fix: install missing kubenet ebtables drop rule (#4132)

e2e/scenario/scenario_marinerv2.go

@@ -16,6 +16,9 @@ func (t *Template) marinerv2() *Scenario {
 				nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-cblmariner-v2-gen2"
 				nbc.AgentPoolProfile.Distro = "aks-cblmariner-v2-gen2"
 			},
+			LiveVMValidators: []*LiveVMValidator{
+				KubenetEnsureNoDupEbtablesValidator(),
+			},
 		},
 	}
 }

e2e/scenario/scenario_ubuntu2204.go

@@ -16,6 +16,9 @@ func (t *Template) ubuntu2204() *Scenario {
 				nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
 				nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
 			},
+			LiveVMValidators: []*LiveVMValidator{
+				KubenetEnsureNoDupEbtablesValidator(),
+			},
 		},
 	}
 }

e2e/scenario/validators.go

@@ -2,6 +2,7 @@ package scenario
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 )
 
@@ -126,6 +127,42 @@ func UlimitValidator(ulimits map[string]string) *LiveVMValidator {
 	}
 }
 
+// KubenetEnsureNoDupEbtablesValidator checks that ebtables rules were installed by
+// the ensure-no-dup.sh script to block duplicate packets from the promiscuous bridge.
+// This assumes at least one pod (without hostNetwork) has already run on the node.
+func KubenetEnsureNoDupEbtablesValidator() *LiveVMValidator {
+	// Use regex match for the rules because the MAC and IP addresses can vary.
+	expectedRulePatterns := []string{
+		`-j AKS-DEDUP-PROMISC`,
+		`-p IPv4 -s [0-9a-f:]+ -o veth\+ --ip-src [0-9.]+ -j ACCEPT`,
+		`-p IPv4 -s [0-9a-f:]+ -o veth\+ --ip-src [0-9.]+/[0-9]+ -j DROP`,
+	}
+	regexes := make(map[string]*regexp.Regexp, len(expectedRulePatterns))
+	for _, s := range expectedRulePatterns {
+		regexes[s] = regexp.MustCompile(s)
+	}
+
+	return &LiveVMValidator{
+		Description: "assert kubenet ensure-no-dup ebtables rules",
+		// Grep matches rules with "-" at start of line.
+		// This command will fail and be retried to account for delay between
+		// when the CNI creates the bridge and when the ensure-no-dup systemd unit completes.
+		Command: fmt.Sprintf(`ebtables -L | grep "^-"`),
+		Asserter: func(code, stdout, stderr string) error {
+			if code != "0" {
+				return fmt.Errorf("validator command terminated with exit code %q but expected code 0", code)
+			}
+
+			for pattern, re := range regexes {
+				if !re.MatchString(stdout) {
+					return fmt.Errorf("could not find expected ebtables rule matching pattern %q", pattern)
+				}
+			}
+			return nil
+		},
+	}
+}
+
 func containerdVersionValidator(version string) *LiveVMValidator {
 	return &LiveVMValidator{
 		Description: "assert containerd version",

parts/linux/cloud-init/artifacts/ensure-no-dup.sh

@@ -35,8 +35,11 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+# cloud-controller-manager assigns the node pod CIDR, then kubelet/containerd put it in the conflist.
+# Parse the conflist to retrieve the pod CIDR (IPv4 is always the first item in `ranges`).
+# If the field we expect isn't there, jq returns "null", so treat that as a failure.
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -53,4 +56,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF

