v2.8.2

Release notes for Cluster API Provider AWS (CAPA) v2.8.2

Documentation

Changelog since v2.8.1

Changes by Kind

Support

• Bump github.com/golang-jwt/jwt to 4.5.2 and 5.5.2 (#5436, @damdo)

The images for this release are:
registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.8.2

Thanks to all our contributors.

v2.7.2

Release notes for Cluster API Provider AWS (CAPA) v2.7.2

Documentation

Changelog since v2.7.1

Changes by Kind

Support

• Bump github.com/golang-jwt/jwt to 4.5.2 and 5.5.2 (#5435, @damdo)

Uncategorized

• Add devbox and devcontainer configuration (#5317, @k8s-infra-cherrypick-robot)
• Fix OIDC unit test after test runner go version change. (#5353, @k8s-infra-cherrypick-robot)
• Fix self hosted e2e test caused by disk pressure. (#5293, @k8s-infra-cherrypick-robot)
• Fix: Include AddOn configuration and conflict resolution for reconciliation (#5202, @k8s-infra-cherrypick-robot)
• Update PR verifier to be inline with upstream CAPI. (#5302, @k8s-infra-cherrypick-robot)
• Updates to e2e tests to stop using v1.23 (#5310, @k8s-infra-cherrypick-robot)
• Upgrade to CAPI 1.8.6 (#5328, @k8s-infra-cherrypick-robot)

The images for this release are:

registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.7.2

Thanks to all our contributors.

v2.8.1

Release notes for Cluster API Provider AWS (CAPA) v2.8.1

Documentation

There is no v2.8.0 GitHub release due to issues during the release process.

Changelog since v2.7.1

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Action required
  Bump CAPI to v1.9.z
  !! ACTION REQUIRED BEFORE UPGRADING !!
  If you are using the AWSManagedControlPlane to provision EKS clusters and you do not have a spec.Version specified in such resource (meaning you are relying on the default that AWS provides), you will need to either:
  a) explicitly set such spec.Version field before upgrading CAPA
  or b) disable the MachineSetPreflightChecks in your cluster either:
  b1) by setting this core CAPI feature gate to false
  b2) or by disabling it via the relevant annotation on all the machineSets belonging to said cluster (follow this guide on how to do this: https://cluster-api.sigs.k8s.io/tasks/experimental-features/machineset-preflight-checks).
  This is necessary as core CAPI 1.9 introduces a feature gate change, setting MachineSetPreflightChecks=true, which in turn relies on the presence of spec.Version and status.Version on the AWSManagedControlPlane object.
  We are planning a future refactor of these API fields in v1beta3 (#3853).
  Other places where you can find details on this are:
  • #5225
  • kubernetes-sigs/cluster-api#11117
  • https://kubernetes.slack.com/archives/CD6U2V71N/p1739783013734149 (#5209, @damdo)
• Action required
  From this release onwards we recommend not creating clusters using the classic ELB (which is the default for the API). Classic ELB support is deprected and support will be removed in a future version.
  For new & existing clusters that use a classic elb AND do not specify the health check protocol then the protocol will be changed/set to TCP instead of SSL.
  If you want to use a classic elb with an SSL healthcheck then you will need to specify the cipher suites to use in the KubeadmControlPlane:

apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: "${CLUSTER_NAME}-control-plane"
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          cloud-provider: external

          # This is needed for Kubernetes v1.30+ since else it uses the Go defaults which don't
          # work with AWS classic load balancers, see
          # https://github.com/kubernetes-sigs/cluster-api-provider-aws/issues/5139. If you use
          # another load balancer type such as NLB, this is not needed.
          #
          # The list consists of the secure ciphers from Go 1.23.3, plus some less secure
          # RSA ciphers which the AWS classic load balancer instance health check supports.
          tls-cipher-suites: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

(#5346, @richardcase)

• If deploying clusters to an existing VPC (not managed by the AWS provider), the provider will no longer automatically create a security group rule allowing traffic from all addresses (0.0.0.0/0). You may need to update AWSCluster.spec.controlPlaneLoadBalancer.ingressRules with the source address of your Management Cluster. (#5198, @sl1pm4t)

