Prevent Calico from setting the NetworkUnavailable condition on nodes when overlay networking gets disabled (#1703)

* add mutatingadmissionpolicies for NetworkUnavailable condition for calico when overlay is disabled

* address review feedback

Author: DockToFuture

charts/internal/shoot-system-components/charts/calico-mutating-admission-policy/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Mutating admission policy to control NetworkUnavailable condition set by Calico CNI plugin.
+name: calico-mutating-admission-policy
+version: 0.1.0

charts/internal/shoot-system-components/charts/calico-mutating-admission-policy/templates/mutating-admission-policy.yaml

@@ -0,0 +1,63 @@
+{{- if .Values.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+  name: block-calico-network-unavailable-binding
+spec:
+  policyName: block-calico-network-unavailable
+---
+# MutatingAdmissionPolicy to block Calico from setting the NetworkUnavailable condition on nodes.
+# This policy intercepts node/status updates from the calico-node service account and removes
+# any changes to the NetworkUnavailable condition, effectively preserving the existing condition.
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+  name: block-calico-network-unavailable
+spec:
+  failurePolicy: Fail
+  reinvocationPolicy: IfNeeded
+  matchConstraints:
+    resourceRules:
+    - apiGroups: [""]
+      apiVersions: ["v1"]
+      operations: ["UPDATE"]
+      resources: ["nodes/status"]
+  matchConditions:
+  # Only apply to requests from the calico-node service account
+  - name: is-calico-node
+    expression: >-
+      request.userInfo.username == "system:serviceaccount:kube-system:calico-node"
+  # Only apply if calico is trying to set/modify NetworkUnavailable condition
+  - name: has-network-unavailable-in-request
+    expression: >-
+      object.status.conditions.exists(c, c.type == 'NetworkUnavailable')
+  variables:
+  # Extract the current NetworkUnavailable condition from the old object (may be empty for new nodes)
+  - name: oldNetworkUnavailableCondition
+    expression: >-
+      has(oldObject.status) && has(oldObject.status.conditions) ? 
+      oldObject.status.conditions.filter(c, c.type == 'NetworkUnavailable') : []
+  # Remove NetworkUnavailable from the new conditions and preserve all other conditions
+  - name: conditionsWithoutNetworkUnavailable
+    expression: >-
+      object.status.conditions.filter(c, c.type != 'NetworkUnavailable')
+  # Reconstruct the final conditions: all non-NetworkUnavailable conditions + old NetworkUnavailable (if it existed)
+  - name: finalConditions
+    expression: >-
+      variables.oldNetworkUnavailableCondition.size() > 0 ?
+      variables.conditionsWithoutNetworkUnavailable + variables.oldNetworkUnavailableCondition :
+      variables.conditionsWithoutNetworkUnavailable
+  mutations:
+  # Replace the entire conditions array with the reconstructed version
+  - patchType: JSONPatch
+    jsonPatch:
+      expression: |
+        [
+          JSONPatch{
+            op: "replace",
+            path: "/status/conditions",
+            value: variables.finalConditions
+          }
+        ]
+{{- end }}

charts/internal/shoot-system-components/charts/calico-mutating-admission-policy/values.yaml

