feat: drift for Kubelet Client ID (#888)

* Add kubernetes.azure.com/kubelet-identity-client-id label to all nodes,
  to match what AKS does.
* Drift nodes if the expected kubelet-identity-client-id has changed.
* Does not drift if the node doesn't have the AKS Kubelet ClientID label
  set.

Author: matthchr

pkg/apis/v1beta1/labels.go

@@ -94,7 +94,8 @@ var (
 	// AKS labels
 	AKSLabelDomain = "kubernetes.azure.com"
 
-	AKSLabelCluster = AKSLabelDomain + "/cluster"
+	AKSLabelCluster                 = AKSLabelDomain + "/cluster"
+	AKSLabelKubeletIdentityClientID = AKSLabelDomain + "/kubelet-identity-client-id"
 
 	AnnotationAKSNodeClassHash        = apis.Group + "/aksnodeclass-hash"
 	AnnotationAKSNodeClassHashVersion = apis.Group + "/aksnodeclass-hash-version"

pkg/cloudprovider/drift.go

@@ -23,71 +23,76 @@ import (
 
 	sdkerrors "github.com/Azure/azure-sdk-for-go-extensions/pkg/errors"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork"
+	"github.com/samber/lo"
+	v1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
 	"github.com/Azure/karpenter-provider-azure/pkg/apis/v1beta1"
 	"github.com/Azure/karpenter-provider-azure/pkg/operator/options"
 	"github.com/Azure/karpenter-provider-azure/pkg/providers/instance"
 	"github.com/Azure/karpenter-provider-azure/pkg/utils"
-	"github.com/samber/lo"
-	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	karpv1 "sigs.k8s.io/karpenter/pkg/apis/v1"
 	"sigs.k8s.io/karpenter/pkg/cloudprovider"
 	nodeclaimutils "sigs.k8s.io/karpenter/pkg/utils/nodeclaim"
 )
 
 const (
-	NodeClassDrift  cloudprovider.DriftReason = "NodeClassDrift"
-	K8sVersionDrift cloudprovider.DriftReason = "K8sVersionDrift"
-	ImageDrift      cloudprovider.DriftReason = "ImageDrift"
-	SubnetDrift     cloudprovider.DriftReason = "SubnetDrift"
+	NodeClassDrift       cloudprovider.DriftReason = "NodeClassDrift"
+	K8sVersionDrift      cloudprovider.DriftReason = "K8sVersionDrift"
+	ImageDrift           cloudprovider.DriftReason = "ImageDrift"
+	SubnetDrift          cloudprovider.DriftReason = "SubnetDrift"
+	KubeletIdentityDrift cloudprovider.DriftReason = "KubeletIdentityDrift"
 
 	// TODO (charliedmcb): Use this const across code and test locations which are signaling/checking for "no drift"
 	NoDrift cloudprovider.DriftReason = ""
 )
 
 func (c *CloudProvider) isNodeClassDrifted(ctx context.Context, nodeClaim *karpv1.NodeClaim, nodeClass *v1beta1.AKSNodeClass) (cloudprovider.DriftReason, error) {
-	// First check if the node class is statically staticFieldsDrifted to save on API calls.
-	if staticFieldsDrifted := c.areStaticFieldsDrifted(nodeClaim, nodeClass); staticFieldsDrifted != "" {
-		return staticFieldsDrifted, nil
-	}
-	k8sVersionDrifted, err := c.isK8sVersionDrifted(ctx, nodeClaim, nodeClass)
-	if err != nil {
-		return "", err
-	}
-	if k8sVersionDrifted != "" {
-		return k8sVersionDrifted, nil
-	}
-	imageVersionDrifted, err := c.isImageVersionDrifted(ctx, nodeClaim, nodeClass)
-	if err != nil {
-		return "", err
-	}
-	if imageVersionDrifted != "" {
-		return imageVersionDrifted, nil
-	}
-	subnetDrifted, err := c.isSubnetDrifted(ctx, nodeClaim, nodeClass)
-	if err != nil {
-		return "", err
+	// TODO: if we find more expensive checks, such as reading VMs or NICs from Azure, are being duplicated between checks, we should
+	//       produce a lazy at-most-once that allows a check to cache a value for later checks to read.
+	checks := []func(ctx context.Context, nodeClaim *karpv1.NodeClaim, nodeClass *v1beta1.AKSNodeClass) (cloudprovider.DriftReason, error){
+		c.areStaticFieldsDrifted,
+		c.isK8sVersionDrifted,
+		c.isKubeletIdentityDrifted,
+		c.isImageVersionDrifted,
+		c.isSubnetDrifted,
 	}
-	if subnetDrifted != "" {
-		return subnetDrifted, nil
+	for _, check := range checks {
+		driftReason, err := check(ctx, nodeClaim, nodeClass)
+		if err != nil {
+			return "", err
+		}
+		if driftReason != "" {
+			return driftReason, nil
+		}
 	}
+
 	return "", nil
 }
 
