Container Service for Kubernetes: Allocate IPv6 Internet bandwidth to a pod

Last Updated: Mar 05, 2024

By default, IPv6 addresses can be used only for communication over internal networks. To use an IPv6 address for communication over the Internet, you must create an IPv6 gateway and allocate IPv6 Internet bandwidth to the pod that uses the IPv6 address. This topic describes how to configure Internet bandwidth and egress-only rules for a pod that uses an IPv6 address in a Container Service for Kubernetes (ACK) cluster.

Prerequisites

Important

Only some Elastic Compute Service (ECS) instance types support IPv6. For more information, see Instance families.

Background information

For more information about IPv6 gateways, see What is an IPv6 gateway?

Limits

  • You cannot allocate IPv6 Internet bandwidth to pods in ACK Edge clusters or ASI clusters.

  • The bandwidth and the number of egress-only rules supported by an IPv6 gateway vary based on the gateway specifications. For more information, see Limits.

Enable an IPv6 gateway by modifying the configuration of ack-extend-network-controller

ack-extend-network-controller needs to call the APIs of Alibaba Cloud services to create cloud resources. You must first grant the required Resource Access Management (RAM) permissions to ack-extend-network-controller and then install ack-extend-network-controller from the Marketplace page of the ACK console. Then, you can add annotations to a pod to create an IPv6 gateway and associate it with the pod. To do this, perform the following steps:

Step 1: Grant RAM permissions on DNAT

  • For ACK clusters:

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.

    3. On the Cluster Information page, click the Cluster Resources tab, and then click the hyperlink next to Worker RAM Role.

    4. Create a custom policy and add the following content to the policy. For more information, see Step 1: Create a custom policy.

      {
        "Effect": "Allow",
        "Action": [
          "vpc:DescribeIpv6Addresses",
          "vpc:CreateIpv6EgressOnlyRule",
          "vpc:DeleteIpv6EgressOnlyRule",
          "vpc:DescribeIpv6EgressOnlyRules",
          "vpc:AllocateIpv6InternetBandwidth",
          "vpc:DeleteIpv6InternetBandwidth"
        ],
        "Resource": [
          "*"
        ],
        "Condition": {}
      }
    5. Grant permissions to the worker role of the cluster. For more information, see Step 2: Attach the custom policy to the worker RAM role.

  • For ACK Serverless clusters:

    Generate an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create custom policies.

Step 2: Enable the natgw controller for ack-extend-network-controller

Install ack-extend-network-controller and enable the natgw controller. For more information about how to install ack-extend-network-controller from the marketplace, see App Marketplace.

Configure the following parameters for the natgw controller:

clusterID: "c11ba338192xxxxxxx"          # Replace with the actual value. 
regionID: "cn-hangzhou"                  # Replace with the actual value. 
vpcID: "vpc-bp1rkq0zxxxxxx"              # Replace with the actual value. 
enableControllers:
  - ipv6gw                               # Enable the IPv6 gateway. 
networkController:
  ipv6GatewayController:
    maxConcurrentReconciles: 10          # The maximum number of concurrent reconciliations for the controller. 

credential:                               # Specify an AccessKey pair. For ACK clusters, we recommend that you use the RamRole mode. 
  accessKey: ""
  accessSecret: ""

Allocate Internet IPv6 bandwidth to the pod and configure egress-only rules

Add the following annotations to the pod to allocate Internet IPv6 bandwidth, specify the metering method, and configure egress-only rules.

| Pod Annotations | Value |
| --- | --- |
| k8s.aliyun.com/ipv6-bandwidth | The Internet bandwidth of the IPv6 gateway. Unit: Mbit/s. Valid values: 1 to 5000. For more information, see AllocateIpv6InternetBandwidth. |
| k8s.aliyun.com/ipv6-internet-charge-type | The metering method of the Internet bandwidth of the IPv6 gateway. Valid values: PayByTraffic (pay-by-data-transfer) and PayByBandwidth (default; pay-by-bandwidth). For more information, see AllocateIpv6InternetBandwidth. |
| k8s.aliyun.com/ipv6-egress-only | Create egress-only rules. |
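
The following is an added example, not code from this page or from ack-extend-network-controller: a Python pre-deployment check that validates a pod template's annotation map against the annotations and valid values listed above. The function name `check_ipv6_annotations`, the sample maps, and the choice to warn when bandwidth is requested without `k8s.aliyun.com/ipv6-egress-only` are assumptions of this example.

```python
# Annotation keys and valid values as listed on this page.
BANDWIDTH = "k8s.aliyun.com/ipv6-bandwidth"
CHARGE_TYPE = "k8s.aliyun.com/ipv6-internet-charge-type"
EGRESS_ONLY = "k8s.aliyun.com/ipv6-egress-only"
VALID_CHARGE_TYPES = {"PayByTraffic", "PayByBandwidth"}


def check_ipv6_annotations(annotations):
    """Return (errors, warnings) for one pod template's annotation map."""
    errors, warnings = [], []
    if BANDWIDTH not in annotations:
        return errors, warnings  # no Internet bandwidth requested
    raw = annotations[BANDWIDTH]
    if not isinstance(raw, str):
        # Kubernetes annotation values must be strings; an unquoted 10 in YAML is an int.
        errors.append(f"{BANDWIDTH}: value {raw!r} must be a quoted string")
    elif not (raw.isascii() and raw.isdigit() and 1 <= int(raw) <= 5000):
        errors.append(f"{BANDWIDTH}: {raw!r} is not an integer from 1 to 5000 (Mbit/s)")
    charge = annotations.get(CHARGE_TYPE, "PayByBandwidth")  # documented default
    if charge not in VALID_CHARGE_TYPES:
        errors.append(f"{CHARGE_TYPE}: {charge!r} is not one of {sorted(VALID_CHARGE_TYPES)}")
    if EGRESS_ONLY not in annotations:
        # Policy choice of this example: bandwidth without an egress-only rule is flagged for review.
        warnings.append(f"{BANDWIDTH} is set but {EGRESS_ONLY} is not")
    return errors, warnings


# Constructed samples: the annotations used in this page's Deployment, then a deliberately bad set.
PAGE_EXAMPLE = {BANDWIDTH: "10", EGRESS_ONLY: ""}
BAD_EXAMPLE = {BANDWIDTH: "6000", CHARGE_TYPE: "PayByData"}

if __name__ == "__main__":
    for name, ann in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        errs, warns = check_ipv6_annotations(ann)
        print(name, "errors:", errs, "warnings:", warns)
```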

Use the ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

  3. In the upper-right part of the Deployments page, click Create from YAML. Then, copy the following YAML content to Template and click Create.

    In this example, the Internet IPv6 bandwidth allocated to the pod is 10 Mbit/s and egress-only rules are created.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
      labels:
        app: example
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
          annotations:
            k8s.aliyun.com/ipv6-bandwidth: "10" # Set the Internet bandwidth of the IPv6 gateway to 10 Mbit/s. 
            k8s.aliyun.com/ipv6-egress-only: "" # Create egress-only rules. 
        spec:
          containers:
          - name: example
            image: nginx
  4. On the Deployments page, click the Deployment named example to go to the basic information page. On the basic information page of the example Deployment, you can view the name of the pod.

  5. Run the following command to query the podipv6gws.alibabacloud.com resource that uses the same name as the pod. You can view the allocated bandwidth and egress-only rules.

    kubectl get podipv6gws.alibabacloud.com  -oyaml example-674b897446-q****

    Expected output:

    apiVersion: alibabacloud.com/v1beta1
    kind: PodIPv6GW
    metadata:
      creationTimestamp: "2024-02-07T06:00:48Z"
      finalizers:
      - ipv6gw-controller.alibabacloud.com/finalizer
      generation: 1
      name: example-674b897446-q****
      namespace: default
      ownerReferences:
      - apiVersion: v1
        kind: Pod
        name: example-674b897446-q****
        uid: bdf86c45-7**5-4**4-b**3-9b****
      resourceVersion: "11488"
      uid: 78747d60-9**8-4**e-b**8-f7f7c****
    spec:
      bandwidth: 10
      egressOnlyRule: true
      ipv6Address: 2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx
    status:
      ipv6AddressID: ipv6-xxx
      ipv6EgressOnlyRuleID: ipv6py-xxx
      ipv6GatewayID: ipv6gw-xxx
      ipv6InternetBandwidthID: ipv6bw-xxx

Use kubectl

  1. Create a file named example.yaml and add the following content to the file:

    In this example, the Internet IPv6 bandwidth allocated to the pod is 10 Mbit/s and egress-only rules are created.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
      labels:
        app: example
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
          annotations:
            k8s.aliyun.com/ipv6-bandwidth: "10" # Set the Internet bandwidth of the IPv6 gateway to 10 Mbit/s. 
            k8s.aliyun.com/ipv6-egress-only: "" # Create egress-only rules. 
        spec:
          containers:
          - name: example
            image: nginx
  2. Run the following command to create resource objects:

    kubectl apply -f example.yaml

    Expected output:

    deployment.apps/example created
  3. Run the following command to query the name of the pod:

    kubectl get podipv6gws -n <Namespace of the example Deployment>
  4. Run the following command to query the podipv6gws.alibabacloud.com resource that uses the same name as the pod. You can view the allocated bandwidth and egress-only rules.

    kubectl get podipv6gws.alibabacloud.com  -oyaml example-674b897446-q****

    Expected output:

    apiVersion: alibabacloud.com/v1beta1
    kind: PodIPv6GW
    metadata:
      creationTimestamp: "2024-02-07T06:00:48Z"
      finalizers:
      - ipv6gw-controller.alibabacloud.com/finalizer
      generation: 1
      name: example-674b897446-q****
      namespace: default
      ownerReferences:
      - apiVersion: v1
        kind: Pod
        name: example-674b897446-q****
        uid: bdf86c45-7**5-4**4-b**3-9b****
      resourceVersion: "11488"
      uid: 78747d60-9**8-4**e-b**8-f7f7c****
    spec:
      bandwidth: 10
      egressOnlyRule: true
      ipv6Address: 2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx
    status:
      ipv6AddressID: ipv6-xxx
      ipv6EgressOnlyRuleID: ipv6py-xxx
      ipv6GatewayID: ipv6gw-xxx
      ipv6InternetBandwidthID: ipv6bw-xxx
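
An added example, not part of the original page or of the controller: a Python audit over the JSON form of the PodIPv6GW list (`kubectl get podipv6gws.alibabacloud.com -A -o json`) that reports pods with Internet bandwidth but no egress-only rule, and pods whose spec requests a rule while status carries no rule ID. The function name, the finding codes and the sample list are constructed for illustration; reading a missing `ipv6EgressOnlyRuleID` as "rule not created" is an assumption.

```python
import json

# Constructed sample in the shape of
# `kubectl get podipv6gws.alibabacloud.com -A -o json`; names, addresses and IDs are placeholders.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "example-a"},
     "spec": {"bandwidth": 10, "egressOnlyRule": True, "ipv6Address": "2001:db8::a"},
     "status": {"ipv6EgressOnlyRuleID": "ipv6py-xxx", "ipv6InternetBandwidthID": "ipv6bw-xxx"}},
    {"metadata": {"namespace": "default", "name": "example-b"},
     "spec": {"bandwidth": 100, "ipv6Address": "2001:db8::b"},
     "status": {"ipv6InternetBandwidthID": "ipv6bw-xxx"}},
    {"metadata": {"namespace": "staging", "name": "example-c"},
     "spec": {"bandwidth": 10, "egressOnlyRule": True, "ipv6Address": "2001:db8::c"},
     "status": {"ipv6InternetBandwidthID": "ipv6bw-xxx"}},
]})


def audit_pod_ipv6_gateways(listing):
    """Return (namespace/name, code, detail) findings for a PodIPv6GW list."""
    findings = []
    for item in listing.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        status = item.get("status") or {}  # status may be absent before reconciliation
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        addr = spec.get("ipv6Address", "?")
        if spec.get("egressOnlyRule") is not True:
            # Internet bandwidth is allocated but no egress-only rule was requested.
            findings.append((ref, "no-egress-only-rule",
                             f"{addr}: {spec.get('bandwidth')} Mbit/s, no egress-only rule"))
        elif not status.get("ipv6EgressOnlyRuleID"):
            # Requested in spec, but status records no rule ID (assumed: not created yet).
            findings.append((ref, "egress-only-rule-pending",
                             f"{addr}: spec requests a rule, status has no rule ID"))
    return findings


if __name__ == "__main__":
    for ref, code, detail in audit_pod_ipv6_gateways(json.loads(SAMPLE)):
        print(f"{ref}\t{code}\t{detail}")
```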

References

For more information about how to enable a pod to access an external network, see Configure a pod to access an external network.