kubernetes-sigs
diff --git a/‎api/v1alpha3/conditions_consts.go‎
Lines changed: 8 additions & 0 deletions b/‎api/v1alpha3/conditions_consts.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎api/v1alpha3/tags.go‎
Lines changed: 6 additions & 1 deletion b/‎api/v1alpha3/tags.go‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎controlplane/eks/api/v1alpha3/awsmanagedcontrolplane_types.go‎
Lines changed: 5 additions & 0 deletions b/‎controlplane/eks/api/v1alpha3/awsmanagedcontrolplane_types.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎controlplane/eks/api/v1alpha3/awsmanagedcontrolplane_webhook.go‎
Lines changed: 40 additions & 0 deletions b/‎controlplane/eks/api/v1alpha3/awsmanagedcontrolplane_webhook.go‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎controlplane/eks/api/v1alpha3/awsmanagedcontrolplane_webhook_test.go‎
Lines changed: 144 additions & 0 deletions b/‎controlplane/eks/api/v1alpha3/awsmanagedcontrolplane_webhook_test.go‎
Lines changed: 144 additions & 0 deletions
diff --git a/‎controlplane/eks/api/v1alpha3/zz_generated.deepcopy.go‎
Lines changed: 5 additions & 0 deletions b/‎controlplane/eks/api/v1alpha3/zz_generated.deepcopy.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎controlplane/eks/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml‎
Lines changed: 3 additions & 0 deletions b/‎controlplane/eks/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎controlplane/eks/controllers/awsmanagedcontrolplane_controller.go‎
Lines changed: 7 additions & 0 deletions b/‎controlplane/eks/controllers/awsmanagedcontrolplane_controller.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 2 additions & 0 deletions b/‎go.mod‎
Lines changed: 2 additions & 0 deletions
@@ -61,6 +61,14 @@ const (
 	RouteTableReconciliationFailedReason = "RouteTableReconciliationFailed"
 )
 
+const (
+	// SecondaryCidrsReady condition reports successful reconciliation of secondary CIDR blocks.
+	// Only applicable to managed clusters.
+	SecondaryCidrsReadyCondition clusterv1.ConditionType = "SecondaryCidrsReady"
+	// SecondaryCidrReconciliationFailedReason used when any errors occur during reconciliation of secondary CIDR blocks.
+	SecondaryCidrReconciliationFailedReason = "SecondaryCidrReconciliationFailed"
+)
+
 const (
 	// ClusterSecurityGroupsReady condition reports successful reconciliation of security groups.
 	ClusterSecurityGroupsReadyCondition clusterv1.ConditionType = "ClusterSecurityGroupsReady"
 
@@ -18,8 +18,9 @@ package v1alpha3
 
 import (
 	"fmt"
-	"k8s.io/apimachinery/pkg/types"
 	"reflect"
+
+	"k8s.io/apimachinery/pkg/types"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1alpha3"
 )
 
@@ -106,6 +107,10 @@ const (
 	// dedicated to this cluster api provider implementation.
 	NameAWSClusterAPIRole = NameAWSProviderPrefix + "role"
 
+	NameAWSSubnetAssociation = NameAWSProviderPrefix + "association"
+
+	SecondarySubnetTagValue = "secondary"
+
 	// APIServerRoleTagValue describes the value for the apiserver role
 	APIServerRoleTagValue = "apiserver"
 
 
@@ -38,6 +38,11 @@ type AWSManagedControlPlaneSpec struct {
 	// NetworkSpec encapsulates all things related to AWS network.
 	NetworkSpec infrav1.NetworkSpec `json:"networkSpec,omitempty"`
 
+	// SecondaryCidrBlock is the additional CIDR range to use for pod IPs.
+	// Must be within the 100.64.0.0/10 or 198.19.0.0/16 range.
+	// +optional
+	SecondaryCidrBlock *string `json:"secondaryCidrBlock,omitempty"`
+
 	// The AWS Region the cluster lives in.
 	Region string `json:"region,omitempty"`
 
