Gracefully handle v4 (unmanaged) ENIs on IPv6 node (#3489)

* Gracefully handle v4 (unmanaged) ENIs on IPv6 node

* fix panic

* nit

* fix unit tests

* remove dead code

* bumping go version to 1.24.9 to fix CVEs

* update go check-latest flag

* clean up

* correcting error handling

Author: jupdec

.github/workflows/pr-automated-tests.yaml

@@ -18,6 +18,7 @@ jobs:
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
           go-version: "1.24"
+          check-latest: true
       - name: Set up tools
         run: |
           go install golang.org/x/lint/golint@latest
@@ -54,6 +55,7 @@ jobs:
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
           go-version: "1.24"
+          check-latest: true
       - name: Build CNI images
         run: make multi-arch-cni-build
   docker-build-init:
@@ -70,5 +72,6 @@ jobs:
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # refs/tags/v6.0.0
         with:
           go-version: "1.24"
+          check-latest: true
       - name: Build CNI Init images
         run: make multi-arch-cni-init-build

go.mod

@@ -1,6 +1,6 @@
 module github.com/aws/amazon-vpc-cni-k8s
 
-go 1.24.6
+go 1.24.9
 
 require (
 	github.com/apparentlymart/go-cidr v1.1.0

pkg/awsutils/awsutils.go

@@ -736,7 +736,12 @@ func (cache *EC2InstanceMetadataCache) getENIMetadata(eniMAC string) (ENIMetadat
 			awsAPIErrInc("GetSubnetIPv6CIDRBlocks", err)
 			return ENIMetadata{}, err
 		} else {
-			subnetV6Cidr = v6cidr.String()
+			// Handle the case where GetSubnetIPv6CIDRBlocks returns empty IPNet for IPv4-only subnets
+			// IMPORTANT: This scenario includes cross-VPC IPv4 ENIs attached to IPv6 nodes
+			// where the ENI subnet is IPv4-only but the node is configured for IPv6
+			if v6cidr != nil && v6cidr.IP != nil && v6cidr.Mask != nil {
+				subnetV6Cidr = v6cidr.String()
+			}
 		}
 
 		imdsIPv6s, err := cache.imds.GetIPv6s(ctx, eniMAC)

pkg/awsutils/awsutils_test.go

@@ -100,6 +100,17 @@ const (
 	imdsMACFieldsEfaOnly = "security-group-ids subnet-id vpc-id vpc-ipv4-cidr-blocks device-number interface-id subnet-ipv4-cidr-block ipv4-prefix ipv6-prefix"
 	imdsMACFieldsV6Only  = "security-group-ids subnet-id vpc-id vpc-ipv4-cidr-blocks vpc-ipv6-cidr-blocks device-number interface-id subnet-ipv6-cidr-blocks ipv6s ipv6-prefix"
 	imdsMACFieldsV4AndV6 = "security-group-ids subnet-id vpc-id vpc-ipv4-cidr-blocks device-number interface-id subnet-ipv4-cidr-block subnet-ipv6-cidr-blocks ipv6s local-ipv4s ipv6-prefix"
+
+	// Cross-VPC ENI test constants
+	crossVPCMAC        = "12:ef:2a:98:e5:5c"
+	crossVPCENIID      = "eni-crossvpc123"
+	crossVPCDevice     = "2"
+	crossVPCPrivateIP  = "172.16.0.10"
+	crossVPCSubnetID   = "subnet-crossvpc456"
+	crossVPCSubnetCIDR = "172.16.0.0/24"
+	crossVPCVpcID      = "vpc-crossvpc789"
+	noManageTagKey     = "node.k8s.amazonaws.com/no_manage"
+	noManageTagValue   = "true"
 )
 
