EIP Multi NIC: do not config role primary secondary network namespaces

Signed-off-by: Martin Kennelly <mkennell@redhat.com>
ovn-org · Jul 24, 2024 · 9b18b4a · 9b18b4a
1 parent 07b2cf8
commit 9b18b4a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 8 deletions.
diff --git a/go-controller/pkg/node/controllers/egressip/egressip.go b/go-controller/pkg/node/controllers/egressip/egressip.go
@@ -25,6 +25,8 @@ import (
 	"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util"
 	utilerrors "github.com/ovn-org/ovn-kubernetes/go-controller/pkg/util/errors"
 
+	nadv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/informers/externalversions/k8s.cni.cncf.io/v1"
+	nadlister "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/client/listers/k8s.cni.cncf.io/v1"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -114,10 +116,10 @@ type Controller struct {
 	namespaceLister   corelisters.NamespaceLister
 	namespaceInformer cache.SharedIndexInformer
 	namespaceQueue    workqueue.RateLimitingInterface
-
-	podLister   corelisters.PodLister
-	podInformer cache.SharedIndexInformer
-	podQueue    workqueue.RateLimitingInterface
+	nadLister         nadlister.NetworkAttachmentDefinitionLister
+	podLister         corelisters.PodLister
+	podInformer       cache.SharedIndexInformer
+	podQueue          workqueue.RateLimitingInterface
 
 	// cache is a cache of configuration states for EIPs, key is EgressIP Name.
 	cache *syncmap.SyncMap[*state]
@@ -139,8 +141,9 @@ type Controller struct {
 	v6              bool
 }
 
-func NewController(k kube.Interface, eIPInformer egressipinformer.EgressIPInformer, nodeInformer cache.SharedIndexInformer, namespaceInformer coreinformers.NamespaceInformer,
-	podInformer coreinformers.PodInformer, routeManager *routemanager.Controller, v4, v6 bool, nodeName string, linkManager *linkmanager.Controller) (*Controller, error) {
+func NewController(k kube.Interface, eIPInformer egressipinformer.EgressIPInformer, nodeInformer cache.SharedIndexInformer,
+	namespaceInformer coreinformers.NamespaceInformer, nadInformer nadv1.NetworkAttachmentDefinitionInformer, podInformer coreinformers.PodInformer,
+	routeManager *routemanager.Controller, v4, v6 bool, nodeName string, linkManager *linkmanager.Controller) (*Controller, error) {
 
 	c := &Controller{
 		eIPLister:   eIPInformer.Lister(),
@@ -156,6 +159,7 @@ func NewController(k kube.Interface, eIPInformer egressipinformer.EgressIPInform
 			workqueue.NewItemFastSlowRateLimiter(time.Second, 5*time.Second, 5),
 			"eipnamespace",
 		),
+		nadLister:   nadInformer.Lister(),
 		podLister:   podInformer.Lister(),
 		podInformer: podInformer.Informer(),
 		podQueue: workqueue.NewNamedRateLimitingQueue(
@@ -553,6 +557,14 @@ func (c *Controller) processEIP(eip *eipv1.EgressIP) (*eIPConfig, sets.Set[strin
 		}
 		isEIPV6 := utilnet.IsIPv6(eIPNet.IP)
 		for _, namespace := range namespaces {
+			netInfo, err := util.GetActiveNetworkForNamespace(namespace.Name, c.nadLister)
+			if err != nil {
+				return nil, selectedNamespaces, selectedPods, selectedNamespacesPodIPs, fmt.Errorf("failed to get active network for namespace %s: %v", namespace.Name, err)
+			}
+			if netInfo.IsSecondary() {
+				// EIP for secondary host interfaces is not supported for secondary networks
+				continue
+			}
 			selectedNamespaces.Insert(namespace.Name)
 			pods, err := c.listPodsByNamespaceAndSelector(namespace.Name, &eip.Spec.PodSelector)
 			if err != nil {
@@ -986,6 +998,14 @@ func (c *Controller) repairNode() error {
 			for _, namespace := range namespaces {
 				namespaceLabels := labels.Set(namespace.Labels)
 				if namespaceSelector.Matches(namespaceLabels) {
+					netInfo, err := util.GetActiveNetworkForNamespace(namespace.Name, c.nadLister)
+					if err != nil {
+						return fmt.Errorf("failed to get active network for namespace %s: %v", namespace.Name, err)
+					}
+					if netInfo.IsSecondary() {
+						// EIP for secondary host interfaces is not supported for secondary networks
+						continue
+					}
 					pods, err := c.podLister.Pods(namespace.Name).List(podSelector)
 					if err != nil {
 						return fmt.Errorf("failed to list pods using selector %s to configure egress IP %s: %v",

diff --git a/go-controller/pkg/node/default_node_network_controller.go b/go-controller/pkg/node/default_node_network_controller.go
@@ -1132,8 +1132,8 @@ func (nc *DefaultNodeNetworkController) Start(ctx context.Context) error {
 
 	if config.OVNKubernetesFeature.EnableEgressIP && !util.PlatformTypeIsEgressIPCloudProvider() {
 		c, err := egressip.NewController(nc.Kube, nc.watchFactory.EgressIPInformer(), nc.watchFactory.NodeInformer(),
-			nc.watchFactory.NamespaceInformer(), nc.watchFactory.PodCoreInformer(), nc.routeManager, config.IPv4Mode,
-			config.IPv6Mode, nc.name, nc.linkManager)
+			nc.watchFactory.NamespaceInformer(), nc.watchFactory.NADInformer(), nc.watchFactory.PodCoreInformer(),
+			nc.routeManager, config.IPv4Mode, config.IPv6Mode, nc.name, nc.linkManager)
 		if err != nil {
 			return fmt.Errorf("failed to create egress IP controller: %v", err)
 		}