By default, IPv6 addresses can be used only for communication over internal networks. To use an IPv6 address for communication over the Internet, you must create an IPv6 gateway and allocate IPv6 Internet bandwidth to the pod that uses the IPv6 address. This topic describes how to configure Internet bandwidth and egress-only rules for a pod that uses an IPv6 address in a Container Service for Kubernetes (ACK) cluster.
Prerequisites
An ACK managed cluster or an ACK dedicated cluster is created. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster. The cluster meets the following requirements:
IPv4/IPv6 dual stack is enabled. For more information about IPv6 gateways, see What is an IPv6 gateway?
The Terway network plug-in is used for the cluster.
An IPv6 gateway is created in the virtual private cloud (VPC) of the cluster and the ipv6gw controller is used. For more information about how to create an IPv6 gateway, see Create and manage an IPv6 gateway.
Only specific Elastic Compute Service (ECS) instance types support IPv6. For more information, see Overview of instance families.
Limits
You can allocate IPv6 Internet bandwidth only to pods that are running on ECS instances but not to elastic container instances (ECIs).
The bandwidth and number of egress-only rules supported by an IPv6 gateway vary based on the gateway specifications. For more information, see Limits.
Enable an IPv6 gateway by modifying the configuration of ack-extend-network-controller
ack-extend-network-controller calls the APIs of Alibaba Cloud services to create cloud resources. You must first grant the required Resource Access Management (RAM) permissions to ack-extend-network-controller and then install ack-extend-network-controller from the Marketplace page of the ACK console. Then, you can add annotations to a pod to create an IPv6 gateway and associate it with the pod.
Step 1: Grant RAM permissions required by IPv6
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab, and then click the hyperlink next to Worker RAM Role.
Create a custom policy and add the following content to the policy. For more information, see the Step 1: Create a custom policy section of the "[Product Changes] Permissions of the worker RAM role of ACK managed clusters are revoked" topic.
{
  "Effect": "Allow",
  "Action": [
    "vpc:DescribeIpv6Addresses",
    "vpc:CreateIpv6EgressOnlyRule",
    "vpc:DeleteIpv6EgressOnlyRule",
    "vpc:DescribeIpv6EgressOnlyRules",
    "vpc:AllocateIpv6InternetBandwidth",
    "vpc:DeleteIpv6InternetBandwidth"
  ],
  "Resource": [
    "*"
  ],
  "Condition": {}
}
Attach the custom policy to the worker RAM role of the cluster. For more information, see the Attach the custom policy to the worker RAM role section of the "[Product Changes] Permissions of the worker RAM role of ACK managed clusters are revoked" topic.
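As an added check (not part of this topic or of ACK), the following Python audits a custom policy against the six vpc actions listed in Step 1: it reports required actions the policy does not grant and any entries that are wider than needed, such as a "vpc:*" wildcard. The policy text is a constructed copy of the statement above, and the script accepts either that bare statement or a full RAM policy document with a "Statement" list.

```python
import json
from fnmatch import fnmatchcase

# Constructed copy of the custom policy statement from Step 1 (not read from RAM).
POLICY_JSON = """{
  "Effect": "Allow",
  "Action": ["vpc:DescribeIpv6Addresses", "vpc:CreateIpv6EgressOnlyRule",
             "vpc:DeleteIpv6EgressOnlyRule", "vpc:DescribeIpv6EgressOnlyRules",
             "vpc:AllocateIpv6InternetBandwidth", "vpc:DeleteIpv6InternetBandwidth"],
  "Resource": ["*"],
  "Condition": {}
}"""

# The six vpc actions the ipv6gw controller needs, exactly as Step 1 lists them.
REQUIRED_ACTIONS = frozenset({
    "vpc:DescribeIpv6Addresses", "vpc:CreateIpv6EgressOnlyRule",
    "vpc:DeleteIpv6EgressOnlyRule", "vpc:DescribeIpv6EgressOnlyRules",
    "vpc:AllocateIpv6InternetBandwidth", "vpc:DeleteIpv6InternetBandwidth",
})


def audit_statement(statement):
    """Report required actions the statement does not grant ("missing") and
    granted entries wider than the six required ones ("overbroad": wildcards
    such as "vpc:*" or "*", or unrelated actions)."""
    actions = statement.get("Action", [])
    granted = [actions] if isinstance(actions, str) else list(actions)
    if statement.get("Effect") != "Allow":
        return {"missing": sorted(REQUIRED_ACTIONS), "overbroad": []}
    # A required action counts as covered if any granted entry matches it, wildcards included.
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(fnmatchcase(a, g) for g in granted))
    overbroad = sorted(g for g in granted if "*" in g or g not in REQUIRED_ACTIONS)
    return {"missing": missing, "overbroad": overbroad}


def audit_policy(text):
    """Accept a bare statement (as shown in this topic) or a full RAM policy
    document with a "Statement" list, and audit each statement."""
    doc = json.loads(text)
    statements = doc["Statement"] if "Statement" in doc else [doc]
    return [audit_statement(s) for s in statements]
```

An empty "missing" list together with an empty "overbroad" list means the policy grants exactly what the controller needs and nothing more.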
Step 2: Enable the ipv6gw controller for ack-extend-network-controller
Install ack-extend-network-controller and enable the ipv6gw controller. For more information about how to install ack-extend-network-controller from the marketplace, see App Marketplace.
Specify the following parameters for the ipv6gw controller:
clusterID: "c11ba338192xxxxxxx" # Specify the actual value.
regionID: "cn-hangzhou" # Specify the actual value.
vpcID: "vpc-bp1rkq0zxxxxxx" # Specify the actual value.
enableControllers:
  - ipv6gw # Enable the IPv6 gateway.
networkController:
  ipv6GatewayController:
    maxConcurrentReconciles: 10 # The maximum number of concurrent reconciliations for the controller.
credential: # Specify an AccessKey pair. We recommend that you use the RamRole mode for ACK managed clusters and ACK dedicated clusters.
  accessKey: ""
  accessSecret: ""
Allocate Internet IPv6 bandwidth to the pod and configure egress-only rules
Add the following annotations to the pod to allocate Internet IPv6 bandwidth, specify the billing method, and configure egress-only rules.
Pod annotation | Value
k8s.aliyun.com/ipv6-bandwidth | The Internet bandwidth of the IPv6 gateway. Unit: Mbit/s. Valid values: 1 to 5000. For more information, see AllocateIpv6InternetBandwidth.
k8s.aliyun.com/ipv6-internet-charge-type | The billing method of the Internet bandwidth of the IPv6 gateway. For the valid values, see AllocateIpv6InternetBandwidth.
k8s.aliyun.com/ipv6-egress-only | Create egress-only rules. The examples in this topic set this annotation to an empty string.
Use the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Workloads > Deployments.
In the upper-right part of the Deployments page, click Create from YAML. Then, copy the following YAML content to the Template parameter and click Create.
In this example, the Internet IPv6 bandwidth allocated to the pod is 10 Mbit/s and egress-only rules are created.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  labels:
    app: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
      annotations:
        k8s.aliyun.com/ipv6-bandwidth: "10" # Set the Internet bandwidth of the IPv6 gateway to 10 Mbit/s.
        k8s.aliyun.com/ipv6-egress-only: "" # Create egress-only rules.
    spec:
      containers:
      - name: example
        image: nginx
On the Deployments page, find the Deployment named example and click its name to go to the basic information page. On the basic information page of the example Deployment, you can view the name of the pod.
Run the following command to query the podipv6gws.alibabacloud.com resource that has the same name as the pod. The output shows the allocated bandwidth and the egress-only rule.
kubectl get podipv6gws.alibabacloud.com -oyaml example-674b897446-q****
Expected output:
apiVersion: alibabacloud.com/v1beta1
kind: PodIPv6GW
metadata:
  creationTimestamp: "2024-02-07T06:00:48Z"
  finalizers:
  - ipv6gw-controller.alibabacloud.com/finalizer
  generation: 1
  name: example-674b897446-q****
  namespace: default
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: example-674b897446-q****
    uid: bdf86c45-7**5-4**4-b**3-9b****
  resourceVersion: "11488"
  uid: 78747d60-9**8-4**e-b**8-f7f7c****
spec:
  bandwidth: 10
  egressOnlyRule: true
  ipv6Address: 2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx
status:
  ipv6AddressID: ipv6-xxx
  ipv6EgressOnlyRuleID: ipv6py-xxx
  ipv6GatewayID: ipv6gw-xxx
  ipv6InternetBandwidthID: ipv6bw-xxx
Use kubectl
Create a file named example.yaml and add the following content to the file:
In this example, the Internet IPv6 bandwidth allocated to the pod is 10 Mbit/s and egress-only rules are created.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  labels:
    app: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
      annotations:
        k8s.aliyun.com/ipv6-bandwidth: "10" # Set the Internet bandwidth of the IPv6 gateway to 10 Mbit/s.
        k8s.aliyun.com/ipv6-egress-only: "" # Create egress-only rules.
    spec:
      containers:
      - name: example
        image: nginx
Run the following command to create resource objects:
kubectl apply -f example.yaml
Expected output:
deployment.apps/example created
Run the following command to list the PodIPv6GW resources in the namespace of the Deployment. Each resource has the same name as its pod:
kubectl get podipv6gws -n <Namespace of the sample Deployment>
Run the following command to query the podipv6gws.alibabacloud.com resource that has the same name as the pod. The output shows the allocated bandwidth and the egress-only rule.
kubectl get podipv6gws.alibabacloud.com -oyaml example-674b897446-q****
Expected output:
apiVersion: alibabacloud.com/v1beta1
kind: PodIPv6GW
metadata:
  creationTimestamp: "2024-02-07T06:00:48Z"
  finalizers:
  - ipv6gw-controller.alibabacloud.com/finalizer
  generation: 1
  name: example-674b897446-q****
  namespace: default
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    name: example-674b897446-q****
    uid: bdf86c45-7**5-4**4-b**3-9b****
  resourceVersion: "11488"
  uid: 78747d60-9**8-4**e-b**8-f7f7c****
spec:
  bandwidth: 10
  egressOnlyRule: true
  ipv6Address: 2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx
status:
  ipv6AddressID: ipv6-xxx
  ipv6EgressOnlyRuleID: ipv6py-xxx
  ipv6GatewayID: ipv6gw-xxx
  ipv6InternetBandwidthID: ipv6bw-xxx
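As an added check that is not part of this topic or of ack-extend-network-controller, the following Python validates the pod-template annotations from the annotation table before they are applied (bandwidth within 1 to 5000 and an egress-only annotation alongside the bandwidth annotation) and then tests whether a PodIPv6GW object has been fully reconciled, using the spec and status field names from the expected output above. The PodIPv6GW object is constructed from that output rather than read from a cluster; the annotation keys and the range come from the table.

```python
# Constructed from the PodIPv6GW output shown above (IDs masked as on the page).
PODIPV6GW = {
    "apiVersion": "alibabacloud.com/v1beta1",
    "kind": "PodIPv6GW",
    "metadata": {"name": "example-674b897446-q****", "namespace": "default"},
    "spec": {"bandwidth": 10, "egressOnlyRule": True,
             "ipv6Address": "2408:4006:1115:xxxx:xxxx:xxxx:xxxx:xxxx"},
    "status": {"ipv6AddressID": "ipv6-xxx", "ipv6EgressOnlyRuleID": "ipv6py-xxx",
               "ipv6GatewayID": "ipv6gw-xxx", "ipv6InternetBandwidthID": "ipv6bw-xxx"},
}

BANDWIDTH_ANNO = "k8s.aliyun.com/ipv6-bandwidth"
EGRESS_ONLY_ANNO = "k8s.aliyun.com/ipv6-egress-only"


def check_annotations(annotations):
    """Validate pod-template annotations before kubectl apply.
    Returns a list of findings; an empty list means they are acceptable."""
    raw = annotations.get(BANDWIDTH_ANNO)
    if raw is None:
        return []  # no Internet IPv6 bandwidth requested, nothing to check
    try:
        mbps = int(raw)
    except ValueError:
        return [f"{BANDWIDTH_ANNO} must be an integer string, got {raw!r}"]
    findings = []
    if not 1 <= mbps <= 5000:
        findings.append(f"{BANDWIDTH_ANNO}={mbps} is outside the valid range 1 to 5000")
    # Bandwidth without an egress-only rule does not restrict the address to outbound traffic.
    if EGRESS_ONLY_ANNO not in annotations:
        findings.append(f"{BANDWIDTH_ANNO} is set but {EGRESS_ONLY_ANNO} is missing")
    return findings


def gateway_ready(obj, expected_mbps, expect_egress_only=True):
    """True once the controller has reconciled the PodIPv6GW: spec matches the
    annotations and every status ID shown in the expected output is populated."""
    spec, status = obj.get("spec", {}), obj.get("status", {})
    if spec.get("bandwidth") != expected_mbps:
        return False
    if bool(spec.get("egressOnlyRule")) != expect_egress_only:
        return False
    needed = ["ipv6AddressID", "ipv6GatewayID", "ipv6InternetBandwidthID"]
    if expect_egress_only:
        needed.append("ipv6EgressOnlyRuleID")
    return all(status.get(key) for key in needed)
```

To use it against a live cluster, load the JSON from kubectl get podipv6gws.alibabacloud.com -ojson <name> and pass the parsed object to gateway_ready with the bandwidth you annotated.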
FAQ
How do I deploy ack-extend-network-controller in an ACK Serverless cluster?
We recommend that you do not deploy this component in ACK Serverless clusters. If you need to deploy the component, you must first generate an AccessKey pair for a RAM user. For more information, see Create a RAM user and Create custom policies. Then, configure the corresponding parameters when you deploy the component on the Marketplace page.
References
For more information about how to enable a pod to access an external network, see Configure a pod to access an external network.