 func testMetadata(overrides map[string]interface{}) FakeIMDS {
@@ -2268,3 +2279,68 @@ func Test_IsTrunkingCompatible(t *testing.T) {
 		})
 	}
 }
+
+// TestCrossVPCENIWithFix demonstrates that getCIDR now handles 404 errors gracefully,
+// fixing GetSubnetIPv6CIDRBlocks and other CIDR functions for cross-VPC IPv4-only ENIs
+func TestCrossVPCENIWithFix(t *testing.T) {
+	// Set up the same cross-VPC scenario as the bug reproduction test
+	mockMetadata := testMetadata(map[string]interface{}{
+		// Primary VPC ENI with IPv6 support
+		metadataMACPath: primaryMAC + " " + crossVPCMAC,
+
+		// Cross-VPC ENI basic metadata (this succeeds)
+		metadataMACPath + crossVPCMAC:                      imdsMACFields,
+		metadataMACPath + crossVPCMAC + metadataDeviceNum:  crossVPCDevice,
+		metadataMACPath + crossVPCMAC + metadataInterface:  crossVPCENIID,
+		metadataMACPath + crossVPCMAC + metadataSubnetID:   crossVPCSubnetID,
+		metadataMACPath + crossVPCMAC + metadataVpcID:      crossVPCVpcID,
+		metadataMACPath + crossVPCMAC + metadataSubnetCIDR: crossVPCSubnetCIDR,
+		metadataMACPath + crossVPCMAC + metadataIPv4s:      crossVPCPrivateIP,
+		metadataMACPath + crossVPCMAC + metadataSGs:        sgs,
+
+		// IPv6 subnet CIDR request fails with 404 for cross-VPC IPv4-only subnet
+		// With the fix, this 404 should be handled gracefully
+		metadataMACPath + crossVPCMAC + metadataSubnetV6CIDR: newIMDSRequestError("test", &CustomRequestFailure{
+			code:       "NotFound",
+			message:    "IPv6 CIDR not found for cross-VPC IPv4-only subnet",
+			fault:      smithy.FaultUnknown,
+			statusCode: 404,
+			requestID:  "test-req-id",
+		}),
+	})
+
+	// Create cache with IPv6 enabled (same as bug test)
+	cache := &EC2InstanceMetadataCache{
+		imds:      TypedIMDS{mockMetadata},
+		v6Enabled: true, // IPv6 enabled cluster
+		v4Enabled: true,
+	}
+
+	// With the fix, GetAttachedENIs should now succeed
+	enis, err := cache.GetAttachedENIs()
+
+	// Verify the fix: initialization should now succeed
+	assert.NoError(t, err, "Should succeed with fix - getCIDR now handles 404 gracefully for all CIDR functions")
+	assert.NotNil(t, enis, "Should return ENI list")
+	assert.Equal(t, 2, len(enis), "Should return both primary and cross-VPC ENIs")
+
+	// Verify that both ENIs are present
+	var primaryFound, crossVPCFound bool
+	for _, eni := range enis {
+		if eni.ENIID == primaryeniID {
+			primaryFound = true
+		}
+		if eni.ENIID == crossVPCENIID {
+			crossVPCFound = true
+			// Cross-VPC ENI should have IPv4 data but no IPv6 (due to 404 handled gracefully)
+			assert.NotEmpty(t, eni.IPv4Addresses, "Cross-VPC ENI should have IPv4 addresses")
+			assert.Empty(t, eni.SubnetIPv6CIDR, "Cross-VPC ENI should have empty IPv6 CIDR (404 handled gracefully)")
+		}
+	}
+
+	assert.True(t, primaryFound, "Primary ENI should be found")
+	assert.True(t, crossVPCFound, "Cross-VPC ENI should be found")
+
+	t.Logf("Result: IPv6-enabled cluster successfully initializes with cross-VPC IPv4-only ENIs")
+	t.Logf("Found %d ENIs: Primary (%s) and Cross-VPC (%s)", len(enis), primaryeniID, crossVPCENIID)
+}

pkg/awsutils/imds.go

@@ -411,29 +411,39 @@ func (typedimds TypedIMDS) getIPs(ctx context.Context, key string) ([]net.IP, er
 	return ips, err
 }
 
