force-pushed from 96310d6 to 0a64e10
// Mark primary ENI as excluded if primary subnet is excluded
if eni == primaryENI && c.isPrimarySubnetExcluded {
	log.Infof("Marking primary ENI %s as excluded from pod IP allocation", eni)
	err := c.dataStoreAccess.GetDataStore(eniMetadata.NetworkCard).SetENIExcludedForPodIPs(eni, true)
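Review bot: c.dataStoreAccess.GetDataStore(eniMetadata.NetworkCard) is chained straight into SetENIExcludedForPodIPs with no nil check on the returned datastore, so a network card that was never registered turns into a panic on the primary-ENI path instead of a logged error. Suggest assigning the datastore first and returning an error when it is nil, and checking that the primary ENI really sits on network card 0 before marking it excluded, since isPrimarySubnetExcluded is a single flag that says nothing about which card the ENI is on.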
Check if eniMetadata.NetworkCard is the same network card as 0.
force-pushed from f1898c7 to 7945b5a
name: "IPv6 enabled with subnet discovery and mixed IPv4/IPv6 subnets",
subnets: []ec2types.Subnet{
Need to check edge case in code if customer is on IPv4 cluster and the code picks up an IPv6 subnet because that's all they had tagged in the console and vice versa.
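The edge case raised in the comment above, a cluster in one IP family picking up a subnet that only carries the other family because that was the only subnet tagged, is easy to miss in the selection loop. The Go program below is an added example written for this review; it is not code from this PR or from amazon-vpc-cni-k8s. It assumes a constructed Subnet struct standing in for the fields of ec2types.Subnet that matter here, a constructed sample set, and a hypothetical selectSubnets function that applies the kubernetes.io/role/cni tag, the kubernetes.io/cluster/<name> tag mentioned in the description, and an IP-family check, recording a reason for every subnet it rejects so the decision is visible in logs.

```go
package main

import "fmt"

// Tag keys and values used by enhanced subnet discovery, as constants so the
// selection logic and any logging share one definition.
const (
	roleTagKey       = "kubernetes.io/role/cni"
	roleTagSelected  = "1" // subnet may be used for pod ENIs
	roleTagExcluded  = "0" // subnet must never be used for pod ENIs
	clusterTagPrefix = "kubernetes.io/cluster/"
)

// Subnet is a constructed stand-in for the fields of ec2types.Subnet that the
// selection needs (an assumption of this example, not the SDK type).
type Subnet struct {
	ID        string
	VPCID     string
	AZ        string
	IPv4CIDR  string   // empty for an IPv6-only subnet
	IPv6CIDRs []string // empty for an IPv4-only subnet
	Tags      map[string]string
}

// Selection keeps the usable subnets and, for every rejected one, the reason,
// so an operator can see from the logs why a tagged subnet was not used.
type Selection struct {
	Selected []Subnet
	Skipped  map[string]string // subnet ID -> reason
}

// selectSubnets returns the subnets in which a pod ENI may be created for a
// node in vpcID/az. A subnet must be explicitly selected by tag, must not be
// excluded, must carry the cluster tag when clusterName is given, and must
// have a CIDR of the cluster's IP family; that last check is what stops an
// IPv4 cluster from picking an IPv6-only subnet (and vice versa).
func selectSubnets(subnets []Subnet, vpcID, az, clusterName string, ipv6Cluster bool) Selection {
	sel := Selection{Skipped: map[string]string{}}
	for _, s := range subnets {
		switch {
		case s.VPCID != vpcID:
			sel.Skipped[s.ID] = "different VPC"
		case s.AZ != az:
			sel.Skipped[s.ID] = "different availability zone"
		case s.Tags[roleTagKey] == roleTagExcluded:
			sel.Skipped[s.ID] = "tagged " + roleTagKey + "=" + roleTagExcluded
		case s.Tags[roleTagKey] != roleTagSelected:
			sel.Skipped[s.ID] = "not tagged " + roleTagKey + "=" + roleTagSelected
		case clusterName != "" && !hasClusterTag(s, clusterName):
			sel.Skipped[s.ID] = "not tagged " + clusterTagPrefix + clusterName
		case ipv6Cluster && len(s.IPv6CIDRs) == 0:
			sel.Skipped[s.ID] = "IPv6 cluster but subnet has no IPv6 CIDR"
		case !ipv6Cluster && s.IPv4CIDR == "":
			sel.Skipped[s.ID] = "IPv4 cluster but subnet has no IPv4 CIDR"
		default:
			sel.Selected = append(sel.Selected, s)
		}
	}
	return sel
}

// hasClusterTag reports whether the subnet carries the per-cluster tag; only
// the key is checked here, the value convention is outside this example.
func hasClusterTag(s Subnet, clusterName string) bool {
	_, ok := s.Tags[clusterTagPrefix+clusterName]
	return ok
}

// sampleSubnets is constructed test data covering the cases discussed in the
// review: selected, excluded, untagged, other cluster, other AZ, and subnets
// carrying only one IP family.
func sampleSubnets() []Subnet {
	cluster := clusterTagPrefix + "my-example-cluster"
	tagged := map[string]string{roleTagKey: roleTagSelected, cluster: "owned"}
	return []Subnet{
		{ID: "subnet-v4", VPCID: "vpc-1", AZ: "us-east-1a", IPv4CIDR: "10.0.1.0/24", Tags: tagged},
		{ID: "subnet-v6only", VPCID: "vpc-1", AZ: "us-east-1a", IPv6CIDRs: []string{"2600:1f00:1::/64"}, Tags: tagged},
		{ID: "subnet-dual", VPCID: "vpc-1", AZ: "us-east-1a", IPv4CIDR: "10.0.2.0/24", IPv6CIDRs: []string{"2600:1f00:2::/64"}, Tags: tagged},
		{ID: "subnet-excluded", VPCID: "vpc-1", AZ: "us-east-1a", IPv4CIDR: "10.0.3.0/24",
			Tags: map[string]string{roleTagKey: roleTagExcluded, cluster: "owned"}},
		{ID: "subnet-untagged", VPCID: "vpc-1", AZ: "us-east-1a", IPv4CIDR: "10.0.4.0/24", Tags: map[string]string{}},
		{ID: "subnet-other-cluster", VPCID: "vpc-1", AZ: "us-east-1a", IPv4CIDR: "10.0.5.0/24",
			Tags: map[string]string{roleTagKey: roleTagSelected}},
		{ID: "subnet-other-az", VPCID: "vpc-1", AZ: "us-east-1b", IPv4CIDR: "10.0.6.0/24", Tags: tagged},
	}
}

func main() {
	for _, ipv6 := range []bool{false, true} {
		res := selectSubnets(sampleSubnets(), "vpc-1", "us-east-1a", "my-example-cluster", ipv6)
		fmt.Printf("ipv6=%v selected:", ipv6)
		for _, s := range res.Selected {
			fmt.Printf(" %s", s.ID)
		}
		fmt.Println()
		for id, why := range res.Skipped {
			fmt.Printf("  skipped %s: %s\n", id, why)
		}
	}
}
```

Running it in IPv4 mode selects subnet-v4 and subnet-dual and reports subnet-v6only as skipped for lacking an IPv4 CIDR; in IPv6 mode it selects subnet-v6only and subnet-dual and skips subnet-v4. Keeping the IP-family check separate from the tag checks, and recording the reason per subnet, is what makes the misconfiguration visible to the operator instead of silently producing no usable subnet.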
force-pushed from 903a226 to 0368ae0
// When subnet discovery is disabled, check if primary subnet is excluded
excluded, checkErr := cache.isPrimarySubnetExcluded()
if checkErr != nil {
	// If we can't determine exclusion status, log warning and proceed
	log.Warnf("Failed to check if primary subnet is excluded: %v. Proceeding with ENI creation attempt.", checkErr)
} else if excluded {
	// Primary subnet is explicitly excluded
	err = errors.New("primary subnet is tagged with kubernetes.io/role/cni=0 and subnet discovery is disabled - no valid subnets available for ENI creation")
	log.Error(err.Error())
	return "", err
}
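Review bot: the checkErr != nil branch fails open: when isPrimarySubnetExcluded cannot determine the status, the code logs a warning and still attempts ENI creation in a subnet the operator may have tagged kubernetes.io/role/cni=0, which is exactly the subnet that tag is meant to keep pod ENIs out of. Suggest returning checkErr from this function so the caller can retry instead of proceeding on unknown status, and counting the failure in a metric so a persistent describe failure is visible rather than buried in the log.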
This checks if Cx has a tagged subnet but has not enabled subnet discovery. Do we want to do this check?
if c.enableIPv6 {
	assignedIPs = primaryENIInfo.AssignedIPv6Addresses()
	ipType = "IPv6"
} else {
	assignedIPs = primaryENIInfo.AssignedIPv4Addresses()
	ipType = "IPv4"
}
See if we can use hasPods() function.
Currently hasPods() only checks for IPv4 assigned addresses, will need to update that func to support IPv6.
// Skip ENIs that are excluded from pod IP allocation
if eni.IsExcludedForPodIPs {
	ds.log.Debugf("Skip needs IP check for ENI %s as it is excluded from pod IP allocation", eni.ID)
	continue
}
This will skip the primary ENI in the GetAllocatableENIs function and prevent it from getting IPs assigned/allocated.
force-pushed from 0368ae0 to ea0763f
	assert.False(t, wasUsed, "Primary ENI should be excluded and auto-cleanup prefixes")
}

func TestPrimaryENIAutoCleanupFailureHandling(t *testing.T) {
Add case for IPv6 mode too
force-pushed from 587b9f3 to ea0763f
describeSGInput := &ec2.DescribeSecurityGroupsInput{
	Filters: []ec2types.Filter{
		{
			Name: aws.String("vpc-id"),
We need to support global SGs, which could be in other VPCs.

I don't believe we support VPC peering in CNI. I could not find any existing logic that I could leverage.
I think keeping it local VPC only might keep things simpler, and we could do VPC peering as a follow-up.
What do you think?

Global SGs are not VPC peering. EC2 supports using an SG from another VPC.
		},
		{
			Name: aws.String("tag:" + subnetDiscoveryTagKey),
			Values: []string{"1"},
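Review bot: the security-group lookup keys only on tag:kubernetes.io/role/cni=1 within the VPC, so any principal allowed to tag security groups in that VPC can get an arbitrary group attached to pod ENIs; tagging permission effectively becomes attach permission. Suggest also requiring the kubernetes.io/cluster/<cluster-name> tag that the description mentions, so a group tagged for a different cluster sharing the VPC is not picked up, and logging the IDs of the groups that matched so the choice is auditable. The literal "1" here and in the subnet filter should be one shared constant so the two selectors cannot drift apart.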
nit: let's make them consts, such as selected = 1.
force-pushed from 9036276 to a188827
force-pushed from f0bc83a to 1d749c9
force-pushed from 8baff5a to 34be861
This pull request is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

Pull request closed due to inactivity.
* pkg awsutils
* pkg ec2wrapper: add func to describe subnets
* pkg ipamd: handle primary ENI exclusion
* test: add integration test
* pkg: enable subnet discovery for IPv6 mode
* test integration eni-subnet-discovery: extend tests for IPv6 mode
* pkg: use shared context for awsutils and ipamd
* pkg awsutils: fix compilation error
* pkg ipamd: clean up ENI if not previously used
* pkg ipamd: gracefully exclude primary ENI if existing pods
* test integration: add integration test for primary ENI exclusion
* pkg ipamd: fix bug when calculating currentENIs when primary ENI is excluded
* pkg ipamd: implement secondary ENI exclusion logic
* pkg ipamd: add unit test for secondary ENI exclusion
* test integration: add integ test for secondary ENI exclusion testing
* test integration: add test for security group refresh
* rebase to latest mainline changes
* remove value check for tags
* reviewed
* updated based on comments
* add more unit tests
* primary ENI can't be easily ignored
---------
Co-authored-by: Shehbaj Dhillon <dshehbaj@amazon.com>
What type of PR is this?
feature
Which issue does this PR fix?:
#3067
#2904
What does this PR do / Why do we need it?:
This PR adds a requested customer feature to allow customers to
kubernetes.io/role/cni=1 or kubernetes.io/role/cni=0 respectively.
kubernetes.io/role/cni=1 tagged subnet if the alternate security group is also tagged kubernetes.io/role/cni=1.
kubernetes.io/cluster/<my-example-cluster> tag. See "Enhanced subnet discovery should use configurable tags" (#2904) for more.
Testing done on this change:
Will this PR introduce any new dependencies?:
Will this break upgrades or downgrades? Has updating a running cluster been tested?:
Does this change require updates to the CNI daemonset config files to work?:
ENABLE_SUBNET_DISCOVERY enabled, which is already done by default.
Does this PR introduce any user-facing change?:
Users were already tagging their subnets as the part of the original subnet discovery feature. This enhanced feature will also allow users to tag alternate security groups.
Make sure that IPv6 documentation and managed IPv4 policy are updated.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Integration tests passing in IPv4 cluster.
Currently adapting our test framework to work with IPv6 cluster. Will paste results here.