kubernetes · rifelpet · Nov 29, 2023 · Nov 29, 2023 · Nov 29, 2023 · Nov 30, 2023
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
@@ -1323,8 +1323,8 @@ func validateNetworkingCilium(cluster *kops.Cluster, v *kops.CiliumNetworkingSpe
 			if c.GetCloudProvider() != kops.CloudProviderAWS {
 				allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilum ENI IPAM is supported only in AWS"))
 			}
-			if v.Masquerade != nil && !*v.Masquerade {
-				allErrs = append(allErrs, field.Forbidden(fldPath.Child("masquerade"), "Masquerade must be enabled when ENI IPAM is used"))
+			if v.Masquerade != nil && *v.Masquerade {
+				allErrs = append(allErrs, field.Forbidden(fldPath.Child("masquerade"), "Masquerade must be disabled when ENI IPAM is used"))
 			}
 			if c.IsIPv6Only() {
 				allErrs = append(allErrs, field.Forbidden(fldPath.Child("ipam"), "Cilium ENI IPAM does not support IPv6"))

diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
@@ -941,7 +941,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Masquerade: fi.PtrTo(true),
+				Masquerade: fi.PtrTo(false),
 				IPAM:       "eni",
 			},
 			Spec: kops.ClusterSpec{
@@ -958,7 +958,7 @@ func Test_Validate_Cilium(t *testing.T) {
 		},
 		{
 			Cilium: kops.CiliumNetworkingSpec{
-				Masquerade: fi.PtrTo(false),
+				Masquerade: fi.PtrTo(true),
 				IPAM:       "eni",
 			},
 			Spec: kops.ClusterSpec{

diff --git a/pkg/model/components/cilium.go b/pkg/model/components/cilium.go
@@ -112,7 +112,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 	}
 
 	if c.Masquerade == nil {
-		c.Masquerade = fi.PtrTo(!clusterSpec.IsIPv6Only())
+		c.Masquerade = fi.PtrTo(!clusterSpec.IsIPv6Only() && c.IPAM != "eni")
 	}
 
 	if c.Tunnel == "" {
@@ -132,7 +132,7 @@ func (b *CiliumOptionsBuilder) BuildOptions(o interface{}) error {
 	}
 
 	if c.EnableBPFMasquerade == nil {
-		c.EnableBPFMasquerade = fi.PtrTo(c.IPAM == "eni")
+		c.EnableBPFMasquerade = fi.PtrTo(false)
 	}
 
 	if c.EnableL7Proxy == nil {

diff --git a/tests/e2e/kubetest2-kops/deployer/up.go b/tests/e2e/kubetest2-kops/deployer/up.go
@@ -154,6 +154,18 @@ func (d *deployer) createCluster(zones []string, adminAccess string, yes bool) e
 		if err != nil {
 			return err
 		}
+
+		if strings.Contains(d.CreateArgs, "cilium-eni") {
+			for i, arg := range createArgs {
+				if strings.Contains(arg, "ubuntu-jammy-22.04-arm64") {
+					createArgs[i] = "--image=099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20231127"
+				}
+				if strings.Contains(arg, "t4g.large") {
+					createArgs[i] = strings.ReplaceAll(arg, "t4g.large", "t3.large")
+				}
+			}
+		}
+
 		args = append(args, createArgs...)
 	}
 	args = appendIfUnset(args, "--admin-access", adminAccess)
@@ -175,7 +187,7 @@ func (d *deployer) createCluster(zones []string, adminAccess string, yes bool) e
 	switch d.CloudProvider {
 	case "aws":
 		if isArm {
-			args = appendIfUnset(args, "--master-size", "c6g.large")
+			args = appendIfUnset(args, "--master-size", "c5.large")
 			args = appendIfUnset(args, "--node-size", "c6g.large")
 		} else {
 			args = appendIfUnset(args, "--master-size", "c5.large")
@@ -216,6 +228,7 @@ func (d *deployer) createCluster(zones []string, adminAccess string, yes bool) e
 		args = appendIfUnset(args, "--kubernetes-feature-gates", d.KubernetesFeatureGates)
 	}
 
+	klog.Infof("Command: %v", args)
 	cmd := exec.Command(args[0], args[1:]...)
 	cmd.SetEnv(d.env()...)
 

