IPv6 support

Table of Contents

• Introduction
• Load Balancer Controller with IPv6 Support
• IPv6 Configuration of Shoot Cluster Network
• IPv6 Address Assignment for Virtual Machines
• IP Address Management for Pods on a Virtual Machine

Introduction

Kubernetes and Gardener started with IPv4-only, single-stack networking. While this allows a commonly known simple network architecture, it does have the usual limitations of IPv4, e.g. address limitations. Dedicated address ranges for private/restricted use, e.g. RFC 1918 and RFC 6598, and network address translation (NAT) provide some means to mitigate the situation given the fact that kubernetes clusters usually operate in private/restricted networks. Nevertheless, there are technical, e.g. more efficient routing, monetary, e.g. IPv4 address costs, and political, e.g. US governance IPv6 memorandum reasons why IPv6 may be attractive.

This issue covers the infrastructure specific topic to support IPv6 on GCP in the context of Gardener. It is part of gardener/gardener#8899.

Load Balancer Controller with IPv6 Support

Kubernetes clusters may need entry points to receive external traffic. These are usually load balancers, which are represented in Kubernetes by Service resources with type: LoadBalancer. To be able to address a Kubernetes workload from an external IPv6-only client the load balancer need to have at least one IPv6 address. In case the load balancer does not translate the protocol the backends may also need to be able to receive IPv6 traffic. For various reasons, it needs to be possible to retrieve the real client IP.

Tasks:

• Check existing load balancer controllers for IPv6 support
  • Check cloud-provider-gcp
  • Check ingress-gce
• In case no existing load balancer controller supports IPv6 properly: Develop new load balancer controller
• Manage IPv6-capable load balancer controller as part of gardener-extension-provider-gcp

Requirements:

• IPv4+IPv6 dual-stack support
• IPv6 support (optional)
• IPv4 support (optional in case it works together with cloud-provider-gcp)
• Client IP preservation
• Protocol translation, e.g. IPv6 => IPv4 (optional)

IPv6 Configuration of Shoot Cluster Network

The shoot cluster network needs to be adjusted to support IPv6. All work should be included in cloud-provider-gcp.

Tasks:

• Configure (infrastructure-defined) IPv6 range in VPC network
• Enable IPv6-only/dual-stack for subnet
• Add IPv6 routes (if necessary)
• Configure internet gateway that support IPv6 protocol for outbound (internet) traffic
• Check if GCP support DNS64/NAT64 (relevant primarily for IPv6-only scenarios)

IPv6 Address Assignment for Virtual Machines

The nodes of a Kubernetes cluster should have IPv6 addresses in IPv6-only or dual-stack scenarios.

Tasks:

• Assign IPv6 addresses to virtual machines managed by machine-controller-manager-provider-gcp
• Check whether virtual machines receive a prefix or a single address
  • In case virtual machines only receive single IPv6 addresses, assign an IPv6 prefix to the virtual machine to be used for the pods
• Adapt MachineClass configuration in gardener-extension-provider-gcp
• Depending on the load balancer type virtual machines may need to be assigned to instance groups

IP Address Management for Pods on a Virtual Machine

Pods on the virtual machines need to receive IP addresses. Those IP addresses should come from the prefix assigned to the node for ease of routing.

Tasks:

• Check if cloud-provider-gcp supports IPv6 pod IP address management that allows the IPv6 prefix of the node to be propagated to the Kubernetes Node resource
• If cloud-provider-gcp does not allow this, check if a contribution is possible
• If contribution is not an option extend aws-ipam-controller to support GCP