Changes by Kind

Support

• Add devbox and devcontainer configuration (#5301, @faermanj)
• Update metadata file for v2.7.0 release. (#5187, @richardcase)
• Update metadata for release v2.8.x (#5397, @richardcase)

API Change

• Adds optional Conditions field to Status for AWSManagedCluster, ROSACluster. Sets Paused condition when reconciliation is paused (Contract change) (#5394, @theobarberbany)

Feature

• Add AWSMachines to back the EC2 instances in AWSMachinePools and AWSManagedMachinePools (#5319, @AndiDog)
• Add ROSA-HCP version channel group for Machine Pools (#5332, @PanSpagetka)
• Add VolumeSize parameter for RosaMachinePool. (#5270, @PanSpagetka)
• Add flag to support BootstrapSelfManagedAddons to provision Bare EKS cluster without default addons (coreDNS, kube-proxy, aws-vpc-cni) (#5222, @jas-nik)
• Add support for creating instances with elastic fabric adapter interface type. (#5275, @RadekManak)
• Avoid reconciling AWSMachinePools when only the status field has changed (#5333, @fiunchinho)
• Introduce the --disable-controllers argument to the controller manager binary. (#5395, @nrb)
• Log AWS account being used when the e2e tests run. (#5250, @richardcase)
• Support running EC2 instances from a reserved capacity block (new API field marketType). i.e, marketType: capacity-block (#5211, @athiruma)
• Templates: start explicitly using NLB (Network Load Balancer) + HTTPS checks for the Control Plane Load Balancer (#5345, @damdo)
• Wait for AWSCluster dependent object to be deleted (#5365, @alexander-demicev)

Documentation

• Fix typo on table of feature gates (#5273, @Rudro-25)
• Release notes include reminder to update Prow jobs. (#5204, @richardcase)
• Update links to new 2025 meeting notes doc (#5277, @richardcase)

Failing Test

• Fix the EFS & classic elb e2e tests. (#5418, @richardcase)
• Remove CoreDNS check from EKS e2e after a change by AWS to EKS. (#5239, @nrb)
• Updates to e2e tests to stop using v1.23 (#5297, @richardcase)
• Upgrade to CAPI 1.8.6 (#5249, @nrb)

Bug or Regression

• 1. fixed adding a secondary load balancer to existing aws cluster (#5248, @alexeysofin)
• Filter out AWS internal tags when reconciling AWS infra (#5181, @fiunchinho)
• Fix OIDC unit test after test runner go version change. (#5352, @richardcase)
• Fix ROSA doc formatting (#5324, @mzazrivec)
• Fix cluster deletion when using BYO AWS infra mode and Secondary CIDR (#5291, @adriananeci)
• Fix delay in reconciliation caused by patching wrong object with new paused condition. (#5425, @richardcase)
• Fix nil pointer dereference in reconcileNodegroupVersion by adding a check for nodegroup version. (#5019, @nueavv)
• Fix self hosted e2e test caused by disk pressure. (#5288, @richardcase)
• Fix subnet sorting with multiple vpcs when launching an instance (#5114, @cnmcavoy)
• Fix: Include AddOn configuration and conflict resolution for reconciliation (#5199, @gutmensch)
• Fixed RosaMachinePool typo. (#5244, @tinaafitz)
• Remove placeholder CA bundles from webhook configuration to support Kubernetes 1.31. (#5197, @robinkb)
• Tags defined in subnet spec should be applied (#5175, @fiunchinho)
• Use different names for controllers watching AWSCluster objects (#5313, @AndiDog)

Other (Cleanup or Flake)

• Update PR verifier to be inline with upstream CAPI. (#5300, @richardcase)

Uncategorized

• Add ROSA-HCP version channel group (#5279, @serngawy)
• Feat: enable support for service account authentication in ROSA installations (#5233, @mzazrivec)
• Fixed a few typos. (#5238, @tinaafitz)
• Set Paused condition on reconciled resources status upon pausing reconciliation (CAPI provider contract change) (#5383, @theobarberbany)
• Update ROSA upgrade documentation (#5235, @serngawy)

The images for this release are:
docker pull registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.8.1

Thanks to all our contributors.

v2.7.1

Release notes for Cluster API Provider AWS (CAPA) v2.7.1

Documentation

Changelog since v2.6.1

NOTE: there is no v2.7.0 release available due to an issue encountered during the release process.