pkg/agent/testdata/AKSUbuntu1604+Containerd/CustomData

@@ -219,7 +219,7 @@ write_files:
   owner: root
   encoding: gzip
   content: !!binary |
-    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIL7yTE7r1ZpvYhCiTqpWC+ueKcmHiA3EV7NR26Fjhu08hYYM23eik9Q6c4/M753mOjg8PwrFU4Zjb2PM8Gjs+TsiCOUxk4siAnaH99ZKddE+uB2xw0e+dXnbw9lMoaB6qLEk8OcFwiNpnMLpDE6PRR7iYlAcAFMUa/tP7JksIPDHExQKWnF9Ef5MOTW8iy5wHYBOE5KIwUjJU5AIRHjVZpJXjUpERLD+LtJok0roqcqQk8u9yCqUdshQLckEQ5CSppiBuksUW/CiHe2MjxZTO+YxatXrE3QtqwBK3d2AGfpAm2VQqOxxhCUsJRa4euEVKaLVw4xeMG7+BJYLij9/wUqNn0kY9LV4LvUX0G6Xufu1h63jl46AF35mM/CqNi3SoPfySbbVWWyqUaTKdWcy0oN9Iv/Z9x3i7sGGUcGvz3sOd/CEXwpC1L6pnT/dL+08HrVpdpshJsLG+f5RxiamhFKyr4UtFDvVhk70f/X8TNB7erYrf/k5UVcBGcvY9V31DXu0vtNBk193FfE7gCjKdH6OU54+9plpcZmNFri2EeaWJkymfBXZNfdT+TjXVGkQ6S8S6X0GOzEwqgotlLoGg/yxSLZADUABguJoSJkbP8Hwjey6EXruzkWiP0Wx4XlEyFyLP/HQJlssWUcyl8it373nFtcrAdkUgS3E6mB+D2Z8z02t3VmAac3LxGzAmU2ZNhK3JA7tFu9PpDq7+CWfX4hx2ctEfPIPqX18Nrq/WFT1VoVRXZy7N3No7RffJIh99EhUX8ifHfqiW+WyD2n7X/uYtLDfZYbf/5UcAAAD//4wWzb9ZBwAA
+    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIhfeVE/q+vdkmNiHKpGqloP65olyY+EBcBTu1HTpW+O5TQtigTTc6ab0D5/g8j3/n+PjwIBxLFY65jT3Po7Hj44QsmMNEJo4M2DnaX67Yaff0ZsAGl/3e2VUH/30MBc1DlSWJJycYDlH7BEb3aGI0+gAXk/IAgKJYw3++32QJgSeGuFjAkvPX0V+lQ9ObyDLnAdgEIbkojJQMFblAhMdNFmnluFRkBMvXIq0mibSuSjlSEvl3OYXSDlmKBbkgCHIlqaYgbpLFlvhxLu6NjRRTuuAzatXqEXev8IAl7u7BDPwgTbKpVHY4whKWEopcPXCLlNBq4dZfa9z6DSwRrP/4DS81eiZt1NPiraS3FP1Gyd2vPW4tr3wctOA7k5FfxXidDrXHn9hWBW2pUKbJdGYx04J+gb6o+07h7cKGUcKtzc8e7uQPuRCGrH2Vnz2rX5b/bNCq1WWKXAk21g9PMi4xNZSCdTV8qcihPmyyd6N/boPG4/+r9W9/J6oqYIOcfcupb5RX+4MWmmxxupjPCVxBpvMTlHh+e9ZUi6tsrMi1hTBv1HEy5bPAcDUlO2yOhs1RYAsLT1jsWFv5WC6rVlstHOVT6Kjy9ussEQUcQY7MTCqCi2XOS9CRRaoFcjdYG0BhChOjZ3j51HtOj167s+G5Rx83PG9tmQuRZ34+McvJjCjmUvmVg/qiYltlYLsikKU4G8xPwOyPBuu1OyswjTm5+F8wJlNmTYStNgW7Q7vT6Q6u/4rObrFzsdPL/uAFqf7N9eDmunD0nEJJV2cuzVxRO0UPySK/JyQqNuTvk31fjfl8I7X9CP7Jw1mOvcNu/7P3PQAA//92JikohwcAAA==
 
 - path: /etc/systemd/system/teleportd.service
   permissions: "0644"

pkg/agent/testdata/AKSUbuntu1604+Containerd/line222.sh

@@ -30,8 +30,8 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -48,4 +48,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF

pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+CustomLinuxOSConfig/CustomData

