to indicate that a subnet can be used for secondary ENIs. Secondary subnets
+to be used must have this tag. The primary subnet (node's subnet) is not
+required to be tagged.
+
+
 ## Container Runtime
 
 For VPC CNI >=v1.12.0, IPAMD have switched to use an on-disk file `/var/run/aws-node/ipam.json` to track IP allocations, thus became container runtime agnostic and no longer requires access to Container Runtime Interface(CRI) socket.

@@ -71,7 +71,7 @@ The following table lists the configurable parameters for this chart and their d
 | `originalMatchLabels`   | Use the original daemonset matchLabels                  | `false`                             |
 | `nameOverride`          | Override the name of the chart                          | `aws-node`                          |
 | `nodeAgent.enabled`     | If the Node Agent container should be created           | `true`                              |
-| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.2.6`                            |
+| `nodeAgent.image.tag`   | Image tag for Node Agent                                | `v1.2.7`                            |
 | `nodeAgent.image.domain`| ECR repository domain                                   | `amazonaws.com`                     |
 | `nodeAgent.image.region`| ECR repository region to use. Should match your cluster | `us-west-2`                         |
 | `nodeAgent.image.endpoint`   | ECR repository endpoint to use.                    | `ecr`                               |

@@ -29,7 +29,7 @@ init:
 nodeAgent:
   enabled: true
   image:
-    tag: v1.2.6
+    tag: v1.2.7
     domain: amazonaws.com
     region: us-west-2
     endpoint: ecr

@@ -17,14 +17,14 @@ package main
 import (
 	"os"
 
+	"github.com/aws/amazon-vpc-cni-k8s/pkg/netlinkwrapper"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/procsyswrapper"
 	"github.com/aws/amazon-vpc-cni-k8s/utils"
 	"github.com/aws/amazon-vpc-cni-k8s/utils/cp"
 	"github.com/aws/amazon-vpc-cni-k8s/utils/imds"
 
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
-	"github.com/vishvananda/netlink"
 )
 
 const (
@@ -49,7 +49,8 @@ func getNodePrimaryIF() (string, error) {
 	}
 	log.Infof("Found primaryMAC %s", primaryMAC)
 
-	links, err := netlink.LinkList()
+	nl := netlinkwrapper.NewNetLink()
+	links, err := nl.LinkList()
 	if err != nil {
 		return primaryIF, errors.Wrap(err, "Failed to list links")
 	}

@@ -564,7 +564,7 @@ func (n *linuxNetwork) teardownIPBasedContainerRouteRules(containerAddr *net.IPN
 	log.Debugf("Successfully deleted toContainer rule, containerAddr=%s, rtTable=%v", containerAddr.String(), "main")
 
 	if rtTable != unix.RT_TABLE_MAIN {
-		fromContainerRule := netlink.NewRule()
+		fromContainerRule := n.netLink.NewRule()
 		fromContainerRule.Src = containerAddr
 		fromContainerRule.Priority = networkutils.FromPodRulePriority
 		fromContainerRule.Table = rtTable

@@ -543,7 +543,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.6
+          image: 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-network-policy-agent:v1.2.7
           imagePullPolicy: Always
           ports:
             - containerPort: 8162

@@ -543,7 +543,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.6
+          image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.7
           imagePullPolicy: Always
           ports:
             - containerPort: 8162

@@ -543,7 +543,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.6
+          image: 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-network-policy-agent:v1.2.7
           imagePullPolicy: Always
           ports:
             - containerPort: 8162

@@ -543,7 +543,7 @@ spec:
           - mountPath: /run/xtables.lock
             name: xtables-lock
         - name: aws-eks-nodeagent
-          image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.2.6
+          image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-network-policy-agent:v1.2.7
           imagePullPolicy: Always
           ports:
             - containerPort: 8162

@@ -1,20 +1,20 @@
 module github.com/aws/amazon-vpc-cni-k8s
 
-go 1.24.6
+go 1.25.3
 
 require (
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/aws/amazon-vpc-cni-k8s/test/agent v0.0.0-20231212223725-21c4bd73015b
 	github.com/aws/amazon-vpc-resource-controller-k8s v1.7.14
-	github.com/aws/aws-sdk-go-v2 v1.39.1
-	github.com/aws/aws-sdk-go-v2/config v1.31.10
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.8
-	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.59.2
-	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.66.3
-	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.51.0
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.254.0
-	github.com/aws/aws-sdk-go-v2/service/eks v1.74.1
-	github.com/aws/aws-sdk-go-v2/service/iam v1.47.6
+	github.com/aws/aws-sdk-go-v2 v1.39.2
+	github.com/aws/aws-sdk-go-v2/config v1.31.12
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9
+	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.59.3
+	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.66.4
+	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.51.1
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.254.1
+	github.com/aws/aws-sdk-go-v2/service/eks v1.74.2
+	github.com/aws/aws-sdk-go-v2/service/iam v1.47.7
 	github.com/aws/smithy-go v1.23.0
 	github.com/containernetworking/cni v1.2.3
 	github.com/containernetworking/plugins v1.5.1
@@ -61,15 +61,15 @@ require (
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.14 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.29.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect