feat: add perNodeExclusions support for IPPool and CIDRPool

Add support for per-node index-based IP exclusions in both IPPool and
CIDRPool resources. This allows administrators to exclude specific IP
address ranges based on their index position within each node's allocated
IP block or prefix, rather than by absolute IP addresses.

API Changes:
- Add ExcludeIndexRange type with startIndex and endIndex fields
- Add perNodeExclusions field to IPPoolSpec and CIDRPoolSpec
- Add kubebuilder validation markers for CRD-level validation
  - startIndex and endIndex must be non-negative
  - endIndex must be >= startIndex
- Add runtime validation functions:
  - validatePerNodeExclusions() for CIDRPool (validates against perNodeNetworkPrefix)
  - validatePerNodeExclusionsForBlockSize() for IPPool (validates against perNodeBlockSize)
- Add comprehensive test coverage (24 test cases total)
  - 14 tests for CIDRPool (IPv4 and IPv6)
  - 10 tests for IPPool (IPv4 and IPv6)

Controller Implementation:
- IPPool controller: Add buildPerNodeExclusions() function
  - Converts index-based exclusions to IP addresses for node's IP block
  - Merges with pool-wide exclusions before passing to allocator
  - 10 unit tests covering all edge cases
- CIDRPool controller: Add buildPerNodeExclusions() function
  - Converts index-based exclusions to IP addresses for node's prefix
  - Combines with filtered pool-wide exclusions
  - 7 unit tests covering all edge cases

Implementation details:
- Each node processes only its own allocation (per-node)
- Index-based ranges are converted to IP-based ExclusionRange objects
- Ranges are clamped to node's allocation boundaries
- Ranges outside node's allocation are skipped
- Reuses existing allocator exclusion mechanism (no allocator changes)
- Memory efficient: large ranges create single ExclusionRange entries

Documentation:
- Update README.md with perNodeExclusions field descriptions
- Update docs/static-ip.md with examples
- Add detailed field explanations for both IPPool and CIDRPool

Example usage:
  perNodeExclusions:
    - startIndex: 0
      endIndex: 10

Node-A (192.168.0.1-192.168.0.100) excludes 192.168.0.1-192.168.0.11
Node-B (192.168.0.101-192.168.0.200) excludes 192.168.0.101-192.168.0.111

Signed-off-by: Fred Rolland <frolland@nvidia.com>

Author: rollandf

README.md

@@ -345,6 +345,9 @@ spec:
   exclusions: # optional
   - startIP: 192.168.0.10
     endIP: 192.168.0.20
+  perNodeExclusions: # optional
+  - startIndex: 0
+    endIndex: 10
   nodeSelector:
     nodeSelectorTerms:
     - matchExpressions:
@@ -385,6 +388,11 @@ spec:
     * `startIP`: start IP of the exclude range (inclusive).
     * `endIP`: end IP of the exclude range (inclusive).
 
+  * `perNodeExclusions` (optional, list): contains reserved IP address indexes that should not be allocated by nv-ipam node component. The IP address indexes are relative to the per-node IP block allocated to each node, counting from the start of the allocated range. For example, if a node is allocated the IP block 192.168.0.1-192.168.0.100, then index 0 corresponds to 192.168.0.1, index 1 to 192.168.0.2, and so on. Note: For IPPool, indexes count from the range start; for CIDRPool, indexes count from the subnet start (network address).
+
+    * `startIndex`: start index of the exclude range (inclusive). Must be non-negative.
+    * `endIndex`: end index of the exclude range (inclusive). Must be greater than or equal to startIndex and within the perNodeBlockSize range.
+
   * `nodeSelector` (optional): A list of node selector terms. The terms are ORed. Each term can have a list of matchExpressions that are ANDed. Only the nodes that match the provided labels will get assigned IP Blocks for the defined pool.
   * `defaultGateway` (optional): Add the pool gateway as default gateway in the pod static routes.
   * `routes` (optional, list): contains CIDR to be added in the pod static routes via the pool gateway.
@@ -419,6 +427,9 @@ spec:
   exclusions: # optional
     - startIP: 192.168.0.10
       endIP: 192.168.0.20
+  perNodeExclusions: # optional
+    - startIndex: 0
+      endIndex: 10
   staticAllocations:
     - nodeName: node-33
       prefix: 192.168.33.0/24
@@ -478,6 +489,11 @@ spec:
       * `startIP`: start IP of the exclude range (inclusive).
       * `endIP`:  end IP of the exclude range (inclusive).
 