@@ -0,0 +1 @@
+enabled: false

pkg/controller/controlplane/actuator.go

@@ -0,0 +1,195 @@
+// SPDX-FileCopyrightText: SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package controlplane
+
+import (
+	"context"
+	"fmt"
+
+	extensionsconfigv1alpha1 "github.com/gardener/gardener/extensions/pkg/apis/config/v1alpha1"
+	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
+	"github.com/gardener/gardener/extensions/pkg/controller/controlplane"
+	"github.com/gardener/gardener/extensions/pkg/util"
+	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/util/retry"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+
+	networking "github.com/gardener/gardener-extension-provider-aws/pkg/utils/networking"
+)
+
+const (
+	// NetworkUnavailableConditionType is the type of the NetworkUnavailable condition.
+	NetworkUnavailableConditionType = "NetworkUnavailable"
+	// CalicoIsUpReason is the reason set by Calico when it sets the NetworkUnavailable condition to indicate Calico is up.
+	CalicoIsUpReason = "CalicoIsUp"
+	// CalicoIsDownReason is the reason set by Calico when it sets the NetworkUnavailable condition to indicate Calico is down.
+	CalicoIsDownReason = "CalicoIsDown"
+	// AnnotationCalicoCleanupCompleted indicates that Calico condition cleanup has been completed.
+	AnnotationCalicoCleanupCompleted = "aws.provider.extensions.gardener.cloud/calico-cleanup-completed"
+)
+
+// NewActuator creates a new Actuator that wraps the generic actuator and adds cleanup logic.
+func NewActuator(mgr manager.Manager, a controlplane.Actuator) controlplane.Actuator {
+	return &actuator{
+		Actuator: a,
+		client:   mgr.GetClient(),
+	}
+}
+
+// actuator is an Actuator that acts upon and updates the status of ControlPlane resources.
+type actuator struct {
+	controlplane.Actuator
+	client client.Client
+}
+
+func (a *actuator) Reconcile(
+	ctx context.Context,
+	log logr.Logger,
+	cp *extensionsv1alpha1.ControlPlane,
+	cluster *extensionscontroller.Cluster,
+) (bool, error) {
+	// Call Reconcile on the composed Actuator
+	ok, err := a.Actuator.Reconcile(ctx, log, cp, cluster)
+	if err != nil {
+		return ok, err
+	}
+
+	// Only clean up NetworkUnavailable conditions if overlay is disabled
+	overlayEnabled, err := networking.IsOverlayEnabled(cluster.Shoot.Spec.Networking)
+	if err != nil {
+		log.Error(err, "Failed to determine if overlay is enabled")
+		return ok, err
+	}
+
+	// Clean up NetworkUnavailable conditions set by Calico only when overlay is disabled
+	// Only run cleanup if it hasn't been completed yet (annotation not present)
+	if !overlayEnabled && cp.Annotations[AnnotationCalicoCleanupCompleted] != "true" {
+		if err := a.cleanupCalicoNetworkUnavailableConditions(ctx, log, cp.Namespace, cluster); err != nil {
+			log.Error(err, "Failed to cleanup Calico NetworkUnavailable conditions")
+			return ok, err
+		} else {
+			// Mark cleanup as completed
+			if err := a.markCleanupCompleted(ctx, cp); err != nil {
+				log.Error(err, "Failed to mark cleanup as completed")
+				return ok, err
+			}
+		}
+	}
+
+	// Remove cleanup annotation when overlay is enabled so cleanup can run again if overlay is disabled later
+	if overlayEnabled && cp.Annotations[AnnotationCalicoCleanupCompleted] == "true" {
+		if err := a.removeCleanupAnnotation(ctx, cp); err != nil {
+			log.Error(err, "Failed to remove cleanup annotation")
+			return ok, err
+		}
+	}
+
+	return ok, nil
+}
+
+// cleanupCalicoNetworkUnavailableConditions removes NetworkUnavailable conditions from nodes
+// that were set by Calico for example "CalicoIsUp" or "CalicoIsDown".
+func (a *actuator) cleanupCalicoNetworkUnavailableConditions(
+	ctx context.Context,
+	log logr.Logger,
+	namespace string,
+	cluster *extensionscontroller.Cluster,
+) error {
+	if extensionscontroller.IsHibernated(cluster) {
+		return nil
+	}
+
+	_, shootClient, err := util.NewClientForShoot(ctx, a.client, namespace, client.Options{}, extensionsconfigv1alpha1.RESTOptions{})
+	if err != nil {
+		return fmt.Errorf("could not create shoot client: %w", err)
+	}
+
+	nodes := &corev1.NodeList{}
+	if err := shootClient.List(ctx, nodes); err != nil {
+		return fmt.Errorf("could not list nodes in shoot cluster: %w", err)
+	}
+
+	for _, node := range nodes.Items {
+		if err := a.cleanupNodeNetworkUnavailableCondition(ctx, log, shootClient, &node); err != nil {
+			log.Error(err, "Failed to cleanup NetworkUnavailable condition from node", "node", node.Name)
+			return err
+		}
+	}
+
+	return nil
+}
+
+// cleanupNodeNetworkUnavailableCondition removes the NetworkUnavailable condition from a node
+// if it was set by Calico.
+func (a *actuator) cleanupNodeNetworkUnavailableCondition(
+	ctx context.Context,
+	log logr.Logger,
+	shootClient client.Client,
+	node *corev1.Node,
+) error {
+	// Check if the node has a NetworkUnavailable condition set by Calico
+	hasCondition := false
+	for _, condition := range node.Status.Conditions {
+		if condition.Type == NetworkUnavailableConditionType &&
+			(condition.Reason == CalicoIsUpReason || condition.Reason == CalicoIsDownReason) {
+			hasCondition = true
+			break
+		}
+	}
+
+	if !hasCondition {
+		return nil
+	}
+
+	// Remove the NetworkUnavailable condition
+	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
+		// Get the latest version of the node
+		currentNode := &corev1.Node{}
+		if err := shootClient.Get(ctx, client.ObjectKey{Name: node.Name}, currentNode); err != nil {
+			return err
+		}
+
+		// Filter out the NetworkUnavailable condition set by Calico
+		var newConditions []corev1.NodeCondition
+		removed := false
+		for _, condition := range currentNode.Status.Conditions {
+			if condition.Type == NetworkUnavailableConditionType &&
+				(condition.Reason == CalicoIsUpReason || condition.Reason == CalicoIsDownReason) {
+				removed = true
+				log.Info("Removing NetworkUnavailable condition set by Calico", "node", currentNode.Name, "reason", condition.Reason)
+				continue
+			}
+			newConditions = append(newConditions, condition)
+		}
+
+		// Only update if we actually removed a condition
+		if !removed {
+			return nil
+		}
+
+		currentNode.Status.Conditions = newConditions
+		return shootClient.Status().Update(ctx, currentNode)
+	})
+}
+
+// markCleanupCompleted marks the cleanup as completed by adding an annotation to the ControlPlane resource.
+func (a *actuator) markCleanupCompleted(ctx context.Context, cp *extensionsv1alpha1.ControlPlane) error {
+	patch := client.MergeFrom(cp.DeepCopy())
+	if cp.Annotations == nil {
+		cp.Annotations = make(map[string]string)
+	}
+	cp.Annotations[AnnotationCalicoCleanupCompleted] = "true"
+	return a.client.Patch(ctx, cp, patch)
+}
+
+// removeCleanupAnnotation removes the cleanup completion annotation from the ControlPlane resource.
+func (a *actuator) removeCleanupAnnotation(ctx context.Context, cp *extensionsv1alpha1.ControlPlane) error {
+	patch := client.MergeFrom(cp.DeepCopy())
+	delete(cp.Annotations, AnnotationCalicoCleanupCompleted)
+	return a.client.Patch(ctx, cp, patch)
+}

