kubernetes-sigs
diff --git a/‎pkg/apis/types.go‎
Lines changed: 18 additions & 0 deletions b/‎pkg/apis/types.go‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎pkg/cloudprovider/alibaba/alibaba.go‎
Lines changed: 198 additions & 0 deletions b/‎pkg/cloudprovider/alibaba/alibaba.go‎
Lines changed: 198 additions & 0 deletions
diff --git a/‎pkg/cloudprovider/alibaba/alibaba_test.go‎
Lines changed: 120 additions & 0 deletions b/‎pkg/cloudprovider/alibaba/alibaba_test.go‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎pkg/driver/dra_hooks.go‎
Lines changed: 41 additions & 0 deletions b/‎pkg/driver/dra_hooks.go‎
Lines changed: 41 additions & 0 deletions
@@ -86,6 +86,13 @@ type InterfaceConfig struct {
 	// If provided, the interface will be enslaved to a VRF device with this name.
 	// This enables grouping multiple network interfaces into the same VRF.
 	VRF *VRFConfig `json:"vrf,omitempty"`
+
+	// IPVlan, when set, instructs the driver to create an IPvlan slave interface
+	// from the parent netdev instead of moving the host netdev into the Pod's
+	// network namespace. The parent netdev remains in the host namespace.
+	// This is used for HPN (High-Performance Networking) fabrics where the
+	// parent netdev must retain its identity and address on the fabric.
+	IPVlan *IPVlanConfig `json:"ipvlan,omitempty"`
 }
 
 // VRFConfig represents the configuration for a Virtual Routing and Forwarding domain.
@@ -100,6 +107,17 @@ type VRFConfig struct {
 	Table *int `json:"table,omitempty"`
 }
 
+// IPVlanConfig specifies that the driver should create an IPvlan slave interface
+// rather than moving the host netdev into the Pod namespace.
+type IPVlanConfig struct {
+	// Mode describes the addressing strategy for the IPvlan slave.
+	// Supported values:
+	//   "ipv6" - derive Pod IPv6 from the parent's prefix (first 12 bytes)
+	//            combined with the Pod's IPv4 address (last 4 bytes).
+	//            The kernel IPvlan mode is L2 with BRIDGE flag.
+	Mode string `json:"mode"`
+}
+
 // RouteConfig represents a network route configuration.
 type RouteConfig struct {
 	// Destination is the target network in CIDR format (e.g., "0.0.0.0/0", "10.0.0.0/8").
 
@@ -0,0 +1,198 @@
+/*
+Copyright The Kubernetes Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package alibaba
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog/v2"
+
+	resourceapi "k8s.io/api/resource/v1"
+	"sigs.k8s.io/dranet/pkg/apis"
+	"sigs.k8s.io/dranet/pkg/cloudprovider"
+)
+
+const (
+	AlibabaAttrPrefix = "alibaba.dra.net"
+
+	AttrInstanceType = AlibabaAttrPrefix + "/" + "instanceType"
+
+	// Alibaba Cloud ECS Instance Metadata Service endpoint.
+	imdsEndpoint = "http://100.100.100.200/latest"
+	// IMDSv2 token endpoint and header.
+	imdsTokenPath = "/api/token"
+	imdsTokenTTL  = "21600"
+)
+
+var _ cloudprovider.CloudInstance = (*AlibabaInstance)(nil)
+
+// AlibabaInstance holds Alibaba Cloud instance metadata relevant to network device configuration.
+type AlibabaInstance struct {
+	InstanceType string
+	IsHPN        bool
+}
+
+// OnAlibaba returns true if running on an Alibaba Cloud ECS instance.
+func OnAlibaba(ctx context.Context) bool {
+	pollCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+	return wait.PollUntilContextCancel(pollCtx, 1*time.Second, true, func(ctx context.Context) (bool, error) {
+		token, err := fetchIMDSToken(ctx)
+		if err != nil {
+			return false, nil
+		}
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, imdsEndpoint+"/meta-data/instance-id", nil)
+		if err != nil {
+			return false, nil
+		}
+		req.Header.Set("X-aliyun-ecs-metadata-token", token)
+		resp, err := http.DefaultClient.Do(req)
+		if err != nil {
+			return false, nil
+		}
+		defer resp.Body.Close()
+		return resp.StatusCode == http.StatusOK, nil
+	}) == nil
+}
+
+// GetInstance retrieves Alibaba Cloud instance metadata via IMDS.
+func GetInstance(ctx context.Context) (cloudprovider.CloudInstance, error) {
+	instanceType, err := queryIMDS(ctx, "/meta-data/instance/instance-type")
+	if err != nil {
+		klog.Infof("could not get Alibaba instance type: %v", err)
+	}
+
+	isHPN := detectHPN(instanceType)
+	klog.Infof("Alibaba Cloud instance: type=%q hpn=%v", instanceType, isHPN)
+
+	return &AlibabaInstance{
+		InstanceType: instanceType,
+		IsHPN:        isHPN,
+	}, nil
+}
+
+// GetDeviceAttributes returns Alibaba Cloud-specific attributes for a device.
