upgrade CNI spec from 0.4.0 to 1.0.0 (#2632)

aws · Nov 1, 2023 · d31fd1b · d31fd1b
1 parent 1dd45b8
commit d31fd1b
Show file tree

Hide file tree

Showing 16 changed files with 77 additions and 98 deletions.
diff --git a/Makefile b/Makefile
@@ -206,6 +206,7 @@ multi-arch-cni-init-build-push:
 # Run unit tests
 unit-test: export AWS_VPC_K8S_CNI_LOG_FILE=stdout
 unit-test:    ## Run unit tests
+	go test -v $(VENDOR_OVERRIDE_FLAG) -coverprofile=coverage.txt -covermode=atomic ./cmd/...
 	go test -v $(VENDOR_OVERRIDE_FLAG) -coverprofile=coverage.txt -covermode=atomic ./pkg/...
 
 # Run unit tests with race detection (can only be run natively)

diff --git a/cmd/egress-cni-plugin/egressContext.go b/cmd/egress-cni-plugin/egressContext.go
@@ -20,7 +20,7 @@ import (
 	"time"
 
 	"github.com/containernetworking/cni/pkg/types"
-	"github.com/containernetworking/cni/pkg/types/current"
+	current "github.com/containernetworking/cni/pkg/types/100"
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/vishvananda/netlink"
@@ -116,7 +116,8 @@ func (ec *egressContext) setupContainerVethV4() (*current.Interface, *current.In
 	containerInterface := &current.Interface{}
 
 	err := ec.Ns.WithNetNSPath(ec.NsPath, func(hostNS ns.NetNS) error {
-		hostVeth, contVeth0, err := ec.Veth.Setup(ec.NetConf.IfName, ec.Mtu, hostNS)
+		// Empty veth MAC is passed
+		hostVeth, contVeth0, err := ec.Veth.Setup(ec.NetConf.IfName, ec.Mtu, "", hostNS)
 		if err != nil {
 			return err
 		}
@@ -481,7 +482,8 @@ func (ec *egressContext) setupContainerVethV6() (hostInterface, containerInterfa
 		var hostVeth net.Interface
 		var contVeth net.Interface
 
-		hostVeth, contVeth, err = ec.Veth.Setup(ec.NetConf.IfName, ec.Mtu, hostNS)
+		// Empty veth MAC is passed
+		hostVeth, contVeth, err = ec.Veth.Setup(ec.NetConf.IfName, ec.Mtu, "", hostNS)
 		if err != nil {
 			return err
 		}

diff --git a/cmd/egress-cni-plugin/main.go b/cmd/egress-cni-plugin/main.go
@@ -20,7 +20,7 @@ import (
 
 	"github.com/containernetworking/cni/pkg/skel"
 	"github.com/containernetworking/cni/pkg/types"
-	"github.com/containernetworking/cni/pkg/types/current"
+	current "github.com/containernetworking/cni/pkg/types/100"
 	cniversion "github.com/containernetworking/cni/pkg/version"
 	"github.com/containernetworking/plugins/pkg/utils"
 )

diff --git a/cmd/egress-cni-plugin/main_test.go b/cmd/egress-cni-plugin/main_test.go
@@ -44,7 +44,7 @@ func TestCmdAddV4(t *testing.T) {
 		ContainerID: containerIDV4,
 		IfName:      "eth0",
 		StdinData: []byte(`{
-				"cniVersion":"0.4.0",
+				"cniVersion":"1.0.0",
 				"mtu":"9001",
 				"name":"aws-cni",
 				"enabled":"true",
@@ -55,7 +55,7 @@ func TestCmdAddV4(t *testing.T) {
 				"podSGEnforcingMode":"strict",
 				"prevResult":
 					{
-					"cniVersion":"0.4.0",
+					"cniVersion":"1.0.0",
 					"interfaces":
 						[
 							{"name":"eni36e5b0ee702"},
@@ -94,13 +94,13 @@ func TestCmdAddV4(t *testing.T) {
 		fmt.Sprintf("nat POSTROUTING -s 169.254.172.10 -j %s -m comment --comment name: \"aws-cni\" id: \"%s\"", snatChainV4, containerIDV4)}
 	assert.EqualValues(t, expectIptablesRules, actualIptablesRules)
 
