siderolabs
diff --git a/‎api/resource/definitions/k8s/k8s.proto‎
Lines changed: 1 addition & 0 deletions b/‎api/resource/definitions/k8s/k8s.proto‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/cluster/local_affiliate.go‎
Lines changed: 9 additions & 4 deletions b/‎internal/app/machined/pkg/controllers/cluster/local_affiliate.go‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go‎
Lines changed: 7 additions & 7 deletions b/‎internal/app/machined/pkg/controllers/cluster/local_affiliate_test.go‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎internal/app/machined/pkg/controllers/k8s/address_filter.go‎
Lines changed: 30 additions & 1 deletion b/‎internal/app/machined/pkg/controllers/k8s/address_filter.go‎
Lines changed: 30 additions & 1 deletion
diff --git a/‎internal/app/machined/pkg/controllers/k8s/address_filter_test.go‎
Lines changed: 60 additions & 112 deletions b/‎internal/app/machined/pkg/controllers/k8s/address_filter_test.go‎
Lines changed: 60 additions & 112 deletions
diff --git a/‎internal/app/machined/pkg/controllers/k8s/node_status.go‎
Lines changed: 14 additions & 0 deletions b/‎internal/app/machined/pkg/controllers/k8s/node_status.go‎
Lines changed: 14 additions & 0 deletions
@@ -213,6 +213,7 @@ message NodeStatusSpec {
   bool unschedulable = 3;
   map<string, string> labels = 4;
   map<string, string> annotations = 5;
+  repeated common.NetIPPrefix pod_cid_rs = 6;
 }
 
 // NodeTaintSpecSpec represents a label that's attached to a Talos node.
 
@@ -68,6 +68,11 @@ func (ctrl *LocalAffiliateController) Inputs() []controller.Input {
 			Type:      network.NodeAddressType,
 			Kind:      controller.InputWeak,
 		},
+		{
+			Namespace: k8s.NamespaceName,
+			Type:      k8s.NodeStatusType,
+			Kind:      controller.InputWeak,
+		},
 		{
 			Namespace: kubespan.NamespaceName,
 			Type:      kubespan.IdentityType,
@@ -196,9 +201,9 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 			return fmt.Errorf("error getting kubespan config: %w", err)
 		}
 
-		ksAdditionalAddresses, err := safe.ReaderGetByID[*network.NodeAddress](ctx, r, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterOnlyK8s))
+		nodeStatus, err := safe.ReaderGetByID[*k8s.NodeStatus](ctx, r, nodename.TypedSpec().Nodename)
 		if err != nil && !state.IsNotFoundError(err) {
-			return fmt.Errorf("error getting kubespan additional addresses: %w", err)
+			return fmt.Errorf("error getting node status: %w", err)
 		}
 
 		discoveredPublicIPs, err := safe.ReaderList[*network.AddressStatus](ctx, r, resource.NewMetadata(cluster.NamespaceName, network.AddressStatusType, "", resource.VersionUndefined))
@@ -245,8 +250,8 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt
 					spec.KubeSpan.Address = kubespanIdentity.TypedSpec().Address.Addr()
 					spec.KubeSpan.PublicKey = kubespanIdentity.TypedSpec().PublicKey
 
-					if kubespanConfig.TypedSpec().AdvertiseKubernetesNetworks && ksAdditionalAddresses != nil {
-						spec.KubeSpan.AdditionalAddresses = slices.Clone(ksAdditionalAddresses.TypedSpec().Addresses)
+					if kubespanConfig.TypedSpec().AdvertiseKubernetesNetworks && nodeStatus != nil {
+						spec.KubeSpan.AdditionalAddresses = slices.Clone(nodeStatus.TypedSpec().PodCIDRs)
 					} else {
 						spec.KubeSpan.AdditionalAddresses = nil
 					}
 
@@ -37,7 +37,7 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 
 	suite.Require().NoError(suite.runtime.RegisterController(&clusterctrl.LocalAffiliateController{}))
 
-	nodeIdentity, nonK8sRoutedAddresses, discoveryConfig := suite.createResources()
+	nodeIdentity, nonK8sRoutedAddresses, nodeName, discoveryConfig := suite.createResources()
 
 	machineType := config.NewMachineType()
 	machineType.SetMachineType(machine.TypeWorker)
@@ -82,9 +82,9 @@ func (suite *LocalAffiliateSuite) TestGeneration() {
 	nonK8sRoutedAddresses.TypedSpec().Addresses = append(nonK8sRoutedAddresses.TypedSpec().Addresses, ksIdentity.TypedSpec().Address)
 	suite.Require().NoError(suite.state.Update(suite.ctx, nonK8sRoutedAddresses))
 