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• A new community owned AWS account is now being used for publishing AMIs. The old account owner by a company is no longer accessible and the images are being automatically deleted by AWS. Support for ubuntu 18.04 & 20.04 has been dropped and ubuntu 24.04 is now the default OS if no OS is supplied. (#5133, @richardcase)
• View the projects policy on publishing AMIs here.
• There is known issue creating clusters with Kubernetes v1.30 or greater when the load balancer is an ELB (which is the default). Its recommended for new clusters that you use an NLB instead, See #5139 for further details.

Changes by Kind

Support

• Add issue templates for reviewer and maintainer changes (#5079, @richardcase)
• Bump CAPI to v1.8.4 (#5061, @damdo)
• Switch PodDisruptionBudget in templates to policy/v1 (#5102, @AndiDog)
• Templates: align cluster-template.yaml and cluster-template-machinepool.yaml, use external cloud controller and CSI (#5136, @AndiDog)
• Update metadata file for v2.7.0 release. (#5187, @richardcase)

Feature

• Add NonRootVolumes to AWSMachinePool launch template. (#4954, @mnitchev)
• Add ROSA Control plane registry configuration. (#5132, @serngawy)
• Change prevenet deletion label to be specific to CAPA. (#5072, @richardcase)
• Feat: add support for additionalControlPlaneIngressRules in AWSManagedControlPlane (#4783, @fad3t)
• New AMI building workflow that allows a packer vars file to be passed in. (#5152, @richardcase)
• New AWSCluster.spec.network.NodePortIngressRuleCidrBlocks parameter which allows to specify IPv4 CIDR blocks for Security group rule "Node Port Services" instead of default 0.0.0.0/. (#5147, @krasoffski)
• New workflow to publish CAPA AMIs (#5138, @richardcase)
• Support adding custom secondary VPC CIDR blocks in AWSCluster (#4898, @AndiDog)
• Support setting maxHealthyPercentage to configure ASG instance refresh (#5140, @fiunchinho)

Bug or Regression

• A missing permission needed for using nlbs (#5154, @richardcase)
• Check for the LB "active" status instead of trying to resolve the DNS name to validate the LB is ready. (#5093, @r4f4)
• Fix duplicated/leaked EIP when using BYO IPv4 on Machines. (#5039, @mtulio)
• Fix kustomize issue with e2e tests. (#5167, @richardcase)
• Fix: do not attach security groups for Network Load Balancers in secret regions. (#5030, @r4f4)
• Mark S3BucketCreated condition ready after successful reconciliation (#5089, @AndiDog)
• Updates EKS e2e tests after recent bumping of EKS versions. (#5185, @richardcase)

Uncategorized

• Add versionGate Acknowledgement for upgrading ROSA-HCP y-stream versions (#5166, @serngawy)
• Fix: Fargate: Standardize cluster name in role names to avoid errors on mismatch between Cluster CR and EKS cluster name (#5111, @alam0rt)
• Update Flatcar template to use external CCM. (#5099, @ader1990)

The images for this release are:

registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.7.1

Thanks to all our contributors.

v2.6.1

Release notes for Cluster API Provider AWS (CAPA) v2.6.1

Documentation

Changelog since v2.5.2

| NOTE: there is no v2.6.0 release publicly available due to issue encountered during release.