pkg/controller/controlplane/add.go

@@ -42,7 +42,7 @@ type AddOptions struct {
 // AddToManagerWithOptions adds a controller with the given Options to the given manager.
 // The opts.Reconciler is being set with a newly instantiated actuator.
 func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddOptions) error {
-	actuator, err := genericactuator.NewActuator(mgr, aws.Name,
+	genericActuator, err := genericactuator.NewActuator(mgr, aws.Name,
 		secretConfigsFunc, shootAccessSecretsFunc,
 		configChart, controlPlaneChart, controlPlaneShootChart, controlPlaneShootCRDsChart, storageClassChart,
 		NewValuesProvider(mgr), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot),
@@ -51,8 +51,11 @@ func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddO
 		return err
 	}
 
+	// Wrap the generic actuator with our custom actuator for cleanup logic
+	wrappedActuator := NewActuator(mgr, genericActuator)
+
 	return controlplane.Add(mgr, controlplane.AddArgs{
-		Actuator:          actuator,
+		Actuator:          wrappedActuator,
 		ControllerOptions: opts.Controller,
 		Predicates:        controlplane.DefaultPredicates(ctx, mgr, opts.IgnoreOperationAnnotation),
 		Type:              aws.Type,

pkg/controller/controlplane/valuesprovider.go

@@ -28,6 +28,7 @@ import (
 	versionutils "github.com/gardener/gardener/pkg/utils/version"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	policyv1 "k8s.io/api/policy/v1"
@@ -46,6 +47,7 @@ import (
 	"github.com/gardener/gardener-extension-provider-aws/pkg/apis/aws/helper"
 	"github.com/gardener/gardener-extension-provider-aws/pkg/aws"
 	"github.com/gardener/gardener-extension-provider-aws/pkg/utils"
+	networking "github.com/gardener/gardener-extension-provider-aws/pkg/utils/networking"
 )
 
