Merge pull request #43 from worldcoin/feat/limit-warm-ip-target-to-4-and-disable-pod-eni

marcin-janas · web-flow · commit cd8a58ee8e9e · 2025-11-06T11:47:53.000+01:00
INFRA-5508 &amp; INFRA-5506: Limit `warm_ip_target` to 4 and disable POD ENI
diff --git a/cluster-addons.tf b/cluster-addons.tf
@@ -74,14 +74,15 @@ resource "aws_eks_addon" "vpc_cni" {
   resolve_conflicts_on_create = "OVERWRITE"
   resolve_conflicts_on_update = "OVERWRITE"
   configuration_values = jsonencode({
-    env : {
+    env : merge({
       ENABLE_PREFIX_DELEGATION : lower(tostring(var.vpc_cni_enable_prefix_delegation)),                   # Enable prefix delegation for IPv6, allocate IPs in /28 blocks (instead of all at once)
-      WARM_IP_TARGET : var.vpc_cni_warm_ip_target,                                                        # Keep +8 IPs warm for each node to speed up pod scheduling
+      WARM_IP_TARGET : var.vpc_cni_warm_ip_target,                                                        # Keep +4 IPs warm for each node to speed up pod scheduling
       WARM_ENI_TARGET : var.vpc_cni_warm_eni_target,                                                      # Keep +1 ENI warm for each node to speed up pod scheduling
-      ENABLE_POD_ENI : lower(tostring(var.vpc_cni_enable_pod_eni)),                                       # Enable pod ENI support
       POD_SECURITY_GROUP_ENFORCING_MODE : lower(tostring(var.vpc_cni_pod_security_group_enforcing_mode)), # Enable pod security group enforcing mode
       AWS_VPC_K8S_CNI_EXTERNALSNAT : lower(tostring(var.vpc_cni_external_snat)),                          # Enable external SNAT to enable pod to pod communication across different vpc's
-    }
+      }, var.vpc_cni_enable_pod_eni ? {
+      ENABLE_POD_ENI : lower(tostring(var.vpc_cni_enable_pod_eni)), # Enable pod ENI support
+    } : {})
   })
 }
 
@@ -194,8 +195,8 @@ resource "aws_eks_addon" "metrics_server" {
           memory = "200Mi"
         }
         limits = {
-          cpu: "100m"
-          memory: "200Mi"
+          cpu : "100m"
+          memory : "200Mi"
         }
       }
     }
diff --git a/variables.tf b/variables.tf
@@ -250,7 +250,7 @@ variable "vpc_cni_enable_prefix_delegation" {
 variable "vpc_cni_warm_ip_target" {
   description = "Number of IPs to keep warm for each node to speed up pod scheduling"
   type        = string
-  default     = "8"
+  default     = "4"
 }
 
 variable "vpc_cni_warm_eni_target" {
@@ -432,7 +432,7 @@ variable "public_access_cidrs" {
   type        = list(string)
   default     = ["0.0.0.0/0"]
   validation {
-    condition = alltrue([for cidr in var.public_access_cidrs : can(cidrnetmask(cidr))])
+    condition     = alltrue([for cidr in var.public_access_cidrs : can(cidrnetmask(cidr))])
     error_message = "All public access CIDRs must be valid CIDR blocks."
   }
 }
@@ -685,7 +685,7 @@ variable "deploy_desired_vs_status_evaluation_period" {
 variable "vpc_cni_enable_pod_eni" {
   description = "Enable pod ENI support"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "vpc_cni_pod_security_group_enforcing_mode" {