+  * `perNodeExclusions` (optional, list): contains reserved IP address indexes that should not be allocated by nv-ipam node component. The IP address indexes are relative to the per-node prefix allocated to each node, counting from the subnet start (network address). For example, if a node is allocated the prefix 192.168.0.0/24, then index 0 corresponds to 192.168.0.0 (network address), index 1 to 192.168.0.1 (which would be the gateway if gatewayIndex is 1), index 2 to 192.168.0.2, and so on. This indexing is consistent with gatewayIndex.
+
+      * `startIndex`: start index of the exclude range (inclusive). Must be non-negative.
+      * `endIndex`: end index of the exclude range (inclusive). Must be greater than or equal to startIndex and within the subnet size defined by perNodeNetworkPrefix.
+
   * `staticAllocations` (optional, list): static allocations for the pool.
 
       * `nodeName` (optional): name of the node for static allocation, can be empty in case if the prefix should be preallocated without assigning it for a specific node.

api/v1alpha1/cidrpool_test.go

@@ -284,6 +284,88 @@ var _ = Describe("CIDRPool", func() {
 			{StartIP: "10.10.33.25", EndIP: "10.10.33.33"},
 		}, false, ContainSubstring("spec.exclusions[0]")),
 	)
+	DescribeTable("PerNodeExclusions",
+		func(perNodeExclusions []v1alpha1.ExcludeIndexRange, isValid bool, errMatcher ...gomegaTypes.GomegaMatcher) {
+			cidrPool := v1alpha1.CIDRPool{
+				ObjectMeta: metav1.ObjectMeta{Name: "test"},
+				Spec: v1alpha1.CIDRPoolSpec{
+					CIDR:                 "192.168.0.0/16",
+					PerNodeNetworkPrefix: 24,
+					PerNodeExclusions:    perNodeExclusions,
+				},
+			}
+			validatePoolAndCheckErr(&cidrPool, isValid, errMatcher...)
+		},
+		Entry("valid - range", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 10, EndIndex: 20},
+		}, true),
+		Entry("valid - single index", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 5, EndIndex: 5},
+		}, true),
+		Entry("valid - index 0", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 0, EndIndex: 10},
+		}, true),
+		Entry("valid - max index for /24 (255)", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 250, EndIndex: 255},
+		}, true),
+		Entry("valid - multiple ranges", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 0, EndIndex: 10},
+			{StartIndex: 100, EndIndex: 110},
+		}, true),
+		Entry("negative startIndex", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: -5, EndIndex: 20},
+		}, false, ContainSubstring("spec.perNodeExclusions[0].startIndex")),
+		Entry("negative endIndex", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 5, EndIndex: -1},
+		}, false, ContainSubstring("spec.perNodeExclusions[0].endIndex")),
+		Entry("startIndex greater than endIndex", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 25, EndIndex: 24},
+		}, false, ContainSubstring("spec.perNodeExclusions[0]")),
+		Entry("startIndex outside subnet range", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 256, EndIndex: 260},
+		}, false, ContainSubstring("spec.perNodeExclusions[0].startIndex"), ContainSubstring("outside")),
+		Entry("endIndex outside subnet range", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: 250, EndIndex: 300},
+		}, false, ContainSubstring("spec.perNodeExclusions[0].endIndex"), ContainSubstring("outside")),
+		Entry("multiple errors in one entry", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: -5, EndIndex: -1},
+		}, false,
+			ContainSubstring("spec.perNodeExclusions[0].startIndex"),
+			ContainSubstring("spec.perNodeExclusions[0].endIndex")),
+		Entry("multiple entries with errors", []v1alpha1.ExcludeIndexRange{
+			{StartIndex: -5, EndIndex: 20},
+			{StartIndex: 300, EndIndex: 400},
+		}, false,
+			ContainSubstring("spec.perNodeExclusions[0]"),
+			ContainSubstring("spec.perNodeExclusions[1]")),
+	)
+	It("PerNodeExclusions - IPv6", func() {
+		cidrPool := v1alpha1.CIDRPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.CIDRPoolSpec{
+				CIDR:                 "fdf8:6aef:d1fe::/48",
+				PerNodeNetworkPrefix: 120, // 2^8 = 256 addresses
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 0, EndIndex: 10},
+					{StartIndex: 250, EndIndex: 255},
+				},
+			},
+		}
+		validatePoolAndCheckErr(&cidrPool, true)
+	})
+	It("PerNodeExclusions - IPv6 invalid", func() {
+		cidrPool := v1alpha1.CIDRPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.CIDRPoolSpec{
+				CIDR:                 "fdf8:6aef:d1fe::/48",
+				PerNodeNetworkPrefix: 120,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 0, EndIndex: 300}, // 300 > 255
+				},
+			},
+		}
+		validatePoolAndCheckErr(&cidrPool, false, ContainSubstring("spec.perNodeExclusions[0].endIndex"))
+	})
 	DescribeTable("StaticAllocations",
 		func(staticAllocations []v1alpha1.CIDRPoolStaticAllocation, isValid bool, errMatcher ...gomegaTypes.GomegaMatcher) {
 			cidrPool := v1alpha1.CIDRPool{

