Configure dual stack or IPv6 only

Big picture

Configure Calico IP address allocation to use dual stack or IPv6 only for workload communications.

Value

Workload communication over IPv6 is increasingly desirable, as well as or instead of IPv4. Calico supports:

  • IPv4 only (default)

    Each workload gets an IPv4 address, and can communicate over IPv4.

  • Dual stack

    Each workload gets an IPv4 and an IPv6 address, and can communicate over IPv4 or IPv6.

  • IPv6 only

    Each workload gets an IPv6 address, and can communicate over IPv6.

Features

This how-to guide uses the following Calico features:

  • CNI plugin configuration with assign_ipv6 and assign_ipv4 flags
  • IPPool

Before you begin

Calico requirements

  • Calico IPAM

Kubernetes version requirements

  • For dual stack, 1.16 and later
  • For one IP stack at a time (IPv4 or IPv6), any Kubernetes version

Kubernetes IPv6 host requirements

  • An IPv6 address that is reachable from the other hosts
  • The sysctl setting, net.ipv6.conf.all.forwarding, is set to 1. This ensures both Kubernetes service traffic and Calico traffic is forwarded appropriately.
  • A default IPv6 route

Kubernetes IPv4 host requirements

  • An IPv4 address that is reachable from the other hosts
  • The sysctl setting, net.ipv4.conf.all.forwarding, is set to 1. This ensures both Kubernetes service traffic and Calico traffic is forwarded appropriately.
  • A default IPv4 route

How to

Configure dual stack or IPv6 only - 图1note

The following tasks are only for new clusters.

Enable IPv6 only

  • Operator
  • Manifest

To configure an IPv6-only cluster using the operator, edit your default Installation at install time to include a single IPv6 pool, and no IPv4 pools. For example:

  1. apiVersion: operator.tigera.io/v1
  2. kind: Installation
  3. metadata:
  4.   name: default
  5. spec:
  6.   calicoNetwork:
  7.      # Note: The ipPools section cannot be modified post-install.
  8.     ipPools:
  9.       - blockSize: 122
  10.         cidr: 2001::00/64
  11.         encapsulation: None
  12.         natOutgoing: Enabled
  13.         nodeSelector: all()

  1. Set up a new Kubernetes cluster with an IPv6 pod CIDR and service IP range.

  2. Using the Calico Kubernetes install guide, download the correct Calico manifest for the cluster and datastore type.

  3. Edit the CNI config (calico-config ConfigMap in the manifest) to disable IPv4 assignments and enable IPv6 assignments.

    1.     "ipam": {
    2.         "type": "calico-ipam",
    3.         "assign_ipv4": "false",
    4.         "assign_ipv6": "true"
    5.     },

  4. Configure IPv6 support by adding the following variable settings to the environment for the calico-node container:

    Variable nameValue
    IP6autodetect
    FELIX_IPV6SUPPORTtrue

    Configure dual stack or IPv6 only - 图2note

    If your IPv6 IP pools include private IP addresses, pods that are assigned private IP addresses cannot perform outbound NAT by default.

    To enable outbound NAT for these pods, add CALICO_IPV6POOL_NAT_OUTGOING: true to the environment of the calico-node container.

  5. For clusters not provisioned with kubeadm (see note below), configure the default IPv6 IP pool by adding the following variable setting to the environment for the calico-node container:

    Variable nameValue
    CALICO_IPV6POOL_CIDRthe same as the IPv6 range you configured as the cluster CIDR to kube-controller-manager and kube-proxy

    Configure dual stack or IPv6 only - 图3note

    For clusters provisioned with kubeadm, Calico autodetects the IPv4 and IPv6 pod CIDRs and does not require configuration.

  6. Apply the edited manifest with kubectl apply -f.

    New pods will get IPv6 addresses, and can communicate with each other and the outside world over IPv6.

(Optional) Update host to not look for IPv4 addresses

If you want your workloads to have IPv6 addresses only, because you do not have IPv4 addresses or connectivity between your nodes, complete these additional steps to tell Calico not to look for any IPv4 addresses.

  1. Disable IP autodetection of IPv4 by setting IP to none.
  2. Calculate the Calico BGP router ID for IPv6 using either of the following methods.
    • Set the environment variable CALICO_ROUTER_ID=hash on calico/node. This configures Calico to calculate the router ID based on the hostname.
    • Pass a unique value for CALICO_ROUTER_ID to each node individually.

Enable dual stack

  1. Set up a new cluster following the Kubernetes prerequisites and enablement steps.
  • Operator
  • Manifest

To configure dual-stack cluster using the operator, edit your default Installation at install time to include both an IPv4 and IPv6 pool. For example:

  1. apiVersion: operator.tigera.io/v1
  2. kind: Installation
  3. metadata:
  4.   name: default
  5. spec:
  6.    # Configures Calico networking.
  7.   calicoNetwork:
  8.      # Note: The ipPools section cannot be modified post-install.
  9.     ipPools:
  10.       - blockSize: 26
  11.         cidr: 10.48.0.0/21
  12.         encapsulation: IPIP
  13.         natOutgoing: Enabled
  14.         nodeSelector: all()
  15.       - blockSize: 122
  16.         cidr: 2001::00/64
  17.         encapsulation: None
  18.         natOutgoing: Enabled
  19.         nodeSelector: all()

  1. Using the Calico Kubernetes install guide, download the correct Calico manifest for the cluster and datastore type.

  2. Edit the CNI config (calico-config ConfigMap in the manifest), and enable IPv4 and IPv6 address allocation by setting both fields to true.

    1.     "ipam": {
    2.         "type": "calico-ipam",
    3.         "assign_ipv4": "true",
    4.         "assign_ipv6": "true"
    5.     },

  3. Configure IPv6 support by adding the following variable settings to the environment for the calico-node container:

    Variable nameValue
    IP6autodetect
    FELIX_IPV6SUPPORTtrue

    Configure dual stack or IPv6 only - 图4note

    If your IPv6 IP pools include private IP addresses, pods that are assigned private IP addresses cannot perform outbound NAT by default.

    To enable outbound NAT for these pods, add CALICO_IPV6POOL_NAT_OUTGOING: true to the environment of the calico-node container.

  4. For clusters not provisioned with kubeadm (see note below), configure the default IPv6 IP pool by adding the following variable setting to the environment for the calico-node container:

    Variable nameValue
    CALICO_IPV6POOL_CIDRthe same as the IPv6 range you configured as the IPv6 cluster CIDR to kube-controller-manager and kube-proxy

    Configure dual stack or IPv6 only - 图5note

    For clusters provisioned with kubeadm, Calico autodetects the IPv4 and IPv6 pod CIDRs and does not require configuration.

  5. Apply the edited manifest with kubectl apply -f.

    New pods will get both IPv4 and IPv6 addresses, and can communicate with each other and the outside world over IPv4 or IPv6.

Additional resources