Skip instance profile cleanup in isolated VPCs (#8617)

Co-authored-by: Dominic Raven <[email protected]>

Author: dom-raven

pkg/controllers/controllers.go

@@ -92,7 +92,6 @@ func NewControllers(
 		nodeclasshash.NewController(kubeClient),
 		nodeclass.NewController(clk, kubeClient, cloudProvider, recorder, cfg.Region, subnetProvider, securityGroupProvider, amiProvider, instanceProfileProvider, instanceTypeProvider, launchTemplateProvider, capacityReservationProvider, ec2api, validationCache, recreationCache, amiResolver, options.FromContext(ctx).DisableDryRun),
 		nodeclaimgarbagecollection.NewController(kubeClient, cloudProvider),
-		nodeclassgarbagecollection.NewController(kubeClient, cloudProvider, instanceProfileProvider, cfg.Region),
 		nodeclaimtagging.NewController(kubeClient, cloudProvider, instanceProvider),
 		controllerspricing.NewController(pricingProvider),
 		controllersinstancetype.NewController(instanceTypeProvider),
@@ -104,6 +103,11 @@ func NewControllers(
 		crexpiration.NewController(clk, kubeClient, cloudProvider, capacityReservationProvider),
 		metrics.NewController(kubeClient, cloudProvider),
 	}
+	// Instance profile garbage collection requires IAM API access. Skip registering the controller when running
+	// in isolated VPC mode to avoid initiating calls to public AWS endpoints that won’t be reachable.
+	if !options.FromContext(ctx).IsolatedVPC {
+		controllers = append(controllers, nodeclassgarbagecollection.NewController(kubeClient, cloudProvider, instanceProfileProvider, cfg.Region))
+	}
 	if options.FromContext(ctx).InterruptionQueue != "" {
 		sqsAPI := servicesqs.NewFromConfig(cfg)
 		prov, _ := sqs.NewSQSProvider(ctx, sqsAPI)

pkg/controllers/nodeclass/controller.go

@@ -193,14 +193,17 @@ func (c *Controller) finalize(ctx context.Context, nodeClass *v1.EC2NodeClass) (
 		c.recorder.Publish(WaitingOnNodeClaimTerminationEvent(nodeClass, lo.Map(nodeClaims.Items, func(nc karpv1.NodeClaim, _ int) string { return nc.Name })))
 		return reconcile.Result{RequeueAfter: time.Minute * 10}, nil // periodically fire the event
 	}
-	// Deletes karpenter managed instance profiles for this nodeclass
-	if err := c.cleanupInstanceProfiles(ctx, nodeClass); err != nil {
-		return reconcile.Result{}, err
-	}
-	// Ensure to clean up instance profile that may have been created pre-upgrade
-	legacyProfileName := nodeClass.LegacyInstanceProfileName(options.FromContext(ctx).ClusterName, c.region)
-	if err := c.instanceProfileProvider.Delete(ctx, legacyProfileName); err != nil {
-		return reconcile.Result{}, serrors.Wrap(fmt.Errorf("deleting instance profile, %w", err), "instance-profile", legacyProfileName)
+	// Instance profile cleanup should be skipped in isolated VPCs to avoid IAM calls.
+	if !options.FromContext(ctx).IsolatedVPC {
+		// Deletes karpenter managed instance profiles for this nodeclass
+		if err := c.cleanupInstanceProfiles(ctx, nodeClass); err != nil {
+			return reconcile.Result{}, err
+		}
+		// Ensure to clean up instance profile that may have been created pre-upgrade
+		legacyProfileName := nodeClass.LegacyInstanceProfileName(options.FromContext(ctx).ClusterName, c.region)
+		if err := c.instanceProfileProvider.Delete(ctx, legacyProfileName); err != nil {
+			return reconcile.Result{}, serrors.Wrap(fmt.Errorf("deleting instance profile, %w", err), "instance-profile", legacyProfileName)
+		}
 	}
 
 	if err := c.launchTemplateProvider.DeleteAll(ctx, nodeClass); err != nil {

pkg/controllers/nodeclass/suite_test.go

@@ -82,6 +82,7 @@ var _ = AfterSuite(func() {
 
 var _ = BeforeEach(func() {
 	ctx = coreoptions.ToContext(ctx, coretest.Options(coretest.OptionsFields{FeatureGates: coretest.FeatureGates{ReservedCapacity: lo.ToPtr(true)}}))
+	ctx = options.ToContext(ctx, test.Options())
 	nodeClass = test.EC2NodeClass()
 	awsEnv.Reset()
 	Expect(awsEnv.InstanceTypesProvider.UpdateInstanceTypes(ctx)).To(Succeed())
@@ -328,4 +329,22 @@ var _ = Describe("NodeClass Termination", func() {
 		Expect(awsEnv.IAMAPI.DeleteInstanceProfileBehavior.Calls()).To(BeZero())
 		Expect(awsEnv.IAMAPI.RemoveRoleFromInstanceProfileBehavior.Calls()).To(BeZero())
 	})
+	It("should skip instance profile cleanup in isolated VPCs", func() {
+		ctx = options.ToContext(ctx, test.Options(test.OptionsFields{IsolatedVPC: lo.ToPtr(true)}))
+
+		controllerutil.AddFinalizer(nodeClass, v1.TerminationFinalizer)
+		ExpectApplied(ctx, env.Client, nodeClass)
+		ExpectObjectReconciled(ctx, env.Client, controller, nodeClass)
+
+		nodeClass = ExpectExists(ctx, env.Client, nodeClass)
+		Expect(awsEnv.IAMAPI.InstanceProfiles).To(HaveLen(1))
+
+		Expect(env.Client.Delete(ctx, nodeClass)).To(Succeed())
+		ExpectObjectReconciled(ctx, env.Client, controller, nodeClass)
+
+		Expect(awsEnv.IAMAPI.DeleteInstanceProfileBehavior.Calls()).To(BeZero())
+		Expect(awsEnv.IAMAPI.RemoveRoleFromInstanceProfileBehavior.Calls()).To(BeZero())
+		Expect(awsEnv.IAMAPI.InstanceProfiles).To(HaveLen(1))
+		ExpectNotFound(ctx, env.Client, nodeClass)
+	})
 })