 
@@ -18,7 +18,9 @@ package v1alpha3
 
 import (
 	"fmt"
+	"net"
 
+	"github.com/apparentlymart/go-cidr/cidr"
 	"github.com/pkg/errors"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -37,6 +39,11 @@ import (
 // log is for logging in this package.
 var mcpLog = logf.Log.WithName("awsmanagedcontrolplane-resource")
 
+const (
+	cidrSizeMax = 65536
+	cidrSizeMin = 16
+)
+
 // SetupWebhookWithManager will setup the webhooks for the AWSManagedControlPlane
 func (r *AWSManagedControlPlane) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
@@ -80,6 +87,7 @@ func (r *AWSManagedControlPlane) ValidateCreate() error {
 	allErrs = append(allErrs, r.validateEKSVersion(nil)...)
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateIAMAuthConfig()...)
+	allErrs = append(allErrs, r.validateSecondaryCIDR()...)
 
 	if len(allErrs) == 0 {
 		return nil
@@ -108,6 +116,7 @@ func (r *AWSManagedControlPlane) ValidateUpdate(old runtime.Object) error {
 	allErrs = append(allErrs, r.validateEKSVersion(oldAWSManagedControlplane)...)
 	allErrs = append(allErrs, r.Spec.Bastion.Validate()...)
 	allErrs = append(allErrs, r.validateIAMAuthConfig()...)
+	allErrs = append(allErrs, r.validateSecondaryCIDR()...)
 
 	if r.Spec.Region != oldAWSManagedControlplane.Spec.Region {
 		allErrs = append(allErrs,
@@ -207,6 +216,37 @@ func (r *AWSManagedControlPlane) validateIAMAuthConfig() field.ErrorList {
 	return allErrs
 }
 
+func (r *AWSManagedControlPlane) validateSecondaryCIDR() field.ErrorList {
+	var allErrs field.ErrorList
+	if r.Spec.SecondaryCidrBlock != nil {
+		cidrField := field.NewPath("spec", "secondaryCidrBlock")
+		_, validRange1, _ := net.ParseCIDR("100.64.0.0/10")
+		_, validRange2, _ := net.ParseCIDR("198.19.0.0/16")
+
+		_, ipv4Net, err := net.ParseCIDR(*r.Spec.SecondaryCidrBlock)
+		if err != nil {
+			allErrs = append(allErrs, field.Invalid(cidrField, *r.Spec.SecondaryCidrBlock, "must be valid CIDR range"))
+			return allErrs
+		}
+
+		cidrSize := cidr.AddressCount(ipv4Net)
+		if cidrSize > cidrSizeMax || cidrSize < cidrSizeMin {
+			allErrs = append(allErrs, field.Invalid(cidrField, *r.Spec.SecondaryCidrBlock, "CIDR block sizes must be between a /16 netmask and /28 netmask"))
+		}
+
+		start, end := cidr.AddressRange(ipv4Net)
+		if (!validRange1.Contains(start) || !validRange1.Contains(end)) && (!validRange2.Contains(start) || !validRange2.Contains(end)) {
+			allErrs = append(allErrs, field.Invalid(cidrField, *r.Spec.SecondaryCidrBlock, "must be within the 100.64.0.0/10 or 198.19.0.0/16 range"))
+		}
+
+	}
+
+	if len(allErrs) == 0 {
+		return nil
+	}
+	return allErrs
+}
+
 // Default will set default values for the AWSManagedControlPlane
 func (r *AWSManagedControlPlane) Default() {
 	mcpLog.Info("AWSManagedControlPlane setting defaults", "name", r.Name)
 
