feat: Copy permanent neighbor (ARP/NDP) entries from host

Author: gauravkghildiyal

pkg/apis/types.go

@@ -26,6 +26,9 @@ type NetworkConfig struct {
 	// Routes defines static routes to be configured for this interface.
 	Routes []RouteConfig `json:"routes,omitempty"`
 
+	// Neighbors defines neighbor (ARP/NDP) entries to be configured for this interface.
+	Neighbors []NeighborConfig `json:"neighbors,omitempty"`
+
 	// Ethtool defines hardware offload features and other settings managed by `ethtool`.
 	Ethtool *EthtoolConfig `json:"ethtool,omitempty"`
 }
@@ -85,6 +88,19 @@ type RouteConfig struct {
 	Scope uint8 `json:"scope,omitempty"`
 }
 
+// NeighborConfig represents a neighbor (ARP/NDP) entry.
+type NeighborConfig struct {
+	// Destination is the target IP address.
+	Destination string `json:"destination,omitempty"`
+	// HardwareAddr is the MAC address of the neighbor.
+	HardwareAddr string `json:"hardwareAddr,omitempty"`
+	// State is the state of the neighbor entry (e.g., permanent, reachable).
+	// Refers to Linux neighbor states (e.g., 0x02 for NUD_REACHABLE, 0x80 for NUD_PERMANENT).
+	State int `json:"state,omitempty"`
+	// Family is the address family of the neighbor entry (e.g., AF_INET, AF_INET6).
+	Family int `json:"family,omitempty"`
+}
+
 // EthtoolConfig defines ethtool-based optimizations for a network interface.
 // These settings correspond to features typically toggled using `ethtool -K <dev> <feature> on|off`.
 type EthtoolConfig struct {

pkg/driver/dra_hooks.go

@@ -315,6 +315,27 @@ func (np *NetworkDriver) prepareResourceClaim(ctx context.Context, claim *resour
 			podCfg.NetworkInterfaceConfigInPod.Routes = append(podCfg.NetworkInterfaceConfigInPod.Routes, routeCfg)
 		}
 
+		// Obtain the neighbors associated to the interface
+		neighs, err := nlHandle.NeighList(link.Attrs().Index, netlink.FAMILY_ALL)
+		if err != nil {
+			klog.Infof("failed to get neighbors for interface %s: %v", ifName, err)
+		}
+		for _, neigh := range neighs {
+			if neigh.HardwareAddr == nil {
+				continue
+			}
+			if neigh.State != netlink.NUD_PERMANENT {
+				continue
+			}
+			neighCfg := apis.NeighborConfig{
+				Destination:  neigh.IP.String(),
+				HardwareAddr: neigh.HardwareAddr.String(),
+				State:        neigh.State,
+				Family:       neigh.Family,
+			}
+			podCfg.NetworkInterfaceConfigInPod.Neighbors = append(podCfg.NetworkInterfaceConfigInPod.Neighbors, neighCfg)
+		}
+
 		// Get RDMA configuration: link and char devices
 		if rdmaDev, _ := rdmamap.GetRdmaDeviceForNetdevice(ifName); rdmaDev != "" {
 			klog.V(2).Infof("RunPodSandbox processing RDMA device: %s", rdmaDev)