-	expectRouteDel := []string{"route del: {Ifindex: 2 Dst: 169.254.172.0/22 Src: <nil> Gw: <nil> Flags: [] Table: 0}"}
+	expectRouteDel := []string{"route del: {Ifindex: 2 Dst: 169.254.172.0/22 Src: <nil> Gw: <nil> Flags: [] Table: 0 Realm: 0}"}
 	assert.EqualValues(t, expectRouteDel, actualRouteDel)
 
 	expectRouteAdd := []string{
-		"route add: {Ifindex: 2 Dst: 169.254.172.1/32 Src: 169.254.172.10 Gw: <nil> Flags: [] Table: 0}",
-		"route add: {Ifindex: 2 Dst: 169.254.172.0/22 Src: 169.254.172.10 Gw: 169.254.172.1 Flags: [] Table: 0}",
-		"route add: {Ifindex: 100 Dst: 169.254.172.10/32 Src: <nil> Gw: <nil> Flags: [] Table: 0}"}
+		"route add: {Ifindex: 2 Dst: 169.254.172.1/32 Src: 169.254.172.10 Gw: <nil> Flags: [] Table: 0 Realm: 0}",
+		"route add: {Ifindex: 2 Dst: 169.254.172.0/22 Src: 169.254.172.10 Gw: 169.254.172.1 Flags: [] Table: 0 Realm: 0}",
+		"route add: {Ifindex: 100 Dst: 169.254.172.10/32 Src: <nil> Gw: <nil> Flags: [] Table: 0 Realm: 0}"}
 	assert.EqualValues(t, expectRouteAdd, actualRouteAdd)
 
 	// the unit test write some output string not ends with '\n' and this cause go runner unable to interpret that a test was run.
@@ -115,7 +115,7 @@ func TestCmdDelV4(t *testing.T) {
 		ContainerID: containerIDV4,
 		IfName:      "eth0",
 		StdinData: []byte(`{
-				"cniVersion":"0.4.0",
+				"cniVersion":"1.0.0",
 				"mtu":"9001",
 				"name":"aws-cni",
 				"enabled":"true",
@@ -126,7 +126,7 @@ func TestCmdDelV4(t *testing.T) {
 				"podSGEnforcingMode":"strict",
 				"prevResult":
 					{
-					"cniVersion":"0.4.0",
+					"cniVersion":"1.0.0",
 					"interfaces":
 						[
 							{"name":"eni36e5b0ee702"},
@@ -170,7 +170,7 @@ func TestCmdAddV6(t *testing.T) {
 		ContainerID: containerIDV6,
 		IfName:      "eth0",
 		StdinData: []byte(`{
-				"cniVersion":"0.4.0",
+				"cniVersion":"1.0.0",
 				"mtu":"9001",
 				"name":"aws-cni",
 				"enabled":"true",
@@ -181,7 +181,7 @@ func TestCmdAddV6(t *testing.T) {
 				"podSGEnforcingMode":"strict",
 				"prevResult":
 					{
-					"cniVersion":"0.4.0",
+					"cniVersion":"1.0.0",
 					"interfaces":
 						[
 							{"name":"eni36e5b0ee702"},
@@ -220,10 +220,10 @@ func TestCmdAddV6(t *testing.T) {
 		fmt.Sprintf("nat POSTROUTING -s fd00::10 -j %s -m comment --comment name: \"aws-cni\" id: \"%s\"", snatChainV6, containerIDV6)}
 	assert.EqualValues(t, expectIptablesRules, actualIptablesRules)
 
-	expectRouteAdd := []string{"{Ifindex: 100 Dst: fd00::10/128 Src: <nil> Gw: <nil> Flags: [] Table: 0}"}
+	expectRouteAdd := []string{"{Ifindex: 100 Dst: fd00::10/128 Src: <nil> Gw: <nil> Flags: [] Table: 0 Realm: 0}"}
 	assert.EqualValues(t, expectRouteAdd, actualRouteAdd)
 
-	expectRouteReplace := []string{"{Ifindex: 2 Dst: ::/0 Src: <nil> Gw: fe80::10 Flags: [] Table: 0}"}
+	expectRouteReplace := []string{"{Ifindex: 2 Dst: ::/0 Src: <nil> Gw: fe80::10 Flags: [] Table: 0 Realm: 0}"}
 	assert.EqualValues(t, expectRouteReplace, actualRouteReplace)
 
