kubernetes-sigs · georgeedward2000 · Jan 17, 2025 · Jan 20, 2025 · Jan 27, 2025 · Jan 30, 2025
diff --git a/internal/testutil/fixture/azure_loadbalancer.go b/internal/testutil/fixture/azure_loadbalancer.go
@@ -47,6 +47,18 @@ func (f *AzureLoadBalancerFixture) IPv4Addresses() []string {
 	}
 }
 
+func (f *AzureLoadBalancerFixture) IPv4PrefixAddress() []string {
+	return []string{
+		"10.0.0.1/32",
+	}
+}
+
+func (f *AzureLoadBalancerFixture) IPv6PrefixAddress() []string {
+	return []string{
+		"2001:db8:ac10:fe01::1/128",
+	}
+}
+
 func (f *AzureLoadBalancerFixture) IPv6Addresses() []string {
 	return []string{
 		"2001:db8:ac10:fe01::",

diff --git a/internal/testutil/fixture/azure_managedcluster.go b/internal/testutil/fixture/azure_managedcluster.go
@@ -0,0 +1,27 @@
+package fixture
+
+import (
+	armcontainerservice "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6"
+	"k8s.io/utils/ptr"
+)
+
+func (f *AzureFixture) ManagedCluster() *AzureManagedClusterFixture {
+	return &AzureManagedClusterFixture{
+		mc: &armcontainerservice.ManagedCluster{
+			Name: ptr.To("mangaedcluster"),
+			Properties: &armcontainerservice.ManagedClusterProperties{
+				NetworkProfile: &armcontainerservice.NetworkProfile{
+					PodCidrs: []*string{ptr.To("192.1.0.0/16")},
+				},
+			},
+		},
+	}
+}
+
+type AzureManagedClusterFixture struct {
+	mc *armcontainerservice.ManagedCluster
+}
+
+func (f *AzureManagedClusterFixture) Build() *armcontainerservice.ManagedCluster {
+	return f.mc
+}
diff --git a/internal/testutil/fixture/kubernetes.go b/internal/testutil/fixture/kubernetes.go
@@ -159,6 +159,42 @@ func (f *KubernetesServiceFixture) WithIngressIPs(ips []string) *KubernetesServi
 	return f
 }
 
+func (f *KubernetesServiceFixture) WithOnlyTCPPorts() *KubernetesServiceFixture {
+	f.svc.Spec.Ports = []v1.ServicePort{
+		{
+			Name:     "http",
+			Protocol: v1.ProtocolTCP,
+			Port:     80,
+			NodePort: 50080,
+		},
+		{
+			Name:     "dns-tcp",
+			Protocol: v1.ProtocolTCP,
+			Port:     53,
+			NodePort: 50053,
+		},
+		{
+			Name:     "https",
+			Protocol: v1.ProtocolTCP,
+			Port:     443,
+			NodePort: 50443,
+		},
+	}
+	return f
+}
+
+func (f *KubernetesServiceFixture) WithOnlyUDPPorts() *KubernetesServiceFixture {
+	f.svc.Spec.Ports = []v1.ServicePort{
+		{
+			Name:     "dns-udp",
+			Protocol: v1.ProtocolUDP,
+			Port:     53,
+			NodePort: 50053,
+		},
+	}
+	return f
+}
+
 func (f *KubernetesServiceFixture) Build() v1.Service {
 	return f.svc
 }
diff --git a/pkg/consts/consts.go b/pkg/consts/consts.go
@@ -381,9 +381,8 @@ const (
 	LoadBalancerBackendPoolConfigurationTypeNodeIPConfiguration = "nodeIPConfiguration"
 	// LoadBalancerBackendPoolConfigurationTypeNodeIP is the lb backend pool config type node ip
 	LoadBalancerBackendPoolConfigurationTypeNodeIP = "nodeIP"
-	// LoadBalancerBackendPoolConfigurationTypePODIP is the lb backend pool config type pod ip
-	// TODO (nilo19): support pod IP in the future
-	LoadBalancerBackendPoolConfigurationTypePODIP = "podIP"
+	// LoadBalancerBackendPoolConfigurationTypePodIP is the lb backend pool config type pod ip
+	LoadBalancerBackendPoolConfigurationTypePodIP = "podIP"
 )
 
