Add support for AL2023 AMI to use Amazon VPC CNI

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
kubernetes · Feb 12, 2024 · 1330a08 · 1330a08
1 parent f060b92
commit 1330a08
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/nodeup/pkg/model/networking/amazon-vpc-routed-eni.go b/nodeup/pkg/model/networking/amazon-vpc-routed-eni.go
@@ -20,6 +20,7 @@ import (
 	"k8s.io/kops/nodeup/pkg/model"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
+	"k8s.io/kops/util/pkg/distributions"
 )
 
 // AmazonVPCRoutedENIBuilder writes the Amazon VPC CNI configuration
@@ -35,8 +36,39 @@ func (b *AmazonVPCRoutedENIBuilder) Build(c *fi.NodeupModelBuilderContext) error
 		return nil
 	}
 
-	// Running Amazon VPC CNI on Ubuntu 22.04 and later requires setting MACAddressPolicy to `none` (ref: https://github.com/aws/amazon-vpc-cni-k8s/issues/2103 & https://github.com/kubernetes/kops/issues/16255)
-	if b.Distribution.IsUbuntu() && b.Distribution.Version() >= 22.04 {
+	if b.Distribution == distributions.DistributionAmazonLinux2023 {
+		// Mask udev triggers installed by amazon-ec2-net-utils package
+		c.AddTask(&nodetasks.File{
+			Path:     "/etc/udev/rules.d/99-vpc-policy-routes.rules",
+			Contents: fi.NewStringResource(""),
+			Type:     nodetasks.FileType_File,
+			OnChangeExecute: [][]string{
+				{"udevadm", "control", "--reload-rules"},
+				{"udevadm", "trigger"},
+			},
+		})
+
+		// Make systemd-networkd ignore foreign settings, else it may
+		// unexpectedly delete IP rules and routes added by CNI
+		contents := `
+# Do not clobber any routes or rules added by CNI.
+[Network]
+ManageForeignRoutes=no
+ManageForeignRoutingPolicyRules=no
+`
+		c.AddTask(&nodetasks.File{
+			Path:            "/usr/lib/systemd/networkd.conf.d/80-release.conf",
+			Contents:        fi.NewStringResource(contents),
+			Type:            nodetasks.FileType_File,
+			OnChangeExecute: [][]string{{"systemctl", "restart", "systemd-networkd"}},
+		})
+	}
+
+	// Running Amazon VPC CNI on Ubuntu 22.04 and later or any version of al2023 requires
+	// setting MACAddressPolicy to `none` (ref: https://github.com/aws/amazon-vpc-cni-k8s/issues/2103
+	// & https://github.com/kubernetes/kops/issues/16255)
+	if (b.Distribution.IsUbuntu() && b.Distribution.Version() >= 22.04) ||
+		b.Distribution == distributions.DistributionAmazonLinux2023 {
 		contents := `
 [Match]
 OriginalName=*

diff --git a/nodeup/pkg/model/packages.go b/nodeup/pkg/model/packages.go
@@ -60,7 +60,12 @@ func (b *PackagesBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 		c.AddTask(&nodetasks.Package{Name: "conntrack-tools"})
 		c.AddTask(&nodetasks.Package{Name: "ebtables"})
 		c.AddTask(&nodetasks.Package{Name: "ethtool"})
-		c.AddTask(&nodetasks.Package{Name: "iptables"})
+		if b.Distribution == distributions.DistributionAmazonLinux2023 {
+			// install iptables-nft in al2023 (NOT the iptables-legacy!)
+			c.AddTask(&nodetasks.Package{Name: "iptables-nft"})
+		} else {
+			c.AddTask(&nodetasks.Package{Name: "iptables"})
+		}
 		c.AddTask(&nodetasks.Package{Name: "libseccomp"})
 		c.AddTask(&nodetasks.Package{Name: "libtool-ltdl"})
 		c.AddTask(&nodetasks.Package{Name: "socat"})