Allowlist controller: add node reconciler to sync allowlist on node creation

When a node joins the cluster, create a Job on that specific node to sync
the CNI sysctl allowlist configuration.

Implementation:
- Watch node creation events
- Skip any action if ConfigMap unchanged from the default (multus daemon
  installs default)
- Create Job with nodeSelector targeting specific node
- If job AlreadyExists, follow up the result
- Delete successful Jobs, preserve failed Jobs for debugging

Why not the daemonset approach:
 1. Jobs run only on the new node (1 pod) while DaemonSet runs on all
    nodes (100+ pods), so 10 new nodes create 10 Jobs vs 1000 pods.
 2. Each Job succeeds or fails independently with logs kept for 24
    hours, while DaemonSet waits for all pods to be ready so one stuck
    pod blocks the entire update.
 3. Multiple Jobs run in parallel without conflicts, while DaemonSet
    needs complex logic to handle multiple node events with delays and
    state checking.
 4. ConfigMap changes use DaemonSet (update all nodes), node additions
    use Jobs (update one node), each approach fits its purpose.

Known issues:
1. On restart both those jobs and the daemonset will at the same time.
2. On restart (or if new node is master node) job will fail after 10
   minutes because we do not tolerate by design

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Konstantinos Karampogias <karampok@gmail.com>

Author: karampok

go.mod

@@ -42,13 +42,13 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/logr v1.4.3
 	github.com/go-openapi/jsonpointer v0.22.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.2 // indirect
 	github.com/go-openapi/swag v0.25.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
@@ -98,7 +98,7 @@ require (
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
+	sigs.k8s.io/yaml v1.6.0
 )
 
 require (

pkg/controller/add_networkconfig.go

@@ -27,6 +27,7 @@ func init() {
 		ingressconfig.Add,
 		infrastructureconfig.Add,
 		allowlist.Add,
+		allowlist.AddNodeReconciler,
 		dashboards.Add,
 	)
 }