@@ -219,7 +219,7 @@ write_files:
   owner: root
   encoding: gzip
   content: !!binary |
-    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIL7yTE7r1ZpvYhCiTqpWC+ueKcmHiA3EV7NR26Fjhu08hYYM23eik9Q6c4/M753mOjg8PwrFU4Zjb2PM8Gjs+TsiCOUxk4siAnaH99ZKddE+uB2xw0e+dXnbw9lMoaB6qLEk8OcFwiNpnMLpDE6PRR7iYlAcAFMUa/tP7JksIPDHExQKWnF9Ef5MOTW8iy5wHYBOE5KIwUjJU5AIRHjVZpJXjUpERLD+LtJok0roqcqQk8u9yCqUdshQLckEQ5CSppiBuksUW/CiHe2MjxZTO+YxatXrE3QtqwBK3d2AGfpAm2VQqOxxhCUsJRa4euEVKaLVw4xeMG7+BJYLij9/wUqNn0kY9LV4LvUX0G6Xufu1h63jl46AF35mM/CqNi3SoPfySbbVWWyqUaTKdWcy0oN9Iv/Z9x3i7sGGUcGvz3sOd/CEXwpC1L6pnT/dL+08HrVpdpshJsLG+f5RxiamhFKyr4UtFDvVhk70f/X8TNB7erYrf/k5UVcBGcvY9V31DXu0vtNBk193FfE7gCjKdH6OU54+9plpcZmNFri2EeaWJkymfBXZNfdT+TjXVGkQ6S8S6X0GOzEwqgotlLoGg/yxSLZADUABguJoSJkbP8Hwjey6EXruzkWiP0Wx4XlEyFyLP/HQJlssWUcyl8it373nFtcrAdkUgS3E6mB+D2Z8z02t3VmAac3LxGzAmU2ZNhK3JA7tFu9PpDq7+CWfX4hx2ctEfPIPqX18Nrq/WFT1VoVRXZy7N3No7RffJIh99EhUX8ifHfqiW+WyD2n7X/uYtLDfZYbf/5UcAAAD//4wWzb9ZBwAA
+    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIhfeVE/q+vdkmNiHKpGqloP65olyY+EBcBTu1HTpW+O5TQtigTTc6ab0D5/g8j3/n+PjwIBxLFY65jT3Po7Hj44QsmMNEJo4M2DnaX67Yaff0ZsAGl/3e2VUH/30MBc1DlSWJJycYDlH7BEb3aGI0+gAXk/IAgKJYw3++32QJgSeGuFjAkvPX0V+lQ9ObyDLnAdgEIbkojJQMFblAhMdNFmnluFRkBMvXIq0mibSuSjlSEvl3OYXSDlmKBbkgCHIlqaYgbpLFlvhxLu6NjRRTuuAzatXqEXev8IAl7u7BDPwgTbKpVHY4whKWEopcPXCLlNBq4dZfa9z6DSwRrP/4DS81eiZt1NPiraS3FP1Gyd2vPW4tr3wctOA7k5FfxXidDrXHn9hWBW2pUKbJdGYx04J+gb6o+07h7cKGUcKtzc8e7uQPuRCGrH2Vnz2rX5b/bNCq1WWKXAk21g9PMi4xNZSCdTV8qcihPmyyd6N/boPG4/+r9W9/J6oqYIOcfcupb5RX+4MWmmxxupjPCVxBpvMTlHh+e9ZUi6tsrMi1hTBv1HEy5bPAcDUlO2yOhs1RYAsLT1jsWFv5WC6rVlstHOVT6Kjy9ussEQUcQY7MTCqCi2XOS9CRRaoFcjdYG0BhChOjZ3j51HtOj167s+G5Rx83PG9tmQuRZ34+McvJjCjmUvmVg/qiYltlYLsikKU4G8xPwOyPBuu1OyswjTm5+F8wJlNmTYStNgW7Q7vT6Q6u/4rObrFzsdPL/uAFqf7N9eDmunD0nEJJV2cuzVxRO0UPySK/JyQqNuTvk31fjfl8I7X9CP7Jw1mOvcNu/7P3PQAA//92JikohwcAAA==
 
 - path: /etc/systemd/system/teleportd.service
   permissions: "0644"

pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+CustomLinuxOSConfig/line222.sh

@@ -30,8 +30,8 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -48,4 +48,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF

pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+DynamicKubeletConfig/CustomData

