aws · yash97 · Nov 18, 2024 · Apr 5, 2024 · Apr 11, 2024 · Apr 21, 2024
@@ -67,5 +67,5 @@ jobs:
       - name: Install `gosec`
         run: go install github.com/securego/gosec/v2/cmd/gosec@latest
       - name: Run Gosec Security Scanner
-        run: ~/go/bin/gosec -exclude-dir test -exclude-generated -severity medium -exclude=G108,G114 ./...
+        run: ~/go/bin/gosec -exclude-dir test -exclude-generated -severity medium ./...
 
@@ -8,7 +8,16 @@
 
 Controller running on EKS Control Plane for managing Branch & Trunk Network Interface for [Kubernetes Pod](https://kubernetes.io/docs/concepts/workloads/pods/) using the [Security Group for Pod](https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html) feature and IPv4 Address Management(IPAM) of [Windows Nodes](https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html).
 
-The controller broadcasts its version to nodes. Describing any node will provide the version information in node `Events`. The mapping between the controller's version and the cluster's platform version is also available in release notes.
+The controller broadcasts its version to nodes. Describing any node will provide the version information in node `Events`. The mapping between the controller's version and the cluster's platform version is also available in release notes. Please be aware that kubernetes events last for one hour in general and you may have to check the version information events in newly created nodes.
+
+Version events example:
+```
+Events:
+  Type     Reason                   Age                    From                     Message
+  ----     ------                   ----                   ----                     -------
+  Normal   ControllerVersionNotice  2m58s                  vpc-resource-controller  The node is managed by VPC resource controller version v1.4.9
+  Normal   NodeTrunkInitiated       2m55s                  vpc-resource-controller  The node has trunk interface initialized successfully
+```
 
 ## Security Group for Pods
 

@@ -10,7 +10,7 @@ spec:
     spec:
       containers:
       - name: kube-rbac-proxy
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
+        image: registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.5.0
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

@@ -168,6 +168,12 @@ func (r *NodeReconciler) Check() healthz.Checker {
 			return nil
 		}
 
+		if r.Manager.SkipHealthCheck() {
+			// node manager observes EC2 error on processing node, pausing reconciler check to avoid stressing the system
+			r.Log.Info("due to EC2 error, node controller skips node reconciler health check for now")
+			return nil
+		}
+
 		err := rcHealthz.PingWithTimeout(func(c chan<- error) {
 			// when the reconciler is ready, testing the reconciler with a fake node request
 			pingRequest := &ctrl.Request{

@@ -27,6 +27,7 @@ import (
 	"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/node"
 	"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/node/manager"
 	"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/resource"
+	"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/utils"
 	"github.com/google/uuid"
 
 	"github.com/go-logr/logr"
@@ -56,7 +57,7 @@ type PodReconciler struct {
 
 var (
 	PodRequeueRequest          = ctrl.Result{Requeue: true, RequeueAfter: time.Second}
-	MaxPodConcurrentReconciles = 10
+	MaxPodConcurrentReconciles = 20
 )
 
 // Reconcile handles create/update/delete event by delegating the request to the  handler
@@ -112,6 +113,10 @@ func (r *PodReconciler) Reconcile(request custom.Request) (ctrl.Result, error) {
 			logger.V(1).Info("pod's node is not yet initialized by the manager, will retry", "Requested", request.NamespacedName.String(), "Cached pod name", pod.ObjectMeta.Name, "Cached pod namespace", pod.ObjectMeta.Namespace)
 			return PodRequeueRequest, nil
 		} else if !node.IsManaged() {
+			if utils.PodHasENIRequest(pod) {
+				r.Log.Info("pod's node is not managed, but has eni request, will retry", "Requested", request.NamespacedName.String(), "Cached pod name", pod.ObjectMeta.Name, "Cached pod namespace", pod.ObjectMeta.Namespace)
+				return PodRequeueRequest, nil
+			}
 			logger.V(1).Info("pod's node is not managed, skipping pod event", "Requested", request.NamespacedName.String(), "Cached pod name", pod.ObjectMeta.Name, "Cached pod namespace", pod.ObjectMeta.Namespace)
 			return ctrl.Result{}, nil
 		} else if !node.IsReady() {

@@ -16,6 +16,7 @@ package controllers
 import (
 	"errors"
 	"testing"
+	"time"
 
 	"github.com/aws/amazon-vpc-resource-controller-k8s/controllers/custom"
 	mock_condition "github.com/aws/amazon-vpc-resource-controller-k8s/mocks/amazon-vcp-resource-controller-k8s/pkg/condition"
@@ -188,7 +189,7 @@ func TestPodReconciler_Reconcile_NonManaged(t *testing.T) {
 
 	result, err := mock.PodReconciler.Reconcile(mockReq)
 	assert.NoError(t, err)
-	assert.Equal(t, result, controllerruntime.Result{})
+	assert.Equal(t, controllerruntime.Result{Requeue: true, RequeueAfter: time.Second}, result)
 }
 
