By default, IPv6 addresses can be used only for communication over internal networks. To use an IPv6 address for communication over the Internet, you must create an IPv6 gateway and allocate IPv6 Internet bandwidth to the pod that uses the IPv6 address. This topic describes how to configure Internet bandwidth and egress-only rules for a pod that uses an IPv6 address in a Container Service for Kubernetes (ACK) cluster.
Prerequisites
An ACK managed cluster, ACK dedicated cluster, or ACK Serverless cluster is created. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster, and Create an ACK Serverless cluster. The cluster meets the following requirements:
IPv4/IPv6 dual stack is enabled.
Terway is installed in the ACK managed cluster or ACK dedicated cluster.
An IPv6 gateway is created in the virtual private cloud (VPC) of the cluster. You must create an IPv6 gateway before you can use the ipv6gw controller. For more information, see Create and manage an IPv6 gateway.
Only some Elastic Compute Service (ECS) instance types support IPv6. For more information, see Instance families.
Background information
For more information about IPv6 gateways, see What is an IPv6 gateway?
Limits
You cannot allocate IPv6 Internet bandwidth to pods in ACK Edge clusters or ASI clusters.
The bandwidth and the number of egress-only rules supported by an IPv6 gateway vary based on the gateway specifications. For more information, see Limits.
Enable the ipv6gw controller by modifying the configuration of ack-extend-network-controller
ack-extend-network-controller calls the APIs of Alibaba Cloud services to create cloud resources. You must first grant the required Resource Access Management (RAM) permissions to ack-extend-network-controller and then install ack-extend-network-controller from the Marketplace page of the ACK console. After that, you can add annotations to a pod so that the controller allocates Internet bandwidth on the IPv6 gateway and creates egress-only rules for the IPv6 address of the pod. (The IPv6 gateway itself must already exist in the VPC; see Prerequisites.) To do this, perform the following steps:
Step 1: Grant RAM permissions on IPv6 gateways
For ACK clusters:
Log on to the ACK console and click Clusters in the left-side navigation pane.
On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.
On the Cluster Information page, click the Cluster Resources tab, and then click the hyperlink next to Worker RAM Role.
Create a custom policy and add the following content to the policy. The policy lists the VPC API actions that the ipv6gw controller calls. For more information, see Step 1: Create a custom policy.
{
  "Effect": "Allow",
  "Action": [
    "vpc:DescribeIpv6Addresses",
    "vpc:CreateIpv6EgressOnlyRule",
    "vpc:DeleteIpv6EgressOnlyRule",
    "vpc:DescribeIpv6EgressOnlyRules",
    "vpc:AllocateIpv6InternetBandwidth",
    "vpc:DeleteIpv6InternetBandwidth"
  ],
  "Resource": [
    "*"
  ],
  "Condition": {}
}
Attach the custom policy to the worker RAM role of the cluster. For more information, see Step 2: Attach the custom policy to the worker RAM role.
For ACK Serverless clusters:
Create a RAM user, attach a custom policy with the same content as above to the RAM user, and generate an AccessKey pair for the RAM user. You specify this AccessKey pair in the credential section of the ack-extend-network-controller configuration in Step 2. For more information, see Create a RAM user and Create custom policies.
Step 2: Enable the ipv6gw controller for ack-extend-network-controller
Install ack-extend-network-controller and enable the ipv6gw controller. For more information about how to install ack-extend-network-controller from the marketplace, see App Marketplace.
Configure the following parameters for the ipv6gw controller:
clusterID: "c11ba338192xxxxxxx" # Replace with the actual value.
regionID: "cn-hangzhou" # Replace with the actual value.
vpcID: "vpc-bp1rkq0zxxxxxx" # Replace with the actual value.
enableControllers:
- ipv6gw # Enable the IPv6 gateway controller.
networkController:
  ipv6GatewayController:
    maxConcurrentReconciles: 10 # The maximum number of concurrent reconciliations for the controller.
credential: # AccessKey pair. For ACK managed and dedicated clusters, we recommend the RamRole mode: leave both fields empty and the controller uses the worker RAM role. For ACK Serverless clusters, specify the AccessKey pair of the RAM user created in Step 1.
  accessKey: ""
  accessSecret: ""
Allocate Internet IPv6 bandwidth to the pod and configure egress-only rules
Add the following annotations to the pod to allocate Internet IPv6 bandwidth, specify the metering method, and configure egress-only rules.
Pod annotation | Value |
k8s.aliyun.com/ipv6-bandwidth | The Internet bandwidth of the IPv6 gateway. Unit: Mbit/s. Valid values: 1 to 5000. For more information, see AllocateIpv6InternetBandwidth. |
k8s.aliyun.com/ipv6-internet-charge-type | The metering method of the Internet bandwidth of the IPv6 gateway. For the valid values, see AllocateIpv6InternetBandwidth. |
k8s.aliyun.com/ipv6-egress-only | Create an egress-only rule for the IPv6 address of the pod. Set the annotation with an empty string ("") as its value, as in the examples in this topic. With an egress-only rule, the pod can initiate connections to the Internet over IPv6 but cannot be reached from the Internet over IPv6. Omit the annotation only if the pod is meant to accept inbound IPv6 connections from the Internet. |
Use the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and open the Deployments page from the left-side navigation pane.
In the upper-right part of the Deployments page, click Create from YAML. Then, copy the following YAML content to Template and click Create.
In this example, the Internet IPv6 bandwidth allocated to the pod is 10 Mbit/s and egress-only rules are created.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  labels:
    app: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
      annotations:
        k8s.aliyun.com/ipv6-bandwidth: "10" # Set the Internet bandwidth of the IPv6 gateway to 10 Mbit/s.
        k8s.aliyun.com/ipv6-egress-only: "" # Create egress-only rules.
    spec:
      containers:
      - name: example
        image: nginx
On the Deployments page, click the Deployment named example to go to the basic information page. On the basic information page of the example Deployment, you can view the name of the pod.
Run the following command to query the podipv6gws.alibabacloud.com resource that uses the same name as the pod. You can view the allocated bandwidth and egress-only rules:
kubectl get podipv6gws.alibabacloud.com -oyaml example-674b897446-q****
Expected output:
apiVersion: alibabacloud.com/v1beta1
kind: PodIPv6GW
metadata:
  creationTimestamp: "2024-02-07T06:00:48Z"
  finalizers:
  - ipv6gw-controller.alibabacloud.com/finalizer
  generation: 1
  name: example-674b897446-q****
  namespace: default
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: example-674b897446-q****
    uid: bdf86c45-7**5-4**4-b**3-9b****
  resourceVersion: "11488"
  uid: 78747d60-9**8-4**e-b**8-f7f7c****
spec:
  bandwidth: 10
  egressOnlyRule: true
  ipv6Address: 2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx
status:
  ipv6AddressID: ipv6-xxx
  ipv6EgressOnlyRuleID: ipv6py-xxx
  ipv6GatewayID: ipv6gw-xxx
  ipv6InternetBandwidthID: ipv6bw-xxx
The status section is populated only after the controller has created the cloud resources. If status is empty or ipv6EgressOnlyRuleID is missing although spec.egressOnlyRule is true, the pod is not yet configured as intended; check the logs of ack-extend-network-controller and the RAM permissions granted in Step 1.
Use kubectl
Create a file named example.yaml and add the following content to the file:
In this example, the Internet IPv6 bandwidth allocated to the pod is 10 Mbit/s and egress-only rules are created.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  labels:
    app: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
      annotations:
        k8s.aliyun.com/ipv6-bandwidth: "10" # Set the Internet bandwidth of the IPv6 gateway to 10 Mbit/s.
        k8s.aliyun.com/ipv6-egress-only: "" # Create egress-only rules.
    spec:
      containers:
      - name: example
        image: nginx
Run the following command to create resource objects:
kubectl apply -f example.yaml
Expected output:
deployment.apps/example created
Run the following command to list the podipv6gws.alibabacloud.com resources in the namespace of the example Deployment. Each resource uses the same name as its pod, so the output also gives you the name of the pod:
kubectl get podipv6gws -n <Namespace of the example Deployment>
Run the following command to query the podipv6gws.alibabacloud.com resource that uses the same name as the pod. You can view the allocated bandwidth and egress-only rules:
kubectl get podipv6gws.alibabacloud.com -oyaml example-674b897446-q****
Expected output:
apiVersion: alibabacloud.com/v1beta1
kind: PodIPv6GW
metadata:
  creationTimestamp: "2024-02-07T06:00:48Z"
  finalizers:
  - ipv6gw-controller.alibabacloud.com/finalizer
  generation: 1
  name: example-674b897446-q****
  namespace: default
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: example-674b897446-q****
    uid: bdf86c45-7**5-4**4-b**3-9b****
  resourceVersion: "11488"
  uid: 78747d60-9**8-4**e-b**8-f7f7c****
spec:
  bandwidth: 10
  egressOnlyRule: true
  ipv6Address: 2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx
status:
  ipv6AddressID: ipv6-xxx
  ipv6EgressOnlyRuleID: ipv6py-xxx
  ipv6GatewayID: ipv6gw-xxx
  ipv6InternetBandwidthID: ipv6bw-xxx
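The following script is an added example; it is not part of this topic and not code from ack-extend-network-controller. It covers two points above: it checks the pod annotations from the annotation table before a Deployment is applied (bandwidth is an integer in 1 to 5000, the egress-only annotation is present), and it classifies PodIPv6GW objects, as returned by kubectl get podipv6gws -ojson, as ready, pending or deleting. The readiness rule (every ID that the controller writes to status is present, including ipv6EgressOnlyRuleID when spec.egressOnlyRule is true) is this example's own assumption. The sample objects are constructed by hand and use placeholder IDs.

```python
"""Check IPv6 gateway pod annotations and PodIPv6GW reconciliation state.

Added example, not part of the ACK documentation or of ack-extend-network-controller.
Annotation names and PodIPv6GW field names are taken from the topic; the readiness
rule below is an assumption of this example.
"""
import json

BANDWIDTH_ANNOTATION = "k8s.aliyun.com/ipv6-bandwidth"
EGRESS_ONLY_ANNOTATION = "k8s.aliyun.com/ipv6-egress-only"
MIN_BANDWIDTH, MAX_BANDWIDTH = 1, 5000  # Mbit/s, per the annotation table
CLEANUP_FINALIZER = "ipv6gw-controller.alibabacloud.com/finalizer"


def validate_pod_annotations(annotations):
    """Return a list of problems with the pod annotations; an empty list means OK.

    This mirrors what an admission check would reject before the controller calls
    AllocateIpv6InternetBandwidth / CreateIpv6EgressOnlyRule on the pod's behalf.
    """
    problems = []
    raw = annotations.get(BANDWIDTH_ANNOTATION)
    if raw is None:
        problems.append(f"{BANDWIDTH_ANNOTATION} missing: no Internet bandwidth will be allocated")
    else:
        try:
            bw = int(raw)
        except (TypeError, ValueError):
            problems.append(f"{BANDWIDTH_ANNOTATION}={raw!r} is not an integer")
        else:
            if not MIN_BANDWIDTH <= bw <= MAX_BANDWIDTH:
                problems.append(f"{BANDWIDTH_ANNOTATION}={bw} outside {MIN_BANDWIDTH}..{MAX_BANDWIDTH} Mbit/s")
    if EGRESS_ONLY_ANNOTATION not in annotations:
        # Without an egress-only rule the address is not restricted to outbound traffic.
        problems.append(f"{EGRESS_ONLY_ANNOTATION} missing: the pod's IPv6 address will not be egress-only")
    return problems


def pod_ipv6gw_state(obj):
    """Classify one PodIPv6GW object as ("ready" | "pending" | "deleting", missing_status_fields).

    Assumption: the object is ready once every cloud resource ID the controller records in
    .status is present. While metadata.deletionTimestamp is set, the finalizer keeps the object
    around until the controller has released the bandwidth and the egress-only rule.
    """
    meta = obj.get("metadata", {})
    spec = obj.get("spec", {})
    status = obj.get("status") or {}
    if meta.get("deletionTimestamp"):
        return "deleting", []
    required = ["ipv6AddressID", "ipv6GatewayID", "ipv6InternetBandwidthID"]
    if spec.get("egressOnlyRule"):
        required.append("ipv6EgressOnlyRuleID")
    missing = [field for field in required if not status.get(field)]
    return ("ready" if not missing else "pending"), missing


def summarize_kubectl_json(text):
    """Map each object in `kubectl get podipv6gws -ojson` output (a v1 List, or a single
    object when one name is queried) to its state tuple."""
    data = json.loads(text)
    items = data.get("items", [data])
    return {item["metadata"]["name"]: pod_ipv6gw_state(item) for item in items}


# Constructed samples: the annotations from the Deployment in this topic, and a bad variant.
GOOD_ANNOTATIONS = {BANDWIDTH_ANNOTATION: "10", EGRESS_ONLY_ANNOTATION: ""}
BAD_ANNOTATIONS = {BANDWIDTH_ANNOTATION: "6000"}  # out of range, and no egress-only rule

# Constructed kubectl output: one object modelled on the expected output above (placeholder
# IDs), and one the controller has not finished reconciling (bandwidth and rule IDs absent).
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "alibabacloud.com/v1beta1", "kind": "PodIPv6GW",
         "metadata": {"name": "example-674b897446-q1111", "namespace": "default",
                      "finalizers": [CLEANUP_FINALIZER]},
         "spec": {"bandwidth": 10, "egressOnlyRule": True,
                  "ipv6Address": "2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx"},
         "status": {"ipv6AddressID": "ipv6-xxx", "ipv6EgressOnlyRuleID": "ipv6py-xxx",
                    "ipv6GatewayID": "ipv6gw-xxx", "ipv6InternetBandwidthID": "ipv6bw-xxx"}},
        {"apiVersion": "alibabacloud.com/v1beta1", "kind": "PodIPv6GW",
         "metadata": {"name": "example-674b897446-q2222", "namespace": "default",
                      "finalizers": [CLEANUP_FINALIZER]},
         "spec": {"bandwidth": 10, "egressOnlyRule": True,
                  "ipv6Address": "2408:4006:1115:yyyy:yyyy:yyyy:yyyy:yyyy"},
         "status": {"ipv6AddressID": "ipv6-yyy", "ipv6GatewayID": "ipv6gw-xxx"}},
    ],
})

if __name__ == "__main__":
    print("good annotations:", validate_pod_annotations(GOOD_ANNOTATIONS) or "OK")
    print("bad annotations:", validate_pod_annotations(BAD_ANNOTATIONS))
    for name, (state, missing) in summarize_kubectl_json(SAMPLE_KUBECTL_JSON).items():
        print(f"{name}: {state}", f"(missing: {', '.join(missing)})" if missing else "")
```

To use it against a live cluster, pipe kubectl get podipv6gws -n <namespace> -ojson into summarize_kubectl_json; a pod that stays in the pending state is the case to investigate in the controller logs before relying on the egress-only rule.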
References
For more information about how to enable a pod to access an external network, see Configure a pod to access an external network.