 	// the unit test write some output string not ends with '\n' and this cause go runner unable to interpret that a test was run.
@@ -238,7 +238,7 @@ func TestCmdDelV6(t *testing.T) {
 		ContainerID: containerIDV6,
 		IfName:      "eth0",
 		StdinData: []byte(`{
-				"cniVersion":"0.4.0",
+				"cniVersion":"1.0.0",
 				"mtu":"9001",
 				"name":"aws-cni",
 				"enabled":"true",
@@ -249,7 +249,7 @@ func TestCmdDelV6(t *testing.T) {
 				"podSGEnforcingMode":"strict",
 				"prevResult":
 					{
-					"cniVersion":"0.4.0",
+					"cniVersion":"1.0.0",
 					"interfaces":
 						[
 							{"name":"eni36e5b0ee702"},

diff --git a/cmd/egress-cni-plugin/test_utils.go b/cmd/egress-cni-plugin/test_utils.go
@@ -17,7 +17,7 @@ import (
 	"fmt"
 	"net"
 
-	"github.com/containernetworking/cni/pkg/types/current"
+	current "github.com/containernetworking/cni/pkg/types/100"
 	_ns "github.com/containernetworking/plugins/pkg/ns"
 	"github.com/golang/mock/gomock"
 	"github.com/vishvananda/netlink"
@@ -44,10 +44,9 @@ func SetupAddExpectV4(ec egressContext, chain string, actualIptablesRules, actua
 
 	ec.Ipam.(*mock_ipam.MockHostIpam).EXPECT().ExecAdd("host-local", gomock.Any()).Return(
 		&current.Result{
-			CNIVersion: "0.4.0",
+			CNIVersion: "1.0.0",
 			IPs: []*current.IPConfig{
-				&current.IPConfig{
-					Version: "4",
+				{
 					Address: net.IPNet{
 						IP:   net.ParseIP("169.254.172.10"),
 						Mask: net.CIDRMask(22, 32),
@@ -66,7 +65,7 @@ func SetupAddExpectV4(ec egressContext, chain string, actualIptablesRules, actua
 		f(nsParent)
 	}).Return(nil)
 
-	ec.Veth.(*mock_veth.MockVeth).EXPECT().Setup(egressIPv4InterfaceName, 9001, gomock.Any()).Return(
+	ec.Veth.(*mock_veth.MockVeth).EXPECT().Setup(egressIPv4InterfaceName, 9001, "", gomock.Any()).Return(
 		net.Interface{
 			Name:         HostIfName,
 			HardwareAddr: macHost[:],
@@ -188,10 +187,9 @@ func SetupAddExpectV6(c egressContext, chain string, actualIptablesRules, actual
 
 	c.Ipam.(*mock_ipam.MockHostIpam).EXPECT().ExecAdd("host-local", gomock.Any()).Return(
 		&current.Result{
-			CNIVersion: "0.4.0",
+			CNIVersion: "1.0.0",
 			IPs: []*current.IPConfig{
-				&current.IPConfig{
-					Version: "6",
+				{
 					Address: net.IPNet{
 						IP:   net.ParseIP("fd00::10"),
 						Mask: net.CIDRMask(8, 128),
@@ -209,7 +207,7 @@ func SetupAddExpectV6(c egressContext, chain string, actualIptablesRules, actual
 		f(nsParent)
 	}).Return(nil).AnyTimes()
 
-	c.Veth.(*mock_veth.MockVeth).EXPECT().Setup(egressIPv6InterfaceName, 9001, gomock.Any()).Return(
+	c.Veth.(*mock_veth.MockVeth).EXPECT().Setup(egressIPv6InterfaceName, 9001, "", gomock.Any()).Return(
 		net.Interface{
 			Name:         HostIfName,
 			HardwareAddr: macHost[:],

diff --git a/cmd/routed-eni-cni-plugin/cni.go b/cmd/routed-eni-cni-plugin/cni.go
@@ -29,7 +29,7 @@ import (
 