-func (typedimds TypedIMDS) getCIDR(ctx context.Context, key string) (net.IPNet, error) {
+func (typedimds TypedIMDS) getCIDR(ctx context.Context, key string) (*net.IPNet, error) {
 	output, err := typedimds.GetMetadata(ctx, &imds.GetMetadataInput{
 		Path: key})
 	if err != nil {
-		return net.IPNet{}, err
+		imdsErr := new(imdsRequestError)
+		oe := new(smithy.OperationError)
+		if errors.As(err, &imdsErr) || errors.As(err, &oe) {
+			if IsNotFound(err) {
+				// No CIDR found. Not an error for IPv4-only subnets when requesting IPv6 CIDRs
+				return nil, nil
+			}
+			log.Warnf("%v", err)
+			return nil, newIMDSRequestError(err.Error(), err)
+		}
+		return nil, err
 	}
 	if output == nil || output.Content == nil {
-		return net.IPNet{}, newIMDSRequestError(key, fmt.Errorf("empty response"))
+		return nil, newIMDSRequestError(key, fmt.Errorf("empty response"))
 	}
 
 	defer output.Content.Close()
 	bytes, err := io.ReadAll(output.Content)
 	if err != nil {
-		return net.IPNet{}, newIMDSRequestError(key, fmt.Errorf("failed to read content: %w", err))
+		return nil, newIMDSRequestError(key, fmt.Errorf("failed to read content: %w", err))
 	}
 
 	data := strings.TrimSpace(string(bytes))
 	ip, network, err := net.ParseCIDR(data)
 	if err != nil {
-		return net.IPNet{}, err
+		return nil, err
 	}
 	// Why doesn't net.ParseCIDR just return values in this form?
-	cidr := net.IPNet{IP: ip, Mask: network.Mask}
+	cidr := &net.IPNet{IP: ip, Mask: network.Mask}
 	return cidr, err
 }
 
@@ -574,7 +584,7 @@ func (typedimds TypedIMDS) GetIPv6s(ctx context.Context, mac string) ([]net.IP,
 }
 
 // GetSubnetIPv4CIDRBlock returns the IPv4 CIDR block for the subnet in which the interface resides.
-func (typedimds TypedIMDS) GetSubnetIPv4CIDRBlock(ctx context.Context, mac string) (net.IPNet, error) {
+func (typedimds TypedIMDS) GetSubnetIPv4CIDRBlock(ctx context.Context, mac string) (*net.IPNet, error) {
 	key := fmt.Sprintf("network/interfaces/macs/%s/subnet-ipv4-cidr-block", mac)
 	return typedimds.getCIDR(ctx, key)
 }
@@ -616,7 +626,7 @@ func (typedimds TypedIMDS) GetVPCIPv6CIDRBlocks(ctx context.Context, mac string)
 }
 
 // GetSubnetIPv6CIDRBlocks returns the IPv6 CIDR block for the subnet in which the interface resides.
-func (typedimds TypedIMDS) GetSubnetIPv6CIDRBlocks(ctx context.Context, mac string) (net.IPNet, error) {
+func (typedimds TypedIMDS) GetSubnetIPv6CIDRBlocks(ctx context.Context, mac string) (*net.IPNet, error) {
 	key := fmt.Sprintf("network/interfaces/macs/%s/subnet-ipv6-cidr-blocks", mac)
 	return typedimds.getCIDR(ctx, key)
 }

pkg/awsutils/imds_test.go

@@ -202,7 +202,8 @@ func TestGetSubnetIPv4CIDRBlock(t *testing.T) {
 
 	ip, err := f.GetSubnetIPv4CIDRBlock(context.TODO(), "02:c5:f8:3e:6b:27")
 	if assert.NoError(t, err) {
-		assert.Equal(t, ip, net.IPNet{IP: net.IPv4(10, 0, 64, 0), Mask: net.CIDRMask(18, 32)})
+		expected := net.IPNet{IP: net.IPv4(10, 0, 64, 0), Mask: net.CIDRMask(18, 32)}
+		assert.Equal(t, *ip, expected)
 	}
 }
 
@@ -225,9 +226,9 @@ func TestGetSubnetIPv6CIDRBlocks(t *testing.T) {
 
 	ips, err := f.GetSubnetIPv6CIDRBlocks(context.TODO(), "02:c5:f8:3e:6b:27")
 	if assert.NoError(t, err) {
-		assert.Equal(t, ips,
-			net.IPNet{IP: net.IP{0x20, 0x1, 0xd, 0xb8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
-				Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}})
+		expected := net.IPNet{IP: net.IP{0x20, 0x1, 0xd, 0xb8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
+			Mask: net.IPMask{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
+		assert.Equal(t, *ips, expected)
 	}
 }