@@ -116,6 +116,13 @@ func TestDefaultingWebhook(t *testing.T) {
 			spec:         AWSManagedControlPlaneSpec{NetworkSpec: infrav1.NetworkSpec{CNI: &infrav1.CNISpec{}}},
 			expectSpec:   AWSManagedControlPlaneSpec{EKSClusterName: "default_cluster1", Bastion: defaultTestBastion, NetworkSpec: infrav1.NetworkSpec{CNI: &infrav1.CNISpec{}, VPC: defaultVPCSpec}, TokenMethod: &EKSTokenMethodIAMAuthenticator},
 		},
+		{
+			name:         "secondary CIDR",
+			resourceName: "cluster1",
+			resourceNS:   "default",
+			expectHash:   false,
+			expectSpec:   AWSManagedControlPlaneSpec{EKSClusterName: "default_cluster1", Bastion: defaultTestBastion, NetworkSpec: defaultNetworkSpec, SecondaryCidrBlock: nil, TokenMethod: &EKSTokenMethodIAMAuthenticator},
+		},
 	}
 
 	for _, tc := range tests {
@@ -304,3 +311,140 @@ func TestWebhookUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatingWebhookCreate_SecondaryCidr(t *testing.T) {
+	tests := []struct {
+		name        string
+		expectError bool
+		cidrRange   string
+	}{
+		{
+			name:        "complete range 1",
+			cidrRange:   "100.64.0.0/10",
+			expectError: true,
+		},
+		{
+			name:        "complete range 2",
+			cidrRange:   "198.19.0.0/16",
+			expectError: false,
+		},
+		{
+			name:        "subrange",
+			cidrRange:   "100.67.0.0/16",
+			expectError: false,
+		},
+		{
+			name:        "invalid value",
+			cidrRange:   "not a cidr range",
+			expectError: true,
+		},
+		{
+			name:        "unsupported range",
+			cidrRange:   "10.0.0.1/20",
+			expectError: true,
+		},
+		{
+			name:        "too large",
+			cidrRange:   "100.64.0.0/15",
+			expectError: true,
+		},
+		{
+			name:        "too small",
+			cidrRange:   "100.64.0.0/29",
+			expectError: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			mcp := &AWSManagedControlPlane{
+				Spec: AWSManagedControlPlaneSpec{
+					EKSClusterName: "default_cluster1",
+				},
+			}
+			if tc.cidrRange != "" {
+				mcp.Spec.SecondaryCidrBlock = &tc.cidrRange
+			}
+			err := mcp.ValidateCreate()
+
+			if tc.expectError {
+				g.Expect(err).ToNot(BeNil())
+			} else {
+				g.Expect(err).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestValidatingWebhookUpdate_SecondaryCidr(t *testing.T) {
+	tests := []struct {
+		name        string
+		cidrRange   string
+		expectError bool
+	}{
+		{
+			name:        "complete range 1",
+			cidrRange:   "100.64.0.0/10",
+			expectError: true,
+		},
+		{
+			name:        "complete range 2",
+			cidrRange:   "198.19.0.0/16",
+			expectError: false,
+		},
+		{
+			name:        "subrange",
+			cidrRange:   "100.67.0.0/16",
+			expectError: false,
+		},
+		{
+			name:        "invalid value",
+			cidrRange:   "not a cidr range",
+			expectError: true,
+		},
+		{
+			name:        "unsupported range",
+			cidrRange:   "10.0.0.1/20",
+			expectError: true,
+		},
+		{
+			name:        "too large",
+			cidrRange:   "100.64.0.0/15",
+			expectError: true,
+		},
+		{
+			name:        "too small",
+			cidrRange:   "100.64.0.0/29",
+			expectError: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			newMCP := &AWSManagedControlPlane{
+				Spec: AWSManagedControlPlaneSpec{
+					EKSClusterName:     "default_cluster1",
+					SecondaryCidrBlock: &tc.cidrRange,
+				},
+			}
+			oldMCP := &AWSManagedControlPlane{
+				Spec: AWSManagedControlPlaneSpec{
+					EKSClusterName:     "default_cluster1",
+					SecondaryCidrBlock: nil,
+				},
+			}
+
+			err := newMCP.ValidateUpdate(oldMCP)
+
+			if tc.expectError {
+				g.Expect(err).ToNot(BeNil())
+			} else {
+				g.Expect(err).To(BeNil())
+			}
+		})
+	}
+}
@@ -324,6 +324,9 @@ spec:
                 description: RoleName specifies the name of IAM role that gives EKS permission to make API calls. If the role is pre-existing we will treat it as unmanaged and not delete it on deletion. If the EKSEnableIAM feature flag is true and no name is supplied then a role is created.
                 minLength: 2
                 type: string
+              secondaryCidrBlock:
+                description: SecondaryCidrBlock is the additional CIDR range to use for pod IPs. Must be within the 100.64.0.0/10 or 198.19.0.0/16 range.
+                type: string
               sshKeyName:
                 description: SSHKeyName is the name of the ssh key to attach to the bastion host. Valid values are empty string (do not use SSH keys), a valid SSH key name, or omitted (use the default SSH key name)
                 type: string
 
