fix: auto-fetch cloud public CIDRs without cloud sync permissions (#660)

Author: RomanMelnyk113

cmd/controller/app/app.go

@@ -137,7 +137,7 @@ func (a *App) Run(ctx context.Context) error {
 		k8sVersion,
 		clientset,
 		cfg.CloudProviderConfig.CloudProvider.Type,
-		cfg.CloudProviderConfig.VPCStateController.UseZoneID,
+		cfg.CloudProviderConfig.NetworkStateController.UseZoneID,
 	)
 
 	kubeClient.RegisterHandlers(informersFactory)
@@ -146,23 +146,35 @@ func (a *App) Run(ctx context.Context) error {
 		return kubeClient.Run(ctx)
 	})
 
-	vpcCfg := cfg.CloudProviderConfig.VPCStateController
+	vpcCfg := cfg.CloudProviderConfig.NetworkStateController
 
 	// Create and populate VPC index upfront (no cloud provider required for this)
-	var vpcIndex *kube.VPCIndex
-	if vpcCfg.Enabled || vpcCfg.StaticCIDRsFile != "" {
-		vpcIndex = kube.NewVPCIndex(
+	var networkIndex *kube.NetworkIndex
+	cloudProviderType := cfg.CloudProviderConfig.CloudProvider.Type
+	if vpcCfg.Enabled || vpcCfg.StaticCIDRsFile != "" || cloudProviderType != "" {
+		networkIndex = kube.NewNetworkIndex(
 			log,
-			kube.VPCConfig{
-				RefreshInterval: vpcCfg.RefreshInterval,
-				CacheSize:       vpcCfg.CacheSize,
-				UseAwsZoneId:    vpcCfg.UseZoneID,
+			kube.NetworkConfig{
+				NetworkRefreshInterval:     vpcCfg.NetworkRefreshInterval,
+				PublicCIDRsRefreshInterval: vpcCfg.PublicCIDRsRefreshInterval,
+				CacheSize:                  vpcCfg.CacheSize,
+				UseAwsZoneId:               vpcCfg.UseZoneID,
 			},
 		)
-		if err := controllers.LoadStaticCIDRsFromFile(log, vpcCfg.StaticCIDRsFile, vpcIndex); err != nil {
+		if err := controllers.LoadStaticCIDRsFromFile(log, vpcCfg.StaticCIDRsFile, networkIndex); err != nil {
 			log.Warnf("failed to load static CIDRs: %v", err)
 		}
-		kubeClient.SetVPCIndex(vpcIndex)
+		kubeClient.SetVPCIndex(networkIndex)
+
+		// Launch cloud public CIDR controller (fetches from public endpoints, no auth needed).
+		if cloudProviderType != "" {
+			errg.Go(func() error {
+				return controllers.NewCloudPublicCIDRController(log, controllers.CloudPublicCIDRControllerConfig{
+					CloudProviderType: cloudProviderType,
+					RefreshInterval:   vpcCfg.PublicCIDRsRefreshInterval,
+				}, networkIndex).Run(ctx)
+			})
+		}
 	}
 
 	// Initialize cloud provider for cloud-sync features
@@ -171,9 +183,9 @@ func (a *App) Run(ctx context.Context) error {
 		if err == nil {
 			log.Infof("cloud provider %s initialized successfully", provider.Type())
 
-			if vpcCfg.Enabled && vpcIndex != nil {
+			if vpcCfg.Enabled && networkIndex != nil {
 				errg.Go(func() error {
-					return controllers.NewVPCStateController(log, vpcCfg, provider, vpcIndex).Run(ctx)
+					return controllers.NewVPCStateController(log, vpcCfg, provider, networkIndex).Run(ctx)
 				})
 			}
 

cmd/controller/config/config.go

@@ -56,11 +56,11 @@ type AgentConfig struct {
 }
 
 type CloudProviderConfig struct {
-	CloudProvider         cloudtypes.ProviderConfig               `json:"cloudProvider"`
-	VPCStateController    controllers.VPCStateControllerConfig    `json:"vpcStateController"`
-	VolumeStateController controllers.VolumeStateControllerConfig `json:"volumeStateController"`
+	CloudProvider          cloudtypes.ProviderConfig                `json:"cloudProvider"`
+	NetworkStateController controllers.NetworkStateControllerConfig `json:"vpcStateController"`
+	VolumeStateController  controllers.VolumeStateControllerConfig  `json:"volumeStateController"`
 }
 
 func (c CloudProviderConfig) IsAnyControllerEnabled() bool {
-	return c.VPCStateController.Enabled || c.VolumeStateController.Enabled
+	return c.NetworkStateController.Enabled || c.VolumeStateController.Enabled
 }

