primary ENI can't be easily ignored

Author: haouc

pkg/awsutils/awsutils.go

@@ -237,7 +237,7 @@ type APIs interface {
 	GetVpcSubnets(ctx context.Context) ([]ec2types.Subnet, error)
 
 	// IsSubnetExcluded returns if a subnet is excluded for pod IPs based on its tags
-	IsSubnetExcluded(ctx context.Context, subnetID string, isPrimarySubnet bool) (bool, error)
+	IsSubnetExcluded(ctx context.Context, subnetID string) (bool, error)
 }
 
 // EC2InstanceMetadataCache caches instance metadata
@@ -1206,7 +1206,7 @@ func (cache *EC2InstanceMetadataCache) createENI(ctx context.Context, sg []*stri
 				log.Info("Defaulting to same subnet as the primary interface for the new ENI")
 
 				// Even in fallback, check if primary subnet is excluded
-				excluded, checkErr := cache.IsSubnetExcluded(ctx, cache.subnetID, true)
+				excluded, checkErr := cache.IsSubnetExcluded(ctx, cache.subnetID)
 				if checkErr != nil {
 					return "", fmt.Errorf("Failed to check if primary subnet is excluded: %w. Quit ENI creation attempt.", checkErr)
 				} else if excluded {
@@ -1260,7 +1260,7 @@ func (cache *EC2InstanceMetadataCache) createENI(ctx context.Context, sg []*stri
 		} else {
 			log.Info("Using same security group config as the primary interface for the new ENI")
 			// When subnet discovery is disabled, check if primary subnet is excluded
-			excluded, checkErr := cache.IsSubnetExcluded(ctx, cache.subnetID, true)
+			excluded, checkErr := cache.IsSubnetExcluded(ctx, cache.subnetID)
 			if checkErr != nil {
 				// If we can't determine exclusion status, log warning and proceed
 				log.Warnf("Failed to check if primary subnet is excluded: %v. Proceeding with ENI creation attempt.", checkErr)
@@ -1339,7 +1339,7 @@ func isSubnetValidForENICreation(subnet ec2types.Subnet, isPrimarySubnet bool) b
 	}
 
 	// Rule 3: Check cluster-specific tags
-	if ValidSubnetForCluster(subnet, isPrimarySubnet) {
+	if ValidSubnetTagsMatchingClusterName(subnet) {
 		return true
 	}
 
@@ -1349,13 +1349,8 @@ func isSubnetValidForENICreation(subnet ec2types.Subnet, isPrimarySubnet bool) b
 }
 
 // ValidSubnetForCluster checks if a subnet is valid for use by this cluster
-// For primary subnets, they are always valid for any cluster
 // For secondary subnets, they must either have no cluster tags or have a matching cluster tag
-func ValidSubnetForCluster(subnet ec2types.Subnet, isPrimarySubnet bool) bool {
-	if isPrimarySubnet {
-		// Primary subnets are always valid for any cluster
-		return true
-	}
+func ValidSubnetTagsMatchingClusterName(subnet ec2types.Subnet) bool {
 	// Get cluster name for cluster-specific tag checks
 	localClusterName := os.Getenv(clusterNameEnvVar)
 	localClusterTagKey := clusterTagKeyPrefix + localClusterName
@@ -2627,7 +2622,7 @@ func checkAPIErrorAndBroadcastEvent(err error, api string) {
 }
 
 // IsSubnetExcluded checks if a subnet is excluded by examining its kubernetes.io/role/cni tag
-func (cache *EC2InstanceMetadataCache) IsSubnetExcluded(ctx context.Context, subnetID string, isPrimarySubnet bool) (bool, error) {
+func (cache *EC2InstanceMetadataCache) IsSubnetExcluded(ctx context.Context, subnetID string) (bool, error) {
 	// Get all VPC subnets with their tags
 	subnets, err := cache.GetVpcSubnets(ctx)
 	if err != nil {
@@ -2637,8 +2632,8 @@ func (cache *EC2InstanceMetadataCache) IsSubnetExcluded(ctx context.Context, sub
 	// Find the specific subnet and check its tags
 	for _, subnet := range subnets {
 		if *subnet.SubnetId == subnetID {
-			if !ValidSubnetForCluster(subnet, isPrimarySubnet) {
-				log.Debugf("IsSubnetExcluded: subnet %s doesn't have valid cluster tag", subnetID)
+			if !ValidSubnetTagsMatchingClusterName(subnet) {
+				log.Debugf("IsSubnetExcluded: subnet %s doesn't have valid cluster name tag", subnetID)
 				return true, nil
 			}
 			// Check if the subnet has the exclusion tag kubernetes.io/role/cni=0

