Do not allocate IPs or prefixes to trunk ENIs; enable Custom Networking before Security Groups for Pods

pkg/ipamd/datastore/data_store.go

@@ -978,8 +978,8 @@ func (ds *DataStore) GetENINeedsIP(maxIPperENI int, skipPrimary bool) *ENI {
 	ds.lock.Lock()
 	defer ds.lock.Unlock()
 	for _, eni := range ds.eniPool {
-		if skipPrimary && eni.IsPrimary {
-			ds.log.Debugf("Skip the primary ENI for need IP check")
+		if (skipPrimary && eni.IsPrimary) || eni.IsTrunk {
+			ds.log.Debugf("Skip needs IP check for trunk ENI of primary ENI when Custom Networking is enabled")
 			continue
 		}
 		if len(eni.AvailableIPv4Cidrs) < maxIPperENI {

pkg/ipamd/ipamd.go

@@ -455,12 +455,12 @@ func (c *IPAMContext) nodeInit() error {
 		return err
 	}
 
-	if c.enablePodENI {
-		// Try to patch CNINode with Security Groups for Pods feature.
-		c.tryEnableSecurityGroupsForPods(ctx)
-	}
-
 	if c.enableIPv6 {
+		// Security Groups for Pods cannot be enabled for IPv4 at this point, as Custom Networking must be enabled first.
+		if c.enablePodENI {
+			// Try to patch CNINode with Security Groups for Pods feature.
+			c.tryEnableSecurityGroupsForPods(ctx)
+		}
 		// We will not support upgrading/converting an existing IPv4 cluster to operate in IPv6 mode. So, we will always
 		// start with a clean slate in IPv6 mode. We also do not have to deal with dynamic update of Prefix Delegation
 		// feature in IPv6 mode as we do not support (yet) a non-PD v6 option. In addition, we do not support custom
@@ -540,6 +540,11 @@ func (c *IPAMContext) nodeInit() error {
 		}
 	}
 
+	// Now that Custom Networking is (potentially) enabled, Security Groups for Pods can be enabled for IPv4 nodes.
+	if c.enablePodENI {
+		c.tryEnableSecurityGroupsForPods(ctx)
+	}
+
 	// On node init, check if datastore pool needs to be increased. If so, attach CIDRs from existing ENIs and attach new ENIs.
 	datastorePoolTooLow, _ := c.isDatastorePoolTooLow()
 	if !c.disableENIProvisioning && datastorePoolTooLow {