cmd/controller/controllers/cloud_public_cidr_controller.go

@@ -0,0 +1,98 @@
+package controllers
+
+import (
+	"context"
+	"time"
+
+	"github.com/castai/kvisor/cmd/controller/kube"
+	"github.com/castai/kvisor/pkg/cloudprovider/serviceranges"
+	cloudtypes "github.com/castai/kvisor/pkg/cloudprovider/types"
+	"github.com/castai/logging"
+)
+
+type CloudPublicCIDRControllerConfig struct {
+	CloudProviderType cloudtypes.Type
+	RefreshInterval   time.Duration
+}
+
+func NewCloudPublicCIDRController(
+	log *logging.Logger,
+	cfg CloudPublicCIDRControllerConfig,
+	vpcIndex *kube.NetworkIndex,
+) *CloudPublicCIDRController {
+	if cfg.RefreshInterval == 0 {
+		cfg.RefreshInterval = 24 * time.Hour
+	}
+	return &CloudPublicCIDRController{
+		log:      log.WithField("component", "cloud_public_cidr_controller"),
+		cfg:      cfg,
+		vpcIndex: vpcIndex,
+	}
+}
+
+type CloudPublicCIDRController struct {
+	log      *logging.Logger
+	cfg      CloudPublicCIDRControllerConfig
+	vpcIndex *kube.NetworkIndex
+}
+
+func (c *CloudPublicCIDRController) Run(ctx context.Context) error {
+	c.log.Infof("running cloud public CIDR fetch for provider: %s", c.cfg.CloudProviderType)
+	defer c.log.Info("stopping cloud public CIDR fetch")
+
+	c.fetchWithRetries(ctx)
+
+	ticker := time.NewTicker(c.cfg.RefreshInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+			c.fetchOnce(ctx)
+		}
+	}
+}
+
+func (c *CloudPublicCIDRController) fetchWithRetries(ctx context.Context) {
+	backoff := 2 * time.Second
+	maxRetries := 5
+
+	for i := 0; i < maxRetries; i++ {
+		if c.fetchOnce(ctx) {
+			return
+		}
+
+		if i < maxRetries-1 {
+			c.log.Warnf("cloud public CIDR fetch attempt %d/%d failed, retrying in %v", i+1, maxRetries, backoff)
+			select {
+			case <-ctx.Done():
+				return
+			case <-time.After(backoff):
+				backoff *= 2
+				if backoff > 30*time.Second {
+					backoff = 30 * time.Second
+				}
+			}
+		}
+	}
+
+	c.log.Errorf("failed to fetch cloud public CIDRs after %d attempts", maxRetries)
+}
+
+func (c *CloudPublicCIDRController) fetchOnce(ctx context.Context) bool {
+	ranges, domain, err := serviceranges.FetchServiceIPRanges(ctx, c.log, c.cfg.CloudProviderType)
+	if err != nil {
+		c.log.Errorf("fetching cloud public service IP ranges: %v", err)
+		return false
+	}
+
+	if err := c.vpcIndex.UpdateCloudPublicCIDRs(domain, ranges); err != nil {
+		c.log.Errorf("updating cloud public CIDRs in VPC index: %v", err)
+		return false
+	}
+
+	c.log.Infof("cloud public CIDRs updated successfully (%d region groups)", len(ranges))
+	return true
+}

cmd/controller/controllers/vpc_state_controller.go

@@ -13,13 +13,14 @@ import (
 	"github.com/castai/logging"
 )
 
-type VPCStateControllerConfig struct {
-	Enabled         bool          `json:"enabled"`
-	UseZoneID       bool          `json:"useZoneID"`
-	NetworkName     string        `json:"networkName"`
-	RefreshInterval time.Duration `json:"refreshInterval"`
-	CacheSize       uint32        `json:"cacheSize"`
-	StaticCIDRsFile string        `json:"staticCIDRsFile"` // Path to YAML file
+type NetworkStateControllerConfig struct {
+	Enabled                    bool          `json:"enabled"`
+	UseZoneID                  bool          `json:"useZoneID"`
+	NetworkName                string        `json:"networkName"`
+	NetworkRefreshInterval     time.Duration `json:"networkRefreshInterval"`
+	PublicCIDRsRefreshInterval time.Duration `json:"publicCIDRsRefreshInterval"`
+	CacheSize                  uint32        `json:"cacheSize"`
+	StaticCIDRsFile            string        `json:"staticCIDRsFile"` // Path to YAML file
 }
 
 // StaticCIDRMapping represents a manual CIDR to zone/region/service mapping.
@@ -38,9 +39,9 @@ type cloudProvider interface {
 	RefreshNetworkState(ctx context.Context, network string) error
 }
 
-func NewVPCStateController(log *logging.Logger, cfg VPCStateControllerConfig, cloudProvider cloudProvider, vpcIndex *kube.VPCIndex) *VPCStateController {
-	if cfg.RefreshInterval == 0 {
-		cfg.RefreshInterval = 1 * time.Hour
+func NewVPCStateController(log *logging.Logger, cfg NetworkStateControllerConfig, cloudProvider cloudProvider, vpcIndex *kube.NetworkIndex) *VPCStateController {
+	if cfg.NetworkRefreshInterval == 0 {
+		cfg.NetworkRefreshInterval = 1 * time.Hour
 	}
 	return &VPCStateController{
 		log:           log.WithField("component", "vpc_state_controller"),
@@ -52,9 +53,9 @@ func NewVPCStateController(log *logging.Logger, cfg VPCStateControllerConfig, cl
 
 type VPCStateController struct {
 	log           *logging.Logger
-	cfg           VPCStateControllerConfig
+	cfg           NetworkStateControllerConfig
 	cloudProvider cloudProvider
-	vpcIndex      *kube.VPCIndex
+	vpcIndex      *kube.NetworkIndex
 }
 
 func (c *VPCStateController) Run(ctx context.Context) error {
@@ -63,34 +64,29 @@ func (c *VPCStateController) Run(ctx context.Context) error {
 
 	if err := c.fetchInitialNetworkState(ctx, c.vpcIndex); err != nil {
 		c.log.Errorf("failed to fetch initial VPC state: %v", err)
-		return nil
+		return err
 	}
 
 	return c.runRefreshLoop(ctx, c.vpcIndex)
 }
 
-func (c *VPCStateController) fetchInitialNetworkState(ctx context.Context, vpcIndex *kube.VPCIndex) error {
+func (c *VPCStateController) fetchInitialNetworkState(ctx context.Context, vpcIndex *kube.NetworkIndex) error {
 	backoff := 2 * time.Second
 	maxRetries := 5
 
 	for i := 0; i < maxRetries; i++ {
-		err := c.cloudProvider.RefreshNetworkState(ctx, c.cfg.NetworkName)
-		if err != nil {
-			c.log.Errorf("VPC state refresh failed: %v", err)
-			continue
-		}
-		state, err := c.cloudProvider.GetNetworkState(ctx)
-		if err == nil {
-			if err := vpcIndex.Update(state); err != nil {
-				c.log.Errorf("failed to update VPC index: %v", err)
-			} else {
-				c.log.Info("initial VPC state loaded successfully")
-				return nil
-			}
+		if err := c.cloudProvider.RefreshNetworkState(ctx, c.cfg.NetworkName); err != nil {
+			c.log.Warnf("VPC state refresh failed (attempt %d/%d): %v", i+1, maxRetries, err)
+		} else if state, err := c.cloudProvider.GetNetworkState(ctx); err != nil {
+			c.log.Warnf("VPC state fetch failed (attempt %d/%d): %v", i+1, maxRetries, err)
+		} else if err := vpcIndex.Update(state); err != nil {
+			c.log.Errorf("failed to update VPC index: %v", err)
+		} else {
+			c.log.Info("initial VPC state loaded successfully")
+			return nil
 		}
 
 		if i < maxRetries-1 {
-			c.log.Warnf("VPC state fetch attempt %d/%d failed: %v, retrying in %v", i+1, maxRetries, err, backoff)
 			select {
 			case <-ctx.Done():
 				return ctx.Err()
@@ -103,15 +99,14 @@ func (c *VPCStateController) fetchInitialNetworkState(ctx context.Context, vpcIn
 		}
 	}
 
-	c.log.Errorf("failed to fetch initial VPC state after %d attempts", maxRetries)
-	return nil
+	return fmt.Errorf("failed to fetch initial VPC state after %d attempts", maxRetries)
 }
 
-func (c *VPCStateController) runRefreshLoop(ctx context.Context, vpcIndex *kube.VPCIndex) error {
-	ticker := time.NewTicker(c.cfg.RefreshInterval)
+func (c *VPCStateController) runRefreshLoop(ctx context.Context, vpcIndex *kube.NetworkIndex) error {
+	ticker := time.NewTicker(c.cfg.NetworkRefreshInterval)
 	defer ticker.Stop()
 
-	c.log.Infof("starting VPC state refresh (interval: %v)", c.cfg.RefreshInterval)
+	c.log.Infof("starting VPC state refresh (interval: %v)", c.cfg.NetworkRefreshInterval)
 
 	for {
 		select {
@@ -135,13 +130,13 @@ func (c *VPCStateController) runRefreshLoop(ctx context.Context, vpcIndex *kube.
 				continue
 			}
 
-			c.log.Debug("VPC state refreshed successfully")
+			c.log.Infof("VPC state refreshed successfully")
 		}
 	}
 }
 
