azure: Disable Calico encapsulation for pod traffic

hakman · hakman · commit c9e666cab2f2 · 2025-12-19T08:25:19.000+02:00
Signed-off-by: Ciprian Hacman &lt;ciprian@hakman.dev&gt;
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
@@ -1559,15 +1559,17 @@ func validateNetworkingCalico(c *kops.ClusterSpec, v *kops.CalicoNetworkingSpec,
 		valid := []string{"ipip", "vxlan", "none"}
 		allErrs = append(allErrs, IsValidValue(fldPath.Child("encapsulationMode"), &v.EncapsulationMode, valid)...)
 
-		if v.EncapsulationMode != "none" && c.IsIPv6Only() {
-			// IPv6 doesn't support encapsulation and kops only uses the "none" networking backend.
-			// The bird networking backend could also be added in the future if there's any valid use case.
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("encapsulationMode"), "IPv6 requires an encapsulationMode of \"none\""))
-		} else if v.EncapsulationMode == "none" && !c.IsIPv6Only() {
-			// Don't tolerate "None" for now, which would disable encapsulation in the default IPPool
-			// object. Note that with no encapsulation, we'd need to select the "bird" networking
-			// backend in order to allow use of BGP to distribute routes for pod traffic.
-			allErrs = append(allErrs, field.Forbidden(fldPath.Child("encapsulationMode"), "encapsulationMode \"none\" is only supported for IPv6 clusters"))
+		if c.CloudProvider.Azure == nil {
+			if v.EncapsulationMode != "none" && c.IsIPv6Only() {
+				// IPv6 doesn't support encapsulation and kops only uses the "none" networking backend.
+				// The bird networking backend could also be added in the future if there's any valid use case.
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child("encapsulationMode"), "IPv6 requires an encapsulationMode of \"none\""))
+			} else if v.EncapsulationMode == "none" && !c.IsIPv6Only() {
+				// Don't tolerate "None" for now, which would disable encapsulation in the default IPPool
+				// object. Note that with no encapsulation, we'd need to select the "bird" networking
+				// backend in order to allow use of BGP to distribute routes for pod traffic.
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child("encapsulationMode"), "encapsulationMode \"none\" is only supported for IPv6 clusters"))
+			}
 		}
 	}
 
diff --git a/pkg/model/components/calico.go b/pkg/model/components/calico.go
@@ -36,6 +36,9 @@ func (b *CalicoOptionsBuilder) BuildOptions(o *kops.Cluster) error {
 	}
 
 	c.EncapsulationMode = "ipip"
+	if o.GetCloudProvider() == kops.CloudProviderAzure {
+		c.EncapsulationMode = "none"
+	}
 	if clusterSpec.IsIPv6Only() {
 		c.EncapsulationMode = "none"
 	}

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,9 @@ func (b CalicoOptionsBuilder) BuildOptions(o kops.Cluster) error {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`c.EncapsulationMode = "ipip"`
	`39`	`+ if o.GetCloudProvider() == kops.CloudProviderAzure {`
	`40`	`+ c.EncapsulationMode = "none"`
	`41`	`+ }`
`39`	`42`	`if clusterSpec.IsIPv6Only() {`
`40`	`43`	`c.EncapsulationMode = "none"`
`41`	`44`	`}`