api/v1alpha1/cidrpool_type.go

@@ -44,6 +44,8 @@ type CIDRPoolSpec struct {
 	PerNodeNetworkPrefix int32 `json:"perNodeNetworkPrefix"`
 	// contains reserved IP addresses that should not be allocated by nv-ipam
 	Exclusions []ExcludeRange `json:"exclusions,omitempty"`
+	// contains reserved indexes of IPs that should not be allocated by nv-ipam
+	PerNodeExclusions []ExcludeIndexRange `json:"perNodeExclusions,omitempty"`
 	// static allocations for the pool
 	StaticAllocations []CIDRPoolStaticAllocation `json:"staticAllocations,omitempty"`
 	// selector for nodes, if empty match all nodes

api/v1alpha1/cidrpool_validate.go

@@ -88,6 +88,8 @@ func (r *CIDRPool) validateCIDR() field.ErrorList {
 			r.Spec.GatewayIndex, "gateway index is outside of the node prefix"))
 	}
 	errList = append(errList, validateExclusions(network, r.Spec.Exclusions, field.NewPath("spec"))...)
+	errList = append(errList, validatePerNodeExclusions(
+		network, r.Spec.PerNodeNetworkPrefix, r.Spec.PerNodeExclusions, field.NewPath("spec"))...)
 	errList = append(errList, r.validateStaticAllocations(network)...)
 	return errList
 }

api/v1alpha1/common_type.go

@@ -20,6 +20,19 @@ type ExcludeRange struct {
 	EndIP   string `json:"endIP"`
 }
 
+// ExcludeIndexRange contains range of indexes of IPs to exclude from allocation
+// startIndex and endIndex are part of the ExcludeIndexRange
+//
+// +kubebuilder:validation:XValidation:rule="self.endIndex >= self.startIndex",message="endIndex must be greater than or equal to startIndex"
+//
+//nolint:lll // kubebuilder annotation exceeds line length
+type ExcludeIndexRange struct {
+	// +kubebuilder:validation:Minimum=0
+	StartIndex int `json:"startIndex"`
+	// +kubebuilder:validation:Minimum=0
+	EndIndex int `json:"endIndex"`
+}
+
 // Route contains static route parameters
 type Route struct {
 	// The destination of the route, in CIDR notation