-	onlyK8sAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressCurrentID, k8s.NodeAddressFilterOnlyK8s))
-	onlyK8sAddresses.TypedSpec().Addresses = []netip.Prefix{netip.MustParsePrefix("10.244.1.0/24")}
-	suite.Require().NoError(suite.state.Create(suite.ctx, onlyK8sAddresses))
+	nodeStatus := k8s.NewNodeStatus(k8s.NamespaceName, nodeName.TypedSpec().Nodename)
+	nodeStatus.TypedSpec().PodCIDRs = []netip.Prefix{netip.MustParsePrefix("10.244.1.0/24")}
+	suite.Require().NoError(suite.state.Create(suite.ctx, nodeStatus))
 
 	// add discovered public IPs
 	for _, addr := range []netip.Addr{
@@ -151,7 +151,7 @@ func (suite *LocalAffiliateSuite) TestCPGeneration() {
 
 	suite.Require().NoError(suite.runtime.RegisterController(&clusterctrl.LocalAffiliateController{}))
 
-	nodeIdentity, _, discoveryConfig := suite.createResources()
+	nodeIdentity, _, _, discoveryConfig := suite.createResources()
 
 	machineType := config.NewMachineType()
 	machineType.SetMachineType(machine.TypeControlPlane)
@@ -185,7 +185,7 @@ func (suite *LocalAffiliateSuite) TestCPGeneration() {
 	ctest.AssertNoResource[*cluster.Affiliate](suite, nodeIdentity.TypedSpec().NodeID)
 }
 
-func (suite *LocalAffiliateSuite) createResources() (*cluster.Identity, *network.NodeAddress, *cluster.Config) {
+func (suite *LocalAffiliateSuite) createResources() (*cluster.Identity, *network.NodeAddress, *k8s.Nodename, *cluster.Config) {
 	// regular discovery affiliate
 	discoveryConfig := cluster.NewConfig(config.NamespaceName, cluster.ConfigID)
 	discoveryConfig.TypedSpec().DiscoveryEnabled = true
@@ -224,7 +224,7 @@ func (suite *LocalAffiliateSuite) createResources() (*cluster.Identity, *network
 	}
 	suite.Require().NoError(suite.state.Create(suite.ctx, nonK8sRoutedAddresses))
 
-	return nodeIdentity, nonK8sRoutedAddresses, discoveryConfig
+	return nodeIdentity, nonK8sRoutedAddresses, nodename, discoveryConfig
 }
 
 func TestLocalAffiliateSuite(t *testing.T) {
 
@@ -38,6 +38,17 @@ func (ctrl *AddressFilterController) Inputs() []controller.Input {
 			ID:        optional.Some(config.ActiveID),
 			Kind:      controller.InputWeak,
 		},
+		{
+			Namespace: k8s.NamespaceName,
+			Type:      k8s.NodenameType,
+			ID:        optional.Some(k8s.NodenameID),
+			Kind:      controller.InputWeak,
+		},
+		{
+			Namespace: k8s.NamespaceName,
+			Type:      k8s.NodeStatusType,
+			Kind:      controller.InputWeak,
+		},
 	}
 }
 
@@ -53,7 +64,7 @@ func (ctrl *AddressFilterController) Outputs() []controller.Output {
 
 // Run implements controller.Controller interface.
 //
-//nolint:gocyclo
+//nolint:gocyclo,cyclop
 func (ctrl *AddressFilterController) Run(ctx context.Context, r controller.Runtime, _ *zap.Logger) error {
 	for {
 		select {
@@ -67,6 +78,20 @@ func (ctrl *AddressFilterController) Run(ctx context.Context, r controller.Runti
 			return fmt.Errorf("error getting config: %w", err)
 		}
 
+		nodeName, err := safe.ReaderGetByID[*k8s.Nodename](ctx, r, k8s.NodenameID)
+		if err != nil && !state.IsNotFoundError(err) {
+			return fmt.Errorf("error getting nodename: %w", err)
+		}
+
+		var nodeStatus *k8s.NodeStatus
+
+		if nodeName != nil {
+			nodeStatus, err = safe.ReaderGetByID[*k8s.NodeStatus](ctx, r, nodeName.TypedSpec().Nodename)
+			if err != nil && !state.IsNotFoundError(err) {
+				return fmt.Errorf("error getting nodename: %w", err)
+			}
+		}
+
 		r.StartTrackingOutputs()
 
 		if cfg != nil && cfg.Config().Cluster() != nil {
@@ -85,6 +110,10 @@ func (ctrl *AddressFilterController) Run(ctx context.Context, r controller.Runti
 				podCIDRs = append(podCIDRs, ipPrefix)
 			}
 
+			if nodeStatus != nil {
+				podCIDRs = append(podCIDRs, nodeStatus.TypedSpec().PodCIDRs...)
+			}
+
 			for _, cidr := range cfgProvider.Cluster().Network().ServiceCIDRs() {
 				var ipPrefix netip.Prefix
 