pkg/controller/allowlist/nodeReconciler.go

@@ -0,0 +1,246 @@
+package allowlist
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	cnoclient "github.com/openshift/cluster-network-operator/pkg/client"
+	"github.com/openshift/cluster-network-operator/pkg/controller/statusmanager"
+	"github.com/openshift/cluster-network-operator/pkg/names"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/resource"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
+
+	crclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+const (
+	// allowlistJobTTL is the time to keep finished Jobs before automatic cleanup (24 hours)
+	allowlistJobTTL = 86400
+	// allowlistJobActiveDeadline is the maximum time a Job can run before termination (10 minutes)
+	allowlistJobActiveDeadline = 600
+	// reconcilerID is the identifier prefix for log messages
+	reconcilerID = "Allowlist node reconciler:"
+)
+
+var _ reconcile.Reconciler = &ReconcileNode{}
+
+type ReconcileNode struct {
+	client cnoclient.Client
+	status *statusmanager.StatusManager
+}
+
+// AddNodeReconciler creates a new node reconciler and adds it to the manager.
+// The node reconciler watches for node creation events and syncs the allowlist
+// to all nodes when a new node joins the cluster.
+func AddNodeReconciler(mgr manager.Manager, status *statusmanager.StatusManager, client cnoclient.Client, _ featuregates.FeatureGate) error {
+	r := &ReconcileNode{client: client, status: status}
+	c, err := controller.New("allowlist-node-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch when nodes are created.
+	// When a new node joins the cluster, reconcile to deploy the allowlist file to the new node.
+	return c.Watch(
+		source.Kind[crclient.Object](
+			mgr.GetCache(),
+			&corev1.Node{},
+			&handler.EnqueueRequestForObject{},
+			nodePredicate(),
+		),
+	)
+}
+
+func (r *ReconcileNode) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) {
+	defer utilruntime.HandleCrash(r.status.SetDegradedOnPanicAndCrash)
+
+	defaultCM := &corev1.ConfigMap{}
+	if err := r.client.Default().CRClient().Get(ctx,
+		types.NamespacedName{Name: names.DefaultAllowlistConfigName, Namespace: names.MultusNamespace},
+		defaultCM); err != nil {
+		klog.Infof("%s no default ConfigMap %v found", reconcilerID, err)
+		return reconcile.Result{}, err
+	}
+
+	allowlistCM := &corev1.ConfigMap{}
+	if err := r.client.Default().CRClient().Get(ctx,
+		types.NamespacedName{Name: names.AllowlistConfigName, Namespace: names.MultusNamespace},
+		allowlistCM); err != nil {
+		return reconcile.Result{}, crclient.IgnoreNotFound(err)
+	}
+
+	// Skip job creation if allowlist matches default configuration.
+	// The multus daemon already installs the default configmap on new nodes,
+	// so we only need to run a job when the allowlist has been customized.
+	if equality.Semantic.DeepEqual(allowlistCM.Data, defaultCM.Data) {
+		klog.Infof("%s ConfigMaps are identical, skipping job creation for node %s", reconcilerID, request.Name)
+		return reconcile.Result{}, nil
+	}
+
+	nodeName := request.Name
+
+	// Job name includes ConfigMap ResourceVersion to ensure old jobs with stale
+	// configs aren't reused when the allowlist is updated.
+	job := newAllowlistJobFor(nodeName, allowlistCM.ResourceVersion)
+	createErr := r.client.Default().CRClient().Create(ctx, job)
+
+	// Handle creation errors (excluding AlreadyExists)
+	if createErr != nil && !apierrors.IsAlreadyExists(createErr) {
+		klog.Infof("%s failed to create job %s: %v", reconcilerID, job.Name, createErr)
+		return reconcile.Result{}, createErr
+	}
+
+	// Job created successfully - requeue to check status later
+	if createErr == nil {
+		klog.Infof("%s job %s created", reconcilerID, job.Name)
+		return reconcile.Result{RequeueAfter: 30 * time.Second}, nil
+	}
+
+	// Job already exists - fetch it to check status immediately
+	if err := r.client.Default().CRClient().Get(ctx,
+		types.NamespacedName{Name: job.Name, Namespace: names.MultusNamespace}, job); err != nil {
+		klog.Infof("%s failed to get existing job %s: %v", reconcilerID, job.Name, err)
+		return reconcile.Result{}, err
+	}
+
+	// Check job status
+	for _, cond := range job.Status.Conditions {
+		if cond.Type == batchv1.JobComplete && cond.Status == corev1.ConditionTrue {
+			klog.Infof("%s job %s completed successfully, cleaning up", reconcilerID, job.Name)
+			err := r.client.Default().CRClient().Delete(ctx, job,
+				crclient.PropagationPolicy(metav1.DeletePropagationBackground))
+			return reconcile.Result{}, crclient.IgnoreNotFound(err)
+		}
+		if (cond.Type == batchv1.JobFailureTarget || cond.Type == batchv1.JobFailed) &&
+			cond.Status == corev1.ConditionTrue {
+			klog.Infof("%s job %s failed: %s (preserved for debugging, TTL cleanup in 24h)",
+				reconcilerID, job.Name, cond.Reason)
+			return reconcile.Result{}, nil
+		}
+	}
+
+	klog.Infof("%s job %s is in progress", reconcilerID, job.Name)
+
+	return reconcile.Result{RequeueAfter: 30 * time.Second}, nil
+}
+
+// nodePredicate returns a predicate that filters Node events.
+// Only node creations trigger reconciliation to distribute config to new nodes.
+func nodePredicate() predicate.Predicate {
+	return predicate.Funcs{
+		CreateFunc: func(_ event.CreateEvent) bool {
+			return true
+		},
+		UpdateFunc: func(_ event.UpdateEvent) bool {
+			return false
+		},
+		DeleteFunc: func(_ event.DeleteEvent) bool {
+			return false
+		},
+	}
+}
+
+func newAllowlistJobFor(nodeName string, configMapVersion string) *batchv1.Job {
+	jobName := fmt.Sprintf("cni-sysctl-allowlist-%.32s-%.8s", nodeName, configMapVersion)
+	return &batchv1.Job{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      jobName,
+			Namespace: names.MultusNamespace,
+			Labels: map[string]string{
+				"app":  "cni-sysctl-allowlist-job",
+				"node": nodeName,
+			},
+		},
+		Spec: batchv1.JobSpec{
+			BackoffLimit:            ptr.To(int32(3)),
+			TTLSecondsAfterFinished: ptr.To(int32(allowlistJobTTL)),
+			ActiveDeadlineSeconds:   ptr.To(int64(allowlistJobActiveDeadline)),
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app":  "cni-sysctl-allowlist-job",
+						"node": nodeName,
+					},
+					Annotations: map[string]string{
+						"target.workload.openshift.io/management": `{"effect": "PreferredDuringScheduling"}`,
+					},
+				},
+				Spec: corev1.PodSpec{
+					RestartPolicy:     corev1.RestartPolicyNever,
+					PriorityClassName: "openshift-user-critical",
+					NodeSelector: map[string]string{
+						"kubernetes.io/hostname": nodeName,
+					},
+					Containers: []corev1.Container{
+						{
+							Name:    "kube-multus-additional-cni-plugins",
+							Image:   os.Getenv("MULTUS_IMAGE"),
+							Command: []string{"/bin/bash", "-c", "cp /entrypoint/allowlist.conf /host/etc/cni/tuning/"},
+							Resources: corev1.ResourceRequirements{
+								Requests: corev1.ResourceList{
+									corev1.ResourceCPU:    resource.MustParse("10m"),
+									corev1.ResourceMemory: resource.MustParse("10Mi"),
+								},
+							},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+							TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      "cni-sysctl-allowlist",
+									MountPath: "/entrypoint",
+								},
+								{
+									Name:      "tuning-conf-dir",
+									MountPath: "/host/etc/cni/tuning/",
+									ReadOnly:  false,
+								},
+							},
+						},
+					},
+					Volumes: []corev1.Volume{
+						{
+							Name: "cni-sysctl-allowlist",
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: names.AllowlistConfigName,
+									},
+									DefaultMode: ptr.To(int32(0644)),
+								},
+							},
+						},
+						{
+							Name: "tuning-conf-dir",
+							VolumeSource: corev1.VolumeSource{
+								HostPath: &corev1.HostPathVolumeSource{
+									Path: "/etc/cni/tuning/",
+									Type: ptr.To(corev1.HostPathDirectoryOrCreate),
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}