 // error messages

diff --git a/pkg/provider/azure.go b/pkg/provider/azure.go
@@ -294,13 +294,13 @@ func (az *Cloud) InitializeCloudFromConfig(ctx context.Context, config *config.C
 
 	if config.LoadBalancerBackendPoolConfigurationType == "" ||
 		// TODO(nilo19): support pod IP mode in the future
-		strings.EqualFold(config.LoadBalancerBackendPoolConfigurationType, consts.LoadBalancerBackendPoolConfigurationTypePODIP) {
+		strings.EqualFold(config.LoadBalancerBackendPoolConfigurationType, consts.LoadBalancerBackendPoolConfigurationTypePodIP) {
 		config.LoadBalancerBackendPoolConfigurationType = consts.LoadBalancerBackendPoolConfigurationTypeNodeIPConfiguration
 	} else {
 		supportedLoadBalancerBackendPoolConfigurationTypes := utilsets.NewString(
 			strings.ToLower(consts.LoadBalancerBackendPoolConfigurationTypeNodeIPConfiguration),
 			strings.ToLower(consts.LoadBalancerBackendPoolConfigurationTypeNodeIP),
-			strings.ToLower(consts.LoadBalancerBackendPoolConfigurationTypePODIP))
+			strings.ToLower(consts.LoadBalancerBackendPoolConfigurationTypePodIP))
 		if !supportedLoadBalancerBackendPoolConfigurationTypes.Has(strings.ToLower(config.LoadBalancerBackendPoolConfigurationType)) {
 			return fmt.Errorf("loadBalancerBackendPoolConfigurationType %s is not supported, supported values are %v", config.LoadBalancerBackendPoolConfigurationType, supportedLoadBalancerBackendPoolConfigurationTypes.UnsortedList())
 		}

diff --git a/pkg/provider/azure_fakes.go b/pkg/provider/azure_fakes.go
@@ -29,6 +29,7 @@ import (
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/diskclient/mock_diskclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/interfaceclient/mock_interfaceclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/loadbalancerclient/mock_loadbalancerclient"
+	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/managedclusterclient/mock_managedclusterclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/mock_azclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/privateendpointclient/mock_privateendpointclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azclient/privatelinkserviceclient/mock_privatelinkserviceclient"
@@ -134,6 +135,8 @@ func GetTestCloud(ctrl *gomock.Controller) (az *Cloud) {
 	clientFactory.EXPECT().GetVirtualMachineScaleSetClient().Return(virtualMachineScaleSetsClient).AnyTimes()
 	virtualMachineScaleSetVMsClient := mock_virtualmachinescalesetvmclient.NewMockInterface(ctrl)
 	clientFactory.EXPECT().GetVirtualMachineScaleSetVMClient().Return(virtualMachineScaleSetVMsClient).AnyTimes()
+	managedClusterClient := mock_managedclusterclient.NewMockInterface(ctrl)
+	clientFactory.EXPECT().GetManagedClusterClient().Return(managedClusterClient).AnyTimes()
 
 	virtualMachinesClient := mock_virtualmachineclient.NewMockInterface(ctrl)
 	clientFactory.EXPECT().GetVirtualMachineClient().Return(virtualMachinesClient).AnyTimes()
@@ -185,3 +188,10 @@ func GetTestCloudWithExtendedLocation(ctrl *gomock.Controller) (az *Cloud) {
 	az.Config.ExtendedLocationType = "EdgeZone"
 	return az
 }
+
+// GetTestCloudWithContainerLoadBalancer returns a fake azure cloud for unit tests in Azure supporting container load balancer.
+func GetTestCloudWithContainerLoadBalancer(ctrl *gomock.Controller) (az *Cloud) {
+	az = GetTestCloud(ctrl)
+	az.LoadBalancerBackendPoolConfigurationType = consts.LoadBalancerBackendPoolConfigurationTypePodIP
+	return az
+}
diff --git a/pkg/provider/azure_loadbalancer.go b/pkg/provider/azure_loadbalancer.go
@@ -3063,48 +3063,84 @@ func (az *Cloud) reconcileSecurityGroup(
 	}
 