pkg/driver/netnamespace.go

@@ -87,3 +87,47 @@ func applyRoutingConfig(containerNsPAth string, ifName string, routeConfig []api
 	}
 	return errors.Join(errorList...)
 }
+
+func applyNeighborConfig(containerNsPAth string, ifName string, neighConfig []apis.NeighborConfig) error {
+	containerNs, err := netns.GetFromPath(containerNsPAth)
+	if err != nil {
+		return fmt.Errorf("could not get network namespace from path %s: %w", containerNsPAth, err)
+	}
+	defer containerNs.Close()
+
+	nhNs, err := netlink.NewHandleAt(containerNs)
+	if err != nil {
+		return fmt.Errorf("can not get netlink handle: %v", err)
+	}
+	defer nhNs.Close()
+
+	nsLink, err := nhNs.LinkByName(ifName)
+	if err != nil && !errors.Is(err, netlink.ErrDumpInterrupted) {
+		return fmt.Errorf("link not found for interface %s on namespace %s: %w", ifName, containerNsPAth, err)
+	}
+
+	var errorList []error
+	for _, neigh := range neighConfig {
+		ip := net.ParseIP(neigh.Destination)
+		if ip == nil {
+			errorList = append(errorList, fmt.Errorf("invalid ip address: %s", neigh.Destination))
+			continue
+		}
+		mac, err := net.ParseMAC(neigh.HardwareAddr)
+		if err != nil {
+			errorList = append(errorList, fmt.Errorf("invalid mac address: %s", neigh.HardwareAddr))
+			continue
+		}
+		n := netlink.Neigh{
+			LinkIndex:    nsLink.Attrs().Index,
+			State:        neigh.State,
+			Family:       neigh.Family,
+			IP:           ip,
+			HardwareAddr: mac,
+		}
+		if err := nhNs.NeighAdd(&n); err != nil && !errors.Is(err, syscall.EEXIST) {
+			errorList = append(errorList, fmt.Errorf("failed to add permanent neighbor entry %s (%s) for interface %s: %w", neigh.Destination, neigh.HardwareAddr, ifName, err))
+		}
+	}
+	return errors.Join(errorList...)
+}

pkg/driver/nri_hooks.go

@@ -202,6 +202,14 @@ func (np *NetworkDriver) runPodSandbox(ctx context.Context, pod *api.PodSandbox)
 			klog.Infof("RunPodSandbox error configuring device %s namespace %s routing: %v", deviceName, ns, err)
 			return fmt.Errorf("error configuring device %s routes on namespace %s: %v", deviceName, ns, err)
 		}
+
+		// Configure neighbors
+		err = applyNeighborConfig(ns, ifNameInNs, config.NetworkInterfaceConfigInPod.Neighbors)
+		if err != nil {
+			klog.Infof("RunPodSandbox for pod %s/%s (UID %s) failed to apply neighbor configuration for interface %s in namespace %s: %v", pod.Namespace, pod.Name, pod.Uid, ifNameInNs, ns, err)
+			return fmt.Errorf("failed to apply neighbor configuration for interface %s in namespace %s: %w", ifNameInNs, ns, err)
+		}
+
 		resourceClaimStatusDevice.WithConditions(
 			metav1apply.Condition().
 				WithType("NetworkReady").

tests/e2e.bats

@@ -402,3 +402,31 @@ EOF
 )
   kubectl rollout status ds/dranet --namespace=kube-system
 }
+
+@test "permanent neighbor entry is copied to pod namespace" {
+  local NODE_NAME="$CLUSTER_NAME"-worker
+  local DUMMY_IFACE="dummy-neigh"
+  local NEIGH_IP="192.168.1.1"
+  local NEIGH_MAC="00:11:22:33:44:55"
+
+  # Create a dummy interface on the worker node
+  docker exec "$NODE_NAME" bash -c "ip link add $DUMMY_IFACE type dummy"
+  docker exec "$NODE_NAME" bash -c "ip link set up dev $DUMMY_IFACE"
+  docker exec "$NODE_NAME" bash -c "ip addr add 169.254.169.15/32 dev $DUMMY_IFACE"
+
+  # Add a permanent neighbor entry on the worker node
+  docker exec "$NODE_NAME" bash -c "ip neigh add $NEIGH_IP lladdr $NEIGH_MAC dev $DUMMY_IFACE nud permanent"
+
+  kubectl apply -f "$BATS_TEST_DIRNAME"/../tests/manifests/deviceclass.yaml
+  kubectl apply -f "$BATS_TEST_DIRNAME"/../tests/manifests/resourceclaim.yaml
+  kubectl wait --timeout=30s --for=condition=ready pods -l app=pod
+
+  # Get the pod name
+  POD_NAME=$(kubectl get pods -l app=pod -o name)
+
+  # Verify the neighbor entry inside the pod's network namespace
+  run kubectl exec "$POD_NAME" -- ip neigh show
+  assert_success
+  assert_output --partial "$NEIGH_IP dev eth99 lladdr $NEIGH_MAC PERM"
+}
+