AWS Security ChangesHomeSearch

AWS eks documentation change

Service: eks · 2026-01-25 · Documentation low

File: eks/latest/userguide/vpc-add-on-update.md

Summary

Fixed ARN placeholder in CLI example and added troubleshooting section about required node replacement when upgrading VPC CNI from versions older than v1.13.2

Security assessment

Added operational guidance for version compatibility but doesn't document security features or address vulnerabilities. No evidence of security implications in the change.

Diff

diff --git a/eks/latest/userguide/vpc-add-on-update.md b/eks/latest/userguide/vpc-add-on-update.md
index 087f02580..23ecdfbfc 100644
--- a//eks/latest/userguide/vpc-add-on-update.md
+++ b//eks/latest/userguide/vpc-add-on-update.md
@@ -4,0 +5,2 @@
+Troubleshooting
+
@@ -40 +42 @@ Compare the version with the table of latest versions at [Amazon VPC CNI version
-            --service-account-role-arn <shared id="region.arn"/>iam::111122223333:role/AmazonEKSVPCCNIRole \
+            --service-account-role-arn arn:aws:iam::111122223333:role/AmazonEKSVPCCNIRole \
@@ -62 +64 @@ An example output is as follows.
-            "addonArn": "<shared id="region.arn"/>eks:region:111122223333:addon/my-cluster/vpc-cni/74c33d2f-b4dc-8718-56e7-9fdfa65d14a9",
+            "addonArn": "arn:aws:eks:region:111122223333:addon/my-cluster/vpc-cni/74c33d2f-b4dc-8718-56e7-9fdfa65d14a9",
@@ -65 +67 @@ An example output is as follows.
-            "serviceAccountRoleArn": "<shared id="region.arn"/>iam::111122223333:role/AmazonEKSVPCCNIRole",
+            "serviceAccountRoleArn": "arn:aws:iam::111122223333:role/AmazonEKSVPCCNIRole",
@@ -73,0 +76,8 @@ An example output is as follows.
+## Troubleshooting
+
+When upgrading the VPC CNI from a version older than v1.13.2, you must replace all nodes in the cluster after the update. Versions prior to v1.13.2 use the iptables-legacy backend to insert iptables rules necessary for proper functionality, such as source NAT (SNAT).
+
+Version v1.13.2 was a significant release that [introduced iptables-wrapper](https://github.com/aws/amazon-vpc-cni-k8s/pull/2402), which automatically detects the appropriate iptables backend (iptables-legacy or iptables-nft) for inserting chains and rules. This change aligned with the upstream Kubernetes decision to move away from the legacy backend due to performance limitations.
+
+Replacing nodes following an upgrade from a version older than v1.13.2 of the VPC CNI is required because introducing rules into both the iptables-legacy and iptables-nft backends can lead to unexpected behavior for traffic originating from non-primary ENIs.
+