
disable leaked eni cleanup routine if vpc-resource-controller is running

Open sushrk opened this issue 1 year ago • 1 comments

What type of PR is this? feature

Which issue does this PR fix?: N/A

What does this PR do / Why do we need it?: PR to disable the leaked ENI cleanup routine on the VPC-CNI when VPC-Resource-Controller is running. VPC-Resource-Controller is responsible for creating the CNINode CRD in an EKS cluster and adding the cluster name tag key/value to the CRD. When VPC-CNI reads the CNINode and the cluster tag key exists, we tag the ENIs provisioned by VPC-CNI with the following additional tags:

eks:eni:owner: amazon-vpc-cni
kubernetes.io/cluster/<cluster-name>: owned
node.k8s.amazonaws.com/nodename: <node name>

To be backward compatible, we also tag the ENIs with cluster.k8s.amazonaws.com/name: <cluster name> when CLUSTER_NAME ENV is set as before.

The controller runs a cleanup routine periodically and at node termination to fetch all leaked (available) ENIs, filtered on the above tags as follows:

  • During the periodic cleanup, the controller does a cluster-wide cleanup filtering on kubernetes.io/cluster/<cluster-name>: owned and eks:eni:owner: amazon-vpc-cni
  • At node termination, the controller does a node-level cleanup by filtering on node.k8s.amazonaws.com/nodename: <node name> and eks:eni:owner: amazon-vpc-cni

Testing done on this change: Added unit test cases.

ipamd integration test: Screenshot 2024-03-19 at 10 20 50 PM

Will this PR introduce any new dependencies?: Dependency on the next vpc-resource-controller release

Will this break upgrades or downgrades? Has updating a running cluster been tested?: Upgrade has been tested.

Does this change require updates to the CNI daemonset config files to work?: No

Does this PR introduce any user-facing change?:

Disable leaked ENI cleanup routine on VPC-CNI if VPC-Resource-Controller is running.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

sushrk avatar Mar 20 '24 00:03 sushrk
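The tagging rule and the two cleanup filter sets described in the PR, modelled as an added example in Go using only the standard library. This is not code from the PR, from amazon-vpc-cni-k8s or from vpc-resource-controller: the ENI and Filter types, the function names, and the sample ENI IDs, cluster names and node names are constructed for illustration, and the real controller queries EC2 (DescribeNetworkInterfaces with tag filters) rather than an in-memory slice. It shows which ENIs each filter set picks up, that only unattached ("available") ENIs count as leaked, and that an ENI carrying only the backward-compatible cluster.k8s.amazonaws.com/name tag is not matched by either filter set.

```go
package main

import (
	"fmt"
	"sort"
)

// Tag keys and values named in the PR description.
const (
	tagENIOwner      = "eks:eni:owner"
	tagENIOwnerValue = "amazon-vpc-cni"
	tagNodeName      = "node.k8s.amazonaws.com/nodename"
	tagLegacyCluster = "cluster.k8s.amazonaws.com/name" // set from CLUSTER_NAME
)

// clusterOwnedTagKey builds the kubernetes.io/cluster/<cluster-name> key.
func clusterOwnedTagKey(clusterName string) string {
	return "kubernetes.io/cluster/" + clusterName
}

// ENI is a constructed stand-in for an EC2 network interface (example only);
// Status "available" means unattached, i.e. a leak candidate.
type ENI struct {
	ID     string
	Status string
	Tags   map[string]string
}

// Filter is one required tag key/value pair, the equivalent of an EC2
// "tag:<key>" filter.
type Filter struct{ Key, Value string }

// BuildENITags returns the tags the CNI would put on an ENI it provisions.
// clusterNameFromCNINode is the cluster name read from the CNINode CRD (empty
// when the controller has not written one); clusterNameEnv is CLUSTER_NAME.
func BuildENITags(clusterNameFromCNINode, clusterNameEnv, nodeName string) map[string]string {
	tags := map[string]string{}
	if clusterNameFromCNINode != "" {
		tags[tagENIOwner] = tagENIOwnerValue
		tags[clusterOwnedTagKey(clusterNameFromCNINode)] = "owned"
		tags[tagNodeName] = nodeName
	}
	if clusterNameEnv != "" { // backward-compatible tag, set independently
		tags[tagLegacyCluster] = clusterNameEnv
	}
	return tags
}

// ShouldDisableCNICleanup reports whether the CNI skips its own leaked-ENI
// routine: it does so when the CNINode carries the cluster name, which here
// stands for "VPC-Resource-Controller is running and owns cleanup".
func ShouldDisableCNICleanup(clusterNameFromCNINode string) bool {
	return clusterNameFromCNINode != ""
}

// ClusterWideFilters is the periodic, cluster-wide cleanup filter set.
func ClusterWideFilters(clusterName string) []Filter {
	return []Filter{{tagENIOwner, tagENIOwnerValue}, {clusterOwnedTagKey(clusterName), "owned"}}
}

// NodeFilters is the node-termination, node-level cleanup filter set.
func NodeFilters(nodeName string) []Filter {
	return []Filter{{tagENIOwner, tagENIOwnerValue}, {tagNodeName, nodeName}}
}

// LeakedENIs returns the IDs of ENIs that are unattached and match every filter.
func LeakedENIs(enis []ENI, filters []Filter) []string {
	var ids []string
	for _, e := range enis {
		if e.Status != "available" {
			continue
		}
		matched := true
		for _, f := range filters {
			if e.Tags[f.Key] != f.Value {
				matched = false
				break
			}
		}
		if matched {
			ids = append(ids, e.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// SampleENIs is constructed input; IDs, cluster and node names are made up.
func SampleENIs() []ENI {
	return []ENI{
		{"eni-a", "available", BuildENITags("prod", "prod", "ip-10-0-1-5")},
		{"eni-b", "available", BuildENITags("prod", "prod", "ip-10-0-2-9")},
		{"eni-c", "in-use", BuildENITags("prod", "prod", "ip-10-0-1-5")},
		{"eni-d", "available", BuildENITags("staging", "staging", "ip-10-0-3-1")},
		// Only the legacy tag (no owner/cluster/nodename tags): matched by neither filter set.
		{"eni-e", "available", BuildENITags("", "prod", "ip-10-0-1-5")},
	}
}

func main() {
	enis := SampleENIs()
	fmt.Println("disable CNI cleanup:", ShouldDisableCNICleanup("prod"))
	fmt.Println("cluster-wide leaked:", LeakedENIs(enis, ClusterWideFilters("prod")))
	fmt.Println("node-level leaked:  ", LeakedENIs(enis, NodeFilters("ip-10-0-1-5")))
}
```

Note that the node-level filter set contains no cluster tag, so it relies on eks:eni:owner plus the node name alone; the cluster-wide set is what scopes cleanup to one cluster.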

Would love this feature. We were planning on contributing something similar

GnatorX avatar Apr 26 '24 20:04 GnatorX

For CVE 2024-2888 https://pkg.go.dev/vuln/GO-2024-2888 published today, EKS-D golang image is not yet available.

sushrk avatar Jun 05 '24 00:06 sushrk

The code changes look good to me.

orsenthil avatar Jun 12 '24 18:06 orsenthil