 // LoadStaticCIDRsFromFile loads static CIDRs from a YAML file.
-func LoadStaticCIDRsFromFile(log *logging.Logger, path string, vpcIndex *kube.VPCIndex) error {
+func LoadStaticCIDRsFromFile(log *logging.Logger, path string, vpcIndex *kube.NetworkIndex) error {
 	if path == "" {
 		return nil
 	}
@@ -164,7 +159,7 @@ func LoadStaticCIDRsFromFile(log *logging.Logger, path string, vpcIndex *kube.VP
 	return vpcIndex.AddStaticCIDRs(entries)
 }
 
-// convertStaticMappingsToEntries converts config mappings to VPCIndex entries.
+// convertStaticMappingsToEntries converts config mappings to NetworkIndex entries.
 func convertStaticMappingsToEntries(mappings []StaticCIDRMapping) []kube.StaticCIDREntry {
 	entries := make([]kube.StaticCIDREntry, len(mappings))
 	for i, m := range mappings {

cmd/controller/controllers/vpc_state_controller_test.go

@@ -22,12 +22,12 @@ func TestVPCStateController(t *testing.T) {
 
 		provider := noop.NewProvider()
 
-		cfg := VPCStateControllerConfig{
-			NetworkName:     "test-network",
-			RefreshInterval: 1 * time.Hour,
+		cfg := NetworkStateControllerConfig{
+			NetworkName:            "test-network",
+			NetworkRefreshInterval: 1 * time.Hour,
 		}
 
-		vpcIndex := kube.NewVPCIndex(log, kube.VPCConfig{RefreshInterval: time.Hour, CacheSize: 1000})
+		vpcIndex := kube.NewNetworkIndex(log, kube.NetworkConfig{NetworkRefreshInterval: time.Hour, CacheSize: 1000})
 		ctrl := NewVPCStateController(log, cfg, provider, vpcIndex)
 
 		err := ctrl.Run(ctx)
@@ -42,14 +42,14 @@ func TestVPCStateController(t *testing.T) {
 
 		provider := noop.NewProvider()
 
-		cfg := VPCStateControllerConfig{
-			NetworkName:     "test-network",
-			RefreshInterval: 0,
+		cfg := NetworkStateControllerConfig{
+			NetworkName:            "test-network",
+			NetworkRefreshInterval: 0,
 		}
 
-		vpcIndex := kube.NewVPCIndex(log, kube.VPCConfig{RefreshInterval: time.Hour, CacheSize: 1000})
+		vpcIndex := kube.NewNetworkIndex(log, kube.NetworkConfig{NetworkRefreshInterval: time.Hour, CacheSize: 1000})
 		ctrl := NewVPCStateController(log, cfg, provider, vpcIndex)
-		r.Equal(1*time.Hour, ctrl.cfg.RefreshInterval)
+		r.Equal(1*time.Hour, ctrl.cfg.NetworkRefreshInterval)
 	})
 
 	t.Run("uses configured refresh interval", func(t *testing.T) {
@@ -58,13 +58,13 @@ func TestVPCStateController(t *testing.T) {
 		provider := noop.NewProvider()
 
 		customInterval := 30 * time.Minute
-		cfg := VPCStateControllerConfig{
-			NetworkName:     "test-network",
-			RefreshInterval: customInterval,
+		cfg := NetworkStateControllerConfig{
+			NetworkName:            "test-network",
+			NetworkRefreshInterval: customInterval,
 		}
 
-		vpcIndex := kube.NewVPCIndex(log, kube.VPCConfig{RefreshInterval: time.Hour, CacheSize: 1000})
+		vpcIndex := kube.NewNetworkIndex(log, kube.NetworkConfig{NetworkRefreshInterval: time.Hour, CacheSize: 1000})
 		ctrl := NewVPCStateController(log, cfg, provider, vpcIndex)
-		r.Equal(customInterval, ctrl.cfg.RefreshInterval)
+		r.Equal(customInterval, ctrl.cfg.NetworkRefreshInterval)
 	})
 }

cmd/controller/kube/client.go

@@ -67,7 +67,7 @@ type Client struct {
 	kvisorControllerPodSpec *corev1.PodSpec
 
 	index       *Index
-	vpcIndex    *VPCIndex
+	vpcIndex    *NetworkIndex
 	volumeIndex *VolumeIndex
 
 	clusterInfo *ClusterInfo
@@ -106,12 +106,12 @@ func NewClient(
 }
 
 // SetVPCIndex sets the VPC index for enriching external IPs with VPC metadata.
-func (c *Client) SetVPCIndex(vpcIndex *VPCIndex) {
+func (c *Client) SetVPCIndex(vpcIndex *NetworkIndex) {
 	c.vpcIndex = vpcIndex
 }
 
 // GetVPCIndex returns the VPC index if available.
-func (c *Client) GetVPCIndex() *VPCIndex {
+func (c *Client) GetVPCIndex() *NetworkIndex {
 	return c.vpcIndex
 }