controller: fix ip allocation from IPPools (#5729)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

.github/workflows/build-x86-image.yaml

@@ -1048,7 +1048,7 @@ jobs:
       - build-kube-ovn
       - build-e2e-binaries
     runs-on: ubuntu-24.04
-    timeout-minutes: 40
+    timeout-minutes: 45
     strategy:
       fail-fast: false
       matrix:

go.mod

@@ -330,7 +330,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.21.0 // indirect
 	golang.org/x/crypto v0.42.0 // indirect
-	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b // indirect
+	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
 	golang.org/x/oauth2 v0.31.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/term v0.35.0 // indirect

go.sum

@@ -1319,8 +1319,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b h1:DXr+pvt3nC887026GRP39Ej11UATqWDmWuS99x26cD0=
-golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
+golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=
+golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
 golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=

makefiles/e2e.mk

@@ -135,7 +135,7 @@ kube-ovn-conformance-e2e:
 	E2E_BRANCH=$(E2E_BRANCH) \
 	E2E_IP_FAMILY=$(E2E_IP_FAMILY) \
 	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
-	ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v --timeout=30m \
+	ginkgo $(GINKGO_OUTPUT_OPT) $(GINKGO_PARALLEL_OPT) --randomize-all -v --timeout=35m \
 		--focus=CNI:Kube-OVN ./test/e2e/kube-ovn/kube-ovn.test -- $(TEST_BIN_ARGS)
 
 .PHONY: kube-ovn-ic-conformance-e2e

pkg/controller/pod.go

@@ -1932,6 +1932,8 @@ func (c *Controller) acquireAddress(pod *v1.Pod, podNet *kubeovnNet) (string, st
 		macPointer = ptr.To("")
 	}
 
+	var err error
+	var nsNets []*kubeovnNet
 	ippoolStr := pod.Annotations[fmt.Sprintf(util.IPPoolAnnotationTemplate, podNet.ProviderName)]
 	if ippoolStr == "" {
 		ns, err := c.namespacesLister.Get(pod.Namespace)
@@ -1942,6 +1944,15 @@ func (c *Controller) acquireAddress(pod *v1.Pod, podNet *kubeovnNet) (string, st
 
 		if len(ns.Annotations) != 0 {
 			if ipPoolList, ok := ns.Annotations[util.IPPoolAnnotation]; ok {
+				if nsNets, err = c.getNsAvailableSubnets(pod, podNet); err != nil {
+					klog.Errorf("failed to get available subnets for pod %s/%s, %v", pod.Namespace, pod.Name, err)
+					return "", "", "", podNet.Subnet, err
+				}
+				subnetNames := make([]string, 0, len(nsNets))
+				for _, net := range nsNets {
+					subnetNames = append(subnetNames, net.Subnet.Name)
+				}
+
 				for ipPoolName := range strings.SplitSeq(ipPoolList, ",") {
 					ippool, err := c.ippoolLister.Get(ipPoolName)
 					if err != nil {
@@ -1965,10 +1976,18 @@ func (c *Controller) acquireAddress(pod *v1.Pod, podNet *kubeovnNet) (string, st
 						}
 					}
 
-					if ippool.Spec.Subnet == podNet.Subnet.Name {
-						ippoolStr = ippool.Name
-						break
+					for _, net := range nsNets {
+						if net.Subnet.Name == ippool.Spec.Subnet {
+							ippoolStr = ippool.Name
+							podNet.Subnet = net.Subnet
+							break
+						}
 					}
+					break
+				}
+				if ippoolStr == "" {
+					klog.Infof("no available ippool in subnets %s for pod %s/%s", strings.Join(subnetNames, ","), pod.Namespace, pod.Name)
+					return "", "", "", podNet.Subnet, ipam.ErrNoAvailable
 				}
 			}
 		}
@@ -2007,9 +2026,14 @@ func (c *Controller) acquireAddress(pod *v1.Pod, podNet *kubeovnNet) (string, st
 	portName := ovs.PodNameToPortName(podName, pod.Namespace, podNet.ProviderName)
 
 	// The static ip can be assigned from any subnet after ns supports multi subnets
-	nsNets, _ := c.getNsAvailableSubnets(pod, podNet)
+	if nsNets == nil {
+		if nsNets, err = c.getNsAvailableSubnets(pod, podNet); err != nil {
+			klog.Errorf("failed to get available subnets for pod %s/%s, %v", pod.Namespace, pod.Name, err)
+			return "", "", "", podNet.Subnet, err
+		}
+	}
+
 	var v4IP, v6IP, mac string
-	var err error
 
 	// Static allocate
 	if pod.Annotations[fmt.Sprintf(util.IPAddressAnnotationTemplate, podNet.ProviderName)] != "" {
@@ -2041,9 +2065,13 @@ func (c *Controller) acquireAddress(pod *v1.Pod, podNet *kubeovnNet) (string, st
 
 		if len(ipPool) == 1 && (!strings.ContainsRune(ipPool[0], ',') && net.ParseIP(ipPool[0]) == nil) {
 			var skippedAddrs []string
+			pool, err := c.ippoolLister.Get(ipPool[0])
+			if err != nil {
+				klog.Errorf("failed to get ippool %s: %v", ipPool[0], err)
+				return "", "", "", podNet.Subnet, err
+			}
 			for {
-				portName := ovs.PodNameToPortName(podName, pod.Namespace, podNet.ProviderName)
-				ipv4, ipv6, mac, err := c.ipam.GetRandomAddress(key, portName, macPointer, podNet.Subnet.Name, ipPool[0], skippedAddrs, !podNet.AllowLiveMigration)
+				ipv4, ipv6, mac, err := c.ipam.GetRandomAddress(key, portName, macPointer, pool.Spec.Subnet, ipPool[0], skippedAddrs, !podNet.AllowLiveMigration)
 				if err != nil {
 					klog.Error(err)
 					return "", "", "", podNet.Subnet, err
@@ -2293,17 +2321,16 @@ func (c *Controller) getNameByPod(pod *v1.Pod) string {
 