-func (c *CloudProvider) areStaticFieldsDrifted(nodeClaim *karpv1.NodeClaim, nodeClass *v1beta1.AKSNodeClass) cloudprovider.DriftReason {
+func (c *CloudProvider) areStaticFieldsDrifted(ctx context.Context, nodeClaim *karpv1.NodeClaim, nodeClass *v1beta1.AKSNodeClass) (cloudprovider.DriftReason, error) {
+	logger := log.FromContext(ctx)
+
 	nodeClassHash, foundNodeClassHash := nodeClass.Annotations[v1beta1.AnnotationAKSNodeClassHash]
 	nodeClassHashVersion, foundNodeClassHashVersion := nodeClass.Annotations[v1beta1.AnnotationAKSNodeClassHashVersion]
 	nodeClaimHash, foundNodeClaimHash := nodeClaim.Annotations[v1beta1.AnnotationAKSNodeClassHash]
 	nodeClaimHashVersion, foundNodeClaimHashVersion := nodeClaim.Annotations[v1beta1.AnnotationAKSNodeClassHashVersion]
 
 	if !foundNodeClassHash || !foundNodeClaimHash || !foundNodeClassHashVersion || !foundNodeClaimHashVersion {
-		return ""
+		return "", nil
 	}
 	// validate that the hash version for the AKSNodeClass is the same as the NodeClaim before evaluating for static drift
 	if nodeClassHashVersion != nodeClaimHashVersion {
-		return ""
+		return "", nil
+	}
+
+	if nodeClassHash != nodeClaimHash {
+		logger.V(1).Info(fmt.Sprintf("drift triggered for %s, as nodeClassHash (%s) != nodeClaimHash (%s)", NodeClassDrift, nodeClassHash, nodeClaimHash))
+		return NodeClassDrift, nil
 	}
-	return lo.Ternary(nodeClassHash != nodeClaimHash, NodeClassDrift, "")
+
+	return "", nil
 }
 
 func (c *CloudProvider) isK8sVersionDrifted(ctx context.Context, nodeClaim *karpv1.NodeClaim, nodeClass *v1beta1.AKSNodeClass) (cloudprovider.DriftReason, error) {
@@ -103,34 +108,12 @@ func (c *CloudProvider) isK8sVersionDrifted(ctx context.Context, nodeClaim *karp
 		return "", nil //nolint:nilerr
 	}
 
-	nodeName := nodeClaim.Status.NodeName
-	if nodeName == "" {
-		// We do not return an error here as its expected within the lifecycle of the nodeclaims registration.
-		// Drift can be called for a nodeclaim once its launched, but .Status.NodeName is only filled out after the node is registered:
-		// https://github.com/kubernetes-sigs/karpenter/blob/8b9ea2e7cd10acdb40bccdf91a153a2e69b71107/pkg/controllers/nodeclaim/lifecycle/registration.go#L83
-		return "", nil
-	}
-
-	n, err := nodeclaimutils.NodeForNodeClaim(ctx, c.kubeClient, nodeClaim)
-	if err != nil {
-		if nodeclaimutils.IsNodeNotFoundError(err) {
-			// We do not return an error here as its expected within the lifecycle of the nodeclaims registration.
-			// Core's checks only for Launched status which means we've started the create, but the node doesn't nessicarially exist yet
-			// https://github.com/kubernetes-sigs/karpenter/blob/9877cf639e665eadcae9e46e5a702a1b30ced1d3/pkg/controllers/nodeclaim/disruption/drift.go#L51
-			return "", nil
-		}
-		if nodeclaimutils.IsDuplicateNodeError(err) {
-			logger.V(1).Info("WARN: Duplicate node error, invariant violated.")
-		}
+	node, err := c.getNodeForDrift(ctx, nodeClaim)
+	if err != nil || node == nil {
 		return "", err
 	}
-	if !n.DeletionTimestamp.IsZero() {
-		// We do not need to check for drift if the node is being deleted.
-		return "", nil
-	}
-
-	nodeK8sVersion := strings.TrimPrefix(n.Status.NodeInfo.KubeletVersion, "v")
 