@@ -44,6 +44,7 @@ import (
 	infrav1exp "sigs.k8s.io/cluster-api-provider-aws/exp/api/v1alpha3"
 	"sigs.k8s.io/cluster-api-provider-aws/feature"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/scope"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/awsnode"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/ec2"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/eks"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/services/iamauth"
@@ -214,6 +215,7 @@ func (r *AWSManagedControlPlaneReconciler) reconcileNormal(ctx context.Context,
 	ekssvc := eks.NewService(managedScope)
 	sgService := securitygroup.NewServiceWithRoles(managedScope, sgRoles)
 	authService := iamauth.NewService(managedScope, iamauth.BackendTypeConfigMap, managedScope.Client)
+	awsnodeService := awsnode.NewService(managedScope)
 
 	if err := networkSvc.ReconcileNetwork(); err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to reconcile network for AWSManagedControlPlane %s/%s: %w", awsManagedControlPlane.Namespace, awsManagedControlPlane.Name, err)
@@ -233,6 +235,11 @@ func (r *AWSManagedControlPlaneReconciler) reconcileNormal(ctx context.Context,
 		return reconcile.Result{}, fmt.Errorf("failed to reconcile control plane for AWSManagedControlPlane %s/%s: %w", awsManagedControlPlane.Namespace, awsManagedControlPlane.Name, err)
 	}
 
+	if err := awsnodeService.ReconcileCNI(); err != nil {
+		conditions.MarkFalse(managedScope.InfraCluster(), infrav1.SecondaryCidrsReadyCondition, infrav1.SecondaryCidrReconciliationFailedReason, clusterv1.ConditionSeverityError, err.Error())
+		return reconcile.Result{}, fmt.Errorf("failed to reconcile control plane for AWSManagedControlPlane %s/%s: %w", awsManagedControlPlane.Namespace, awsManagedControlPlane.Name, err)
+	}
+
 	if err := authService.ReconcileIAMAuthenticator(ctx); err != nil {
 		conditions.MarkFalse(awsManagedControlPlane, controlplanev1.IAMAuthenticatorConfiguredCondition, controlplanev1.IAMAuthenticatorConfigurationFailedReason, clusterv1.ConditionSeverityError, err.Error())
 		return reconcile.Result{}, errors.Wrapf(err, "failed to reconcile aws-iam-authenticator config for AWSManagedControlPlane %s/%s", awsManagedControlPlane.Namespace, awsManagedControlPlane.Name)
 
@@ -3,6 +3,8 @@ module sigs.k8s.io/cluster-api-provider-aws
 go 1.13
 
 require (
+	github.com/apparentlymart/go-cidr v1.1.0
+	github.com/aws/amazon-vpc-cni-k8s v1.7.5
 	github.com/aws/aws-sdk-go v1.36.26
 	github.com/awslabs/goformation/v4 v4.15.0
 	github.com/blang/semver v3.5.1+incompatible