 // When subnet's v4availableIPs is 0 but still there's available ip in exclude-ips, the static ip in exclude-ips can be allocated normal.
 func (c *Controller) getNsAvailableSubnets(pod *v1.Pod, podNet *kubeovnNet) ([]*kubeovnNet, error) {
-	var result []*kubeovnNet
 	// keep the annotation subnet of the pod in first position
-	result = append(result, podNet)
+	result := []*kubeovnNet{podNet}
 
 	ns, err := c.namespacesLister.Get(pod.Namespace)
 	if err != nil {
 		klog.Errorf("failed to get namespace %s, %v", pod.Namespace, err)
 		return nil, err
 	}
 	if ns.Annotations == nil {
-		return nil, nil
+		return []*kubeovnNet{}, nil
 	}
 
 	subnetNames := ns.Annotations[util.LogicalSwitchAnnotation]

test/e2e/kube-ovn/ipam/ipam.go

@@ -573,7 +573,7 @@ var _ = framework.Describe("[group:ipam]", func() {
 		testSubnet := framework.MakeSubnet(subnetName2, "", testCidr, "", "", "", nil, nil, []string{namespaceName})
 		subnetClient.CreateSync(testSubnet)
 
-		ginkgo.By("Creating IPPool resources ")
+		ginkgo.By("Creating IPPool resources")
 		ipsRange1 := framework.RandomIPPool(cidr, ipsCount)
 		ipsRange2 := framework.RandomIPPool(testCidr, ipsCount)
 		ippool1 := framework.MakeIPPool(ippoolName, subnetName, ipsRange1, []string{namespaceName})
@@ -607,7 +607,7 @@ var _ = framework.Describe("[group:ipam]", func() {
 		replicas := 1
 		ipsCount := 1
 
-		ginkgo.By("Creating IPPool resources ")
+		ginkgo.By("Creating IPPool resources")
 		ipsRange := framework.RandomIPPool(cidr, ipsCount*2)
 		ipv4Range, ipv6Range := util.SplitIpsByProtocol(ipsRange)
 		var ipsRange1, ipsRange2 []string
@@ -667,4 +667,56 @@ var _ = framework.Describe("[group:ipam]", func() {
 			}
 		}
 	})
+
+	framework.ConformanceIt("should block IP allocation if the ippool bound by namespace annotation has no available IPs", func() {
+		f.SkipVersionPriorTo(1, 14, "This feature was introduced in v1.14")
+
+		ginkgo.By("Creating IPPool " + ippoolName)
+		ipsCount := 1
+		ips := framework.RandomIPPool(cidr, ipsCount)
+		ippool := framework.MakeIPPool(ippoolName, subnetName, ips, []string{namespaceName})
+		_ = ippoolClient.CreateSync(ippool)
+
+		ginkgo.By("Creating deployment " + deployName + " with replicas equal to the number of IPs in the ippool")
+		labels := map[string]string{"app": deployName}
+		deploy := framework.MakeDeployment(deployName, int32(ipsCount), labels, nil, "pause", framework.PauseImage, "")
+		_ = deployClient.CreateSync(deploy)
+
+		ginkgo.By("Creating pod " + podName + " which should be blocked for IP allocation")
+		pod := framework.MakePod(namespaceName, podName, nil, nil, "", nil, nil)
+		_ = podClient.Create(pod)
+
+		ginkgo.By("Waiting for pod " + podName + " to have event indicating IP allocation failure")
+		eventClient := f.EventClient()
+		_ = eventClient.WaitToHaveEvent("Pod", podName, "Warning", "AcquireAddressFailed", "kube-ovn-controller", "")
+	})
+
+	framework.ConformanceIt("should be able to allocate IP from IPPools in different subnets", func() {
+		f.SkipVersionPriorTo(1, 14, "This feature was introduced in v1.14")
+		ipsCount := 1
+
+		ginkgo.By("Creating subnet " + subnetName2)
+		cidr2 := framework.RandomCIDR(f.ClusterIPFamily)
+		subnet2 := framework.MakeSubnet(subnetName2, "", cidr2, "", "", "", nil, nil, []string{namespaceName})
+		_ = subnetClient.CreateSync(subnet2)
+
+		ginkgo.By("Creating IPPool " + ippoolName)
+		ips := framework.RandomIPPool(cidr, ipsCount)
+		ippool := framework.MakeIPPool(ippoolName, subnetName, ips, []string{namespaceName})
+		_ = ippoolClient.CreateSync(ippool)
+
+		ginkgo.By("Creating IPPool " + ippoolName2)
+		ips2 := framework.RandomIPPool(cidr2, ipsCount)
+		ippool2 := framework.MakeIPPool(ippoolName2, subnetName2, ips2, []string{namespaceName})
+		_ = ippoolClient.CreateSync(ippool2)
+
+		ginkgo.By("Creating deployment " + deployName + " with replicas equal to the number of IPs in the ippool " + ippoolName)
+		labels := map[string]string{"app": deployName}
+		deploy := framework.MakeDeployment(deployName, int32(ipsCount), labels, nil, "pause", framework.PauseImage, "")
+		_ = deployClient.CreateSync(deploy)
+
+		ginkgo.By("Creating pod " + podName + " which should have IP allocated from ippool " + ippoolName2)
+		pod := framework.MakePod(namespaceName, podName, nil, nil, "", nil, nil)
+		_ = podClient.CreateSync(pod)
+	})
 })