+	nodeK8sVersion := strings.TrimPrefix(node.Status.NodeInfo.KubeletVersion, "v")
 	if nodeK8sVersion != k8sVersion {
 		logger.V(1).Info(fmt.Sprintf("drift triggered for %s, with expected k8s version %s, and actual k8s version %s", K8sVersionDrift, k8sVersion, nodeK8sVersion))
 		return K8sVersionDrift, nil
@@ -143,7 +126,10 @@ func (c *CloudProvider) isK8sVersionDrifted(ctx context.Context, nodeClaim *karp
 // Feel reassessing this within the future with a potential minor refactor would be best to fix the gocyclo.
 // nolint: gocyclo
 func (c *CloudProvider) isImageVersionDrifted(
-	ctx context.Context, nodeClaim *karpv1.NodeClaim, nodeClass *v1beta1.AKSNodeClass) (cloudprovider.DriftReason, error) {
+	ctx context.Context,
+	nodeClaim *karpv1.NodeClaim,
+	nodeClass *v1beta1.AKSNodeClass,
+) (cloudprovider.DriftReason, error) {
 	logger := log.FromContext(ctx)
 
 	id, err := utils.GetVMName(nodeClaim.Status.ProviderID)
@@ -226,6 +212,63 @@ func (c *CloudProvider) isSubnetDrifted(ctx context.Context, nodeClaim *karpv1.N
 	return "", nil
 }
 
+// isKubeletIdentityDrifted returns drift if the kubelet identity has drifted
+func (c *CloudProvider) isKubeletIdentityDrifted(ctx context.Context, nodeClaim *karpv1.NodeClaim, _ *v1beta1.AKSNodeClass) (cloudprovider.DriftReason, error) {
+	opts := options.FromContext(ctx)
+	logger := log.FromContext(ctx)
+
+	node, err := c.getNodeForDrift(ctx, nodeClaim)
+	if err != nil || node == nil {
+		return "", err
+	}
+
+	kubeletIdentityClientID := node.Labels[v1beta1.AKSLabelKubeletIdentityClientID]
+	// The kubelet identity label is supposed to be set on every node, but prior to
+	// 1.4.0 it was not set by Karpenter. In order to avoid rolling all existing nodes,
+	// we don't count a missing kubelet identity as drift. This situation should resolve itself as
+	// image version and Kubernetes version drift is performed.
+	// TODO: This short-circuit should be removed post 1.4.0 (~2025-07-01)
+	if kubeletIdentityClientID == "" {
+		return "", nil
+	}
+
+	if kubeletIdentityClientID != opts.KubeletIdentityClientID {
+		logger.V(1).Info(
+			fmt.Sprintf("drift triggered for %s, with expected kubelet identity client id %s, and actual kubelet identity client id %s",
+				KubeletIdentityDrift,
+				opts.KubeletIdentityClientID,
+				kubeletIdentityClientID),
+		)
+		return KubeletIdentityDrift, nil
+	}
+
+	return "", nil
+}
+
+func (c *CloudProvider) getNodeForDrift(ctx context.Context, nodeClaim *karpv1.NodeClaim) (*v1.Node, error) {
+	logger := log.FromContext(ctx)
+
+	n, err := nodeclaimutils.NodeForNodeClaim(ctx, c.kubeClient, nodeClaim)
+	if err != nil {
+		if nodeclaimutils.IsNodeNotFoundError(err) {
+			// We do not return an error here as its expected within the lifecycle of the nodeclaims registration.
+			// Core's checks only for Launched status which means we've started the create, but the node doesn't nessicarially exist yet
+			// https://github.com/kubernetes-sigs/karpenter/blob/9877cf639e665eadcae9e46e5a702a1b30ced1d3/pkg/controllers/nodeclaim/disruption/drift.go#L51
+			return nil, nil
+		}
+		if nodeclaimutils.IsDuplicateNodeError(err) {
+			logger.V(1).Info("WARN: Duplicate node error, invariant violated.")
+		}
+		return nil, err
+	}
+	if !n.DeletionTimestamp.IsZero() {
+		// We do not need to check for drift if the node is being deleted.
+		return nil, nil
+	}
+
+	return n, nil
+}
+
 func getSubnetFromPrimaryIPConfig(nic *armnetwork.Interface) string {
 	for _, ipConfig := range nic.Properties.IPConfigurations {
 		if ipConfig.Properties.Subnet != nil && lo.FromPtr(ipConfig.Properties.Primary) {