 
@@ -6,22 +6,16 @@
 package k8s_test
 
 import (
-	"context"
 	"fmt"
+	"net/netip"
 	"net/url"
-	"sync"
 	"testing"
 	"time"
 
-	"github.com/cosi-project/runtime/pkg/controller/runtime"
-	"github.com/cosi-project/runtime/pkg/resource"
-	"github.com/cosi-project/runtime/pkg/state"
-	"github.com/cosi-project/runtime/pkg/state/impl/inmem"
-	"github.com/cosi-project/runtime/pkg/state/impl/namespaced"
-	"github.com/siderolabs/go-retry/retry"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
-	"go.uber.org/zap/zaptest"
 
+	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	k8sctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/k8s"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
@@ -31,55 +25,7 @@ import (
 )
 
 type K8sAddressFilterSuite struct {
-	suite.Suite
-
-	state state.State
-
-	runtime *runtime.Runtime
-	wg      sync.WaitGroup
-
-	//nolint:containedctx
-	ctx       context.Context
-	ctxCancel context.CancelFunc
-}
-
-func (suite *K8sAddressFilterSuite) SetupTest() {
-	suite.ctx, suite.ctxCancel = context.WithTimeout(context.Background(), 3*time.Minute)
-
-	suite.state = state.WrapCore(namespaced.NewState(inmem.Build))
-
-	var err error
-
-	suite.runtime, err = runtime.NewRuntime(suite.state, zaptest.NewLogger(suite.T()))
-	suite.Require().NoError(err)
-
-	suite.Require().NoError(suite.runtime.RegisterController(&k8sctrl.AddressFilterController{}))
-
-	suite.startRuntime()
-}
-
-func (suite *K8sAddressFilterSuite) startRuntime() {
-	suite.wg.Go(func() {
-		suite.Assert().NoError(suite.runtime.Run(suite.ctx))
-	})
-}
-
-func (suite *K8sAddressFilterSuite) assertResource(
-	md resource.Metadata,
-	check func(res resource.Resource) error,
-) func() error {
-	return func() error {
-		r, err := suite.state.Get(suite.ctx, md)
-		if err != nil {
-			if state.IsNotFoundError(err) {
-				return retry.ExpectedError(err)
-			}
-
-			return err
-		}
-
-		return check(r)
-	}
+	ctest.DefaultSuite
 }
 
 func (suite *K8sAddressFilterSuite) TestReconcile() {
@@ -111,67 +57,69 @@ func (suite *K8sAddressFilterSuite) TestReconcile() {
 			},
 		),
 	)
-	suite.Require().NoError(suite.state.Create(suite.ctx, cfg))
-
-	suite.Assert().NoError(
-		retry.Constant(3*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
-			suite.assertResource(
-				resource.NewMetadata(
-					network.NamespaceName,
-					network.NodeAddressFilterType,
-					k8s.NodeAddressFilterOnlyK8s,
-					resource.VersionUndefined,
-				),
-				func(res resource.Resource) error {
-					spec := res.(*network.NodeAddressFilter).TypedSpec()
-
-					suite.Assert().Equal(
-						"[10.32.0.0/12 fd00:10:32::/102 10.200.0.0/22 fd40:10:200::/112]",
-						fmt.Sprintf("%s", spec.IncludeSubnets),
-					)
-					suite.Assert().Empty(spec.ExcludeSubnets)
-
-					return nil
-				},
-			),
-		),
-	)
+	suite.Create(cfg)
 
-	suite.Assert().NoError(
-		retry.Constant(3*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
-			suite.assertResource(
-				resource.NewMetadata(
-					network.NamespaceName,
-					network.NodeAddressFilterType,
-					k8s.NodeAddressFilterNoK8s,
-					resource.VersionUndefined,
-				),
-				func(res resource.Resource) error {
-					spec := res.(*network.NodeAddressFilter).TypedSpec()
-
-					suite.Assert().Empty(spec.IncludeSubnets)
-					suite.Assert().Equal(
-						"[10.32.0.0/12 fd00:10:32::/102 10.200.0.0/22 fd40:10:200::/112]",
-						fmt.Sprintf("%s", spec.ExcludeSubnets),
-					)
-
-					return nil
-				},
-			),
-		),
-	)
-}
+	ctest.AssertResource(suite, k8s.NodeAddressFilterOnlyK8s, func(res *network.NodeAddressFilter, asrt *assert.Assertions) {
+		spec := res.TypedSpec()
+
+		asrt.Equal(
+			"[10.32.0.0/12 fd00:10:32::/102 10.200.0.0/22 fd40:10:200::/112]",
+			fmt.Sprintf("%s", spec.IncludeSubnets),
+		)
+		asrt.Empty(spec.ExcludeSubnets)
+	})
+
+	ctest.AssertResource(suite, k8s.NodeAddressFilterNoK8s, func(res *network.NodeAddressFilter, asrt *assert.Assertions) {
+		spec := res.TypedSpec()
+
+		asrt.Empty(spec.IncludeSubnets)
+		asrt.Equal(
+			"[10.32.0.0/12 fd00:10:32::/102 10.200.0.0/22 fd40:10:200::/112]",
+			fmt.Sprintf("%s", spec.ExcludeSubnets),
+		)
+	})
+
+	// create NodeStatus with PodCIDRs
+	nodeName := k8s.NewNodename(k8s.NamespaceName, k8s.NodenameID)
+	nodeName.TypedSpec().Nodename = "test-node"
+	suite.Create(nodeName)
 
