pkg ipamd: gracefully exclude primary ENI if existing pods

Author: dshehbaj

pkg/ipamd/datastore/data_store.go

@@ -1258,6 +1258,14 @@ func (ds *DataStore) UnassignPodIPAddress(ipamKey IPAMKey) (e *ENI, ip string, d
 		ipamKey, addr.Address, eni.DeviceNumber)
 	// Decrement ENI IP usage when a pod is deallocated
 	prometheusmetrics.EniIPsInUse.WithLabelValues(eni.ID).Dec()
+
+	// Check if ENI is excluded and CIDR is now empty - cleanup if needed
+	if eni.IsExcludedForPodIPs && availableCidr.AssignedIPAddressesInCidr() == 0 {
+		ds.log.Infof("CIDR %s on excluded ENI %s is now empty, scheduling for cleanup", availableCidr.Cidr.String(), eni.ID)
+		// Schedule async cleanup of the empty CIDR
+		go ds.deallocateEmptyCIDR(eni.ID, availableCidr)
+	}
+
 	return eni, addr.Address, eni.DeviceNumber, originalIPAMMetadata.InterfacesCount, nil
 }
 
@@ -1733,3 +1741,66 @@ func (ds *DataStoreAccess) ReadAllDataStores(enableIPv6 bool) error {
 	}
 	return nil
 }
+
+// deallocateEmptyCIDR asynchronously deallocates an empty CIDR from an excluded ENI
+func (ds *DataStore) deallocateEmptyCIDR(eniID string, cidrToCleanup *CidrInfo) {
+	cidrStr := cidrToCleanup.Cidr.String()
+	ds.log.Infof("Starting async cleanup for empty CIDR %s on excluded ENI %s", cidrStr, eniID)
+
+	// Add delay to avoid race conditions with pod cleanup
+	time.Sleep(5 * time.Second)
+
+	ds.lock.Lock()
+	defer ds.lock.Unlock()
+
+	// Double-check that the CIDR is still empty and ENI is still excluded
+	eni := ds.eniPool[eniID]
+	if eni == nil {
+		ds.log.Warnf("ENI %s not found during CIDR cleanup", eniID)
+		return
+	}
+
+	if !eni.IsExcludedForPodIPs {
+		ds.log.Infof("ENI %s is no longer excluded, skipping CIDR cleanup", eniID)
+		return
+	}
+
+	// Find the CIDR in the appropriate map using AddressFamily
+	var targetCidr *CidrInfo
+	var isIPv4 bool = cidrToCleanup.AddressFamily == "4"
+
+	if isIPv4 {
+		targetCidr = eni.AvailableIPv4Cidrs[cidrStr]
+	} else {
+		targetCidr = eni.IPv6Cidrs[cidrStr]
+	}
+
+	if targetCidr == nil {
+		ds.log.Warnf("CIDR %s not found on ENI %s during cleanup", cidrStr, eniID)
+		return
+	}
+
+	// Check if CIDR is still empty
+	if targetCidr.AssignedIPAddressesInCidr() > 0 {
+		ds.log.Infof("CIDR %s on ENI %s is no longer empty, skipping cleanup", cidrStr, eniID)
+		return
+	}
+
+	// Remove the empty CIDR from the ENI structure
+	ds.log.Infof("Removing empty CIDR %s from excluded ENI %s in datastore", cidrStr, eniID)
+
+	// Remove the CIDR from the appropriate ENI map
+	if isIPv4 {
+		delete(eni.AvailableIPv4Cidrs, cidrStr)
+	} else {
+		delete(eni.IPv6Cidrs, cidrStr)
+	}
+
+	// Update backing store
+	if err := ds.writeBackingStoreUnsafe(); err != nil {
+		ds.log.Warnf("Failed to write backing store after removing empty CIDR: %v", err)
+		// Note: We continue since the CIDR removal from local state was successful
+	}
+
+	ds.log.Infof("Successfully removed empty CIDR %s from excluded ENI %s", cidrStr, eniID)
+}