api/v1alpha1/ippool_test.go

@@ -249,7 +249,7 @@ var _ = Describe("Validate", func() {
 			Spec: v1alpha1.IPPoolSpec{
 				Subnet:           "2001:db8:3333:4444::0/64",
 				PerNodeBlockSize: 128,
-				DefaultGateway: true,
+				DefaultGateway:   true,
 				Routes: []v1alpha1.Route{
 					{
 						Dst: "::/0",
@@ -268,7 +268,7 @@ var _ = Describe("Validate", func() {
 			Spec: v1alpha1.IPPoolSpec{
 				Subnet:           "192.168.0.0/16",
 				PerNodeBlockSize: 128,
-				DefaultGateway: true,
+				DefaultGateway:   true,
 				Routes: []v1alpha1.Route{
 					{
 						Dst: "0.0.0.0/0",
@@ -281,4 +281,170 @@ var _ = Describe("Validate", func() {
 				ContainSubstring("spec.routes"),
 			)
 	})
+	It("Valid - PerNodeExclusions", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 0, EndIndex: 10},
+					{StartIndex: 100, EndIndex: 127},
+				},
+			},
+		}
+		Expect(ipPool.Validate()).To(BeEmpty())
+	})
+	It("Valid - PerNodeExclusions single index", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 5, EndIndex: 5},
+				},
+			},
+		}
+		Expect(ipPool.Validate()).To(BeEmpty())
+	})
+	It("Valid - PerNodeExclusions max index", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 120, EndIndex: 127}, // 127 is max for block size 128
+				},
+			},
+		}
+		Expect(ipPool.Validate()).To(BeEmpty())
+	})
+	It("Invalid - PerNodeExclusions negative startIndex", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: -5, EndIndex: 20},
+				},
+			},
+		}
+		Expect(ipPool.Validate().ToAggregate().Error()).
+			To(
+				ContainSubstring("spec.perNodeExclusions[0].startIndex"),
+			)
+	})
+	It("Invalid - PerNodeExclusions negative endIndex", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 5, EndIndex: -1},
+				},
+			},
+		}
+		Expect(ipPool.Validate().ToAggregate().Error()).
+			To(
+				ContainSubstring("spec.perNodeExclusions[0].endIndex"),
+			)
+	})
+	It("Invalid - PerNodeExclusions startIndex greater than endIndex", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 25, EndIndex: 24},
+				},
+			},
+		}
+		Expect(ipPool.Validate().ToAggregate().Error()).
+			To(
+				ContainSubstring("spec.perNodeExclusions[0]"),
+			)
+	})
+	It("Invalid - PerNodeExclusions startIndex outside block range", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 128, EndIndex: 130}, // max is 127 for block size 128
+				},
+			},
+		}
+		Expect(ipPool.Validate().ToAggregate().Error()).
+			To(And(
+				ContainSubstring("spec.perNodeExclusions[0].startIndex"),
+				ContainSubstring("outside"),
+			))
+	})
+	It("Invalid - PerNodeExclusions endIndex outside block range", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "192.168.0.0/16",
+				PerNodeBlockSize: 128,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 120, EndIndex: 200},
+				},
+			},
+		}
+		Expect(ipPool.Validate().ToAggregate().Error()).
+			To(And(
+				ContainSubstring("spec.perNodeExclusions[0].endIndex"),
+				ContainSubstring("outside"),
+			))
+	})
+	It("Valid - PerNodeExclusions IPv6", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "2001:db8:3333:4444::0/64",
+				PerNodeBlockSize: 256,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 0, EndIndex: 10},
+					{StartIndex: 250, EndIndex: 255},
+				},
+			},
+		}
+		Expect(ipPool.Validate()).To(BeEmpty())
+	})
+	It("PerNodeExclusions - IPv6 large subnet", func() {
+		cidrPool := v1alpha1.CIDRPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.CIDRPoolSpec{
+				CIDR:                 "fdf8:6aef:d1fe::/48",
+				PerNodeNetworkPrefix: 64,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 0, EndIndex: 10},
+					{StartIndex: 250, EndIndex: 255},
+				},
+			},
+		}
+		validatePoolAndCheckErr(&cidrPool, true)
+	})
+	It("Invalid - PerNodeExclusions IPv6 outside range", func() {
+		ipPool := v1alpha1.IPPool{
+			ObjectMeta: metav1.ObjectMeta{Name: "test"},
+			Spec: v1alpha1.IPPoolSpec{
+				Subnet:           "2001:db8:3333:4444::0/64",
+				PerNodeBlockSize: 256,
+				PerNodeExclusions: []v1alpha1.ExcludeIndexRange{
+					{StartIndex: 0, EndIndex: 300}, // max is 255 for block size 256
+				},
+			},
+		}
+		Expect(ipPool.Validate().ToAggregate().Error()).
+			To(
+				ContainSubstring("spec.perNodeExclusions[0].endIndex"),
+			)
+	})
 })

api/v1alpha1/ippool_type.go

@@ -41,6 +41,8 @@ type IPPoolSpec struct {
 	PerNodeBlockSize int `json:"perNodeBlockSize"`
 	// contains reserved IP addresses that should not be allocated by nv-ipam
 	Exclusions []ExcludeRange `json:"exclusions,omitempty"`
+	// contains reserved indexes of IPs that should not be allocated by nv-ipam
+	PerNodeExclusions []ExcludeIndexRange `json:"perNodeExclusions,omitempty"`
 	// gateway for the pool
 	Gateway string `json:"gateway,omitempty"`
 	// selector for nodes, if empty match all nodes

api/v1alpha1/ippool_validate.go

@@ -52,6 +52,10 @@ func (r *IPPool) Validate() field.ErrorList {
 	if network != nil {
 		errList = append(errList, validateExclusions(network, r.Spec.Exclusions, field.NewPath("spec"))...)
 	}
+	if r.Spec.PerNodeBlockSize >= 1 {
+		errList = append(errList, validatePerNodeExclusionsForBlockSize(
+			r.Spec.PerNodeBlockSize, r.Spec.PerNodeExclusions, field.NewPath("spec"))...)
+	}
 	var parsedGW net.IP
 	if r.Spec.Gateway != "" {
 		parsedGW = net.ParseIP(r.Spec.Gateway)