 // TestPodReconciler_Reconcile_NoNodeAssigned tests that the request for a Pod with no Node assigned

@@ -113,15 +113,16 @@ func (b *Builder) Complete(reconciler Reconciler) (healthz.Checker, error) {
 		workqueue.DefaultControllerRateLimiter(), b.options.Name)
 
 	optimizedListWatch := newOptimizedListWatcher(b.ctx, b.clientSet.CoreV1().RESTClient(),
-		b.converter.Resource(), b.options.Namespace, b.options.PageLimit, b.converter)
+		b.converter.Resource(), b.options.Namespace, b.converter, b.log.WithName("listWatcher"))
 
 	// Create the config for low level controller with the custom converter
 	// list and watch
 	config := &cache.Config{
-		Queue:            cache.NewDeltaFIFO(b.converter.Indexer, b.dataStore),
-		ListerWatcher:    optimizedListWatch,
-		ObjectType:       b.converter.ResourceType(),
-		FullResyncPeriod: b.options.ResyncPeriod,
+		Queue:             cache.NewDeltaFIFO(b.converter.Indexer, b.dataStore),
+		ListerWatcher:     optimizedListWatch,
+		WatchListPageSize: int64(b.options.PageLimit),
+		ObjectType:        b.converter.ResourceType(),
+		FullResyncPeriod:  b.options.ResyncPeriod,
 		Process: func(obj interface{}, _ bool) error {
 			// from oldest to newest
 			for _, d := range obj.(cache.Deltas) {

@@ -21,6 +21,7 @@ import (
 
 	"github.com/aws/amazon-vpc-resource-controller-k8s/pkg/condition"
 	"github.com/go-logr/logr"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -178,23 +179,26 @@ func (c *CustomController) WaitForCacheSync(controller cache.Controller) {
 
 // newOptimizedListWatcher returns a list watcher with a custom list function that converts the
 // response for each page using the converter function and returns a general watcher
-func newOptimizedListWatcher(ctx context.Context, restClient cache.Getter, resource string, namespace string, limit int,
-	converter Converter) *cache.ListWatch {
+func newOptimizedListWatcher(ctx context.Context, restClient cache.Getter, resource string, namespace string,
+	converter Converter, log logr.Logger) *cache.ListWatch {
 
 	listFunc := func(options metav1.ListOptions) (runtime.Object, error) {
 		list, err := restClient.Get().
 			Namespace(namespace).
 			Resource(resource).
-			// This needs to be done because just setting the limit using option's
-			// Limit is being overridden and the response is returned without pagination.
 			VersionedParams(&metav1.ListOptions{
-				Limit:    int64(limit),
+				Limit:    options.Limit,
 				Continue: options.Continue,
 			}, metav1.ParameterCodec).
 			Do(ctx).
 			Get()
 		if err != nil {
-			return list, err
+			if statusErr, ok := err.(*apierrors.StatusError); ok {
+				log.Error(err, "List operation error", "code", statusErr.Status().Code)
+			} else {
+				log.Error(err, "List operation error")
+			}
+			return nil, err
 		}
 		// Strip down the the list before passing the paginated response back to
 		// the pager function
@@ -206,11 +210,20 @@ func newOptimizedListWatcher(ctx context.Context, restClient cache.Getter, resou
 	// before storing the object in the data store.
 	watchFunc := func(options metav1.ListOptions) (watch.Interface, error) {
 		options.Watch = true
-		return restClient.Get().
+		watch, err := restClient.Get().
 			Namespace(namespace).
 			Resource(resource).
 			VersionedParams(&options, metav1.ParameterCodec).
 			Watch(ctx)
+		if err != nil {
+			if statusErr, ok := err.(*apierrors.StatusError); ok {
+				log.Error(err, "Watch operation error", "code", statusErr.Status().Code)
+			} else {
+				log.Error(err, "Watch operation error")
+			}
+			return nil, err
+		}
+		return watch, err
 	}
 	return &cache.ListWatch{ListFunc: listFunc, WatchFunc: watchFunc}
 }

@@ -9,14 +9,14 @@ require (
 	github.com/go-logr/zapr v1.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.6.0
-	github.com/onsi/ginkgo/v2 v2.17.1
-	github.com/onsi/gomega v1.31.1
+	github.com/onsi/ginkgo/v2 v2.19.0
+	github.com/onsi/gomega v1.33.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.19.0
-	github.com/prometheus/client_model v0.6.0
-	github.com/prometheus/common v0.52.2
+	github.com/prometheus/client_model v0.6.1
+	github.com/prometheus/common v0.53.0
 	github.com/stretchr/testify v1.9.0
-	go.uber.org/zap v1.26.0
+	go.uber.org/zap v1.27.0
 	golang.org/x/time v0.5.0
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	k8s.io/api v0.29.3
@@ -26,6 +26,7 @@ require (
 )
 
 require (
+	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
@@ -42,13 +43,12 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
+	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -60,16 +60,16 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
-	github.com/samber/lo v1.39.0
+	github.com/samber/lo v1.47.0
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.18.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect