[network-driver] Add support for multi-pool Resource IPAM #44124

Merged
pippolo84 merged 4 commits into cilium:feature/dra-driver from pippolo84:pr/pippolo84/network-driver-ipam-agent
Feb 26, 2026
@pippolo84 pippolo84 commented Feb 2, 2026

Multi-Pool Resource IPAM replicates the way Multi-Pool IPAM mode allocates IP addresses to pods, but specializes for DRA resources. When a pod with a ResourceClaim is scheduled on a node, the Cilium Network Driver is responsible for setting up the needed DRA resources to fulfill the claim. With Multi-Pool Resource IPAM, the claim may specify a pool (namely, a CiliumResourceIPPool object) from which the IP address should be taken and assigned to the resource.

This PR adds the agent part of Multi-Pool Resource IPAM (for more details refer to the Cilium Network Driver CfP). The needed IP addresses are taken from the pool specified in the ResourceClaim device request and assigned to the DRA resource in the PrepareResourceClaims hook.


How to test the PR manually

Enable the Cilium Network Driver in the Helm chart:

diff --git a/contrib/testing/kind-fast.yaml b/contrib/testing/kind-fast.yaml
index 02167d50b2..4940b66b95 100644
--- a/contrib/testing/kind-fast.yaml
+++ b/contrib/testing/kind-fast.yaml
@@ -75,3 +75,6 @@ cni:
   # binary we directly copied to the node. But we still want the configuration
   # to be created, which is also controlled by `cni.install`.
   binPath: /opt/dummy/
+
+networkDriver:
+  enabled: true
\ No newline at end of file
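
Review bot: the added `enabled: true` line ends contrib/testing/kind-fast.yaml without a trailing newline, as the `\ No newline at end of file` marker shows; terminate the file with a newline so a later append to these values does not rewrite this line. The surrounding `cni` keys carry comments explaining why they are set, while the new `networkDriver` block has none, so a one-line comment saying it enables the Cilium Network Driver for DRA testing would keep the file consistent.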

Create a two-node kind cluster and install Cilium:

make kind && make kind-image-fast && make kind-install-cilium-fast

Enable Cilium Network Driver for dummy devices on each node, kind-worker and kind-control-plane:

cat <<EOF | kubectl apply -f -
apiVersion: cilium.io/v2alpha1
kind: CiliumNetworkDriverNodeConfig
metadata:
  name: kind-worker
spec:
  draRegistrationRetryInterval: 1
  draRegistrationTimeout: 600
  publishInterval: 10
  driverName: "dummy.cilium.k8s.io"
  pools:
    - name: "dummy-pool"
      filter:
        deviceManagers:
          - "dummy"
  deviceManagerConfigs:
    dummy:
      enabled: true
---
apiVersion: cilium.io/v2alpha1
kind: CiliumNetworkDriverNodeConfig
metadata:
  name: kind-control-plane
spec:
  draRegistrationRetryInterval: 1
  draRegistrationTimeout: 600
  publishInterval: 10
  driverName: "dummy.cilium.k8s.io"
  pools:
    - name: "dummy-pool"
      filter:
        deviceManagers:
          - "dummy"
  deviceManagerConfigs:
    dummy:
      enabled: true
EOF

Add two dummy devices on kind-worker:

$ docker exec -ti kind-worker bash
# ip link add dummy0 type dummy && ip link set dummy0 up && ip link add dummy1 type dummy && ip link set dummy1 up

Define the DeviceClass for dummy devices:

cat <<EOF | kubectl apply -f -
apiVersion: resource.k8s.io/v1
kind: DeviceClass
metadata:
  name: dummy.cilium.k8s.io
  namespace: kube-system
spec:
  selectors:
  - cel:
      expression: device.driver == "dummy.cilium.k8s.io"
EOF

Add two CiliumResourceIPPool objects, a-ip-pool and b-ip-pool:

cat <<EOF | kubectl apply -f -
apiVersion: cilium.io/v2alpha1
kind: CiliumResourceIPPool
metadata:
  name: a-ip-pool
spec:
  ipv4:
    cidrs:
    - 10.10.0.0/16
    maskSize: 24
  ipv6:
    cidrs:
    - fd00:100:1::/48
    maskSize: 64
---
apiVersion: cilium.io/v2alpha1
kind: CiliumResourceIPPool
metadata:
  name: b-ip-pool
spec:
  ipv4:
    cidrs:
    - 10.20.0.0/16
    maskSize: 24
  ipv6:
    cidrs:
    - fd00:200:1::/48
    maskSize: 64
EOF

Create a ResourceClaimTemplate that requests two dummy devices, one with addresses from a-ip-pool and the other with addresses from b-ip-pool:

cat <<EOF | kubectl apply -f -
apiVersion: resource.k8s.io/v1
kind: ResourceClaimTemplate
metadata:
  name: dummy
spec:
  spec:
    devices:
      requests:
      - name: dummy-a
        exactly:
          deviceClassName: dummy.cilium.k8s.io
      - name: dummy-b
        exactly:
          deviceClassName: dummy.cilium.k8s.io
      config:
        - requests:
          - dummy-a
          opaque:
            driver: dummy.cilium.k8s.io
            parameters:
              ip-pool: a-ip-pool
        - requests:
          - dummy-b
          opaque:
            driver: dummy.cilium.k8s.io
            parameters:
              ip-pool: b-ip-pool
EOF

Add a pod using the ResourceClaim dummy to request two dummy devices:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: dummy-pod
spec:
  securityContext:
    runAsUser: 0
  containers:
  - name: app
    image: busybox
    command: ["sleep", "inf"]
  resourceClaims:
  - name: dummy
    resourceClaimTemplateName: dummy
EOF

The pod is scheduled on the kind-worker node, with dummy0 and dummy1 devices having addresses from the a-ip-pool and b-ip-pool respectively:

$ kubectl exec -ti dummy-pod -- ip addr
8: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether 7a:1c:9c:df:da:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.158/32 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fd00:100:1::918e/128 scope global 
       valid_lft forever preferred_lft forever
9: dummy1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue qlen 1000
    link/ether 42:59:f4:ef:e6:c5 brd ff:ff:ff:ff:ff:ff
    inet 10.20.0.141/32 scope global dummy1
       valid_lft forever preferred_lft forever
    inet6 fd00:200:1::4fb1/128 scope global 
       valid_lft forever preferred_lft forever

The kind-worker CiliumNode reports the CIDRs requested from and allocated to the node:

$ ks get ciliumnode kind-worker -o yaml | yq .spec.ipam.resourcepools
allocated:
  - cidrs:
      - 10.10.0.0/24
      - fd00:100:1::/64
    pool: a-ip-pool
  - cidrs:
      - 10.20.0.0/24
      - fd00:200:1::/64
    pool: b-ip-pool
requested:
  - needed:
      ipv4-addrs: 1
      ipv6-addrs: 1
    pool: a-ip-pool
  - needed:
      ipv4-addrs: 1
      ipv6-addrs: 1
    pool: b-ip-pool

Related: #44081
Depends on #44081
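
As an added example (not part of the PR or of Cilium's code), a small Go check that can be run against the outputs above: it confirms that an address on a claimed device comes from a node CIDR allocated from the pool the claim named, and that this CIDR has the pool's maskSize and lies inside the pool. The `pool` type, `checkDeviceAddr` and the variable names are hypothetical; the values are copied from this page.

```go
package main

import (
	"fmt"
	"net/netip"
)

// pool holds, for one CiliumResourceIPPool, the values shown on this page.
type pool struct {
	cidrs []string // spec.ipv4.cidrs and spec.ipv6.cidrs of the pool
	node  []string // CIDRs the CiliumNode lists as allocated from the pool
}

// Constructed from the manifests and the CiliumNode output above.
var pools = map[string]pool{
	"a-ip-pool": {[]string{"10.10.0.0/16", "fd00:100:1::/48"}, []string{"10.10.0.0/24", "fd00:100:1::/64"}},
	"b-ip-pool": {[]string{"10.20.0.0/16", "fd00:200:1::/48"}, []string{"10.20.0.0/24", "fd00:200:1::/64"}},
}
var maskSize = map[bool]int{true: 24, false: 64} // keyed by "is IPv4"; same in both pools

// checkDeviceAddr returns nil only if addr lies in a node CIDR allocated from p
// and that CIDR has the pool's maskSize and sits inside one of the pool's CIDRs.
func checkDeviceAddr(p pool, addr string) error {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return err
	}
	for _, n := range p.node {
		nc := netip.MustParsePrefix(n)
		if !nc.Contains(a) {
			continue
		}
		if nc.Bits() != maskSize[a.Is4()] {
			return fmt.Errorf("%s: node CIDR %s does not match maskSize", addr, nc)
		}
		for _, c := range p.cidrs {
			if pc := netip.MustParsePrefix(c); pc.Bits() <= nc.Bits() && pc.Contains(nc.Addr()) {
				return nil
			}
		}
		return fmt.Errorf("%s: node CIDR %s is outside the pool", addr, nc)
	}
	return fmt.Errorf("%s: not in any CIDR allocated from this pool", addr)
}

func main() {
	fmt.Println(checkDeviceAddr(pools["a-ip-pool"], "10.10.0.158")) // dummy0, requested from a-ip-pool
	fmt.Println(checkDeviceAddr(pools["a-ip-pool"], "10.20.0.141")) // dummy1's address against the wrong pool
}
```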

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 2, 2026
@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch 4 times, most recently from cd1eb8e to bd21c60 Compare February 3, 2026 17:34
@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch 3 times, most recently from 7ac8ba1 to a404e1f Compare February 3, 2026 21:03
@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch 2 times, most recently from 9b6edda to f6b597f Compare February 5, 2026 15:49
@pippolo84 pippolo84 added area/daemon Impacts operation of the Cilium daemon. release-note/misc This PR makes changes that have no direct user impact. area/ipam IP address management, including cloud IPAM labels Feb 5, 2026
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 5, 2026
@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch from f6b597f to 371add5 Compare February 6, 2026 11:53
@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch 2 times, most recently from c4333ad to fc2ddb6 Compare February 10, 2026 17:48
@julianwiedmann julianwiedmann added the area/dra-plugin Impacts the Cilium Network Driver DRA plugin. label Feb 11, 2026
@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch from fc2ddb6 to b743b4e Compare February 11, 2026 14:06
@pippolo84 pippolo84 marked this pull request as ready for review February 11, 2026 15:08
@pippolo84 pippolo84 requested a review from a team as a code owner February 11, 2026 15:08
@pippolo84 pippolo84 requested review from antonipp and removed request for a team February 11, 2026 15:08
@pippolo84
Member Author

/test

Contributor

@antonipp antonipp left a comment

Still catching up on the full context of the feature you are working on but generally LGTM, just have 1 question

@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch from b743b4e to d6c7fb1 Compare February 23, 2026 11:32
@pippolo84 pippolo84 requested review from antonipp and gandro February 23, 2026 11:33
@pippolo84
Member Author

/test

Member

@gandro gandro left a comment

Looks good from an IPAM perspective. One issue that probably should be addressed

This avoids the linear search for each device configuration and allows
asking for all the needed IP addresses in one go, so that multi-pool resource
IPAM can immediately start to allocate the needed CIDRs from the
operator.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

In order to instantiate a new manager for DRA resource IPAM in the
Cilium Network Driver, let's export the multiPoolManager and its methods
useful for the driver.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

Allocate IP addresses to claimed resources from pools defined in
CiliumResourceIPPool k8s objects. The Cilium Network Driver embeds a
multi-pool manager that handles the requests and interacts with the
operator to get the needed CIDRs from the referenced pool. Then, the
single IPs are allocated based on the ResourceClaim specification in the
PrepareResourceClaim DRA hook.

In case the ResourceClaim specifies static IP addresses instead of
referencing a pool, those have precedence over multi-pool allocation.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

Add integration-style unit tests for network driver IPAM. The tests
verify the management of both static IP addresses and dynamic
allocation with multi-pool Resource IPAM.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>

@pippolo84 pippolo84 force-pushed the pr/pippolo84/network-driver-ipam-agent branch from d6c7fb1 to 65644bf Compare February 23, 2026 17:31
@pippolo84
Member Author

/test

@pippolo84
Member Author

sig-ipam covered by Sebastian and already addressed the feedback from Anton. Merging now.

@pippolo84 pippolo84 merged commit 6267a27 into cilium:feature/dra-driver Feb 26, 2026
73 of 74 checks passed