Changes by Kind

Feature

• Add natgatewayips as source for ingress rules (#5005, @alexander-demicev)
• Add separate eks kubeconfig secret keys for the cluster-autoscaler to support refreshing the token automatically, see eks kubeconfig for more info. (#4648, @cnmcavoy)
• EBS Volumes and ENIs are now tagged when created as part of EC2 Instance Creation. (#5057, @fahlmant)
• Flag to enable private subnet filter for EKS control plane (#5058, @jas-nik)
• New AWSCluster.spec.network.vpc.SubnetSchema parameter which allows to change preferred way of subnet division to public and private. (#4971, @krasoffski)
• Adding a new API field capacityReservationId to create capacity reserved instances (#5047, @athiruma)

Bug or Regression

• Continue reconciliation after filling an empty AWSMachinePool.status.launchTemplateVersion field (#5048, @AndiDog)
• Fix comparison of ingress rules during Security Group reconciliation to avoid unnecessary revokes and authorizes. (#5024, @r4f4)
• Fix managed subnet tagging with "owned" value for "kubernetes.io/cluster/" tag. (#5051, @r4f4)
• Fix registering instances to Load Balancers when instances are still pending. (#5040, @r4f4)
• Fixed released binary name template. (#5055, @nrb)
• Fixes target group and listeners creation for v2 Load Balancers. (#5017, @r4f4)
• Flag to remove the default Helm-managed AWS VPC CNI EKS Addon (#5009, @jas-nik)
• Change prevenet deletion label to be specific to CAPA. (#5072, @richardcase)

Other

• Move AndiDog to maintainer status. (#5060, @richardcase)
• Update the metadata file for v2.6.0 (#5071, @richardcase)

The images for this release are:
registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.6.1

Thanks to all our contributors.

v2.5.2

Release notes for Cluster API Provider AWS (CAPA) v2.5.2

Documentation

Changelog since v2.5.0

NOTE: there is no v2.5.1 release due to issues with the release process.

Changes by Kind

Uncategorized

• Add support for AL2023 AMI types (#4973, @k8s-infra-cherrypick-robot)
• Fix ROSAMachinePool changes detection logic (#5025, @k8s-infra-cherrypick-robot)
• Fix: check for nil matching subnet when publicIP: true (#5007, @k8s-infra-cherrypick-robot)
• Use generate name for CP loadbalancer listeners (#5006, @k8s-infra-cherrypick-robot)

The images for this release are: registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.5.2

Thanks to all our contributors.

v2.5.0

Release notes for Cluster API Provider AWS (CAPA) v2.5.0

Documentation

Changelog since v2.4.2

Changes by Kind

Support

• Bump CAPI to v1.7.0 (#4897, @damdo)
• Bump cert-manager to v1.14.4 (#4935, @damdo)

API Change

• Action required
  Support deploying network requirements, subnets and carrier gateway, in AWS Wavelength Zones. This introduces new required IAM permissions. If you have an existing stack you will need to update it with clusterawsadm bootstrap iam create-cloudformation-stack (#4901, @mtulio)
• Add support to provision subnets on AWS Local Zone infrastructure. (#4882, @mtulio)
• Exposing the health check attributes for the target group for the control plane load balancers, allowing customized health checks for API or additional listeners. (#4849, @mtulio)
• Fixed a bug where ingress rules specified in the secondary load balancer were not applied to the security group. (#4866, @r4f4)

Feature

• Add a new field to S3Bucket, BestEffortDeleteObjects, to allow ignoring AccessDenied errors when deleting S3 objects. (#4904, @r4f4)
• Add flags to manager for leaderElection timeouts (#4845, @nikParasyr)
• Add support to specify PlacementGroupPartition of placement group in instances. (#4883, @chiragkyal)
• ROSA: Support for External OIDC (#4915, @muraee)
• Use goreleaser for releasing binary (#4748, @kranurag7)

Bug or Regression

• Create aws.Config with a region to be able to work with different AWS partitions (#4860, @calvix)
• Fix a bug where the machine controller will keep trying to delete an already deleted s3 object. (#4879, @r4f4)
• Fix machines getting a public IP even when user-supplied subnets don't have MapPublicIpOnLaunch. (#4892, @r4f4)
• Fix the error handling by deleting the created route table on errors when creating routes. (#4899, @mtulio)
• Fixes in the health check probe configuration for API target group on ELBv2. The correct health check path now is set to /readyz when AWSLoadBalancerSpec.HealthCheckProtocol is HTTP or HTTPS. (#4846, @mtulio)
• Retry getting and deleting user data from SecretsManager in the bootstrap script in case of request failure. (#4896, @alexander-demicev)
• Revert a change where the Target Group's name would use the Load Balancer's name as prefix, possibly causing it to exceed the 32 characters limit (#4948, @r4f4)

