2026-05-21
Upgraded cluster add-ons, with Vertical Pod Autoscaler and Loki refreshed
#add-on #kubernetes #update #upgrade #component #eks #cve
The following updates have been rolled out to all non-production clusters, and will be deployed to production in the coming week. Alongside the regular add-on upgrades, this round refreshes two long-pinned components: the Vertical Pod Autoscaler now ships from the upstream Helm chart, and Loki now tracks the new grafana-community Helm repository where active maintenance lives.
Add-on upgrades
- alloy v1.16.1 (chart v1.8.1)
- amazon-eks-ami v20260512
  - Includes a SOCI-snapshotter fix that pre-imports the pause image during launch, working around a behavioural change in containerd 2.2.3 that affects lazy image pulls
- aws-ebs-csi-driver v1.59.0-eksbuild.1
  - The driver now calls `ec2:DescribeInstanceTypes` at runtime; AWS has already added this permission to the managed `AmazonEBSCSIDriverPolicyV2` we switched to in a previous maintenance cycle
- aws-efs-csi-driver v3.2.0 (chart v4.2.0)
- aws-load-balancer-controller v3.3.0
- aws-vpc-cni v1.21.1-eksbuild.8
- coredns v1.14.2-eksbuild.4
- csi-snapshot-controller v8.5.0-eksbuild.4
- eks-node-monitoring-agent v1.6.4-eksbuild.1
- external-dns v0.21.0 (chart v1.21.1)
- fluent-bit v5.0.5 (chart v0.57.5)
- flux v2.8.7
  - Bumps `go-git` to v5.19.0 to address CVE-2026-45022 in the source-controller and image-automation-controller, plus a kustomize-controller fix for `kustomize.toolkit.fluxcd.io/ssa: IfNotPresent` annotation handling
- grafana-loki v3.7.2 (chart v16.0.1)
- karpenter v1.12.1
- kube-prometheus-stack v85.1.3 — bundled subcomponent highlights:
  - Grafana v13.0.0 (subchart v12.x → v13.0.0) — major Grafana version with refreshed UI, new explore experience for traces, improved Loki query builder, and updated alerting workflows
  - prometheus-node-exporter now uses the upstream `-distroless` image variant by default: smaller attack surface, no shell in the container, but otherwise functionally identical
- prometheus-blackbox-exporter v0.28.0 (chart v11.10.0)
- secrets-store-csi-driver v1.6.0
  - Secret rotation is now driven by the standard Kubernetes `RequiresRepublish` mechanism instead of a dedicated rotation controller, reducing background reconciliation overhead
- secrets-store-csi-driver-provider-aws v3.1.0
- grafana-tempo v2.10.5 (chart v2.1.2)
- traefik v3.7.1 (chart v40.2.0)
  - Major chart version bump. Chart v40 also drops the bundled Gateway API v1.5.1 CRDs (unused in our environments)
- velero v1.18.0 (chart v12.0.1)
- vertical-pod-autoscaler v1.6.0 (chart v0.9.0)