Kubernetes – kube-proxy NodePort with IPv6

calico ipv6 kubeadm kubernetes linux-networking

I am trying to expose a service using NodePort on an on-premise bare-metal Kubernetes (1.17) cluster (Calico for CNI and CRI-O 1.17).

  • All nodes (Ubuntu 18.04) have IPv4 and IPv6 addresses and are reachable (e.g. ssh) using both
  • Kubernetes has been initiated using kubeadm with IPv4
  • An nginx test deployment is running and made reachable using a service with NodePort

I can curl the service using IPv4 successfully but not using IPv6 (connection is established but nothing is transferred).

kubectl describe svc/example-service

Name:                     example-service
Namespace:                default
Labels:                   <none>
Annotations:              <none>
Selector:                 app=helloworld
Type:                     NodePort
IP:                       10.97.69.135
Port:                     <unset>  5000/TCP
TargetPort:               5000/TCP
NodePort:                 <unset>  32042/TCP
Endpoints:                10.10.166.132:5000
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

On the host running this deployment:

netstat -tulpen|grep ':32042'

tcp6       0      0 :::32042                :::*                    LISTEN      0          10276301   2314/kube-proxy  

kube-proxy obviously binds to tcp6 (with tcp4 compatibility mode) – therefore the connection can be established – but there is no data transferred using tcp6 (curl -6); tcp4 (curl -4) works as expected.

Does a cluster have to be configured in dual stack or IPv6 mode to receive IPv4 and IPv6 requests (e.g. via NodePort)?

Best Answer

Yes, that is what dual stack is for. It enables allocation of IPv6 and IPv4 addresses. Without it the pods and services won't be reachable from one or the other IP protocol. DNS resolution is not enough for proper network connectivity if the IP protocol cannot be handled.

According to kubernetes documentation:

IPv4/IPv6 dual-stack

FEATURE STATE: Kubernetes v1.16 alpha

IPv4/IPv6 dual-stack enables the allocation of both IPv4 and IPv6 addresses to Pods and Services.

If you enable IPv4/IPv6 dual-stack networking for your Kubernetes cluster, the cluster will support the simultaneous assignment of both IPv4 and IPv6 addresses.

Please note that this is an alpha feature and is not suitable for production environments.


An alternative approach would be to use an IPv6 termination model, where IPv6 traffic is sent via proxies to IPv4 backends inside the cluster network. Example from GCP documentation.


Update:

It is possible to use ONLY IPv6 without IPv4 with calico. However there are some limitations.

According to calico documentation:

  • Currently Kubernetes supports only one IP stack version at a time. This means that if you configure Kubernetes for IPv6 then Calico should be configured to assign only IPv6 addresses.
  • The steps and setup here have not been tested against an existing IPv4 cluster and are intended only for new clusters.

To enable IPv6 only in a Kubernetes cluster, use this guide.

Hope it helps.
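
The symptom in the question can be checked on the node, shown here as an added example that is not part of the original question or answer: in iptables mode kube-proxy's listening socket only reserves the NodePort, while forwarding is done by NAT rules programmed per IP family, so the script reports which families have a KUBE-NODEPORTS rule for a port. It assumes kube-proxy's default iptables mode; the function names and the sample rule dumps are constructed for illustration.

```shell
# Added example, not from the original post. Assumes kube-proxy in iptables
# mode (its default), where the socket seen in netstat only reserves the
# NodePort and forwarding is done by NAT rules programmed per IP family.

# has_nodeport_rule PORT DUMP_FILE
# True if the nat-table dump jumps from KUBE-NODEPORTS to a service chain
# for PORT. The space after the port keeps 3204 from matching 32042.
has_nodeport_rule() {
    grep -Eq -e "^-A KUBE-NODEPORTS .*--dport $1 .*-j KUBE-SVC-" "$2"
}

# nodeport_families PORT V4_DUMP V6_DUMP
# V4_DUMP and V6_DUMP hold the output of `iptables-save -t nat` and
# `ip6tables-save -t nat` from the node. Prints the families that forward PORT.
nodeport_families() {
    families=""
    if has_nodeport_rule "$1" "$2"; then families="ipv4"; fi
    if has_nodeport_rule "$1" "$3"; then families="${families:+$families }ipv6"; fi
    echo "${families:-none}"
}

# Constructed sample dumps for a single-stack IPv4 cluster like the one in the
# question: the IPv4 nat table has NodePort rules, the IPv6 one has none.
sample_v4_dump() {
    cat <<'EOF'
*nat
:KUBE-NODEPORTS - [0:0]
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/example-service:" -m tcp --dport 32042 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/example-service:" -m tcp --dport 32042 -j KUBE-SVC-EXAMPLE000000000
COMMIT
EOF
}

sample_v6_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Demo on the constructed input; on a node, save the real dumps to files instead.
demo_dir=$(mktemp -d)
sample_v4_dump > "$demo_dir/v4.nat"
sample_v6_dump > "$demo_dir/v6.nat"
echo "NodePort 32042 forwarded for: $(nodeport_families 32042 "$demo_dir/v4.nat" "$demo_dir/v6.nat")"
rm -rf "$demo_dir"
```

A result of `ipv4` alone, together with a `tcp6` listener in netstat, matches the behaviour described in the question: the IPv6 connection is accepted by the placeholder socket but nothing forwards it to the pod.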