-func (suite *K8sAddressFilterSuite) TearDownTest() {
-	suite.T().Log("tear down")
+	nodeStatus := k8s.NewNodeStatus(k8s.NamespaceName, "test-node")
+	nodeStatus.TypedSpec().PodCIDRs = []netip.Prefix{
+		netip.MustParsePrefix("192.168.0.0/24"),
+	}
+	suite.Create(nodeStatus)
 
-	suite.ctxCancel()
+	ctest.AssertResource(suite, k8s.NodeAddressFilterOnlyK8s, func(res *network.NodeAddressFilter, asrt *assert.Assertions) {
+		spec := res.TypedSpec()
+
+		asrt.Equal(
+			"[10.32.0.0/12 fd00:10:32::/102 192.168.0.0/24 10.200.0.0/22 fd40:10:200::/112]",
+			fmt.Sprintf("%s", spec.IncludeSubnets),
+		)
+		asrt.Empty(spec.ExcludeSubnets)
+	})
 
-	suite.wg.Wait()
+	ctest.AssertResource(suite, k8s.NodeAddressFilterNoK8s, func(res *network.NodeAddressFilter, asrt *assert.Assertions) {
+		spec := res.TypedSpec()
+
+		asrt.Empty(spec.IncludeSubnets)
+		asrt.Equal(
+			"[10.32.0.0/12 fd00:10:32::/102 192.168.0.0/24 10.200.0.0/22 fd40:10:200::/112]",
+			fmt.Sprintf("%s", spec.ExcludeSubnets),
+		)
+	})
 }
 
 func TestK8sAddressFilterSuite(t *testing.T) {
 	t.Parallel()
 
-	suite.Run(t, new(K8sAddressFilterSuite))
+	suite.Run(t, &K8sAddressFilterSuite{
+		DefaultSuite: ctest.DefaultSuite{
+			Timeout: 10 * time.Second,
+			AfterSetup: func(suite *ctest.DefaultSuite) {
+				suite.Require().NoError(suite.Runtime().RegisterController(&k8sctrl.AddressFilterController{}))
+			},
+		},
+	})
 }
@@ -7,6 +7,7 @@ package k8s
 import (
 	"context"
 	"fmt"
+	"net/netip"
 
 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/resource"
@@ -179,13 +180,26 @@ func (ctrl *NodeStatusController) Run(ctx context.Context, r controller.Runtime,
 		}
 
 		if node != nil {
+			podCIDRs := make([]netip.Prefix, 0, len(node.Spec.PodCIDRs))
+			for _, cidr := range node.Spec.PodCIDRs {
+				prefix, err := netip.ParsePrefix(cidr)
+				if err != nil {
+					logger.Warn("error parsing pod CIDR", zap.String("cidr", cidr), zap.Error(err))
+
+					continue
+				}
+
+				podCIDRs = append(podCIDRs, prefix)
+			}
+
 			if err = safe.WriterModify(ctx, r, k8s.NewNodeStatus(k8s.NamespaceName, node.Name),
 				func(res *k8s.NodeStatus) error {
 					res.TypedSpec().Nodename = node.Name
 					res.TypedSpec().Unschedulable = node.Spec.Unschedulable
 					res.TypedSpec().Labels = node.Labels
 					res.TypedSpec().Annotations = node.Annotations
 					res.TypedSpec().NodeReady = false
+					res.TypedSpec().PodCIDRs = podCIDRs
 
 					for _, condition := range node.Status.Conditions {
 						if condition.Type == v1.NodeReady {
Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,7 @@ message NodeStatusSpec {`
`213`	`213`	`bool unschedulable = 3;`
`214`	`214`	`map<string, string> labels = 4;`
`215`	`215`	`map<string, string> annotations = 5;`
	`216`	`+ repeated common.NetIPPrefix pod_cid_rs = 6;`
`216`	`217`	`}`
`217`	`218`
`218`	`219`	`// NodeTaintSpecSpec represents a label that's attached to a Talos node.`