Original file line number	Diff line number	Diff line change
`@@ -74,14 +74,15 @@ resource "aws_eks_addon" "vpc_cni" {`
`74`	`74`	`resolve_conflicts_on_create = "OVERWRITE"`
`75`	`75`	`resolve_conflicts_on_update = "OVERWRITE"`
`76`	`76`	`configuration_values = jsonencode({`
`77`		`- env : {`
	`77`	`+ env : merge({`
`78`	`78`	`ENABLE_PREFIX_DELEGATION : lower(tostring(var.vpc_cni_enable_prefix_delegation)), # Enable prefix delegation for IPv6, allocate IPs in /28 blocks (instead of all at once)`
`79`		`- WARM_IP_TARGET : var.vpc_cni_warm_ip_target, # Keep +8 IPs warm for each node to speed up pod scheduling`
	`79`	`+ WARM_IP_TARGET : var.vpc_cni_warm_ip_target, # Keep +4 IPs warm for each node to speed up pod scheduling`
`80`	`80`	`WARM_ENI_TARGET : var.vpc_cni_warm_eni_target, # Keep +1 ENI warm for each node to speed up pod scheduling`
`81`		`- ENABLE_POD_ENI : lower(tostring(var.vpc_cni_enable_pod_eni)), # Enable pod ENI support`
`82`	`81`	`POD_SECURITY_GROUP_ENFORCING_MODE : lower(tostring(var.vpc_cni_pod_security_group_enforcing_mode)), # Enable pod security group enforcing mode`
`83`	`82`	`AWS_VPC_K8S_CNI_EXTERNALSNAT : lower(tostring(var.vpc_cni_external_snat)), # Enable external SNAT to enable pod to pod communication across different vpc's`
`84`		`- }`
	`83`	`+ }, var.vpc_cni_enable_pod_eni ? {`
	`84`	`+ ENABLE_POD_ENI : lower(tostring(var.vpc_cni_enable_pod_eni)), # Enable pod ENI support`
	`85`	`+ } : {})`
`85`	`86`	`})`
`86`	`87`	`}`
`87`	`88`
`@@ -194,8 +195,8 @@ resource "aws_eks_addon" "metrics_server" {`
`194`	`195`	`memory = "200Mi"`
`195`	`196`	`}`
`196`	`197`	`limits = {`
`197`		`- cpu: "100m"`
`198`		`- memory: "200Mi"`
	`198`	`+ cpu : "100m"`
	`199`	`+ memory : "200Mi"`
`199`	`200`	`}`
`200`	`201`	`}`
`201`	`202`	`}`
Original file line number	Diff line number	Diff line change
`@@ -250,7 +250,7 @@ variable "vpc_cni_enable_prefix_delegation" {`
`250`	`250`	`variable "vpc_cni_warm_ip_target" {`
`251`	`251`	`description = "Number of IPs to keep warm for each node to speed up pod scheduling"`
`252`	`252`	`type = string`
`253`		`- default = "8"`
	`253`	`+ default = "4"`
`254`	`254`	`}`
`255`	`255`
`256`	`256`	`variable "vpc_cni_warm_eni_target" {`
`@@ -432,7 +432,7 @@ variable "public_access_cidrs" {`
`432`	`432`	`type = list(string)`
`433`	`433`	`default = ["0.0.0.0/0"]`
`434`	`434`	`validation {`
`435`		`- condition = alltrue([for cidr in var.public_access_cidrs : can(cidrnetmask(cidr))])`
	`435`	`+ condition = alltrue([for cidr in var.public_access_cidrs : can(cidrnetmask(cidr))])`
`436`	`436`	`error_message = "All public access CIDRs must be valid CIDR blocks."`
`437`	`437`	`}`
`438`	`438`	`}`
`@@ -685,7 +685,7 @@ variable "deploy_desired_vs_status_evaluation_period" {`
`685`	`685`	`variable "vpc_cni_enable_pod_eni" {`
`686`	`686`	`description = "Enable pod ENI support"`
`687`	`687`	`type = bool`
`688`		`- default = true`
	`688`	`+ default = false`
`689`	`689`	`}`
`690`	`690`
`691`	`691`	`variable "vpc_cni_pod_security_group_enforcing_mode" {`