pkg/awsutils/awsutils_test.go

@@ -2645,12 +2645,11 @@ func TestIsSubnetExcluded(t *testing.T) {
 	os.Setenv(clusterNameEnvVar, "test-cluster")
 
 	tests := []struct {
-		name            string
-		subnetTags      []ec2types.Tag
-		isPrimarySubnet bool
-		describeError   error
-		want            bool
-		wantErr         bool
+		name          string
+		subnetTags    []ec2types.Tag
+		describeError error
+		want          bool
+		wantErr       bool
 	}{
 		{
 			name: "subnet with tag value 0 - excluded",
@@ -2660,9 +2659,8 @@ func TestIsSubnetExcluded(t *testing.T) {
 					Value: aws.String("0"),
 				},
 			},
-			isPrimarySubnet: false,
-			want:            true,
-			wantErr:         false,
+			want:    true,
+			wantErr: false,
 		},
 		{
 			name: "subnet with tag value 1 - not excluded",
@@ -2672,9 +2670,8 @@ func TestIsSubnetExcluded(t *testing.T) {
 					Value: aws.String("1"),
 				},
 			},
-			isPrimarySubnet: false,
-			want:            false,
-			wantErr:         false,
+			want:    false,
+			wantErr: false,
 		},
 		{
 			name: "subnet without tag - not excluded",
@@ -2684,12 +2681,11 @@ func TestIsSubnetExcluded(t *testing.T) {
 					Value: aws.String("value"),
 				},
 			},
-			isPrimarySubnet: false,
-			want:            false,
-			wantErr:         false,
+			want:    false,
+			wantErr: false,
 		},
 		{
-			name: "secondary subnet with different cluster tag - excluded by cluster validation",
+			name: "subnet with different cluster tag - excluded by cluster validation",
 			subnetTags: []ec2types.Tag{
 				{
 					Key:   aws.String("kubernetes.io/role/cni"),
@@ -2700,12 +2696,11 @@ func TestIsSubnetExcluded(t *testing.T) {
 					Value: aws.String("shared"),
 				},
 			},
-			isPrimarySubnet: false,
-			want:            true,
-			wantErr:         false,
+			want:    true,
+			wantErr: false,
 		},
 		{
-			name: "secondary subnet with matching cluster tag - not excluded",
+			name: "subnet with matching cluster tag - not excluded",
 			subnetTags: []ec2types.Tag{
 				{
 					Key:   aws.String("kubernetes.io/role/cni"),
@@ -2716,46 +2711,26 @@ func TestIsSubnetExcluded(t *testing.T) {
 					Value: aws.String("shared"),
 				},
 			},
-			isPrimarySubnet: false,
-			want:            false,
-			wantErr:         false,
+			want:    false,
+			wantErr: false,
 		},
 		{
-			name: "primary subnet always valid regardless of cluster tag",
-			subnetTags: []ec2types.Tag{
-				{
-					Key:   aws.String("kubernetes.io/role/cni"),
-					Value: aws.String("1"),
-				},
-				{
-					Key:   aws.String("kubernetes.io/cluster/other-cluster"),
-					Value: aws.String("shared"),
-				},
-			},
-			isPrimarySubnet: true,
-			want:            false,
-			wantErr:         false,
-		},
-		{
-			name:            "GetVpcSubnets API error",
-			describeError:   errors.New("API error"),
-			isPrimarySubnet: false,
-			want:            false,
-			wantErr:         true,
+			name:          "GetVpcSubnets API error",
+			describeError: errors.New("API error"),
+			want:          false,
+			wantErr:       true,
 		},
 		{
-			name:            "no subnets returned",
-			subnetTags:      []ec2types.Tag{},
-			isPrimarySubnet: false,
-			want:            false,
-			wantErr:         false,
+			name:       "no subnets returned",
+			subnetTags: []ec2types.Tag{},
+			want:       false,
+			wantErr:    false,
 		},
 		{
-			name:            "subnet not found in VPC - should error",
-			subnetTags:      []ec2types.Tag{},
-			isPrimarySubnet: false,
-			want:            false,
-			wantErr:         true,
+			name:       "subnet not found in VPC - should error",
+			subnetTags: []ec2types.Tag{},
+			want:       false,
+			wantErr:    true,
 		},
 	}
 