pkg/cloudprovider/suite_test.go

@@ -23,38 +23,33 @@ import (
 	"testing"
 	"time"
 
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/karpenter/pkg/test/v1alpha1"
-
 	"github.com/awslabs/operatorpkg/object"
 	"github.com/blang/semver/v4"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/samber/lo"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
 	"k8s.io/client-go/tools/record"
 	clock "k8s.io/utils/clock/testing"
-
-	"github.com/Azure/karpenter-provider-azure/pkg/utils"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	karpv1 "sigs.k8s.io/karpenter/pkg/apis/v1"
 	corecloudprovider "sigs.k8s.io/karpenter/pkg/cloudprovider"
-
 	"sigs.k8s.io/karpenter/pkg/controllers/provisioning"
 	"sigs.k8s.io/karpenter/pkg/controllers/state"
 	"sigs.k8s.io/karpenter/pkg/events"
 	coreoptions "sigs.k8s.io/karpenter/pkg/operator/options"
 	coretest "sigs.k8s.io/karpenter/pkg/test"
-
+	. "sigs.k8s.io/karpenter/pkg/test/expectations"
+	"sigs.k8s.io/karpenter/pkg/test/v1alpha1"
 	. "sigs.k8s.io/karpenter/pkg/utils/testing"
 
 	"github.com/Azure/karpenter-provider-azure/pkg/apis"
 	"github.com/Azure/karpenter-provider-azure/pkg/apis/v1beta1"
 	"github.com/Azure/karpenter-provider-azure/pkg/operator/options"
 	"github.com/Azure/karpenter-provider-azure/pkg/providers/instance"
 	"github.com/Azure/karpenter-provider-azure/pkg/test"
-	. "sigs.k8s.io/karpenter/pkg/test/expectations"
+	"github.com/Azure/karpenter-provider-azure/pkg/utils"
 )
 
 var ctx context.Context
@@ -176,16 +171,24 @@ var _ = Describe("CloudProvider", func() {
 	Context("Drift", func() {
 		var nodeClaim *karpv1.NodeClaim
 		var pod *v1.Pod
+		var node *v1.Node
+
 		BeforeEach(func() {
 			instanceType := "Standard_D2_v2"
 			ExpectApplied(ctx, env.Client, nodePool, nodeClass)
 			pod = coretest.UnschedulablePod(coretest.PodOptions{
 				NodeSelector: map[string]string{v1.LabelInstanceTypeStable: instanceType},
 			})
 			ExpectProvisioned(ctx, env.Client, cluster, cloudProvider, prov, pod)
-			node := ExpectScheduled(ctx, env.Client, pod)
+			node = ExpectScheduled(ctx, env.Client, pod)
 			// KubeletVersion must be applied to the node to satisfy k8s drift
 			node.Status.NodeInfo.KubeletVersion = "v" + nodeClass.Status.KubernetesVersion
+			node.Labels[v1beta1.AKSLabelKubeletIdentityClientID] = "61f71907-753f-4802-a901-47361c3664f2" // random UUID
+			// Context must have same kubelet client id
+			ctx = options.ToContext(ctx, test.Options(test.OptionsFields{
+				KubeletIdentityClientID: lo.ToPtr(node.Labels[v1beta1.AKSLabelKubeletIdentityClientID]),
+			}))
+
 			ExpectApplied(ctx, env.Client, node)
 			Expect(azureEnv.NetworkInterfacesAPI.NetworkInterfacesCreateOrUpdateBehavior.CalledWithInput.Len()).To(Equal(1))
 			Expect(azureEnv.VirtualMachinesAPI.VirtualMachineCreateOrUpdateBehavior.CalledWithInput.Len()).To(Equal(1))
@@ -330,7 +333,7 @@ var _ = Describe("CloudProvider", func() {
 			})
 