diff --git a/tests/integration/conversion/cilium/v1alpha2.yaml b/tests/integration/conversion/cilium/v1alpha2.yaml
@@ -38,7 +38,7 @@ spec:
   networking:
     cilium:
       IPTablesRulesNoinstall: true
-      disableMasquerade: true
+      disableMasquerade: false
   nonMasqueradeCIDR: 100.64.0.0/10
   sshAccess:
   - 0.0.0.0/0

diff --git a/tests/integration/conversion/cilium/v1alpha3.yaml b/tests/integration/conversion/cilium/v1alpha3.yaml
@@ -38,7 +38,7 @@ spec:
   networking:
     cilium:
       installIptablesRules: false
-      masquerade: false
+      masquerade: true
     networkCIDR: 172.20.0.0/16
     nonMasqueradeCIDR: 100.64.0.0/10
     subnets:

diff --git a/...ration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content b/...ration/update_cluster/privatecilium-eni/data/aws_s3_object_cluster-completed.spec_content
@@ -202,8 +202,8 @@ spec:
       clusterName: default
       cpuRequest: 25m
       disableCNPStatusUpdates: true
-      disableMasquerade: false
-      enableBPFMasquerade: true
+      disableMasquerade: true
+      enableBPFMasquerade: false
       enableEndpointHealthChecking: true
       enableL7Proxy: true
       enableRemoteNodeIdentity: true

diff --git a/...r/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content b/...r/privatecilium-eni/data/aws_s3_object_privatecilium.example.com-addons-bootstrap_content
@@ -99,7 +99,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.14.yaml
-    manifestHash: dc0ffacc5b54ff7ce6d48ad648b291624ae47bbd80cbdd5268f48bc866a6cf3e
+    manifestHash: a9a4236d2cdb58dc75311938b87a39ea508c8c66237fff2f9687904ab500a67f
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

diff --git a/...data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content b/...data/aws_s3_object_privatecilium.example.com-addons-networking.cilium.io-k8s-1.16_content
@@ -45,11 +45,11 @@ data:
   debug: "false"
   disable-cnp-status-updates: "true"
   disable-endpoint-crd: "false"
-  enable-bpf-masquerade: "true"
+  enable-bpf-masquerade: "false"
   enable-endpoint-health-checking: "true"
   enable-endpoint-routes: "true"
   enable-ipv4: "true"
-  enable-ipv4-masquerade: "true"
+  enable-ipv4-masquerade: "false"
   enable-ipv6: "false"
   enable-ipv6-masquerade: "false"
   enable-l7-proxy: "true"

diff --git a/...on/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content b/...on/update_cluster/privateciliumadvanced/data/aws_s3_object_cluster-completed.spec_content
@@ -212,8 +212,8 @@ spec:
       clusterName: default
       cpuRequest: 25m
       disableCNPStatusUpdates: true
-      disableMasquerade: false
-      enableBPFMasquerade: true
+      disableMasquerade: true
+      enableBPFMasquerade: false
       enableEndpointHealthChecking: true
       enableL7Proxy: true
       enableNodePort: true

diff --git a/...iumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content b/...iumadvanced/data/aws_s3_object_privateciliumadvanced.example.com-addons-bootstrap_content
@@ -99,7 +99,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.16
     manifest: networking.cilium.io/k8s-1.16-v1.14.yaml
-    manifestHash: 1dc85a0c4d6148f60695875f169977272f69564eb1ee8a5cf6c4c7687376449d
+    manifestHash: 521432d7456ba3384c8f43e1f0c1f0e2630e55c2c31f4f49d5713482a64d9cde
     name: networking.cilium.io
     needsRollingUpdate: all
     selector:

diff --git a/..._s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content b/..._s3_object_privateciliumadvanced.example.com-addons-networking.cilium.io-k8s-1.16_content
@@ -45,11 +45,11 @@ data:
   debug: "false"
   disable-cnp-status-updates: "true"
   disable-endpoint-crd: "false"
-  enable-bpf-masquerade: "true"
+  enable-bpf-masquerade: "false"
   enable-endpoint-health-checking: "true"
   enable-endpoint-routes: "true"
   enable-ipv4: "true"
-  enable-ipv4-masquerade: "true"
+  enable-ipv4-masquerade: "false"
   enable-ipv6: "false"
   enable-ipv6-masquerade: "false"
   enable-k8s-event-handover: "true"

diff --git a/tests/integration/update_cluster/privateciliumadvanced/in-v1alpha2.yaml b/tests/integration/update_cluster/privateciliumadvanced/in-v1alpha2.yaml
@@ -34,7 +34,7 @@ spec:
     cilium:
       enableNodePort: true
       etcdManaged: true
-      disableMasquerade: false
+      disableMasquerade: true
       ipam: eni
   nonMasqueradeCIDR: 100.64.0.0/10
   sshAccess: