Filter CNI subnets when creating EKS NodeGroup

Author: mnitchev

api/v1beta2/network_types.go

@@ -510,6 +510,17 @@ func (s Subnets) FilterPrivate() (res Subnets) {
 	return
 }
 
+// FilterNonCni returns the subnets that are NOT intended for usage with the CNI pod network
+// (i.e. do NOT have the `sigs.k8s.io/cluster-api-provider-aws/association=secondary` tag).
+func (s Subnets) FilterNonCni() (res Subnets) {
+	for _, x := range s {
+		if x.Tags[NameAWSSubnetAssociation] != SecondarySubnetTagValue {
+			res = append(res, x)
+		}
+	}
+	return
+}
+
 // FilterPublic returns a slice containing all subnets marked as public.
 func (s Subnets) FilterPublic() (res Subnets) {
 	for _, x := range s {

pkg/cloud/scope/shared.go

@@ -122,6 +122,7 @@ func (p *defaultSubnetPlacementStrategy) getSubnetsForAZs(azs []string, controlP
 				subnets = subnets.FilterPublic()
 			case expinfrav1.AZSubnetTypePrivate:
 				subnets = subnets.FilterPrivate()
+				subnets = subnets.FilterNonCni()
 			}
 		}
 		if len(subnets) == 0 {

pkg/cloud/scope/shared_test.go

@@ -182,6 +182,14 @@ func TestSubnetPlacement(t *testing.T) {
 					AvailabilityZone: "eu-west-1c",
 					IsPublic:         false,
 				},
+				infrav1.SubnetSpec{
+					ID:               "subnet-az6",
+					AvailabilityZone: "eu-west-1c",
+					IsPublic:         false,
+					Tags: infrav1.Tags{
+						infrav1.NameAWSSubnetAssociation: infrav1.SecondarySubnetTagValue,
+					},
+				},
 			},
 			logger:            logger.NewLogger(klog.Background()),
 			expectedSubnetIDs: []string{"subnet-az3"},