@@ -2790,7 +2765,7 @@ func TestIsSubnetExcluded(t *testing.T) {
 				mockEC2.EXPECT().DescribeSubnets(gomock.Any(), gomock.Any()).Return(subnetResult, nil)
 			}
 
-			got, err := cache.IsSubnetExcluded(context.Background(), subnetID, tt.isPrimarySubnet)
+			got, err := cache.IsSubnetExcluded(context.Background(), subnetID)
 			if tt.wantErr {
 				assert.Error(t, err)
 			} else {
@@ -3877,7 +3852,7 @@ func TestDataStoreENISubnetID(t *testing.T) {
 
 func TestIsPrimaryENI(t *testing.T) {
 	cache := &EC2InstanceMetadataCache{primaryENI: "eni-primary"}
-	
+
 	assert.True(t, cache.IsPrimaryENI("eni-primary"))
 	assert.False(t, cache.IsPrimaryENI("eni-secondary"))
 	assert.False(t, cache.IsPrimaryENI(""))
@@ -3887,7 +3862,7 @@ func TestIsEfaOnlyENI(t *testing.T) {
 	cache := &EC2InstanceMetadataCache{
 		efaOnlyENIsByNetworkCard: []string{"", "eni-efa"},
 	}
-	
+
 	assert.True(t, cache.IsEfaOnlyENI(1, "eni-efa"))
 	assert.False(t, cache.IsEfaOnlyENI(0, "eni-efa"))
 	assert.False(t, cache.IsEfaOnlyENI(1, "eni-other"))
@@ -3896,7 +3871,7 @@ func TestIsEfaOnlyENI(t *testing.T) {
 func TestIsUnmanagedENI(t *testing.T) {
 	cache := &EC2InstanceMetadataCache{unmanagedENIs: StringSet{}}
 	cache.unmanagedENIs.Set([]string{"eni-unmanaged"})
-	
+
 	assert.True(t, cache.IsUnmanagedENI("eni-unmanaged"))
 	assert.False(t, cache.IsUnmanagedENI("eni-managed"))
 	assert.False(t, cache.IsUnmanagedENI(""))

pkg/awsutils/mocks/awsutils_mocks.go

@@ -2335,4 +2335,3 @@ func TestDataStore_FindFreeableCidrs(t *testing.T) {
 	cidrs := ds.FindFreeableCidrs(eniID)
 	assert.Len(t, cidrs, 1)
 }
-

pkg/ipamd/datastore/data_store_test.go

@@ -396,7 +396,6 @@ func (c *IPAMContext) inInsufficientCidrCoolingPeriod() bool {
 // then initializes IP address pool data store
 func New(ctx context.Context, k8sClient client.Client, withApiServer bool) (*IPAMContext, error) {
 	prometheusRegister()
-	ctx := context.Background()
 	c := &IPAMContext{}
 	c.k8sClient = k8sClient
 	c.networkClient = networkutils.New()
@@ -2871,7 +2870,7 @@ func (c *IPAMContext) SetAPIServerConnectivity(connected bool) {
 func (c *IPAMContext) excludedENIBasedOnSubnetTags(ctx context.Context, eni string, eniMetadata awsutils.ENIMetadata) (bool, error) {
 	primaryENI := c.awsClient.GetPrimaryENI()
 	// Check if this ENI (primary or secondary) is in an excluded subnet and mark it for exclusion
-	excluded, err := c.awsClient.IsSubnetExcluded(ctx, eniMetadata.SubnetID, eni == primaryENI)
+	excluded, err := c.awsClient.IsSubnetExcluded(ctx, eniMetadata.SubnetID)
 	if err != nil {
 		log.Warnf("setupENI: failed to check subnet exclusion for ENI %s (subnet %s): %v", eni, eniMetadata.SubnetID, err)
 		return false, err