pkg/ipamd/datastore/data_store_test.go

@@ -1968,3 +1968,160 @@ func TestFreeablePrefixesBothIPv4AndIPv6(t *testing.T) {
 	freeablePrefixes = ds.FreeablePrefixes("eni-nonexistent")
 	assert.Nil(t, freeablePrefixes, "Should return nil for non-existent ENI")
 }
+
+func TestDeallocateEmptyCIDR(t *testing.T) {
+	ds := NewDataStore(Testlog, NullCheckpoint{}, false, defaultNetworkCard)
+
+	// Setup test ENI
+	eniID := "eni-test-dealloc"
+	err := ds.AddENI(eniID, 1, false, false, false)
+	assert.NoError(t, err)
+
+	// Mark ENI as excluded for pod IPs
+	err = ds.SetENIExcludedForPodIPs(eniID, true)
+	assert.NoError(t, err)
+
+	t.Run("IPv4 CIDR cleanup on excluded ENI", func(t *testing.T) {
+		// Add IPv4 CIDR to ENI
+		ipv4Cidr := net.IPNet{IP: net.ParseIP("192.168.1.0"), Mask: net.CIDRMask(24, 32)}
+		err = ds.AddIPv4CidrToStore(eniID, ipv4Cidr, false)
+		assert.NoError(t, err)
+
+		// Verify CIDR exists
+		eni := ds.eniPool[eniID]
+		cidrStr := ipv4Cidr.String()
+		cidrInfo, exists := eni.AvailableIPv4Cidrs[cidrStr]
+		assert.True(t, exists, "IPv4 CIDR should exist before cleanup")
+
+		// Call deallocateEmptyCIDR
+		ds.deallocateEmptyCIDR(eniID, cidrInfo)
+
+		// Verify CIDR is removed
+		_, exists = eni.AvailableIPv4Cidrs[cidrStr]
+		assert.False(t, exists, "IPv4 CIDR should be removed after cleanup")
+	})
+
+	t.Run("IPv6 CIDR cleanup on excluded ENI", func(t *testing.T) {
+		// Add IPv6 CIDR to ENI
+		ipv6Cidr := net.IPNet{IP: net.ParseIP("2001:db8:1::"), Mask: net.CIDRMask(64, 128)}
+		err = ds.AddIPv6CidrToStore(eniID, ipv6Cidr, false)
+		assert.NoError(t, err)
+
+		// Verify CIDR exists
+		eni := ds.eniPool[eniID]
+		cidrStr := ipv6Cidr.String()
+		cidrInfo, exists := eni.IPv6Cidrs[cidrStr]
+		assert.True(t, exists, "IPv6 CIDR should exist before cleanup")
+
+		// Call deallocateEmptyCIDR
+		ds.deallocateEmptyCIDR(eniID, cidrInfo)
+
+		// Verify CIDR is removed
+		_, exists = eni.IPv6Cidrs[cidrStr]
+		assert.False(t, exists, "IPv6 CIDR should be removed after cleanup")
+	})
+
+	t.Run("Skip cleanup when ENI is not excluded", func(t *testing.T) {
+		// Create new non-excluded ENI
+		nonExcludedENI := "eni-not-excluded"
+		err := ds.AddENI(nonExcludedENI, 1, false, false, false)
+		assert.NoError(t, err)
+
+		// Don't mark as excluded (default is false)
+
+		// Add IPv4 CIDR
+		ipv4Cidr := net.IPNet{IP: net.ParseIP("192.168.2.0"), Mask: net.CIDRMask(24, 32)}
+		err = ds.AddIPv4CidrToStore(nonExcludedENI, ipv4Cidr, false)
+		assert.NoError(t, err)
+
+		// Get CIDR info
+		eni := ds.eniPool[nonExcludedENI]
+		cidrStr := ipv4Cidr.String()
+		cidrInfo, exists := eni.AvailableIPv4Cidrs[cidrStr]
+		assert.True(t, exists, "IPv4 CIDR should exist")
+
+		// Call deallocateEmptyCIDR - should not remove CIDR since ENI is not excluded
+		ds.deallocateEmptyCIDR(nonExcludedENI, cidrInfo)
+
+		// Verify CIDR still exists
+		_, exists = eni.AvailableIPv4Cidrs[cidrStr]
