AWS EC2 Instance tag filter

[prune998]

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Thanks for contributing!

Fixes: #18239

[maintainer-s-little-helper]

Commit 96133ab6cdcacf9eb4b9a91e00240502b91cb5a7 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[christarazi]

Why is the subnet tag filter not enough to do this job? AFAIU, interfaces are attached to subnets, so filtering out certain subnets allows you to filter out interfaces as well.

[prune998]

Why is the subnet tag filter not enough to do this job? AFAIU, interfaces are attached to subnets, so filtering out certain subnets allows you to filter out interfaces as well.

The theory is that you want Cilium to sync AWS resources that are used by the cluster.
While filtering by subnets may help in some situations, it can also be problematic:

• you may have multiple clusters using the same subnet
• your ec2 instances may not have any interface in the filtered subnet before Cilium kicks in (which is in fact the issue described in Cilium 1.11.0 does not start on EKS with pod subnet-filter #18239)

The real good way to filter resources is by targeting things that are in play in the cluster: instances / nodegroups.
The actual subnet filtering is actually a dirty hack, badly named and documented, racing and confusing with the CNI filter.

Ideally I would PR to remove the subnet filter, but that would be a breaking change. This PR is adding an instance filter that should be able to replace the subnet filter in most if not all of the possible scenarios.

I'm also wondering about the other part of the Resync function, as we're maintaining all the VPCs, subnets and securityGroups of the whole account... while there's almost no chances that they will be used/at play in one specific cluster.
While some people have one VPC, few subnets and one cluster per AWS account, some have TONS of stuff in a single account that may have an impact on Cilium-Operator performance.

Personally, in my DEV AWS account, I have currently 8 clusters * 5 nodes * 3 private subnets for ec2 instance IPs * 3 pod subnets for pod IPs... For this setup to work, I have to either don't use a filter, or filter on both instances and pods subnets -> each Cilium-Operator will maintain all the ENIs that existe in the account, instead of the ones from the cluster it's running in.

Note that same issue seems to exist with Alibaba, Azure and all.

I'm opened to any suggestion here. And if you think the subnet-filter hack is enough (once well documented) then I'll close this PR :)

[maintainer-s-little-helper]

Commit ef1fe5b831034982f3f0c6989ff0376041c8a3f2 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[prune998]

latest commit msg with some infos:

This PR is adding the basic code to add a new command line option of the Cilium-Operator to filter AWS EC2 instances (and available ENI/subnets) based on EC2 instance tags

Technically, if an instance tag filter is provided, instead of searching ALL the ENIs that exist in the AWS account, we:

• search all instances matching the tags
• grab all the ENIS of the selected instances

We have to search twice, once to filter instances and ENIS (giving us ec2_types.InstanceNetworkInterface) and sadly, another one to grab the ec2_types.NetworkInterface that is needed down the line.

This could also be refactored... We could filter both on instance tags and subnets in the same function (even if it seems useless to do so).

[prune998]

Usage:
your EKS cluster where you're deploying Cilium is made on EC2 Instances. Those Instances have some tags set at creation time (for unmanaged instances, set some tags if needed !)
ex:

When starting Cilium, you can use the new --instance-tags-filter option to filter the instances by tags:

--instance-tags-filter=eks:cluster-name=prune-feature-cluster-us-east-1

[gandro]

Overall this looks very solid to me, thanks a lot for taking care of this! 🚀

I have a few minor nits that need to be addressed, and an overall question about what the interaction with this and the old subnet tag filter should be.

[prune998]

/test

[gandro]

/test

[prune998]

I just corrected to docs wordlist, but i'm clueless about the other tests failing... how to get this PR merged ?

[gandro]

I just corrected to docs wordlist, but i'm clueless about the other tests failing... how to get this PR merged ?

Thanks! So to get the PR merged, we want to make sure CI runs completely and doesn't uncover any issues. Our CI tends to be unreliable at times, so not every failure is necessarily related to the PR. I'll trigger a CI run (the /test is only available to Cilium core committers) and once it finishes, we can triage any failing tests.

As a side note: Please avoid pushing to the branch before we have had a change to look at any failing tests. Re-pushing invalidates the CI results.

[gandro]

/test

Job 'Cilium-PR-K8s-GKE' hit: #19014 (97.44% similarity)

next-next hit #19264

[prune998]

@gandro any news ?

[sayboras]

/test

[sayboras]

I have re-triggered the tests, normally it will take 2-3 hours for full CI. Will check back once it's completed.

[pchaigno]

GKE failed with known flake #17307 but shouldn't be affected by these changes anyway. Other tests are passing and reviews are in. Marking ready to merge.

[nbusseneau]

@prune998 Thanks for the contribution!