refactor: Update apipa nic as separate entry in podIPInfo

tamilmani1989 · tamilmani1989 · commit d55e395ddc53 · 2025-09-05T14:16:05.000-07:00
This PR updates both CNS and CNI code to construct apipa nic as separate entry
in podIpInfo if either of allowhostonc or allownctohost set. This allows CNI to
treat this as separate endpoint and align with current cni design/model of
1 nic per endpoint info. CNI then iterates through endpoint info and creates one
nic at a time.

Signed-off-by: Tamilmani &lt;tamanoha@microsoft.com&gt;
diff --git a/cni/network/invoker_cns.go b/cni/network/invoker_cns.go
@@ -192,6 +192,11 @@ func (invoker *CNSIPAMInvoker) Add(addConfig IPAMAddConfig) (IPAMAddResult, erro
 			if err := addBackendNICToResult(&info, &addResult, key); err != nil {
 				return IPAMAddResult{}, err
 			}
+		case cns.ApipaNIC:
+			if err := configureApipaAddResult(&info, &addResult, &response.PodIPInfo[i].PodIPConfig, key); err != nil {
+				return IPAMAddResult{}, err
+			}
+
 		case cns.InfraNIC, "":
 			// if we change from legacy cns, the nicType will be empty, so we assume it is infra nic
 			info.nicType = cns.InfraNIC
@@ -508,6 +513,29 @@ func configureSecondaryAddResult(info *IPResultInfo, addResult *IPAMAddResult, p
 	return nil
 }
 
+func configureApipaAddResult(info *IPResultInfo, addResult *IPAMAddResult, podIPConfig *cns.IPSubnet, key string) error {
+	ip, ipnet, err := podIPConfig.GetIPNet()
+	if ip == nil {
+		return errors.Wrap(err, "Unable to parse IP from response: "+info.podIPAddress+" with err %w")
+	}
+
+	addResult.interfaceInfo[key] = network.InterfaceInfo{
+		IPConfigs: []*network.IPConfig{
+			{
+				Address: net.IPNet{
+					IP:   ip,
+					Mask: ipnet.Mask,
+				},
+				Gateway: net.ParseIP(info.ncGatewayIPAddress),
+			},
+		},
+		NICType:           info.nicType,
+		SkipDefaultRoutes: true,
+	}
+
+	return nil
+}
+
 func addBackendNICToResult(info *IPResultInfo, addResult *IPAMAddResult, key string) error {
 	macAddress, err := net.ParseMAC(info.macAddress)
 	if err != nil {
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
@@ -93,6 +93,9 @@ const (
 	NodeNetworkInterfaceFrontendNIC NICType = "FrontendNIC"
 	// NodeNetworkInterfaceBackendNIC is the new name for BackendNIC
 	NodeNetworkInterfaceBackendNIC NICType = "BackendNIC"
+
+	// ApipaNIC is used for internal communication between host and container
+	ApipaNIC NICType = "ApipaNIC"
 )
 
 // ChannelMode :- CNS channel modes
@@ -516,6 +519,10 @@ type PodIpInfo struct {
 	PnPID string
 	// Default Deny ACL's to configure on HNS endpoints for Swiftv2 window nodes
 	EndpointPolicies []policy.Policy
+	// This flag is in effect only if nic type is apipa. This allows connection originating from host to container via apipa nic and not other way.
+	AllowHostToNCCommunication bool
+	// This flag is in effect only if nic type is apipa. This allows connection originating from container to host via apipa nic and not other way.
+	AllowNCToHostCommunication bool
 }
 
 type HostIPInfo struct {
diff --git a/cns/restserver/ipam.go b/cns/restserver/ipam.go
@@ -149,6 +149,7 @@ func (service *HTTPRestService) requestIPConfigHandlerHelperStandalone(ctx conte
 
 	// assign NICType and MAC Address for SwiftV2. we assume that there won't be any SwiftV1 NCs here
 	podIPInfoList := make([]cns.PodIpInfo, 0, len(resp))
+	apipaIndex := -1
 	for i := range resp {
 		podIPInfo := cns.PodIpInfo{
 			PodIPConfig:                     resp[i].IPConfiguration.IPSubnet,
@@ -157,6 +158,21 @@ func (service *HTTPRestService) requestIPConfigHandlerHelperStandalone(ctx conte
 			NetworkContainerPrimaryIPConfig: resp[i].IPConfiguration,
 		}
 		podIPInfoList = append(podIPInfoList, podIPInfo)
+		if resp[i].AllowHostToNCCommunication || resp[i].AllowNCToHostCommunication {
+			apipaIndex = i
+		}
+	}
+
+	if apipaIndex != -1 {
+		apipaPodIPInfo := cns.PodIpInfo{
+			PodIPConfig:                     resp[apipaIndex].LocalIPConfiguration.IPSubnet,
+			NICType:                         cns.ApipaNIC,
+			NetworkContainerPrimaryIPConfig: resp[apipaIndex].LocalIPConfiguration,
+			SkipDefaultRoutes:               true,
+			AllowHostToNCCommunication:      resp[apipaIndex].AllowHostToNCCommunication,
+			AllowNCToHostCommunication:      resp[apipaIndex].AllowNCToHostCommunication,
+		}
+		podIPInfoList = append(podIPInfoList, apipaPodIPInfo)
 	}
 
 	ipConfigsResp := &cns.IPConfigsResponse{
diff --git a/network/network_windows.go b/network/network_windows.go
@@ -342,7 +342,8 @@ func (nm *networkManager) addIPv6DefaultRoute() error {
 // newNetworkImplHnsV2 creates a new container network for HNSv2.
 func (nm *networkManager) newNetworkImplHnsV2(nwInfo *EndpointInfo, extIf *externalInterface) (*network, error) {
 	// network creation is not required for IB
-	if nwInfo.NICType == cns.BackendNIC {
+	// For apipa nic, we create network as part of endpoint creation
+	if nwInfo.NICType == cns.BackendNIC || nwInfo.NICType == cns.ApipaNIC {
 		return &network{Endpoints: make(map[string]*endpoint)}, nil
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -342,7 +342,8 @@ func (nm *networkManager) addIPv6DefaultRoute() error {`
`342`	`342`	`// newNetworkImplHnsV2 creates a new container network for HNSv2.`
`343`	`343`	`func (nm networkManager) newNetworkImplHnsV2(nwInfo EndpointInfo, extIf externalInterface) (network, error) {`
`344`	`344`	`// network creation is not required for IB`
`345`		`- if nwInfo.NICType == cns.BackendNIC {`
	`345`	`+ // For apipa nic, we create network as part of endpoint creation`
	`346`	`+ if nwInfo.NICType == cns.BackendNIC \|\| nwInfo.NICType == cns.ApipaNIC {`
`346`	`347`	`return &network{Endpoints: make(map[string]*endpoint)}, nil`
`347`	`348`	`}`
`348`	`349`