+		assert.True(t, exists, "IPv4 CIDR should remain since ENI is not excluded")
+	})
+
+	t.Run("Skip cleanup when CIDR has assigned IPs", func(t *testing.T) {
+		// Create fresh datastore for isolated test
+		dsIsolated := NewDataStore(Testlog, NullCheckpoint{}, false, defaultNetworkCard)
+
+		// Create new excluded ENI
+		excludedENI := "eni-excluded-with-ips"
+		err := dsIsolated.AddENI(excludedENI, 1, false, false, false)
+		assert.NoError(t, err)
+
+		err = dsIsolated.SetENIExcludedForPodIPs(excludedENI, true)
+		assert.NoError(t, err)
+
+		// Add IPv4 CIDR
+		ipv4Cidr := net.IPNet{IP: net.ParseIP("192.168.10.0"), Mask: net.CIDRMask(24, 32)}
+		err = dsIsolated.AddIPv4CidrToStore(excludedENI, ipv4Cidr, false)
+		assert.NoError(t, err)
+
+		// Manually assign an IP to the CIDR to simulate non-empty state
+		eni := dsIsolated.eniPool[excludedENI]
+		cidrStr := ipv4Cidr.String()
+		cidrInfo, exists := eni.AvailableIPv4Cidrs[cidrStr]
+		assert.True(t, exists, "IPv4 CIDR should exist")
+
+		// Manually mark an IP as assigned in the CIDR
+		testIP := net.ParseIP("192.168.10.1")
+		cidrInfo.IPAddresses[testIP.String()] = &AddressInfo{
+			Address:      testIP.String(),
+			IPAMKey:      IPAMKey{NetworkName: "test", ContainerID: "test-container", IfName: "eth0"},
+			IPAMMetadata: IPAMMetadata{K8SPodNamespace: "default", K8SPodName: "test-pod"},
+			AssignedTime: time.Now(),
+		}
+
+		// Verify CIDR has assigned IPs
+		assert.Greater(t, cidrInfo.AssignedIPAddressesInCidr(), 0, "CIDR should have assigned IPs")
+
+		// Call deallocateEmptyCIDR - should not remove CIDR since it has assigned IPs
+		dsIsolated.deallocateEmptyCIDR(excludedENI, cidrInfo)
+
+		// Verify CIDR still exists
+		_, exists = eni.AvailableIPv4Cidrs[cidrStr]
+		assert.True(t, exists, "IPv4 CIDR should remain since it has assigned IPs")
+	})
+
+	t.Run("Handle non-existent ENI gracefully", func(t *testing.T) {
+		// Create dummy CIDR info
+		dummyCidr := &CidrInfo{
+			Cidr:          net.IPNet{IP: net.ParseIP("192.168.4.0"), Mask: net.CIDRMask(24, 32)},
+			AddressFamily: "4",
+		}
+
+		// Should not panic when ENI doesn't exist
+		ds.deallocateEmptyCIDR("eni-nonexistent", dummyCidr)
+	})
+
+	t.Run("Handle non-existent CIDR gracefully", func(t *testing.T) {
+		// Create ENI
+		testENI := "eni-cidr-test"
+		err := ds.AddENI(testENI, 1, false, false, false)
+		assert.NoError(t, err)
+
+		err = ds.SetENIExcludedForPodIPs(testENI, true)
+		assert.NoError(t, err)
+
+		// Create CIDR info that doesn't exist in the ENI
+		nonExistentCidr := &CidrInfo{
+			Cidr:          net.IPNet{IP: net.ParseIP("192.168.5.0"), Mask: net.CIDRMask(24, 32)},
+			AddressFamily: "4",
+		}
+
+		// Should handle gracefully when CIDR doesn't exist
+		ds.deallocateEmptyCIDR(testENI, nonExistentCidr)
+
+		// Verify ENI still exists and is unaffected
+		_, exists := ds.eniPool[testENI]
+		assert.True(t, exists, "ENI should still exist")
+	})
+}

pkg/ipamd/ipamd.go

@@ -601,23 +601,16 @@ func (c *IPAMContext) nodeInit() error {
 		return err
 	}
 
-	// Check if primary ENI was previously used and re-include if needed
+	// Handle primary ENI exclusion - always respect exclusion tags
 	if c.isPrimarySubnetExcluded {
+		primaryENI := c.awsClient.GetPrimaryENI()
 		if c.primaryENIWasPreviouslyUsed() {
-			primaryENI := c.awsClient.GetPrimaryENI()
-			log.Infof("Primary subnet is tagged for exclusion but primary ENI %s has existing pod IPs, re-including for backward compatibility", primaryENI)
-			err := c.dataStoreAccess.GetDataStore(DefaultNetworkCardIndex).SetENIExcludedForPodIPs(primaryENI, false)
-			if err != nil {
-				log.Warnf("Failed to re-include primary ENI: %v", err)
-			} else {
-				c.isPrimarySubnetExcluded = false
-			}
+			log.Infof("Primary ENI %s is excluded from pod IP allocation but has existing pod IPs, will cleanup resources as pods terminate", primaryENI)
 		} else {
-			// Primary ENI is excluded and has no assigned pods - cleanup unassigned resources
-			primaryENI := c.awsClient.GetPrimaryENI()
 			log.Infof("Primary ENI %s is excluded from pod IP allocation, cleaning up unassigned resources", primaryENI)
-			c.cleanupExcludedPrimaryENI(ctx, primaryENI)
 		}
+		// Always cleanup free resources on excluded primary ENI
+		c.cleanupExcludedPrimaryENI(ctx, primaryENI)
 	}
 
 	if c.enableIPv4 {

pkg/ipamd/ipamd_test.go

@@ -2889,16 +2889,21 @@ func TestNodeInitPrimarySubnetExclusionWithExistingPodIPs(t *testing.T) {
 	}
 	m.k8sClient.Create(ctx, &fakeNode)
 
+	// Expect cleanup calls for excluded primary ENI (with existing pod IPs)
+	// The cleanup function will try to unassign any unassigned IPs/prefixes
+	m.awsutils.EXPECT().DeallocIPAddresses(gomock.Any(), primaryENIid, gomock.Any()).Return(nil).AnyTimes()
+	m.awsutils.EXPECT().DeallocPrefixAddresses(gomock.Any(), primaryENIid, gomock.Any()).Return(nil).AnyTimes()
+
 	// Add IPs
 	m.awsutils.EXPECT().AllocIPAddresses(gomock.Any(), gomock.Any(), gomock.Any())
 	os.Setenv("MY_NODE_NAME", myNodeName)
 	err := mockContext.nodeInit()
 	assert.NoError(t, err)
 
-	// Verify that primary ENI was re-included due to existing pod IPs
-	assert.False(t, mockContext.isPrimarySubnetExcluded, "Primary subnet should be re-included due to existing pod IPs")
+	// Verify that primary ENI exclusion is now always respected
+	assert.True(t, mockContext.isPrimarySubnetExcluded, "Primary subnet should remain excluded even with existing pod IPs")
 	isExcluded := mockContext.dataStoreAccess.GetDataStore(defaultNetworkCard).IsENIExcludedForPodIPs(primaryENIid)
-	assert.False(t, isExcluded, "Primary ENI should not be excluded from pod IP allocation due to existing pod IPs")
+	assert.True(t, isExcluded, "Primary ENI should remain excluded from pod IP allocation despite existing pod IPs")
 }
 
 func TestNodeInitPrimarySubnetExclusionWithoutExistingPodIPs(t *testing.T) {