Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync node security groups to cache before node initialization #2427

Merged
merged 1 commit into from
Jun 16, 2023

Conversation

jdn5126
Copy link
Contributor

@jdn5126 jdn5126 commented Jun 16, 2023

What type of PR is this?
bug

Which issue does this PR fix:
#2426

What does this PR do / Why do we need it:
This PR fixes a bug in v1.13.0 where custom ENIs could not be created when an ENIConfig definition did not contain a security group ID. The expected behavior is that we fall back to the security group ID assigned to the primary ENI. The issue is that we were trying to create the ENI before the security group assigned to the primary ENI was synced to the EC2 metadata cache.

If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
N/A

Testing done on this change:
Manually verified that ENIConfigs with no security group work following this change. Integration test coverage is pending, as this PR is being fast-tracked to make v1.13.1 release. The manual test cases that were run are being added to custom networking test suite.

Automation added to e2e:
Pending, will be added in a follow-up PR

Will this PR introduce any new dependencies?:
No

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No, Yes

Does this change require updates to the CNI daemonset config files to work?:
No

Does this PR introduce any user-facing change?:
Yes

Fix custom networking issue in v1.13.0 when ENIConfig did not include any security group IDs

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@jdn5126 jdn5126 requested a review from a team as a code owner June 16, 2023 16:25
Copy link
Member

@orsenthil orsenthil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@jdn5126 jdn5126 merged commit 6a0f74d into aws:master Jun 16, 2023
@jdn5126 jdn5126 deleted the custom_eni_fix branch June 16, 2023 21:30
jdn5126 added a commit that referenced this pull request Jul 11, 2023
* refactor canary test to access images from AWS registries (#2398)

* upgrade client-go and controller-runtime modules (#2396)

* updates for v1.13.0 release (#2400)

* chore: Added dependabot (#2403)

* dependency updates (#2412)

* deprecate ENABLE_NFTABLES and set iptables mode using iptables-wrapper script (#2402)

* update networking test agent to go1.20 and latest sys module (#2413)

* skip delete test cluster to debug (#2414)

* Revert "skip delete test cluster to debug (#2414)" (#2415)

This reverts commit 7c30943.

* authenticate to test image registry (#2417)

* update test agent image (#2419)

* update test agent hash in go.mod (#2422)

* fix hard-coded nitro instances (#2428)

* move authentication step from test canary script (#2429)

* node initialization must come after primary ENI's security groups are synced to cache (#2427)

* Add 1.27 to Rec Version Table (#2404)

* revise rec version table

* make DOCKER_ARGS a passable var from CLI builds (#2434)

Signed-off-by: jonahjon <jonahjones094@gmail.com>

* Update Kops cluster to latest and add parameter for kops version (#2435)

* Updates instance limits including c7gn (#2438)

* Update Kops cluster to latest and add parameter for kops version (#2440)

* update image tag to v1.13.2 (#2432)

* update docs and CNI logging (#2433)

* remove default canary test run from integration tests (#2443)

* Silences nightly cron jobs for forks (#2444)

* Silences weekly cron jobs for forks (#2459)

* refactor performance tests (#2455)

* add custom-networking test covering ENIConfig objects with no security (#2445)

groups

* k8s clients only need to access corev1; add pod selector (#2463)

---------

Signed-off-by: jonahjon <jonahjones094@gmail.com>
Co-authored-by: Olivia Song <sonyingy@amazon.com>
Co-authored-by: Ellis Tarn <ellistarn@gmail.com>
Co-authored-by: Geoffrey Cline <geoffreyc@outlook.com>
Co-authored-by: Jonah Jones <jonahjones094@gmail.com>
Co-authored-by: Jay Deokar <23660509+jaydeokar@users.noreply.github.com>
Co-authored-by: Matt <matt.merkes@gmail.com>
Co-authored-by: Matt <merkes@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants