Adding support for upgrading eks hybrid nodes on EKS clusters (#8719)

pokearu · web-flow · commit d0798b31df98 · 2026-04-30T14:39:12.000-07:00
* adding support for upgrading eks hybrid nodes on EKS clusters

* adding logging for remotenodenetwork and remotepodnetwork both empty use case
diff --git a/pkg/actions/cluster/export_test.go b/pkg/actions/cluster/export_test.go
@@ -9,6 +9,8 @@ var (
 	DrainAllNodeGroups = drainAllNodeGroups
 )
 
+var UpdateRemoteNetworkConfig = (*OwnedCluster).updateRemoteNetworkConfig
+
 func (c *UnownedCluster) SetNewClientSet(newClientSet func() (kubernetes.Interface, error)) {
 	c.newClientSet = newClientSet
 }
diff --git a/pkg/actions/cluster/owned.go b/pkg/actions/cluster/owned.go
@@ -3,8 +3,12 @@ package cluster
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
 	"github.com/kris-nova/logger"
 
 	"github.com/weaveworks/eksctl/pkg/actions/addon"
@@ -63,6 +67,11 @@ func (c *OwnedCluster) Upgrade(ctx context.Context, dryRun bool) error {
 		return err
 	}
 
+	remoteNetworkUpdateRequired, err := c.updateRemoteNetworkConfig(ctx, dryRun)
+	if err != nil {
+		return err
+	}
+
 	stackUpdateRequired, err := c.stackManager.AppendNewClusterStackResource(ctx, false, dryRun)
 	if err != nil {
 		return err
@@ -72,10 +81,47 @@ func (c *OwnedCluster) Upgrade(ctx context.Context, dryRun bool) error {
 		logger.Critical("failed checking nodegroups", err.Error())
 	}
 
-	cmdutils.LogPlanModeWarning(dryRun && (stackUpdateRequired || versionUpdateRequired))
+	cmdutils.LogPlanModeWarning(dryRun && (stackUpdateRequired || versionUpdateRequired || remoteNetworkUpdateRequired))
 	return nil
 }
 
+func (c *OwnedCluster) updateRemoteNetworkConfig(ctx context.Context, dryRun bool) (bool, error) {
+	if c.cfg.RemoteNetworkConfig == nil {
+		return false, nil
+	}
+
+	rnc := c.cfg.RemoteNetworkConfig
+	req := &ekstypes.RemoteNetworkConfigRequest{}
+	if rnc.RemoteNodeNetworks != nil {
+		req.RemoteNodeNetworks = make([]ekstypes.RemoteNodeNetwork, len(rnc.RemoteNodeNetworks))
+		for i, rn := range rnc.RemoteNodeNetworks {
+			req.RemoteNodeNetworks[i] = ekstypes.RemoteNodeNetwork{Cidrs: rn.CIDRs}
+		}
+	}
+	if rnc.RemotePodNetworks != nil {
+		req.RemotePodNetworks = make([]ekstypes.RemotePodNetwork, len(rnc.RemotePodNetworks))
+		for i, rp := range rnc.RemotePodNetworks {
+			req.RemotePodNetworks[i] = ekstypes.RemotePodNetwork{Cidrs: rp.CIDRs}
+		}
+	}
+
+	cmdutils.LogIntendedAction(dryRun, "update remote network config for cluster %q", c.cfg.Metadata.Name)
+	if !dryRun {
+		if err := c.ctl.UpdateClusterConfig(ctx, &awseks.UpdateClusterConfigInput{
+			Name:                aws.String(c.cfg.Metadata.Name),
+			RemoteNetworkConfig: req,
+		}); err != nil {
+			if strings.Contains(err.Error(), "No changes detected") {
+				logger.Info("remote network config is already up-to-date on cluster %q", c.cfg.Metadata.Name)
+				return false, nil
+			}
+			return false, fmt.Errorf("updating remote network config: %w", err)
+		}
+		logger.Success("remote network config updated successfully for cluster %q", c.cfg.Metadata.Name)
+	}
+	return true, nil
+}
+
 func (c *OwnedCluster) Delete(ctx context.Context, _, podEvictionWaitPeriod time.Duration, wait, force, disableNodegroupEviction bool, parallel int) error {
 	clusterOperable, err := c.ctl.CanOperate(c.cfg)
 	if err != nil {
diff --git a/pkg/actions/cluster/remote_network_config_test.go b/pkg/actions/cluster/remote_network_config_test.go
@@ -0,0 +1,194 @@
+package cluster_test
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awseks "github.com/aws/aws-sdk-go-v2/service/eks"
+	ekstypes "github.com/aws/aws-sdk-go-v2/service/eks/types"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/stretchr/testify/mock"
+
+	"github.com/weaveworks/eksctl/pkg/actions/cluster"
+	"github.com/weaveworks/eksctl/pkg/actions/cluster/mocks"
+	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
+	"github.com/weaveworks/eksctl/pkg/cfn/manager/fakes"
+	"github.com/weaveworks/eksctl/pkg/eks"
+	"github.com/weaveworks/eksctl/pkg/testutils"
+	"github.com/weaveworks/eksctl/pkg/testutils/mockprovider"
+)
+
+var _ = Describe("UpdateRemoteNetworkConfig", func() {
+	var (
+		clusterName      string
+		p                *mockprovider.MockProvider
+		cfg              *api.ClusterConfig
+		fakeStackManager *fakes.FakeStackManager
+		ctl              *eks.ClusterProvider
+		ownedCluster     *cluster.OwnedCluster
+	)
+
+	BeforeEach(func() {
+		clusterName = "test-cluster"
+		p = mockprovider.NewMockProvider()
+		cfg = api.NewClusterConfig()
+		cfg.Metadata.Name = clusterName
+		fakeStackManager = new(fakes.FakeStackManager)
+		ctl = &eks.ClusterProvider{AWSProvider: p, Status: &eks.ProviderStatus{
+			ClusterInfo: &eks.ClusterInfo{
+				Cluster: testutils.NewFakeCluster(clusterName, ekstypes.ClusterStatusActive),
+			},
+		}}
+		ownedCluster = cluster.NewOwnedCluster(cfg, ctl, nil, fakeStackManager, &mocks.AutoModeDeleter{})
+	})
+
+	mockSuccessfulUpdate := func() {
+		p.MockEKS().On("UpdateClusterConfig", mock.Anything, mock.Anything).
+			Return(&awseks.UpdateClusterConfigOutput{
+				Update: &ekstypes.Update{
+					Id:     aws.String("update-123"),
+					Status: ekstypes.UpdateStatusSuccessful,
+				},
+			}, nil)
+		p.MockEKS().On("DescribeUpdate", mock.Anything, mock.Anything, mock.Anything).
+			Return(&awseks.DescribeUpdateOutput{
+				Update: &ekstypes.Update{
+					Id:     aws.String("update-123"),
+					Status: ekstypes.UpdateStatusSuccessful,
+				},
+			}, nil)
+	}
+
+	It("skips when remoteNetworkConfig is nil", func() {
+		cfg.RemoteNetworkConfig = nil
+		updated, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), false)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(updated).To(BeFalse())
+		p.MockEKS().AssertNotCalled(GinkgoT(), "UpdateClusterConfig", mock.Anything, mock.Anything)
+	})
+
+	It("calls UpdateClusterConfig with correct input for node and pod networks", func() {
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{
+				{CIDRs: []string{"10.80.0.0/16", "10.81.0.0/16"}},
+			},
+			RemotePodNetworks: []*api.RemoteNetwork{
+				{CIDRs: []string{"10.90.0.0/16"}},
+			},
+		}
+		mockSuccessfulUpdate()
+
+		updated, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), false)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(updated).To(BeTrue())
+
+		calls := p.MockEKS().Calls
+		var updateCall mock.Call
+		for _, call := range calls {
+			if call.Method == "UpdateClusterConfig" {
+				updateCall = call
+				break
+			}
+		}
+		input := updateCall.Arguments[1].(*awseks.UpdateClusterConfigInput)
+		Expect(*input.Name).To(Equal(clusterName))
+		Expect(input.RemoteNetworkConfig.RemoteNodeNetworks).To(HaveLen(1))
+		Expect(input.RemoteNetworkConfig.RemoteNodeNetworks[0].Cidrs).To(Equal([]string{"10.80.0.0/16", "10.81.0.0/16"}))
+		Expect(input.RemoteNetworkConfig.RemotePodNetworks).To(HaveLen(1))
+		Expect(input.RemoteNetworkConfig.RemotePodNetworks[0].Cidrs).To(Equal([]string{"10.90.0.0/16"}))
+	})
+
+	It("passes nil for omitted networks (no defaulting)", func() {
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{
+				{CIDRs: []string{"10.80.0.0/16"}},
+			},
+		}
+		mockSuccessfulUpdate()
+
+		updated, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), false)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(updated).To(BeTrue())
+
+		calls := p.MockEKS().Calls
+		var updateCall mock.Call
+		for _, call := range calls {
+			if call.Method == "UpdateClusterConfig" {
+				updateCall = call
+				break
+			}
+		}
+		input := updateCall.Arguments[1].(*awseks.UpdateClusterConfigInput)
+		Expect(input.RemoteNetworkConfig.RemoteNodeNetworks).To(HaveLen(1))
+		Expect(input.RemoteNetworkConfig.RemotePodNetworks).To(BeNil())
+	})
+
+	It("sends empty lists for remove-all case", func() {
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{},
+			RemotePodNetworks:  []*api.RemoteNetwork{},
+		}
+		mockSuccessfulUpdate()
+
+		updated, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), false)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(updated).To(BeTrue())
+
+		calls := p.MockEKS().Calls
+		var updateCall mock.Call
+		for _, call := range calls {
+			if call.Method == "UpdateClusterConfig" {
+				updateCall = call
+				break
+			}
+		}
+		input := updateCall.Arguments[1].(*awseks.UpdateClusterConfigInput)
+		Expect(input.RemoteNetworkConfig.RemoteNodeNetworks).To(BeEmpty())
+		Expect(input.RemoteNetworkConfig.RemoteNodeNetworks).NotTo(BeNil())
+		Expect(input.RemoteNetworkConfig.RemotePodNetworks).To(BeEmpty())
+		Expect(input.RemoteNetworkConfig.RemotePodNetworks).NotTo(BeNil())
+	})
+
+	It("treats 'No changes detected' as success", func() {
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{
+				{CIDRs: []string{"10.80.0.0/16"}},
+			},
+		}
+		p.MockEKS().On("UpdateClusterConfig", mock.Anything, mock.Anything).
+			Return(nil, fmt.Errorf("operation error EKS: UpdateClusterConfig, https response error StatusCode: 400, InvalidParameterException: No changes detected for remoteNetworkConfig"))
+
+		updated, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), false)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(updated).To(BeFalse())
+	})
+
+	It("propagates other API errors", func() {
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{
+				{CIDRs: []string{"10.80.0.0/16"}},
+			},
+		}
+		p.MockEKS().On("UpdateClusterConfig", mock.Anything, mock.Anything).
+			Return(nil, fmt.Errorf("operation error EKS: UpdateClusterConfig, https response error StatusCode: 400, InvalidParameterException: Only one remoteNodeNetwork is allowed"))
+
+		_, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), false)
+		Expect(err).To(MatchError(ContainSubstring("Only one remoteNodeNetwork is allowed")))
+	})
+
+	It("does not call API in dry-run mode", func() {
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{
+				{CIDRs: []string{"10.80.0.0/16"}},
+			},
+		}
+
+		updated, err := cluster.UpdateRemoteNetworkConfig(ownedCluster, context.Background(), true)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(updated).To(BeTrue())
+		p.MockEKS().AssertNotCalled(GinkgoT(), "UpdateClusterConfig", mock.Anything, mock.Anything)
+	})
+})
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation.go b/pkg/apis/eksctl.io/v1alpha5/validation.go
@@ -105,6 +105,12 @@ func (c *ClusterConfig) validateRemoteNetworkingConfig() error {
 	}
 