Other (Cleanup or Flake)

• Bump aws-sdk-go to v1.51 (#4916, @stefanmcshane)

The images for this release are: registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.5.0

Thanks to all our contributors.

v2.4.2

Release notes for Cluster API Provider AWS (CAPA) v2.4.2

Documentation

Changelog since v2.4.1

Changes by Kind

Bug or Regression

• Fixes in the health check probe configuration for API target group on ELBv2. The correct health check path now is set to /readyz when AWSLoadBalancerSpec.HealthCheckProtocol is HTTP or HTTPS. (#4846, @mtulio)
• Fix a bug where the machine controller will keep trying to delete an already deleted s3 object. (#4907, @k8s-infra-cherrypick-robot)
• Fix instance PrivateDNSName when domain-name is set in dhcpOpts (#4921, @jparrill)
• Fix machines getting a public IP even when user-supplied subnets don't have MapPublicIpOnLaunch. (#4908, @k8s-infra-cherrypick-robot)
• Fix the error handling by deleting the created route table on errors when creating routes. (#4912, @k8s-infra-cherrypick-robot)
• Fixed a bug where ingress rules specified in the secondary load balancer were not applied to the security group. (#4913, @k8s-infra-cherrypick-robot)
• Retry getting and deleting user data from SecretsManager in the bootstrap script in case of request failure. (#4911, @k8s-infra-cherrypick-robot)

The images for this release are:
registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.4.2

Thanks to all our contributors.

v2.4.1

Release notes for Cluster API Provider AWS (CAPA) v2.4.1

Documentation

Changelog since v2.4.0

Changes by Kind

Support

• Add @damdo as a reviewer (#4842, @richardcase)

API Change

• Add additionalTags API field to ROSAMachinePool (#4869, @muraee)

Feature

• Add ProvisionShardID API field to ROSAControlPlane (#4872, @muraee)
• Add additionalSecurityGroups field to ROSAMachinePool (#4848, @muraee)
• Add new field 'auditLogRoleARN' to ROSAControlPlane (#4857, @muraee)
• Add new fields to ROSAControlPlane - additionalTags, etcdEncryption, endpointAccess (#4844, @muraee)
• Fix typo in awsmachinetemplate_webhook logs (#4789, @guettli)
• Ignition, from v3.1, now supports including Proxy or CA bundle data. (#4750, @vincepri)
• Reconcile ROSAMachinePool fields (#4804, @muraee)
• Reconcile ROSAMachinePool.spec.ProviderIDList (#4831, @muraee)

Bug or Regression

• Fix discovered subnets for additional Load Balancers ("SecondaryControlPlaneLoadBalancer") when it is internet-facing. (#4840, @mtulio)
• Fix upgrade of managed node groups using custom AMIs (#4830, @fad3t)
• Fix: bump rosa deps to fix int overflow on non-64bit arch (#4836, @damdo)
• Fixes in the health check probe configuration for API target group on ELBv2. The correct health check path now is set to /readyz when AWSLoadBalancerSpec.HealthCheckProtocol is HTTP or HTTPS. (#4846, @mtulio)
• Skip location constraint configuration when creating a bucket on us-east-1. (#4839, @mtulio)

The images for this release are: registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.4.1

Thanks to all our contributors.

v2.4.0

Release notes for Cluster API Provider AWS (CAPA) v2.4.0

Documentation

Changelog since v2.3.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• v1beta1 types are not going to be served any longer and will be removed in the next release (#4757, @vincepri)