 	"github.com/containernetworking/cni/pkg/skel"
 	"github.com/containernetworking/cni/pkg/types"
-	"github.com/containernetworking/cni/pkg/types/current"
+	current "github.com/containernetworking/cni/pkg/types/100"
 	cniSpecVersion "github.com/containernetworking/cni/pkg/version"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
@@ -187,24 +187,23 @@ func add(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 
 	// We will let the values in result struct guide us in terms of IP Address Family configured.
 	var v4Addr, v6Addr, addr *net.IPNet
-	var addrFamily string
 
 	// We don't support dual stack mode currently so it has to be either v4 or v6 mode.
 	if r.IPv4Addr != "" {
 		v4Addr = &net.IPNet{
 			IP:   net.ParseIP(r.IPv4Addr),
 			Mask: net.CIDRMask(32, 32),
 		}
-		addrFamily = "4"
 		addr = v4Addr
 	} else if r.IPv6Addr != "" {
 		v6Addr = &net.IPNet{
 			IP:   net.ParseIP(r.IPv6Addr),
 			Mask: net.CIDRMask(128, 128),
 		}
-		addrFamily = "6"
 		addr = v6Addr
 	}
+	// AddNetwork guarantees that Gateway string is a valid IPNet
+	gw := net.ParseIP(r.PodENISubnetGW)
 
 	var hostVethName string
 	var dummyInterface *current.Interface
@@ -257,9 +256,9 @@ func add(args *skel.CmdArgs, cniTypes typeswrapper.CNITYPES, grpcClient grpcwrap
 	containerInterfaceIndex := 1
 	ips := []*current.IPConfig{
 		{
-			Version:   addrFamily,
-			Address:   *addr,
 			Interface: &containerInterfaceIndex,
+			Address:   *addr,
+			Gateway:   gw,
 		},
 	}
 

diff --git a/cmd/routed-eni-cni-plugin/cni_test.go b/cmd/routed-eni-cni-plugin/cni_test.go
@@ -22,7 +22,7 @@ import (
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/sgpp"
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/logger"
 	"github.com/aws/aws-sdk-go/aws"
-	"github.com/containernetworking/cni/pkg/types/current"
+	current "github.com/containernetworking/cni/pkg/types/100"
 
 	"github.com/containernetworking/cni/pkg/skel"
 	"github.com/containernetworking/cni/pkg/types"
@@ -42,7 +42,7 @@ const (
 	containerID    = "test-container"
 	netNS          = "/proc/ns/1234"
 	ifName         = "eth0"
-	cniVersion     = "1.0"
+	cniVersion     = "1.1"
 	cniName        = "aws-cni"
 	pluginLogLevel = "Debug"
 	pluginLogFile  = "/var/log/aws-routed-eni/plugin.log"
@@ -233,8 +233,9 @@ func TestCmdDelErrDelNetwork(t *testing.T) {
 
 	mockC.EXPECT().DelNetwork(gomock.Any(), gomock.Any()).Return(delNetworkReply, errors.New("error on DelNetwork"))
 
+	// On DelNetwork fail, the CNI must not return an error to kubelet as deletes are best-effort.
 	err := del(cmdArgs, mocksTypes, mocksGRPC, mocksRPC, mocksNetwork)
-	assert.Error(t, err)
+	assert.Nil(t, err)
 }
 
 func TestCmdDelErrTeardown(t *testing.T) {
@@ -396,7 +397,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -449,7 +449,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -503,7 +502,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -541,7 +539,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -583,7 +580,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -625,7 +621,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -662,7 +657,6 @@ func Test_tryDelWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -796,7 +790,6 @@ func Test_teardownPodNetworkWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -849,7 +842,6 @@ func Test_teardownPodNetworkWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -886,7 +878,6 @@ func Test_teardownPodNetworkWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -928,7 +919,6 @@ func Test_teardownPodNetworkWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -969,7 +959,6 @@ func Test_teardownPodNetworkWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),
@@ -1010,7 +999,6 @@ func Test_teardownPodNetworkWithPrevResult(t *testing.T) {
 							},
 							IPs: []*current.IPConfig{
 								{
-									Version: "4",
 									Address: net.IPNet{
 										IP:   net.ParseIP("192.168.1.1"),
 										Mask: net.CIDRMask(32, 32),