 	var (
-		disableFloatingIP                                = consts.IsK8sServiceDisableLoadBalancerFloatingIP(service)
-		lbIPAddresses, _                                 = iputil.ParseAddresses(lbIPs)
-		lbIPv4Addresses, lbIPv6Addresses                 = iputil.GroupAddressesByFamily(lbIPAddresses)
-		additionalIPv4Addresses, additionalIPv6Addresses = iputil.GroupAddressesByFamily(additionalIPs)
-		backendIPv4Addresses, backendIPv6Addresses       []netip.Addr
+		dstIPv4Addresses, dstIPv6Addresses         []netip.Addr
+		dstIpv4AddressPrefix, dstIpv6AddressPrefix []netip.Prefix
 	)
-	{
-		// Get backend node IPs
-		lb, lbFound, err := az.getAzureLoadBalancer(ctx, lbName, azcache.CacheReadTypeDefault)
-		{
+
+	if az.IsLBBackendPoolTypePodIP() {
+		if !az.RetrievedClusterPodCidr {
+			mcClient := az.NetworkClientFactory.GetManagedClusterClient()
+			managedCluster, err := mcClient.Get(ctx, az.ResourceGroup, clusterName)
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("failed to get managed cluster: %w", err)
+			}
+
+			if managedCluster.Properties == nil || managedCluster.Properties.NetworkProfile == nil ||
+				managedCluster.Properties.NetworkProfile.PodCidrs == nil {
+				klog.Errorf("Failed to get PodCidrs for cluster %q", clusterName)
+				return nil, fmt.Errorf("failed to get PodCidrs for cluster %q", clusterName)
 			}
-			if wantLb && !lbFound {
-				logger.Error(err, "Failed to get load balancer")
-				return nil, fmt.Errorf("unable to get lb %s", lbName)
+			podCidrs := managedCluster.Properties.NetworkProfile.PodCidrs
+			if len(podCidrs) == 0 {
+				klog.Errorf("Failed to get PodCidrs for cluster %q", clusterName)
+				return nil, fmt.Errorf("failed to get PodCidrs for cluster %q", clusterName)
 			}
+			for _, podCidr := range podCidrs {
+				prefix, parseErr := netip.ParsePrefix(*podCidr)
+				if parseErr != nil {
+					klog.Errorf("Failed to parse PodCidr %q: %v", *podCidr, parseErr)
+					return nil, fmt.Errorf("failed to parse PodCidr %q: %w", *podCidr, parseErr)
+				}
+				if prefix.Addr().Is4() {
+					dstIpv4AddressPrefix = append(dstIpv4AddressPrefix, prefix)
+					az.PodCidrIPv4 = prefix
+				} else {
+					dstIpv6AddressPrefix = append(dstIpv6AddressPrefix, prefix)
+					az.PodCidrIPv6 = prefix
+				}
+			}
+			az.RetrievedClusterPodCidr = true
+		} else {
+			dstIpv4AddressPrefix = []netip.Prefix{az.PodCidrIPv4}
+			dstIpv6AddressPrefix = []netip.Prefix{az.PodCidrIPv6}
+		}
+	} else {
+		var (
+			disableFloatingIP                                = consts.IsK8sServiceDisableLoadBalancerFloatingIP(service)
+			lbIPAddresses, _                                 = iputil.ParseAddresses(lbIPs)
+			lbIPv4Addresses, lbIPv6Addresses                 = iputil.GroupAddressesByFamily(lbIPAddresses)
+			additionalIPv4Addresses, additionalIPv6Addresses = iputil.GroupAddressesByFamily(additionalIPs)
+			backendIPv4Addresses, backendIPv6Addresses       []netip.Addr
+		)
+		// Get backend node IPs
+		lb, lbFound, err := az.getAzureLoadBalancer(ctx, lbName, azcache.CacheReadTypeDefault)
+		if err != nil {
+			return nil, err
+		}
+		if wantLb && !lbFound {
+			logger.Error(err, "Failed to get load balancer")
+			return nil, fmt.Errorf("unable to get lb %s", lbName)
 		}
 		var backendIPv4List, backendIPv6List []string
 		if lbFound {
 			backendIPv4List, backendIPv6List = az.LoadBalancerBackendPool.GetBackendPrivateIPs(ctx, clusterName, service, lb)
 		}
 		backendIPv4Addresses, _ = iputil.ParseAddresses(backendIPv4List)
 		backendIPv6Addresses, _ = iputil.ParseAddresses(backendIPv6List)
-	}
 
-	var (
 		dstIPv4Addresses = additionalIPv4Addresses
 		dstIPv6Addresses = additionalIPv6Addresses
-	)
 
-	if disableFloatingIP {
-		// use the backend node IPs
-		dstIPv4Addresses = append(dstIPv4Addresses, backendIPv4Addresses...)
-		dstIPv6Addresses = append(dstIPv6Addresses, backendIPv6Addresses...)
-	} else {
-		// use the LoadBalancer IPs
-		dstIPv4Addresses = append(dstIPv4Addresses, lbIPv4Addresses...)
-		dstIPv6Addresses = append(dstIPv6Addresses, lbIPv6Addresses...)
-	}
+		if disableFloatingIP {
+			// use the backend node IPs
+			dstIPv4Addresses = append(dstIPv4Addresses, backendIPv4Addresses...)
+			dstIPv6Addresses = append(dstIPv6Addresses, backendIPv6Addresses...)
+		} else {
+			// use the LoadBalancer IPs
+			dstIPv4Addresses = append(dstIPv4Addresses, lbIPv4Addresses...)
+			dstIPv6Addresses = append(dstIPv6Addresses, lbIPv6Addresses...)
+		}
 
-	{
 		retainPortRanges, err := az.listSharedIPPortMapping(ctx, service, append(dstIPv4Addresses, dstIPv6Addresses...))
 		if err != nil {
 			logger.Error(err, "Failed to list retain port ranges")
@@ -3118,7 +3154,7 @@ func (az *Cloud) reconcileSecurityGroup(
 	}
 
 	if wantLb {
-		err := accessControl.PatchSecurityGroup(dstIPv4Addresses, dstIPv6Addresses)
+		err := accessControl.PatchSecurityGroup(dstIPv4Addresses, dstIPv6Addresses, dstIpv4AddressPrefix, dstIpv6AddressPrefix)
 		if err != nil {
 			logger.Error(err, "Failed to patch security group")
 			return nil, err