+func (a *AlibabaInstance) GetDeviceAttributes(id cloudprovider.DeviceIdentifiers) map[resourceapi.QualifiedName]resourceapi.DeviceAttribute {
+	attributes := make(map[resourceapi.QualifiedName]resourceapi.DeviceAttribute)
+	if a.InstanceType != "" {
+		attributes[AttrInstanceType] = resourceapi.DeviceAttribute{StringValue: &a.InstanceType}
+	}
+	return attributes
+}
+
+// GetDeviceConfig returns a NetworkConfig that signals IPvlan mode for
+// HPN bond devices. Non-HPN or non-bond devices return nil.
+func (a *AlibabaInstance) GetDeviceConfig(id cloudprovider.DeviceIdentifiers) *apis.NetworkConfig {
+	if !a.IsHPN || !isHPNBondDevice(id.Name) {
+		return nil
+	}
+	return &apis.NetworkConfig{
+		Interface: apis.InterfaceConfig{
+			IPVlan: &apis.IPVlanConfig{
+				Mode: "ipv6",
+			},
+		},
+	}
+}
+
+// isHPNBondDevice returns true if the device name indicates it is an HPN
+// bond master interface (e.g. bond0, bond1). Bond slaves (reth*) and other
+// interfaces are not HPN devices.
+func isHPNBondDevice(name string) bool {
+	return strings.HasPrefix(name, "bond")
+}
+
+// detectHPN determines whether this instance is a HPN machine.
+// Only called when we already know we're on Alibaba Cloud (via IMDS
+// reachability or --cloud-provider-hint=ALIBABA).
+func detectHPN(instanceType string) bool {
+	lower := strings.ToLower(instanceType)
+	if strings.Contains(lower, "hpn") || strings.Contains(lower, "efg") {
+		return true
+	}
+	// On confirmed Alibaba Cloud instances where IMDS didn't return instance type
+	// (e.g. bare-metal), check for RDMA infiniband devices as HPN indicator.
+	if instanceType == "" {
+		if entries, err := os.ReadDir("/sys/class/infiniband"); err == nil && len(entries) > 0 {
+			klog.V(2).Infof("Alibaba Cloud instance with %d infiniband devices, assuming HPN", len(entries))
+			return true
+		}
+	}
+	return false
+}
+
+// fetchIMDSToken obtains a session token for IMDSv2.
+func fetchIMDSToken(ctx context.Context) (string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, imdsEndpoint+imdsTokenPath, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("X-aliyun-ecs-metadata-token-ttl-seconds", imdsTokenTTL)
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("IMDS token request returned %d", resp.StatusCode)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(body)), nil
+}
+
+// queryIMDS fetches a single metadata value from Alibaba Cloud IMDS (v2 with token).
+func queryIMDS(ctx context.Context, path string) (string, error) {
+	var result string
+	err := wait.PollUntilContextTimeout(ctx, 1*time.Second, 10*time.Second, true, func(ctx context.Context) (bool, error) {
+		token, err := fetchIMDSToken(ctx)
+		if err != nil {
+			klog.V(4).Infof("IMDS token fetch failed: %v", err)
+			return false, nil
+		}
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, imdsEndpoint+path, nil)
+		if err != nil {
+			return false, nil
+		}
+		req.Header.Set("X-aliyun-ecs-metadata-token", token)
+		resp, err := http.DefaultClient.Do(req)
+		if err != nil {
+			klog.V(4).Infof("IMDS request to %s failed: %v", path, err)
+			return false, nil
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			return false, nil
+		}
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return false, nil
+		}
+		result = strings.TrimSpace(string(body))
+		return true, nil
+	})
+	return result, err
+}
@@ -0,0 +1,120 @@
+/*
+Copyright The Kubernetes Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package alibaba
+
+import (
+	"testing"
+
+	"sigs.k8s.io/dranet/pkg/cloudprovider"
+)
+
+func TestGetDeviceAttributes(t *testing.T) {
+	tests := []struct {
+		name         string
+		instance     AlibabaInstance
+		wantInstType string
+	}{
+		{
+			name: "HPN instance",
+			instance: AlibabaInstance{
+				InstanceType: "ecs.ebmhpn7.320xlarge",
+				IsHPN:        true,
+			},
+			wantInstType: "ecs.ebmhpn7.320xlarge",
+		},
+		{
+			name: "regular ECS instance",
+			instance: AlibabaInstance{
+				InstanceType: "ecs.g7.xlarge",
+				IsHPN:        false,
+			},
+			wantInstType: "ecs.g7.xlarge",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			attrs := tt.instance.GetDeviceAttributes(cloudprovider.DeviceIdentifiers{Name: "bond0"})
+			if tt.wantInstType != "" {
