kubernetes-sigs · k8s-ci-robot · Jun 23, 2022 · Jun 8, 2022
diff --git a/docs/book/src/topics/bring-your-own-aws-infrastructure.md b/docs/book/src/topics/bring-your-own-aws-infrastructure.md
@@ -44,6 +44,7 @@ Cluster API itself does tag AWS resources it creates. The `sigs.k8s.io/cluster-a
 When consuming existing AWS infrastructure, the Cluster API AWS provider does not require any tags to be present. The absence of the tags on an AWS resource indicates to Cluster API that it should not modify the resource or attempt to manage the lifecycle of the resource.
 
 However, the built-in Kubernetes AWS cloud provider _does_ require certain tags in order to function properly. Specifically, all subnets where Kubernetes nodes reside should have the `kubernetes.io/cluster/<cluster-name>` tag present. Private subnets should also have the `kubernetes.io/role/internal-elb` tag with a value of 1, and public subnets should have the `kubernetes.io/role/elb` tag with a value of 1. These latter two tags help the cloud provider understand which subnets to use when creating load balancers.
+> **Note**: The subnet tagging above is taken care by the CAPA controllers but additionalTags provided by users won't be propagated to the unmanaged VPC subnets.
 
 Finally, if the controller manager isn't started with the `--configure-cloud-routes: "false"` parameter, the route table(s) will also need the `kubernetes.io/cluster/<cluster-name>` tag. (This parameter can be added by customizing the `KubeadmConfigSpec` object of the `KubeadmControlPlane` object.)
 

diff --git a/pkg/cloud/services/network/subnets.go b/pkg/cloud/services/network/subnets.go
@@ -415,7 +415,11 @@ func (s *Service) deleteSubnet(id string) error {
 
 func (s *Service) getSubnetTagParams(unmanagedVPC bool, id string, public bool, zone string, manualTags infrav1.Tags) infrav1.BuildParams {
 	var role string
-	additionalTags := s.scope.AdditionalTags()
+	additionalTags := make(map[string]string)
+
+	if !unmanagedVPC {
+		additionalTags = s.scope.AdditionalTags()
+	}
 
 	if public {
 		role = infrav1.PublicRoleTagValue
@@ -428,11 +432,11 @@ func (s *Service) getSubnetTagParams(unmanagedVPC bool, id string, public bool,
 	// Add tag needed for Service type=LoadBalancer
 	additionalTags[infrav1.NameKubernetesAWSCloudProviderPrefix+s.scope.KubernetesClusterName()] = string(infrav1.ResourceLifecycleShared)
 
-	for k, v := range manualTags {
-		additionalTags[k] = v
-	}
-
 	if !unmanagedVPC {
+		for k, v := range manualTags {
+			additionalTags[k] = v
+		}
+
 		var name strings.Builder
 		name.WriteString(s.scope.Name())
 		name.WriteString("-subnet-")

diff --git a/pkg/cloud/services/network/subnets_test.go b/pkg/cloud/services/network/subnets_test.go
@@ -168,7 +168,8 @@ func TestReconcileSubnets(t *testing.T) {
 				},
 				Subnets: []infrav1.SubnetSpec{
 					{
-						ID: "subnet-1",
+						ID:   "subnet-1",
+						Tags: map[string]string{"foo": "bar"}, // adding additional tag here which won't be added in unmanaged subnet hence not present in expect calls
 					},
 					{
 						ID: "subnet-2",