 const (
@@ -300,6 +302,13 @@ var (
 					{Type: &rbacv1.RoleBinding{}, Name: "efs-csi-provisioner-binding"},
 				},
 			},
+			{
+				Name: "calico-mutating-admission-policy",
+				Objects: []*chart.Object{
+					{Type: &admissionregistrationv1alpha1.MutatingAdmissionPolicy{}, Name: "calico-mutating-admission-policy"},
+					{Type: &admissionregistrationv1alpha1.MutatingAdmissionPolicyBinding{}, Name: "block-calico-network-unavailable-binding"},
+				},
+			},
 		},
 	}
 
@@ -881,13 +890,22 @@ func getControlPlaneShootChartValues(
 		return nil, err
 	}
 
+	overlayEnabled, err := networking.IsOverlayEnabled(cluster.Shoot.Spec.Networking)
+	if err != nil {
+		return nil, fmt.Errorf("could not determine if overlay is enabled: %w", err)
+	}
+
+	// Only enable MutatingAdmissionPolicy if overlay is disabled AND all other conditions are met
+	mutatingAdmissionPolicyEnabled := !overlayEnabled && isUsingCalico(cluster) && isMutatingAdmissionPolicyEnabled(cluster)
+
 	return map[string]interface{}{
-		aws.CloudControllerManagerName:    map[string]interface{}{"enabled": true},
-		aws.AWSCustomRouteControllerName:  map[string]interface{}{"enabled": customRouteControllerEnabled},
-		aws.AWSIPAMControllerImageName:    map[string]interface{}{"enabled": ipamControllerEnabled},
-		aws.AWSLoadBalancerControllerName: albValues,
-		aws.CSINodeName:                   csiDriverNodeValues,
-		aws.CSIEfsNodeName:                getControlPlaneShootChartCSIEfsValues(infraConfig, infraStatus),
+		aws.CloudControllerManagerName:     map[string]interface{}{"enabled": true},
+		aws.AWSCustomRouteControllerName:   map[string]interface{}{"enabled": customRouteControllerEnabled},
+		aws.AWSIPAMControllerImageName:     map[string]interface{}{"enabled": ipamControllerEnabled},
+		aws.AWSLoadBalancerControllerName:  albValues,
+		aws.CSINodeName:                    csiDriverNodeValues,
+		aws.CSIEfsNodeName:                 getControlPlaneShootChartCSIEfsValues(infraConfig, infraStatus),
+		"calico-mutating-admission-policy": map[string]interface{}{"enabled": mutatingAdmissionPolicyEnabled},
 	}, nil
 }
 
@@ -919,3 +937,33 @@ func getControlPlaneShootChartCSIEfsValues(
 
 	return values
 }
+
+func isUsingCalico(cluster *extensionscontroller.Cluster) bool {
+	return cluster.Shoot.Spec.Networking != nil &&
+		cluster.Shoot.Spec.Networking.Type != nil &&
+		*cluster.Shoot.Spec.Networking.Type == "calico"
+}
+
+func isMutatingAdmissionPolicyEnabled(cluster *extensionscontroller.Cluster) bool {
+	if cluster.Shoot.Spec.Kubernetes.KubeAPIServer == nil {
+		return false
+	}
+
+	if cluster.Shoot.Spec.Kubernetes.KubeAPIServer.FeatureGates == nil {
+		return false
+	}
+
+	if enabled, ok := cluster.Shoot.Spec.Kubernetes.KubeAPIServer.FeatureGates["MutatingAdmissionPolicy"]; !ok || !enabled {
+		return false
+	}
+
+	if cluster.Shoot.Spec.Kubernetes.KubeAPIServer.RuntimeConfig == nil {
+		return false
+	}
+
+	if enabled, ok := cluster.Shoot.Spec.Kubernetes.KubeAPIServer.RuntimeConfig["admissionregistration.k8s.io/v1alpha1"]; !ok || !enabled {
+		return false
+	}
+
+	return true
+}