+				instAttr, ok := attrs[AttrInstanceType]
+				if !ok {
+					t.Fatal("missing instanceType attribute")
+				}
+				if instAttr.StringValue == nil || *instAttr.StringValue != tt.wantInstType {
+					t.Errorf("instanceType = %v, want %s", instAttr.StringValue, tt.wantInstType)
+				}
+			}
+		})
+	}
+}
+
+func TestGetDeviceConfig(t *testing.T) {
+	t.Run("HPN returns IPVlan config for bond device", func(t *testing.T) {
+		instance := &AlibabaInstance{IsHPN: true}
+		config := instance.GetDeviceConfig(cloudprovider.DeviceIdentifiers{Name: "bond0"})
+		if config == nil {
+			t.Fatal("expected non-nil config for HPN bond device")
+		}
+		if config.Interface.IPVlan == nil {
+			t.Fatal("expected IPVlan config")
+		}
+		if config.Interface.IPVlan.Mode != "ipv6" {
+			t.Errorf("IPVlan mode = %q, want %q", config.Interface.IPVlan.Mode, "ipv6")
+		}
+	})
+
+	t.Run("HPN returns nil for non-bond device", func(t *testing.T) {
+		instance := &AlibabaInstance{IsHPN: true}
+		config := instance.GetDeviceConfig(cloudprovider.DeviceIdentifiers{Name: "reth0"})
+		if config != nil {
+			t.Errorf("expected nil config for bond slave, got %v", config)
+		}
+	})
+
+	t.Run("non-HPN returns nil", func(t *testing.T) {
+		instance := &AlibabaInstance{IsHPN: false}
+		config := instance.GetDeviceConfig(cloudprovider.DeviceIdentifiers{Name: "bond0"})
+		if config != nil {
+			t.Errorf("expected nil config for non-HPN, got %v", config)
+		}
+	})
+}
+
+func TestDetectHPNHPN(t *testing.T) {
+	tests := []struct {
+		name         string
+		instanceType string
+		want         bool
+	}{
+		{"hpn in name", "ecs.ebmhpn7.320xlarge", true},
+		{"hpn in name", "ecs.hpn2.xlarge", true},
+		{"HPN uppercase", "ecs.ebmHPN.large", true},
+		{"regular instance without infiniband", "ecs.g7.xlarge", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := detectHPN(tt.instanceType)
+			// For types without "hpn", the result depends on
+			// whether /sys/class/infiniband exists on the test host.
+			// We only assert for positive matches from the instance type.
+			if tt.want && !got {
+				t.Errorf("detectHPN(%q) = false, want true", tt.instanceType)
+			}
+		})
+	}
+}
@@ -256,6 +256,47 @@ func (np *NetworkDriver) prepareResourceClaim(ctx context.Context, claim *resour
 			continue
 		}
 
+		// IPvlan path: cloud provider signals that the parent netdev must remain
+		// in the host namespace. Instead of moving the netdev, IPvlan slaves are
+		// created during RunPodSandbox.
+		if netconf.Interface.IPVlan != nil {
+			klog.V(2).Infof("IPvlan mode for device %s (mode=%s)", result.Device, netconf.Interface.IPVlan.Mode)
+			slaves, err := computeIPVlanSlaves(nlHandle)
+			if err != nil {
+				errorList = append(errorList, fmt.Errorf("failed to compute IPvlan slaves for device %s: %v", result.Device, err))
+				continue
+			}
+			deviceCfg.IPVlanSlaves = slaves
+
+			// RDMA char devices are still needed for container injection.
+			// Use a dedicated set: shared-mode pods need ALL RDMA char devices
+			// on the node, not just one device's.
+			ipvlanCharDevs := sets.New[string]()
+			rdmaLinks, _ := netlink.RdmaLinkList()
+			for _, rl := range rdmaLinks {
+				buildRDMAConfig(rl.Attrs.Name, ipvlanCharDevs)
+			}
+			if ipvlanCharDevs.Len() > 0 {
+				deviceCfg.RDMADevice = RDMAConfig{DevChars: make([]LinuxDevice, 0, ipvlanCharDevs.Len())}
+				for _, devpath := range ipvlanCharDevs.UnsortedList() {
+					dev, err := GetDeviceInfo(devpath)
+					if err != nil {
+						klog.Warningf("failed to get device info for %s: %v", devpath, err)
+						continue
+					}
+					deviceCfg.RDMADevice.DevChars = append(deviceCfg.RDMADevice.DevChars, dev)
+				}
+			}
+
+			for _, uid := range podUIDs {
+				if err := np.podConfigStore.SetDeviceConfig(uid, result.Device, deviceCfg); err != nil {
+					errorList = append(errorList, fmt.Errorf("failed to persist device config for pod %s device %s: %v", uid, result.Device, err))
+				}
+			}
+			klog.V(4).Infof("IPvlan claim resources for pods %v : %#v", podUIDs, deviceCfg)
+			continue
+		}
+
 		ifName, err := np.netdb.GetNetInterfaceName(result.Device)
 		if err != nil {
 			errorList = append(errorList, fmt.Errorf("failed to get network interface name for device %s: %v", result.Device, err))