@@ -219,7 +219,7 @@ write_files:
   owner: root
   encoding: gzip
   content: !!binary |
-    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIL7yTE7r1ZpvYhCiTqpWC+ueKcmHiA3EV7NR26Fjhu08hYYM23eik9Q6c4/M753mOjg8PwrFU4Zjb2PM8Gjs+TsiCOUxk4siAnaH99ZKddE+uB2xw0e+dXnbw9lMoaB6qLEk8OcFwiNpnMLpDE6PRR7iYlAcAFMUa/tP7JksIPDHExQKWnF9Ef5MOTW8iy5wHYBOE5KIwUjJU5AIRHjVZpJXjUpERLD+LtJok0roqcqQk8u9yCqUdshQLckEQ5CSppiBuksUW/CiHe2MjxZTO+YxatXrE3QtqwBK3d2AGfpAm2VQqOxxhCUsJRa4euEVKaLVw4xeMG7+BJYLij9/wUqNn0kY9LV4LvUX0G6Xufu1h63jl46AF35mM/CqNi3SoPfySbbVWWyqUaTKdWcy0oN9Iv/Z9x3i7sGGUcGvz3sOd/CEXwpC1L6pnT/dL+08HrVpdpshJsLG+f5RxiamhFKyr4UtFDvVhk70f/X8TNB7erYrf/k5UVcBGcvY9V31DXu0vtNBk193FfE7gCjKdH6OU54+9plpcZmNFri2EeaWJkymfBXZNfdT+TjXVGkQ6S8S6X0GOzEwqgotlLoGg/yxSLZADUABguJoSJkbP8Hwjey6EXruzkWiP0Wx4XlEyFyLP/HQJlssWUcyl8it373nFtcrAdkUgS3E6mB+D2Z8z02t3VmAac3LxGzAmU2ZNhK3JA7tFu9PpDq7+CWfX4hx2ctEfPIPqX18Nrq/WFT1VoVRXZy7N3No7RffJIh99EhUX8ifHfqiW+WyD2n7X/uYtLDfZYbf/5UcAAAD//4wWzb9ZBwAA
+    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIhfeVE/q+vdkmNiHKpGqloP65olyY+EBcBTu1HTpW+O5TQtigTTc6ab0D5/g8j3/n+PjwIBxLFY65jT3Po7Hj44QsmMNEJo4M2DnaX67Yaff0ZsAGl/3e2VUH/30MBc1DlSWJJycYDlH7BEb3aGI0+gAXk/IAgKJYw3++32QJgSeGuFjAkvPX0V+lQ9ObyDLnAdgEIbkojJQMFblAhMdNFmnluFRkBMvXIq0mibSuSjlSEvl3OYXSDlmKBbkgCHIlqaYgbpLFlvhxLu6NjRRTuuAzatXqEXev8IAl7u7BDPwgTbKpVHY4whKWEopcPXCLlNBq4dZfa9z6DSwRrP/4DS81eiZt1NPiraS3FP1Gyd2vPW4tr3wctOA7k5FfxXidDrXHn9hWBW2pUKbJdGYx04J+gb6o+07h7cKGUcKtzc8e7uQPuRCGrH2Vnz2rX5b/bNCq1WWKXAk21g9PMi4xNZSCdTV8qcihPmyyd6N/boPG4/+r9W9/J6oqYIOcfcupb5RX+4MWmmxxupjPCVxBpvMTlHh+e9ZUi6tsrMi1hTBv1HEy5bPAcDUlO2yOhs1RYAsLT1jsWFv5WC6rVlstHOVT6Kjy9ussEQUcQY7MTCqCi2XOS9CRRaoFcjdYG0BhChOjZ3j51HtOj167s+G5Rx83PG9tmQuRZ34+McvJjCjmUvmVg/qiYltlYLsikKU4G8xPwOyPBuu1OyswjTm5+F8wJlNmTYStNgW7Q7vT6Q6u/4rObrFzsdPL/uAFqf7N9eDmunD0nEJJV2cuzVxRO0UPySK/JyQqNuTvk31fjfl8I7X9CP7Jw1mOvcNu/7P3PQAA//92JikohwcAAA==
 
 - path: /etc/systemd/system/teleportd.service
   permissions: "0644"

pkg/agent/testdata/AKSUbuntu1604+CustomKubeletConfig+DynamicKubeletConfig/line222.sh

@@ -30,8 +30,8 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -48,4 +48,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF

pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=false/CustomData

@@ -219,7 +219,7 @@ write_files:
   owner: root
   encoding: gzip
   content: !!binary |
-    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIL7yTE7r1ZpvYhCiTqpWC+ueKcmHiA3EV7NR26Fjhu08hYYM23eik9Q6c4/M753mOjg8PwrFU4Zjb2PM8Gjs+TsiCOUxk4siAnaH99ZKddE+uB2xw0e+dXnbw9lMoaB6qLEk8OcFwiNpnMLpDE6PRR7iYlAcAFMUa/tP7JksIPDHExQKWnF9Ef5MOTW8iy5wHYBOE5KIwUjJU5AIRHjVZpJXjUpERLD+LtJok0roqcqQk8u9yCqUdshQLckEQ5CSppiBuksUW/CiHe2MjxZTO+YxatXrE3QtqwBK3d2AGfpAm2VQqOxxhCUsJRa4euEVKaLVw4xeMG7+BJYLij9/wUqNn0kY9LV4LvUX0G6Xufu1h63jl46AF35mM/CqNi3SoPfySbbVWWyqUaTKdWcy0oN9Iv/Z9x3i7sGGUcGvz3sOd/CEXwpC1L6pnT/dL+08HrVpdpshJsLG+f5RxiamhFKyr4UtFDvVhk70f/X8TNB7erYrf/k5UVcBGcvY9V31DXu0vtNBk193FfE7gCjKdH6OU54+9plpcZmNFri2EeaWJkymfBXZNfdT+TjXVGkQ6S8S6X0GOzEwqgotlLoGg/yxSLZADUABguJoSJkbP8Hwjey6EXruzkWiP0Wx4XlEyFyLP/HQJlssWUcyl8it373nFtcrAdkUgS3E6mB+D2Z8z02t3VmAac3LxGzAmU2ZNhK3JA7tFu9PpDq7+CWfX4hx2ctEfPIPqX18Nrq/WFT1VoVRXZy7N3No7RffJIh99EhUX8ifHfqiW+WyD2n7X/uYtLDfZYbf/5UcAAAD//4wWzb9ZBwAA
+    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIhfeVE/q+vdkmNiHKpGqloP65olyY+EBcBTu1HTpW+O5TQtigTTc6ab0D5/g8j3/n+PjwIBxLFY65jT3Po7Hj44QsmMNEJo4M2DnaX67Yaff0ZsAGl/3e2VUH/30MBc1DlSWJJycYDlH7BEb3aGI0+gAXk/IAgKJYw3++32QJgSeGuFjAkvPX0V+lQ9ObyDLnAdgEIbkojJQMFblAhMdNFmnluFRkBMvXIq0mibSuSjlSEvl3OYXSDlmKBbkgCHIlqaYgbpLFlvhxLu6NjRRTuuAzatXqEXev8IAl7u7BDPwgTbKpVHY4whKWEopcPXCLlNBq4dZfa9z6DSwRrP/4DS81eiZt1NPiraS3FP1Gyd2vPW4tr3wctOA7k5FfxXidDrXHn9hWBW2pUKbJdGYx04J+gb6o+07h7cKGUcKtzc8e7uQPuRCGrH2Vnz2rX5b/bNCq1WWKXAk21g9PMi4xNZSCdTV8qcihPmyyd6N/boPG4/+r9W9/J6oqYIOcfcupb5RX+4MWmmxxupjPCVxBpvMTlHh+e9ZUi6tsrMi1hTBv1HEy5bPAcDUlO2yOhs1RYAsLT1jsWFv5WC6rVlstHOVT6Kjy9ussEQUcQY7MTCqCi2XOS9CRRaoFcjdYG0BhChOjZ3j51HtOj167s+G5Rx83PG9tmQuRZ34+McvJjCjmUvmVg/qiYltlYLsikKU4G8xPwOyPBuu1OyswjTm5+F8wJlNmTYStNgW7Q7vT6Q6u/4rObrFzsdPL/uAFqf7N9eDmunD0nEJJV2cuzVxRO0UPySK/JyQqNuTvk31fjfl8I7X9CP7Jw1mOvcNu/7P3PQAA//92JikohwcAAA==
 
 - path: /etc/systemd/system/teleportd.service
   permissions: "0644"

pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=false/line222.sh

@@ -30,8 +30,8 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -48,4 +48,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF

pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=true/CustomData

@@ -219,7 +219,7 @@ write_files:
   owner: root
   encoding: gzip
   content: !!binary |
-    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIL7yTE7r1ZpvYhCiTqpWC+ueKcmHiA3EV7NR26Fjhu08hYYM23eik9Q6c4/M753mOjg8PwrFU4Zjb2PM8Gjs+TsiCOUxk4siAnaH99ZKddE+uB2xw0e+dXnbw9lMoaB6qLEk8OcFwiNpnMLpDE6PRR7iYlAcAFMUa/tP7JksIPDHExQKWnF9Ef5MOTW8iy5wHYBOE5KIwUjJU5AIRHjVZpJXjUpERLD+LtJok0roqcqQk8u9yCqUdshQLckEQ5CSppiBuksUW/CiHe2MjxZTO+YxatXrE3QtqwBK3d2AGfpAm2VQqOxxhCUsJRa4euEVKaLVw4xeMG7+BJYLij9/wUqNn0kY9LV4LvUX0G6Xufu1h63jl46AF35mM/CqNi3SoPfySbbVWWyqUaTKdWcy0oN9Iv/Z9x3i7sGGUcGvz3sOd/CEXwpC1L6pnT/dL+08HrVpdpshJsLG+f5RxiamhFKyr4UtFDvVhk70f/X8TNB7erYrf/k5UVcBGcvY9V31DXu0vtNBk193FfE7gCjKdH6OU54+9plpcZmNFri2EeaWJkymfBXZNfdT+TjXVGkQ6S8S6X0GOzEwqgotlLoGg/yxSLZADUABguJoSJkbP8Hwjey6EXruzkWiP0Wx4XlEyFyLP/HQJlssWUcyl8it373nFtcrAdkUgS3E6mB+D2Z8z02t3VmAac3LxGzAmU2ZNhK3JA7tFu9PpDq7+CWfX4hx2ctEfPIPqX18Nrq/WFT1VoVRXZy7N3No7RffJIh99EhUX8ifHfqiW+WyD2n7X/uYtLDfZYbf/5UcAAAD//4wWzb9ZBwAA
+    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIhfeVE/q+vdkmNiHKpGqloP65olyY+EBcBTu1HTpW+O5TQtigTTc6ab0D5/g8j3/n+PjwIBxLFY65jT3Po7Hj44QsmMNEJo4M2DnaX67Yaff0ZsAGl/3e2VUH/30MBc1DlSWJJycYDlH7BEb3aGI0+gAXk/IAgKJYw3++32QJgSeGuFjAkvPX0V+lQ9ObyDLnAdgEIbkojJQMFblAhMdNFmnluFRkBMvXIq0mibSuSjlSEvl3OYXSDlmKBbkgCHIlqaYgbpLFlvhxLu6NjRRTuuAzatXqEXev8IAl7u7BDPwgTbKpVHY4whKWEopcPXCLlNBq4dZfa9z6DSwRrP/4DS81eiZt1NPiraS3FP1Gyd2vPW4tr3wctOA7k5FfxXidDrXHn9hWBW2pUKbJdGYx04J+gb6o+07h7cKGUcKtzc8e7uQPuRCGrH2Vnz2rX5b/bNCq1WWKXAk21g9PMi4xNZSCdTV8qcihPmyyd6N/boPG4/+r9W9/J6oqYIOcfcupb5RX+4MWmmxxupjPCVxBpvMTlHh+e9ZUi6tsrMi1hTBv1HEy5bPAcDUlO2yOhs1RYAsLT1jsWFv5WC6rVlstHOVT6Kjy9ussEQUcQY7MTCqCi2XOS9CRRaoFcjdYG0BhChOjZ3j51HtOj167s+G5Rx83PG9tmQuRZ34+McvJjCjmUvmVg/qiYltlYLsikKU4G8xPwOyPBuu1OyswjTm5+F8wJlNmTYStNgW7Q7vT6Q6u/4rObrFzsdPL/uAFqf7N9eDmunD0nEJJV2cuzVxRO0UPySK/JyQqNuTvk31fjfl8I7X9CP7Jw1mOvcNu/7P3PQAA//92JikohwcAAA==
 
 - path: /etc/systemd/system/teleportd.service
   permissions: "0644"

pkg/agent/testdata/AKSUbuntu1604+Disable1804SystemdResolved=true/line222.sh

@@ -30,8 +30,8 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -48,4 +48,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF

pkg/agent/testdata/AKSUbuntu1604+Docker/CustomData

@@ -219,7 +219,7 @@ write_files:
   owner: root
   encoding: gzip
   content: !!binary |
-    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIL7yTE7r1ZpvYhCiTqpWC+ueKcmHiA3EV7NR26Fjhu08hYYM23eik9Q6c4/M753mOjg8PwrFU4Zjb2PM8Gjs+TsiCOUxk4siAnaH99ZKddE+uB2xw0e+dXnbw9lMoaB6qLEk8OcFwiNpnMLpDE6PRR7iYlAcAFMUa/tP7JksIPDHExQKWnF9Ef5MOTW8iy5wHYBOE5KIwUjJU5AIRHjVZpJXjUpERLD+LtJok0roqcqQk8u9yCqUdshQLckEQ5CSppiBuksUW/CiHe2MjxZTO+YxatXrE3QtqwBK3d2AGfpAm2VQqOxxhCUsJRa4euEVKaLVw4xeMG7+BJYLij9/wUqNn0kY9LV4LvUX0G6Xufu1h63jl46AF35mM/CqNi3SoPfySbbVWWyqUaTKdWcy0oN9Iv/Z9x3i7sGGUcGvz3sOd/CEXwpC1L6pnT/dL+08HrVpdpshJsLG+f5RxiamhFKyr4UtFDvVhk70f/X8TNB7erYrf/k5UVcBGcvY9V31DXu0vtNBk193FfE7gCjKdH6OU54+9plpcZmNFri2EeaWJkymfBXZNfdT+TjXVGkQ6S8S6X0GOzEwqgotlLoGg/yxSLZADUABguJoSJkbP8Hwjey6EXruzkWiP0Wx4XlEyFyLP/HQJlssWUcyl8it373nFtcrAdkUgS3E6mB+D2Z8z02t3VmAac3LxGzAmU2ZNhK3JA7tFu9PpDq7+CWfX4hx2ctEfPIPqX18Nrq/WFT1VoVRXZy7N3No7RffJIh99EhUX8ifHfqiW+WyD2n7X/uYtLDfZYbf/5UcAAAD//4wWzb9ZBwAA
+    H4sIAAAAAAAA/7yVX2/aPBTG7/MpnqZIhfeVE/q+vdkmNiHKpGqloP65olyY+EBcBTu1HTpW+O5TQtigTTc6ab0D5/g8j3/n+PjwIBxLFY65jT3Po7Hj44QsmMNEJo4M2DnaX67Yaff0ZsAGl/3e2VUH/30MBc1DlSWJJycYDlH7BEb3aGI0+gAXk/IAgKJYw3++32QJgSeGuFjAkvPX0V+lQ9ObyDLnAdgEIbkojJQMFblAhMdNFmnluFRkBMvXIq0mibSuSjlSEvl3OYXSDlmKBbkgCHIlqaYgbpLFlvhxLu6NjRRTuuAzatXqEXev8IAl7u7BDPwgTbKpVHY4whKWEopcPXCLlNBq4dZfa9z6DSwRrP/4DS81eiZt1NPiraS3FP1Gyd2vPW4tr3wctOA7k5FfxXidDrXHn9hWBW2pUKbJdGYx04J+gb6o+07h7cKGUcKtzc8e7uQPuRCGrH2Vnz2rX5b/bNCq1WWKXAk21g9PMi4xNZSCdTV8qcihPmyyd6N/boPG4/+r9W9/J6oqYIOcfcupb5RX+4MWmmxxupjPCVxBpvMTlHh+e9ZUi6tsrMi1hTBv1HEy5bPAcDUlO2yOhs1RYAsLT1jsWFv5WC6rVlstHOVT6Kjy9ussEQUcQY7MTCqCi2XOS9CRRaoFcjdYG0BhChOjZ3j51HtOj167s+G5Rx83PG9tmQuRZ34+McvJjCjmUvmVg/qiYltlYLsikKU4G8xPwOyPBuu1OyswjTm5+F8wJlNmTYStNgW7Q7vT6Q6u/4rObrFzsdPL/uAFqf7N9eDmunD0nEJJV2cuzVxRO0UPySK/JyQqNuTvk31fjfl8I7X9CP7Jw1mOvcNu/7P3PQAA//92JikohwcAAA==
 
 - path: /etc/systemd/system/teleportd.service
   permissions: "0644"

pkg/agent/testdata/AKSUbuntu1604+Docker/line222.sh

@@ -30,8 +30,8 @@ if [[ -z "${bridgeIP}" ]]; then
     exit 1
 fi
 
-podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
-if [[ -z "${podSubnetAddr}" ]]; then
+podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.ranges[0][0].subnet")
+if [[ -z "${podSubnetAddr}" || "${podSubnetAddr}" == 'null' ]]; then
     echo "could not determine this node's pod ipam subnet range from 10-containerd-net.conflist...exiting early"
     exit 1
 fi
@@ -48,4 +48,4 @@ echo "outputting newly added AKS-DEDUP-PROMISC rules:"
 ebtables -t filter -L OUTPUT 2>/dev/null
 ebtables -t filter -L AKS-DEDUP-PROMISC 2>/dev/null
 exit 0
-#EOF
+#EOF