
feat: Preflight checks for validating pod and service CIDRs#1493

Open
legacyrj wants to merge 3 commits intomainfrom
raj/preflight_CIDR

Conversation

@legacyrj

@legacyrj legacyrj commented Feb 25, 2026

What problem does this PR solve?:

Adding Preflight checks for Pod and Service CIDR.
Cases:
Pod CIDR vs Service CIDR
Pod CIDR vs Subnet CIDR
Service CIDR vs Subnet CIDR

Which issue(s) this PR fixes:
Fixes #
https://jira.nutanix.com/browse/NCN-112546

How Has This Been Tested?:

Manually Verified:

  • When Pod CIDR is configured with mask of /24:
+ kubectl --kubeconfig=/Users/raj.surve/.raj_k9s/dev_crn.kubeconfig apply -f cluster-raj-multi-subnet.yaml
The request is invalid: $.spec.clusterNetwork.pods.cidrBlocks: Pod CIDR "192.168.0.0/24" has prefix /24, which is too small for multi-node clusters. With a /24 node mask, this supports at most 1 node(s). Use a larger Pod CIDR (for example /16).
  • Pod CIDR overlaps with Nutanix subnet CIDR:
+ kubectl --kubeconfig=/Users/raj.surve/.raj_k9s/dev_crn.kubeconfig apply -f cluster-raj-multi-subnet.yaml
The request is invalid: $.spec.clusterNetwork.pods.cidrBlocks: Pod CIDR "172.16.0.0/16" overlaps with node subnet CIDR "172.16.0.0/24". Use non-overlapping ranges and retry.
  • Pod CIDR overlaps with Service CIDR:
+ kubectl --kubeconfig=/Users/raj.surve/.raj_k9s/dev_crn.kubeconfig apply -f cluster-raj-multi-subnet.yaml
The request is invalid: $.spec.clusterNetwork.pods.cidrBlocks: Pod CIDR "192.168.0.0/16" overlaps with Service CIDR "192.160.0.0/12". Use non-overlapping Pod and Service CIDR ranges and retry.
  • Service CIDR overlaps with secondary Nutanix Subnets:
+ kubectl --kubeconfig=/Users/raj.surve/.raj_k9s/dev_crn.kubeconfig apply -f cluster-raj-multi-subnet.yaml
The request is invalid: $.spec.clusterNetwork.services.cidrBlocks: Service CIDR "20.16.0.0/12" overlaps with node subnet CIDR "20.20.20.0/24". Use non-overlapping ranges and retry.
  • When Invalid Subnet was passed:
+ kubectl --kubeconfig=/Users/raj.surve/.raj_k9s/dev_crn.kubeconfig apply -f cluster-raj-multi-subnet.yaml
Error from server (InternalError): error when creating "cluster-raj-multi-subnet.yaml": admission webhook "preflight.cluster.caren.nutanix.com" denied the request: preflight checks failed due to an internal error

Special notes for your reviewer:

Most of the code was generated with Cursor AI; I would appreciate any input on organizing it.

Add NutanixCIDRValidation preflight check to validate Pod and Service
CIDR sizes before cluster deployment:

- Block Pod CIDRs /24 or smaller (supports only 1 node with /24 node mask)
- Warn on Pod CIDRs /21-/23 with max-node capacity calculation
- Block Service CIDRs /24 or smaller (insufficient service IP capacity)
- Warn on Service CIDRs /21-/23 (tight capacity)

This prevents cluster deployment failures caused by IP exhaustion
during node scaling or upgrades.
Extend CIDR validation preflight check to detect and block overlapping
Pod and Service CIDR ranges.

Overlapping Pod and Service CIDRs cause routing conflicts in the
Kubernetes cluster network, leading to service connectivity failures.
@legacyrj legacyrj changed the title from "feat: Preflight Checks Validate pod and service CIDRs" to "feat: Preflight checks for validating pod and service CIDRs" Feb 25, 2026
@legacyrj legacyrj requested a review from dlipovetsky February 25, 2026 00:04
@github-actions github-actions bot added feature and removed feature labels Feb 25, 2026
Extend CIDR validation to detect overlaps between Pod/Service CIDRs
and node subnet CIDRs by querying Nutanix Prism Central:

- Collect subnet identifiers from Control Plane and Worker configs
- Resolve subnet CIDRs from Prism Central API (GetSubnetById/ListSubnets)
- Extract IPv4 prefixes from subnet ipConfig
- Detect Pod/Service CIDR overlaps with node subnets
- Gracefully handle missing Prism Central connection

This prevents infrastructure network conflicts where Pod or Service
traffic could be misrouted to node networks.
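A worked example of the checks described in the PR description and in the two commit messages above (the size rules with the /24 node mask, and the three overlap cases), written for this page in Go, the language of the CAREN project. It is not the PR's own code: every type and function name here (Severity, Finding, maxNodes, checkCIDRSize, checkOverlaps, parseIPv4Prefixes, runPreflight) is hypothetical, the node subnets are taken as already-resolved CIDR strings rather than looked up in Prism Central, and an unparsable subnet is turned into a blocking finding with a reason, which is a design choice of this example and not what the PR's "Invalid Subnet" test shows. The inputs in main are constructed from the "Manually Verified" cases.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Severity of a preflight finding. Every type and function in this file is an
// assumption made for this example; none of it is CAREN's own code.
type Severity string

const (
	Pass  Severity = "PASS"
	Warn  Severity = "WARN"
	Block Severity = "BLOCK"
)

type Finding struct {
	Severity Severity
	Message  string
}

// nodeMaskBits is the per-node pod range the size check assumes: the "/24 node mask" quoted in the PR's output.
const nodeMaskBits = 24

// maxNodes returns how many /24 node ranges fit inside podCIDR (0 if none).
func maxNodes(podCIDR netip.Prefix) int {
	if podCIDR.Bits() > nodeMaskBits {
		return 0
	}
	return 1 << uint(nodeMaskBits-podCIDR.Bits())
}

// checkCIDRSize applies the commit message's rules to either CIDR: block /24 or longer, warn on /21-/23,
// pass otherwise. "/24 or smaller" there means a prefix length of 24 or more (256 addresses or fewer). IPv4 only.
func checkCIDRSize(kind string, cidr netip.Prefix) Finding {
	held := fmt.Sprintf("%d service addresses", uint64(1)<<uint(32-cidr.Bits()))
	if kind == "Pod" {
		held = fmt.Sprintf("at most %d node(s) with a /%d node mask", maxNodes(cidr), nodeMaskBits)
	}
	msg := fmt.Sprintf("%s CIDR %q has prefix /%d (%s)", kind, cidr, cidr.Bits(), held)
	switch {
	case cidr.Bits() >= 24:
		return Finding{Block, msg + ": too small, use a larger CIDR (for example /16)."}
	case cidr.Bits() >= 21:
		return Finding{Warn, msg + ": tight capacity."}
	}
	return Finding{Pass, msg + "."}
}

// checkOverlaps covers the three pairs the PR lists: pod vs service, pod vs node subnet, service vs node
// subnet. netip.Prefix.Overlaps compares masked address ranges, not strings, so partial containment is caught.
func checkOverlaps(podCIDR, svcCIDR netip.Prefix, nodeSubnets []netip.Prefix) []Finding {
	var out []Finding
	if podCIDR.Overlaps(svcCIDR) {
		out = append(out, Finding{Block, fmt.Sprintf("Pod CIDR %q overlaps with Service CIDR %q.", podCIDR, svcCIDR)})
	}
	for _, sub := range nodeSubnets {
		if podCIDR.Overlaps(sub) {
			out = append(out, Finding{Block, fmt.Sprintf("Pod CIDR %q overlaps with node subnet CIDR %q.", podCIDR, sub)})
		}
		if svcCIDR.Overlaps(sub) {
			out = append(out, Finding{Block, fmt.Sprintf("Service CIDR %q overlaps with node subnet CIDR %q.", svcCIDR, sub)})
		}
	}
	return out
}

// parseIPv4Prefixes rejects any entry that is not a valid IPv4 CIDR with a readable error, so a bad
// subnet denies the request with a reason instead of surfacing as an internal error (an assumption here).
func parseIPv4Prefixes(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, s := range cidrs {
		p, err := netip.ParsePrefix(s)
		if err != nil || !p.Addr().Is4() {
			return nil, fmt.Errorf("%q is not a valid IPv4 CIDR", s)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// runPreflight returns findings in a fixed order: pod size, service size, then overlaps. Node subnets
// arrive as already-resolved CIDR strings here; the PR resolves them from Prism Central.
func runPreflight(pod, svc string, subnets []string) []Finding {
	prefixes, err := parseIPv4Prefixes(append([]string{pod, svc}, subnets...))
	if err != nil {
		return []Finding{{Block, err.Error()}}
	}
	podCIDR, svcCIDR := prefixes[0], prefixes[1]
	findings := []Finding{checkCIDRSize("Pod", podCIDR), checkCIDRSize("Service", svcCIDR)}
	return append(findings, checkOverlaps(podCIDR, svcCIDR, prefixes[2:])...)
}

func main() {
	// Constructed inputs echoing the PR's "Manually Verified" cases (pod/service overlap plus a disjoint node subnet).
	for _, f := range runPreflight("192.168.0.0/16", "192.160.0.0/12", []string{"20.20.20.0/24"}) {
		fmt.Printf("%s %s\n", f.Severity, f.Message)
	}
}
```

Two points worth noting for a reviewer of the real check: the overlap test relies on `netip.Prefix.Overlaps`, which masks both prefixes to the shorter length before comparing, so `192.168.0.0/16` against `192.160.0.0/12` and `20.20.20.0/24` against `20.16.0.0/12` are both caught without any string handling; and the node-capacity arithmetic is only meaningful if the /24 node mask matches what the CNI is actually configured with, so the constant should come from the cluster configuration rather than being hard-coded as it is here.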