 			It("shouldn't error or be drifted when node is deleting", func() {
-				node := ExpectNodeExists(ctx, env.Client, nodeClaim.Status.NodeName)
+				node = ExpectNodeExists(ctx, env.Client, nodeClaim.Status.NodeName)
 				node.Finalizers = append(node.Finalizers, test.TestingFinalizer)
 				ExpectApplied(ctx, env.Client, node)
 				Expect(env.Client.Delete(ctx, node)).ToNot(HaveOccurred())
@@ -362,5 +365,26 @@ var _ = Describe("CloudProvider", func() {
 				Expect(drifted).To(Equal(K8sVersionDrift))
 			})
 		})
+
+		Context("Kubelet Client ID", func() {
+			It("should NOT trigger drift if node doesn't have kubelet client ID label", func() {
+				node.Labels[v1beta1.AKSLabelKubeletIdentityClientID] = "" // Not set
+
+				drifted, err := cloudProvider.IsDrifted(ctx, nodeClaim)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(drifted).To(BeEmpty())
+			})
+
+			It("should trigger drift if node kubelet client ID doesn't match options", func() {
+				ctx = options.ToContext(ctx, test.Options(test.OptionsFields{
+					KubeletIdentityClientID: lo.ToPtr("3824ff7a-93b6-40af-b861-2eb621ba437a"), // a different random UUID
+				}))
+
+				drifted, err := cloudProvider.IsDrifted(ctx, nodeClaim)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(drifted).To(Equal(KubeletIdentityDrift))
+			})
+		})
+
 	})
 })

pkg/providers/imagefamily/bootstrap/aksbootstrap.go

@@ -26,6 +26,7 @@ import (
 	"github.com/samber/lo"
 	v1 "k8s.io/api/core/v1"
 
+	"github.com/Azure/karpenter-provider-azure/pkg/providers/imagefamily/labels"
 	"github.com/Azure/karpenter-provider-azure/pkg/utils"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -307,7 +308,7 @@ func (a AKS) applyOptions(nbv *NodeBootstrapVariables) {
 
 	// merge and stringify labels
 	kubeletLabels := lo.Assign(getBaseKubeletNodeLabels(), a.Labels)
-	getAgentbakerGeneratedLabels(a.ResourceGroup, kubeletLabels)
+	labels.AddAgentBakerGeneratedLabels(a.ResourceGroup, a.KubeletIdentityClientID, kubeletLabels)
 
 	subnetParts, _ := utils.GetVnetSubnetIDComponents(a.SubnetID)
 	nbv.Subnet = subnetParts.SubnetName
@@ -368,31 +369,6 @@ func getCustomDataFromNodeBootstrapVars(nbv *NodeBootstrapVariables) (string, er
 	return buffer.String(), nil
 }
 
-func getAgentbakerGeneratedLabels(nodeResourceGroup string, nodeLabels map[string]string) {
-	nodeLabels["kubernetes.azure.com/role"] = "agent"
-	nodeLabels["kubernetes.azure.com/cluster"] = normalizeResourceGroupNameForLabel(nodeResourceGroup)
-}
-
-func normalizeResourceGroupNameForLabel(resourceGroupName string) string {
-	truncated := resourceGroupName
-	truncated = strings.ReplaceAll(truncated, "(", "-")
-	truncated = strings.ReplaceAll(truncated, ")", "-")
-	const maxLen = 63
-	if len(truncated) > maxLen {
-		truncated = truncated[0:maxLen]
-	}
-
-	if strings.HasSuffix(truncated, "-") ||
-		strings.HasSuffix(truncated, "_") ||
-		strings.HasSuffix(truncated, ".") {
-		if len(truncated) > 62 {
-			return truncated[0:len(truncated)-1] + "z"
-		}
-		return truncated + "z"
-	}
-	return truncated
-}
-
 func KubeletConfigToMap(kubeletConfig *KubeletConfiguration) map[string]string {
 	args := make(map[string]string)