Changes by Kind

Feature

• A new enum value, disabled, is added for the AWSCluster.spec.controlPlaneLoadBalancer.loadBalancerType field, which skips the reconciliation of the load balancer for the given cluster, useful for clusters which are consuming an externally managed Control Plane. (#4438, @prometherion)
• Add & Reconcile ROSAMachinePools.spec.version (#4764, @muraee)
• Add tests for the re-introduced managed subnet functionality in #4474 (#4637, @AndiDog)
• Added AWSMachine and AWSMachineTemplate fields to control vpc placement for individual instances (#4541, @cnmcavoy)
• Adds support for a secondary, internal API server load balancer within clusters. (#4733, @nrb)
• Allow to configure garbage collector using clusterawsadm (#4500, @Fedosin)
• Enable transit encryption on S3 buckets (#4676, @fiunchinho)
• Generate CAPI kubeconfig secret for ROSA clusters (#4742, @muraee)
• Ignition: add option to store User Data in plain text (#4700, @damdo)
• Introduce basic support for ROSAMachinePools (#4725, @muraee)
• Log full ARN in GC error messages (#4709, @AndiDog)
• Prevent users setting SpotMarketOptions and MixedInstancesPolicy at the same time (#4656, @fiunchinho)
• Reconcile ROSAControlPlane version to trigger upgrades (#4761, @muraee)
• Reconcile ROSAControlePlane status (#4759, @muraee)
• Remove ingress and egress rules from vpc default security group (#4707, @fiunchinho)
• Skip AWSCluster deletion reconciliation once CAPA finalizer is gone (#4730, @AndiDog)
• Support setting HostnameType options for subnets and machines (#4664, @MaxFedotov)
• Trigger machine pool instance refresh (node rollout) if bootstrap config reference changes (#4619, @AndiDog)
• Use go 1.21.5 (#4710, @fiunchinho)
• Bump CAPI to v1.6.x (#4739, @damdo)

Bug or Regression

• Don't error when ASG is not present while deciding whether or not to refresh ASG instances. (#4660, @fiunchinho)
• Fix logging verbosity for machine pool reconciliation (#4620, @AndiDog)
• Fix: bump rosa deps to fix int overflow on non-64bit arch (#4836, @damdo)
• Make VPC creation idempotent to avoid indefinite creation of new VPCs if storage of the ID fails (#4723, @AndiDog)
• Resolved issue where deleted control planes were still registered in the kube-apiserver load balancer, causing potential disruptions. (#4701, @tobiasgiese)
• Skip instance refresh attempt if ASG does not yet exist (#4662, @fiunchinho)
• Treat the annotation cluster.x-k8s.io/replicas-managed-by on MachinePool CR as described in CAPI documentation and do not set desired replicas on ASG when the annotation is present. (#4654, @calvix)
• Update AWSMachine providerID and instanceID earlier to minimize scenarios where tag-based searching is needed (#4670, @mjlshen)
• Various changes to the releases process. (#4813, @richardcase)
• When using Ignition, the S3 bucket was previously created in us-east-1 regardless of where the cluster was located, new S3 buckets will be created within the same region as the cluster. (#4732, @vincepri)

Failing Test

• Add CI script to test docker builds for the controller and clusterawsadm with all architectures. (#4834, @richardcase)

Support

• Disable dependency report short term. (#4825, @richardcase)
• Move @AndiDog to reviewer status (#4687, @richardcase)
• Update metadata for v2.4.x release series. (#4833, @richardcase)

Other (Cleanup or Flake)

• Dependabot configuration update to group updates, (#4688, @richardcase)
• Fix some logging and error cases (#4724, @AndiDog)
• If you're using S3 buckets for bootstrap data, the following permissions are required on the controller to automatically detect whether an object is still needing to be deleted: s3:GetObject. The following permissions are optional: s3:ListBucket. (#4667, @thefirstofthe300)

Uncategorized

• Updated the default clusterctl template to use external cloud-controller-manager (#4678, @nrb)
• Use seedling emoji for dependabot pull requests (#4652, @kranurag7)
• Wrap the underlying error when the AWSMachinePool reconciler fails to get the infra provider cluster or control plane object (#4685, @harveyxia)

The images for this release are: registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.4.0

Thanks to all our contributors.