Fix CNS IP demand overcounting by filtering terminal Pods in IPAMv2

[Copilot]

When configured for IPAMv2, CNS watches Pods to calculate IP demand for dynamic Podsubnet scenarios. However, CNS was overcounting the IP demand by including Pods in terminal states (Succeeded/Failed), even though these Pods no longer have network sandboxes and their IPs have been released.

Problem

The PodIPDemandListener function in cns/ipampool/v2/adapter.go was counting all Pods that matched the filter criteria (hostNetwork: false), including terminal Pods. This caused:

• Overestimation of IP demand on the Node
• Potential IP pool scaling issues
• IPs being held unnecessarily when Jobs complete but Pods aren't garbage collected immediately

Solution

Modified PodIPDemandListener to filter out Pods in terminal phases (PodSucceeded and PodFailed) when calculating IP demand. According to the Kubernetes Pod lifecycle documentation, these terminal phases are non-retriable and indicate the Pod is dead.

Changes

• Modified cns/ipampool/v2/adapter.go: Updated PodIPDemandListener to exclude terminal Pods from demand count
• Added cns/ipampool/v2/adapter_test.go: Comprehensive unit tests covering various Pod phase scenarios

Testing

Added unit tests that verify:

• Empty Pod lists return 0 demand
• Running and Pending Pods are counted correctly
• Terminal Pods (Succeeded/Failed) are excluded from demand
• Mixed scenarios with both active and terminal Pods work correctly

Compatibility

This change is compatible with SwiftV2 multitenancy scenarios, as terminal Pods should not contribute to IP demand regardless of their tenancy configuration.

Fixes #3696.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://168.63.129.16:80/machine/
  • Triggering command: /usr/bin/python3 -u bin/WALinuxAgent-2.13.1.1-py3.9.egg -collect-logs (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[rejain456]

@copilot, please fix the issue you noted for line: "for _, pod := range pods {" with the comment: "rangeValCopy: each iteration copies 1112 bytes (consider pointers or indexing) (gocritic)"

[Copilot]

@copilot, please fix the issue you noted for line: "for _, pod := range pods {" with the comment: "rangeValCopy: each iteration copies 1112 bytes (consider pointers or indexing) (gocritic)"

Fixed the gocritic rangeValCopy issue by changing the loop from for _, pod := range pods { to for i := range pods { to avoid copying 1112 bytes per Pod on each iteration. The change maintains identical functionality while improving performance. (commit 12d2834)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://168.63.129.16:80/machine/
  • Triggering command: /usr/bin/python3 -u bin/WALinuxAgent-2.13.1.1-py3.9.egg -collect-logs (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://168.63.129.16:80/machine/
  • Triggering command: /usr/bin/python3 -u bin/WALinuxAgent-2.13.1.1-py3.9.egg -collect-logs (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://168.63.129.16:80/machine/
  • Triggering command: /usr/bin/python3 -u bin/WALinuxAgent-2.13.1.1-py3.9.egg -collect-logs (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

[rbtr]

/azp run Azure Container Networking PR

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Copilot]

Pull Request Overview

This PR enhances IP demand calculation by excluding terminal Pods and updates the reconciler to index Pod phases.

• Adds a new status.phase indexer in the Pod reconciler
• Modifies PodIPDemandListener to filter out Succeeded/Failed Pods
• Introduces unit tests covering active vs. terminal Pod scenarios

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
cns/kubecontroller/pod/reconciler.go	Renamed notifier comment and added status.phase indexer
cns/ipampool/v2/adapter.go	Updated PodIPDemandListener to count only non-terminal Pods
cns/ipampool/v2/adapter_test.go	Added tests verifying exclusion of terminal Pods from demand counts

Comments suppressed due to low confidence (4)

cns/ipampool/v2/adapter.go:32

• Add or update the function comment to describe that this listener now filters out terminal pod phases (Succeeded/Failed) before sending the count.

func PodIPDemandListener(ch chan<- int) func([]v1.Pod) { 

cns/ipampool/v2/adapter.go:37

• [nitpick] Consider replacing the index variable i with a more descriptive name (e.g., idx) or use for _, pod := range pods for clarity.

for i := range pods { 

cns/ipampool/v2/adapter_test.go:32

• [nitpick] The test name includes a pending pod; consider renaming to something like multiple active pods to better reflect the scenario.

name: "multiple running pods", 

[rbtr]

Linting is failing on the changed files and needs to be fixed:

cns/ipampool/v2/adapter.go:45: File is not `gci`-ed with --skip-generated -s standard -s default (gci) cns/ipampool/v2/adapter_test.go:101: File is not `gci`-ed with --skip-generated -s standard -s default (gci) cns/kubecontroller/pod/reconciler.go:83: File is not `gci`-ed with --skip-generated -s standard -s default (gci) cns/ipampool/v2/adapter.go:46: File is not `gofumpt`-ed (gofumpt) cns/ipampool/v2/adapter_test.go:102: File is not `gofumpt`-ed (gofumpt) 

bump

[rbtr]

Linting is failing on the changed files and needs to be fixed:

cns/ipampool/v2/adapter.go:45: File is not `gci`-ed with --skip-generated -s standard -s default (gci) cns/ipampool/v2/adapter_test.go:101: File is not `gci`-ed with --skip-generated -s standard -s default (gci) cns/kubecontroller/pod/reconciler.go:83: File is not `gci`-ed with --skip-generated -s standard -s default (gci) cns/ipampool/v2/adapter.go:46: File is not `gofumpt`-ed (gofumpt) cns/ipampool/v2/adapter_test.go:102: File is not `gofumpt`-ed (gofumpt) 

[rbtr]

@copilot address my previous comment on linting

[Copilot]

@copilot address my previous comment on linting

Fixed all linting issues by removing trailing blank lines from the modified files. The gci and gofumpt formatting errors have been resolved. (commit 64a7ba1)

[rbtr]

/azp run Azure Container Networking PR

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).