diff --git a/content/en/docs/tasks/network/extend-service-ip-ranges.md b/content/en/docs/tasks/network/extend-service-ip-ranges.md index de62cb7378..6c32d9c3e2 100644 --- a/content/en/docs/tasks/network/extend-service-ip-ranges.md +++ b/content/en/docs/tasks/network/extend-service-ip-ranges.md @@ -24,14 +24,15 @@ This document shares how to extend the existing Service IP range assigned to a c ## API Kubernetes clusters with kube-apiservers that have enabled the `MultiCIDRServiceAllocator` -[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and have the `networking.k8s.io/v1beta1` -API group active, -will create a ServiceCIDR object that takes the well-known name `kubernetes`, and that specifies an IP address range +[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and have the +`networking.k8s.io/v1beta1` API group active, will create a ServiceCIDR object that takes +the well-known name `kubernetes`, and that specifies an IP address range based on the value of the `--service-cluster-ip-range` command line argument to kube-apiserver. ```sh kubectl get servicecidr ``` + ``` NAME CIDRS AGE kubernetes 10.96.0.0/28 17d @@ -44,6 +45,7 @@ cluster IP address. ```sh kubectl get service kubernetes ``` + ``` NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 443/TCP 17d 
@@ -54,26 +56,32 @@ The default Service, in this case, uses the ClusterIP 10.96.0.1, that has the co ```sh kubectl get ipaddress 10.96.0.1 ``` + ``` NAME PARENTREF 10.96.0.1 services/default/kubernetes ``` -The ServiceCIDRs are protected with {{}}, to avoid leaving Service ClusterIPs orphans; -the finalizer is only removed if there is another subnet that contains the existing IPAddresses or -there are no IPAddresses belonging to the subnet. +The ServiceCIDRs are protected with {{}}, +to avoid leaving Service ClusterIPs orphans; the finalizer is only removed if there is another subnet +that contains the existing IPAddresses or there are no IPAddresses belonging to the subnet. ## Extend the number of available IPs for Services -There are cases that users will need to increase the number addresses available to Services, previously, increasing the Service range was a disruptive operation that could also cause data loss. With this new feature users only need to add a new ServiceCIDR to increase the number of available addresses. +There are cases that users will need to increase the number addresses available to Services, +previously, increasing the Service range was a disruptive operation that could also cause data loss. +With this new feature users only need to add a new ServiceCIDR to increase the number of available addresses. ### Adding a new ServiceCIDR -On a cluster with a 10.96.0.0/28 range for Services, there is only 2^(32-28) - 2 = 14 IP addresses available. The `kubernetes.default` Service is always created; for this example, that leaves you with only 13 possible Services. +On a cluster with a 10.96.0.0/28 range for Services, there is only 2^(32-28) - 2 = 14 +IP addresses available. The `kubernetes.default` Service is always created; for this example, +that leaves you with only 13 possible Services. ```sh for i in $(seq 1 13); do kubectl create service clusterip "test-$i" --tcp 80 -o json | jq -r .spec.clusterIP; done ``` + ``` 10.96.0.11 10.96.0.5 
@@ -104,6 +112,7 @@ spec: - 10.96.0.0/24 EOF ``` + ``` servicecidr.networking.k8s.io/newcidr1 created ``` @@ -113,6 +122,7 @@ and this will allow you to create new Services with ClusterIPs that will be pick ```sh for i in $(seq 13 16); do kubectl create service clusterip "test-$i" --tcp 80 -o json | jq -r .spec.clusterIP; done ``` + ``` 10.96.0.48 10.96.0.200 @@ -127,6 +137,7 @@ You cannot delete a ServiceCIDR if there are IPAddresses that depend on the Serv ```sh kubectl delete servicecidr newcidr1 ``` + ``` servicecidr.networking.k8s.io "newcidr1" deleted ``` @@ -136,7 +147,8 @@ Kubernetes uses a finalizer on the ServiceCIDR to track this dependent relations ```sh kubectl get servicecidr newcidr1 -o yaml ``` -``` + +```yaml apiVersion: networking.k8s.io/v1beta1 kind: ServiceCIDR metadata: @@ -161,12 +173,12 @@ status: type: Ready ``` - By removing the Services containing the IP addresses that are blocking the deletion of the ServiceCIDR ```sh for i in $(seq 13 16); do kubectl delete service "test-$i" ; done ``` + ``` service "test-13" deleted service "test-14" deleted @@ -180,6 +192,7 @@ so that the ServiceCIDR that was pending deletion will actually be removed. ```sh kubectl get servicecidr newcidr1 ``` + ``` Error from server (NotFound): servicecidrs.networking.k8s.io "newcidr1" not found ``` diff --git a/content/en/docs/tasks/network/validate-dual-stack.md b/content/en/docs/tasks/network/validate-dual-stack.md index bd158e1469..678d80d21d 100644 --- a/content/en/docs/tasks/network/validate-dual-stack.md +++ b/content/en/docs/tasks/network/validate-dual-stack.md 
@@ -11,12 +11,12 @@ content_type: task This document shares how to validate IPv4/IPv6 dual-stack enabled Kubernetes clusters. - ## {{% heading "prerequisites" %}} - -* Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide Kubernetes nodes with routable IPv4/IPv6 network interfaces) -* A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports dual-stack networking. +* Provider support for dual-stack networking (Cloud provider or otherwise must be able to + provide Kubernetes nodes with routable IPv4/IPv6 network interfaces) +* A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) + that supports dual-stack networking. * [Dual-stack enabled](/docs/concepts/services-networking/dual-stack/) cluster {{< version-check >}} 
@@ -25,29 +25,36 @@ This document shares how to validate IPv4/IPv6 dual-stack enabled Kubernetes clu While you can validate with an earlier version, the feature is only GA and officially supported since v1.23. {{< /note >}} - ## Validate addressing ### Validate node addressing -Each dual-stack Node should have a single IPv4 block and a single IPv6 block allocated. Validate that IPv4/IPv6 Pod address ranges are configured by running the following command. Replace the sample node name with a valid dual-stack Node from your cluster. In this example, the Node's name is `k8s-linuxpool1-34450317-0`: +Each dual-stack Node should have a single IPv4 block and a single IPv6 block allocated. +Validate that IPv4/IPv6 Pod address ranges are configured by running the following command. +Replace the sample node name with a valid dual-stack Node from your cluster. In this example, +the Node's name is `k8s-linuxpool1-34450317-0`: ```shell kubectl get nodes k8s-linuxpool1-34450317-0 -o go-template --template='{{range .spec.podCIDRs}}{{printf "%s\n" .}}{{end}}' ``` + ``` 10.244.1.0/24 2001:db8::/64 ``` + There should be one IPv4 block and one IPv6 block allocated. -Validate that the node has an IPv4 and IPv6 interface detected. Replace node name with a valid node from the cluster. In this example the node name is `k8s-linuxpool1-34450317-0`: +Validate that the node has an IPv4 and IPv6 interface detected. +Replace node name with a valid node from the cluster. +In this example the node name is `k8s-linuxpool1-34450317-0`: ```shell kubectl get nodes k8s-linuxpool1-34450317-0 -o go-template --template='{{range .status.addresses}}{{printf "%s: %s\n" .type .address}}{{end}}' ``` + ``` Hostname: k8s-linuxpool1-34450317-0 InternalIP: 10.0.0.5 
@@ -56,19 +63,23 @@ InternalIP: 2001:db8:10::5 ### Validate Pod addressing -Validate that a Pod has an IPv4 and IPv6 address assigned. Replace the Pod name with a valid Pod in your cluster. In this example the Pod name is `pod01`: +Validate that a Pod has an IPv4 and IPv6 address assigned. Replace the Pod name with +a valid Pod in your cluster. In this example the Pod name is `pod01`: ```shell kubectl get pods pod01 -o go-template --template='{{range .status.podIPs}}{{printf "%s\n" .ip}}{{end}}' ``` + ``` 10.244.1.4 2001:db8::4 ``` -You can also validate Pod IPs using the Downward API via the `status.podIPs` fieldPath. The following snippet demonstrates how you can expose the Pod IPs via an environment variable called `MY_POD_IPS` within a container. +You can also validate Pod IPs using the Downward API via the `status.podIPs` fieldPath. +The following snippet demonstrates how you can expose the Pod IPs via an environment variable +called `MY_POD_IPS` within a container. -``` +```yaml env: - name: MY_POD_IPS valueFrom: 
@@ -76,20 +87,26 @@ You can also validate Pod IPs using the Downward API via the `status.podIPs` fie fieldPath: status.podIPs ``` -The following command prints the value of the `MY_POD_IPS` environment variable from within a container. The value is a comma separated list that corresponds to the Pod's IPv4 and IPv6 addresses. +The following command prints the value of the `MY_POD_IPS` environment variable from +within a container. The value is a comma separated list that corresponds to the +Pod's IPv4 and IPv6 addresses. ```shell kubectl exec -it pod01 -- set | grep MY_POD_IPS ``` + ``` MY_POD_IPS=10.244.1.4,2001:db8::4 ``` -The Pod's IP addresses will also be written to `/etc/hosts` within a container. The following command executes a cat on `/etc/hosts` on a dual stack Pod. From the output you can verify both the IPv4 and IPv6 IP address for the Pod. +The Pod's IP addresses will also be written to `/etc/hosts` within a container. +The following command executes a cat on `/etc/hosts` on a dual stack Pod. +From the output you can verify both the IPv4 and IPv6 IP address for the Pod. ```shell kubectl exec -it pod01 -- cat /etc/hosts ``` + ``` # Kubernetes-managed hosts file. 127.0.0.1 localhost @@ -104,7 +121,9 @@ fe00::2 ip6-allrouters ## Validate Services -Create the following Service that does not explicitly define `.spec.ipFamilyPolicy`. Kubernetes will assign a cluster IP for the Service from the first configured `service-cluster-ip-range` and set the `.spec.ipFamilyPolicy` to `SingleStack`. +Create the following Service that does not explicitly define `.spec.ipFamilyPolicy`. +Kubernetes will assign a cluster IP for the Service from the first configured +`service-cluster-ip-range` and set the `.spec.ipFamilyPolicy` to `SingleStack`. {{% code_sample file="service/networking/dual-stack-default-svc.yaml" %}} 
@@ -114,7 +133,9 @@ Use `kubectl` to view the YAML for the Service. kubectl get svc my-service -o yaml ``` -The Service has `.spec.ipFamilyPolicy` set to `SingleStack` and `.spec.clusterIP` set to an IPv4 address from the first configured range set via `--service-cluster-ip-range` flag on kube-controller-manager. +The Service has `.spec.ipFamilyPolicy` set to `SingleStack` and `.spec.clusterIP` set +to an IPv4 address from the first configured range set via `--service-cluster-ip-range` +flag on kube-controller-manager. ```yaml apiVersion: v1 @@ -141,7 +162,9 @@ status: loadBalancer: {} ``` -Create the following Service that explicitly defines `IPv6` as the first array element in `.spec.ipFamilies`. Kubernetes will assign a cluster IP for the Service from the IPv6 range configured `service-cluster-ip-range` and set the `.spec.ipFamilyPolicy` to `SingleStack`. +Create the following Service that explicitly defines `IPv6` as the first array element in +`.spec.ipFamilies`. Kubernetes will assign a cluster IP for the Service from the IPv6 range +configured `service-cluster-ip-range` and set the `.spec.ipFamilyPolicy` to `SingleStack`. {{% code_sample file="service/networking/dual-stack-ipfamilies-ipv6.yaml" %}} @@ -151,7 +174,8 @@ Use `kubectl` to view the YAML for the Service. kubectl get svc my-service -o yaml ``` -The Service has `.spec.ipFamilyPolicy` set to `SingleStack` and `.spec.clusterIP` set to an IPv6 address from the IPv6 range set via `--service-cluster-ip-range` flag on kube-controller-manager. +The Service has `.spec.ipFamilyPolicy` set to `SingleStack` and `.spec.clusterIP` set to +an IPv6 address from the IPv6 range set via `--service-cluster-ip-range` flag on kube-controller-manager. ```yaml apiVersion: v1 
@@ -179,7 +203,10 @@ status: loadBalancer: {} ``` -Create the following Service that explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. Kubernetes will assign both IPv4 and IPv6 addresses (as this cluster has dual-stack enabled) and select the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family of the first element in the `.spec.ipFamilies` array. +Create the following Service that explicitly defines `PreferDualStack` in `.spec.ipFamilyPolicy`. +Kubernetes will assign both IPv4 and IPv6 addresses (as this cluster has dual-stack enabled) and +select the `.spec.ClusterIP` from the list of `.spec.ClusterIPs` based on the address family of +the first element in the `.spec.ipFamilies` array. {{% code_sample file="service/networking/dual-stack-preferred-svc.yaml" %}} @@ -188,13 +215,16 @@ The `kubectl get svc` command will only show the primary IP in the `CLUSTER-IP` ```shell kubectl get svc -l app.kubernetes.io/name=MyApp +``` +``` NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-service ClusterIP 10.0.216.242 80/TCP 5s ``` {{< /note >}} -Validate that the Service gets cluster IPs from the IPv4 and IPv6 address blocks using `kubectl describe`. You may then validate access to the service via the IPs and ports. +Validate that the Service gets cluster IPs from the IPv4 and IPv6 address blocks using +`kubectl describe`. You may then validate access to the service via the IPs and ports. ```shell kubectl describe svc -l app.kubernetes.io/name=MyApp 
@@ -220,7 +250,9 @@ Events: ### Create a dual-stack load balanced Service -If the cloud provider supports the provisioning of IPv6 enabled external load balancers, create the following Service with `PreferDualStack` in `.spec.ipFamilyPolicy`, `IPv6` as the first element of the `.spec.ipFamilies` array and the `type` field set to `LoadBalancer`. +If the cloud provider supports the provisioning of IPv6 enabled external load balancers, +create the following Service with `PreferDualStack` in `.spec.ipFamilyPolicy`, `IPv6` as +the first element of the `.spec.ipFamilies` array and the `type` field set to `LoadBalancer`. {{% code_sample file="service/networking/dual-stack-prefer-ipv6-lb-svc.yaml" %}} @@ -230,11 +262,10 @@ Check the Service: kubectl get svc -l app.kubernetes.io/name=MyApp ``` -Validate that the Service receives a `CLUSTER-IP` address from the IPv6 address block along with an `EXTERNAL-IP`. You may then validate access to the service via the IP and port. +Validate that the Service receives a `CLUSTER-IP` address from the IPv6 address block +along with an `EXTERNAL-IP`. You may then validate access to the service via the IP and port. -```shell +``` NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-service LoadBalancer 2001:db8:fd00::7ebc 2603:1030:805::5 80:30790/TCP 35s ``` - -
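Review bot: In extend-service-ip-ranges.md, hunk `@@ -54,26 +56,32 @@`, the rewrapped paragraph under "Extend the number of available IPs for Services" keeps its grammar problems: "increase the number addresses" is missing "of", and "available to Services, previously, increasing" is a comma splice. Since these lines are being rewritten anyway, consider "There are cases where users need to increase the number of addresses available to Services. Previously, increasing the Service range was a disruptive operation...". The same hunk also keeps "there is only 2^(32-28) - 2 = 14 IP addresses", which should read "there are only".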
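Review bot: In extend-service-ip-ranges.md, hunk `@@ -113,6 +122,7 @@`, the context line `for i in $(seq 13 16)` overlaps with the earlier loop in hunk `@@ -54,26 +56,32 @@`, which already creates `test-1` through `test-13` with `seq 1 13`. Creating `test-13` a second time would be rejected because the Service name already exists, so the sample output would not match what a reader sees. While these blocks are being touched, consider starting the second loop at 14 and making the matching change to the delete loop in hunk `@@ -161,12 +173,12 @@`.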
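Review bot: In validate-dual-stack.md, hunk `@@ -76,20 +87,26 @@`, the command `kubectl exec -it pod01 -- set | grep MY_POD_IPS` is left unchanged but is unlikely to work as written: `set` is a shell builtin rather than an executable in the container image, and the `| grep` runs on the local machine with `-it` requesting a TTY for a non-interactive pipeline. Consider `kubectl exec pod01 -- printenv MY_POD_IPS`, or wrapping the command in `sh -c` if the `set | grep` form is meant to be kept.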
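Review bot: In validate-dual-stack.md, hunks `@@ -114,7 +133,9 @@` and `@@ -151,7 +174,8 @@`, both rewrapped paragraphs attribute the range to the "`--service-cluster-ip-range` flag on kube-controller-manager", while extend-service-ip-ranges.md in this same patch describes it as the "`--service-cluster-ip-range` command line argument to kube-apiserver". The two pages should name the same component for the range that ClusterIPs are allocated from; please reconcile the wording while these lines are being touched. The paragraph in hunk `@@ -141,7 +162,9 @@` also reads "from the IPv6 range configured `service-cluster-ip-range`", which is missing a word such as "via".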
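Review bot: In validate-dual-stack.md, hunk `@@ -179,7 +203,10 @@`, the rewrapped paragraph refers to `.spec.ClusterIP` and `.spec.ClusterIPs` with a capital C, while the rest of the page (for example hunk `@@ -114,7 +133,9 @@`) uses `.spec.clusterIP`. Field paths are case-sensitive, so these should be `.spec.clusterIP` and `.spec.clusterIPs` to match the Service YAML shown on the page.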
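Review bot: In validate-dual-stack.md, the final hunk `@@ -230,11 +262,10 @@`, the sample output block is correctly changed from a `shell` fence to a plain one, but it still sits after the "Validate that the Service receives a `CLUSTER-IP` address..." paragraph instead of directly under the `kubectl get svc -l app.kubernetes.io/name=MyApp` command. Every other command and output pair normalised in this patch keeps the output immediately below the command; moving this block up would make the page consistent.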