Skip to content

Commit

Permalink
Remove helm condition for aws vpc cni deletion
Browse files Browse the repository at this point in the history
  • Loading branch information
jas-nik committed Jul 29, 2024
1 parent 1564094 commit 02198d3
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 17 deletions.
20 changes: 20 additions & 0 deletions docs/book/src/topics/eks/pod-networking.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,26 @@ spec:
disableVPCCNI: true
```

If you are replacing Amazon VPC CNI with your own helm managed instance, you will need to set `AWSManagedControlPlane.spec.disableVPCCNI` to `true` and add `"prevent-deletion": "true"` label on the Daemonset. This label is needed so `aws-node` daemonset is not reaped during CNI reconciliation.

The following example shows how to label your aws-node Daemonset.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
...
generation: 1
labels:
app.kubernetes.io/instance: aws-vpc-cni
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: aws-node
app.kubernetes.io/version: v1.15.1
helm.sh/chart: aws-vpc-cni-1.15.1
prevent-deletion: true
```

> You cannot set **disableVPCCNI** to true if you are using the VPC CNI addon.

Some alternative CNIs provide for the replacement of kube-proxy, such as in [Calico](https://projectcalico.docs.tigera.io/maintenance/ebpf/enabling-ebpf#configure-kube-proxy) and [Cilium](https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/). When enabling the kube-proxy alternative, the kube-proxy installed by EKS must be deleted. This can be done via the **disable** property of **kubeProxy** in **AWSManagedControlPlane**:
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,6 @@ require (
sigs.k8s.io/cluster-api v1.7.1
sigs.k8s.io/cluster-api/test v1.7.1
sigs.k8s.io/controller-runtime v0.17.3
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3
sigs.k8s.io/yaml v1.4.0
)

Expand Down Expand Up @@ -226,6 +225,7 @@ require (
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/kind v0.22.0 // indirect
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/kustomize/kustomize/v5 v5.0.4-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
Expand Down
34 changes: 18 additions & 16 deletions pkg/cloud/services/awsnode/cni.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/klog/v2"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/kustomize/api/konfig"

infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/awserrors"
Expand Down Expand Up @@ -272,22 +271,25 @@ func (s *Service) deleteResource(ctx context.Context, remoteClient client.Client
return fmt.Errorf("deleting resource %s: %w", key, err)
}
s.scope.Debug(fmt.Sprintf("resource %s was not found, no action", key))
} else {
// resource found, delete if no label or not managed by helm
if val, ok := obj.GetLabels()[konfig.ManagedbyLabelKey]; !ok || val != "Helm" {
if err := remoteClient.Delete(ctx, obj, &client.DeleteOptions{}); err != nil {
if !apierrors.IsNotFound(err) {
return fmt.Errorf("deleting %s: %w", key, err)
}
s.scope.Debug(fmt.Sprintf(
"resource %s was not found, not deleted", key))
} else {
s.scope.Debug(fmt.Sprintf("resource %s was deleted", key))
}
} else {
s.scope.Debug(fmt.Sprintf("resource %s is managed by helm, not deleted", key))
return nil
}
// Don't delete if the `prevent-deletion` label exists. It could be there because CAPA added it (see below),
// or because it was added externally, for example if a custom version of AWS CNI was already installed.
// Either way, CAPA should not delete such a labelled CNI installation.
labels := obj.GetLabels()
if _, exists := labels["prevent-deletion"]; exists {
s.scope.Debug(fmt.Sprintf("resource %s has 'prevent-deletion' label, skipping deletion", key))
return nil
}
// Delete the resource
if err := remoteClient.Delete(ctx, obj, &client.DeleteOptions{}); err != nil {
if !apierrors.IsNotFound(err) {
return fmt.Errorf("failed to delete %s: %w", key, err)
}
s.scope.Debug(fmt.Sprintf(
"resource %s was not found, not deleted", key))
} else {
s.scope.Debug(fmt.Sprintf("resource %s was deleted", key))
}

return nil
}

0 comments on commit 02198d3

Please sign in to comment.