 	if len(rnc.RemoteNodeNetworks) == 0 {
+		// Both lists being explicitly empty is valid for upgrades (removes all remote networks).
+		// For creates, this is a no-op since HasRemoteNetworkingConfigured() gates the CFN builder.
+		if rnc.RemotePodNetworks != nil && len(rnc.RemotePodNetworks) == 0 {
+			logger.Warning("remoteNetworkConfig has empty remoteNodeNetworks and remotePodNetworks; this will remove all remote networks on upgrade, or be ignored on create")
+			return nil
+		}
 		return setNonEmpty("remoteNetworkConfig.remoteNodeNetworks")
 	}
 
diff --git a/pkg/apis/eksctl.io/v1alpha5/validation_test.go b/pkg/apis/eksctl.io/v1alpha5/validation_test.go
@@ -1035,6 +1035,14 @@ var _ = Describe("ClusterConfig validation", func() {
 			},
 			expectedErr: "remoteNetworkConfig.remoteNodeNetworks must be set and non-empty",
 		}),
+		Entry("remoteNodeNetworks is empty with nil remotePodNetworks", remoteNetworkConfigEntry{
+			overrideConfig: func(cc *api.ClusterConfig) {
+				cc.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+					RemoteNodeNetworks: []*api.RemoteNetwork{},
+				}
+			},
+			expectedErr: "remoteNetworkConfig.remoteNodeNetworks must be set and non-empty",
+		}),
 		Entry("both vpcGatewayID and pre-existing VPC are set", remoteNetworkConfigEntry{
 			overrideConfig: func(cc *api.ClusterConfig) {
 				cc.VPC.ID = "vpc-1234"
@@ -1066,6 +1074,18 @@ var _ = Describe("ClusterConfig validation", func() {
 		}),
 	)
 
+	It("should allow both remoteNodeNetworks and remotePodNetworks to be empty for updates", func() {
+		cfg := api.NewClusterConfig()
+		api.SetClusterConfigDefaults(cfg)
+		api.SetClusterEndpointAccessDefaults(cfg.VPC)
+		cfg.RemoteNetworkConfig = &api.RemoteNetworkConfig{
+			RemoteNodeNetworks: []*api.RemoteNetwork{},
+			RemotePodNetworks:  []*api.RemoteNetwork{},
+		}
+		err := api.ValidateClusterConfig(cfg)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
 	Describe("network config", func() {
 		var (
 			cfg *api.ClusterConfig
diff --git a/userdocs/src/usage/hybrid-nodes.md b/userdocs/src/usage/hybrid-nodes.md
@@ -4,7 +4,7 @@
 
 AWS EKS introduces Hybrid Nodes, a new feature that enables you to run on-premises and edge applications on customer-managed infrastructure with the same AWS EKS clusters, features, and tools you use in the AWS Cloud. AWS EKS Hybird Nodes brings an AWS-managed Kubernetes experience to on-premises environments for customers to simplify and standardize how you run applications across on-premises, edge and cloud environments. Read more at [EKS Hybrid Nodes][eks-hybrid-nodes].
 
-To facilitate support for this feature, eksctl introduces a new top-level field called `remoteNetworkConfig`. Any Hybrid Nodes related configuration shall be set up via this field, as part of the config file; there are no CLI flags counterparts. Additionally, at launch, any remote network config can only be set up during cluster creation and cannot be updated afterwards. This means, you won't be able to update existing clusters to use Hybrid Nodes. 
+To facilitate support for this feature, eksctl introduces a new top-level field called `remoteNetworkConfig`. Any Hybrid Nodes related configuration shall be set up via this field, as part of the config file; there are no CLI flags counterparts. You can enable or update Hybrid Nodes on existing clusters by adding `remoteNetworkConfig` to your config file and running `eksctl upgrade cluster`.
 
 The `remoteNetworkConfig` section of the config file allows you to setup the two core areas when it comes to joining remote nodes to you EKS clusters: **networking** and **credentials**.  
 
@@ -96,4 +96,4 @@ Container Networking Interface (CNI): The AWS VPC CNI can’t be used with hybri
 - [Launch Announcement][launch-announcement]
 
 [eks-hybrid-nodes]: https://docs.aws.amazon.com/eks/latest/userguide/hybrid-nodes-overview.html
-[launch-announcement]: https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-eks-hybrid-nodes
+[launch-announcement]: https://aws.amazon.com/about-aws/whats-new/2024/12/amazon-eks-hybrid-nodes

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ var (`
`9`	`9`	`DrainAllNodeGroups = drainAllNodeGroups`
`10`	`10`	`)`
`11`	`11`
	`12`	`+var UpdateRemoteNetworkConfig = (*OwnedCluster).updateRemoteNetworkConfig`
	`13`	`+`
`12`	`14`	`func (c *UnownedCluster) SetNewClientSet(newClientSet func() (kubernetes.Interface, error)) {`
`13`	`15`	`c.newClientSet = newClientSet`
`14`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,12 @@ func (c *ClusterConfig) validateRemoteNetworkingConfig() error {`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`if len(rnc.RemoteNodeNetworks) == 0 {`
	`108`	`+ // Both lists being explicitly empty is valid for upgrades (removes all remote networks).`
	`109`	`+ // For creates, this is a no-op since HasRemoteNetworkingConfigured() gates the CFN builder.`
	`110`	`+ if rnc.RemotePodNetworks != nil && len(rnc.RemotePodNetworks) == 0 {`
	`111`	`+ logger.Warning("remoteNetworkConfig has empty remoteNodeNetworks and remotePodNetworks; this will remove all remote networks on upgrade, or be ignored on create")`
	`112`	`+ return nil`
	`113`	`+ }`
`108`	`114`	`return setNonEmpty("remoteNetworkConfig.remoteNodeNetworks")`
`109`	`115`	`}`
`110`	`116`