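IPv4/IPv6 dual-stack

Feature state: Kubernetes v1.16 [alpha]

IPv4/IPv6 dual-stack enables the allocation of both IPv4 and IPv6 addresses to Pods and Services.

If you enable IPv4/IPv6 dual-stack networking for your Kubernetes cluster, the cluster will support the simultaneous assignment of both IPv4 and IPv6 addresses.

Supported Features

Enabling IPv4/IPv6 dual-stack on your Kubernetes cluster provides the following features:

  • Dual-stack Pod networking (a single IPv4 and IPv6 address assignment per Pod)
  • IPv4 and IPv6 enabled Services
  • Pod off-cluster egress routing (for example, the Internet) via both IPv4 and IPv6 interfaces

Prerequisites

The following prerequisites are needed in order to utilize IPv4/IPv6 dual-stack Kubernetes clusters:

  • Kubernetes 1.20 or later
    For information about using dual-stack services with earlier Kubernetes versions, refer to the documentation for that version of Kubernetes.
  • Provider support for dual-stack networking (the cloud provider or otherwise must be able to provide Kubernetes nodes with routable IPv4/IPv6 network interfaces)
  • A network plugin that supports dual-stack (such as Kubenet or Calico)

Enable IPv4/IPv6 dual-stack

To enable IPv4/IPv6 dual-stack, enable the IPv6DualStack feature gate for the relevant components of your cluster, and set dual-stack cluster network assignments: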

  • kube-apiserver:
    • --feature-gates="IPv6DualStack=true"
    • --service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>
  • kube-controller-manager:
    • --feature-gates="IPv6DualStack=true"
    • --cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>
    • --service-cluster-ip-range=<IPv4 CIDR>,<IPv6 CIDR>
    • --node-cidr-mask-size-ipv4|--node-cidr-mask-size-ipv6 defaults to /24 for IPv4 and /64 for IPv6
  • kubelet:
    • --feature-gates="IPv6DualStack=true"
  • kube-proxy:
    • --cluster-cidr=<IPv4 CIDR>,<IPv6 CIDR>
    • --feature-gates="IPv6DualStack=true"
Note:

An example of an IPv4 CIDR: 10.244.0.0/16 (though you would supply your own address range)

An example of an IPv6 CIDR: fdXY:IJKL:MNOP:15::/64 (this shows the format but is not a valid address - see RFC 4193)
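
A pre-flight check for the flag values listed above, as an added example that is not part of the Kubernetes documentation or code base. The function names and sample ranges are assumptions made for illustration; the overlap and mask-size checks are sanity checks chosen for this example.

```python
import ipaddress

def parse_pair(flag, value):
    """Parse '<IPv4 CIDR>,<IPv6 CIDR>' and return {4: network, 6: network}."""
    # strict=True rejects CIDRs with host bits set, e.g. 10.244.0.1/16
    nets = [ipaddress.ip_network(p.strip(), strict=True) for p in value.split(",")]
    if len(nets) != 2 or {n.version for n in nets} != {4, 6}:
        raise ValueError(f"--{flag}: need exactly one IPv4 and one IPv6 CIDR")
    return {n.version: n for n in nets}

def check_dual_stack_flags(cluster_cidr, service_range, mask_v4=24, mask_v6=64):
    """Return a list of problems; an empty list means the values are consistent.

    mask_v4 / mask_v6 stand for --node-cidr-mask-size-ipv4 / -ipv6 and use
    the defaults stated above (/24 and /64).
    """
    try:
        pods = parse_pair("cluster-cidr", cluster_cidr)
        svcs = parse_pair("service-cluster-ip-range", service_range)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for version, mask in ((4, mask_v4), (6, mask_v6)):
        # A per-node block cannot be larger than the range it is carved from.
        if mask < pods[version].prefixlen:
            problems.append(f"IPv{version}: node mask /{mask} is wider than "
                            f"cluster CIDR {pods[version]}")
        # Pod and Service ranges of the same family must not overlap.
        if pods[version].overlaps(svcs[version]):
            problems.append(f"IPv{version}: Pod range {pods[version]} overlaps "
                            f"Service range {svcs[version]}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real cluster.
    print(check_dual_stack_flags("10.244.0.0/16,fd00:10:244::/56",
                                 "10.96.0.0/16,fd00:10:96::/112"))
    print(check_dual_stack_flags("10.244.0.0/16,10.245.0.0/16",
                                 "10.96.0.0/16,fd00:10:96::/112"))
```

Passing the placeholder fdXY:IJKL:MNOP:15::/64 from the note is reported as a problem, because it is not a parseable address.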

Services

If your cluster has dual-stack enabled, you can create Services which can use IPv4, IPv6, or both.

The address family of a Service defaults to the address family of the first service cluster IP range (configured via the --service-cluster-ip-range flag to the kube-controller-manager).

When you define a Service you can optionally configure it as dual stack. To specify the behavior you want, you set the .spec.ipFamilyPolicy field to one of the following values:

  • SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range.
  • PreferDualStack:
    • Only used if the cluster has dual-stack enabled. Allocates IPv4 and IPv6 cluster IPs for the Service.
    • If the cluster does not have dual-stack enabled, this setting follows the same behavior as SingleStack.
  • RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges.
    • Selects the .spec.ClusterIP from the list of .spec.ClusterIPs based on the address family of the first element in the .spec.ipFamilies array.
    • The cluster must have dual-stack networking configured.

If you would like to define which IP family to use for single stack or define the order of IP families for dual-stack, you can choose the address families by setting an optional field, .spec.ipFamilies, on the Service.

Note: The .spec.ipFamilies field is immutable because the .spec.ClusterIP cannot be reallocated on a Service that already exists. If you want to change .spec.ipFamilies, delete and recreate the Service.

You can set .spec.ipFamilies to any of the following array values:

  • ["IPv4"]
  • ["IPv6"]
  • ["IPv4","IPv6"] (dual stack)
  • ["IPv6","IPv4"] (dual stack)

The first family you list is used for the legacy .spec.ClusterIP field.

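Dual-stack Service configuration scenarios

These examples demonstrate the behavior of various dual-stack Service configuration scenarios.

Dual-stack options on new Services

  1. This Service specification does not explicitly define .spec.ipFamilyPolicy. When you create this Service, Kubernetes assigns a cluster IP for the Service from the first configured service-cluster-ip-range and sets the .spec.ipFamilyPolicy to SingleStack. (Services without selectors and headless Services with selectors behave in this same way.)
apiVersion: v1
kind: Service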
metadata:
  name: my-service
  labels:
    app: MyApp
spec:
  selector:
    app: MyApp
  ports:
    - protocol: TCP
      port: 80
  2. This Service specification explicitly defines PreferDualStack in .spec.ipFamilyPolicy. When you create this Service on a dual-stack cluster, Kubernetes assigns both IPv4 and IPv6 addresses for the service. The control plane updates the .spec for the Service to record the IP address assignments. The field .spec.ClusterIPs is the primary field, and contains both assigned IP addresses; .spec.ClusterIP is a secondary field with its value calculated from .spec.ClusterIPs.

    • For the .spec.ClusterIP field, the control plane records the IP address that is from the same address family as the first service cluster IP range.
    • On a single-stack cluster, the .spec.ClusterIPs and .spec.ClusterIP fields both only list one address.
    • On a cluster with dual-stack enabled, specifying RequireDualStack in .spec.ipFamilyPolicy behaves the same as PreferDualStack.
apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: MyApp
spec:
  ipFamilyPolicy: PreferDualStack
  selector:
    app: MyApp
  ports:
    - protocol: TCP
      port: 80
  3. This Service specification explicitly defines IPv6 and IPv4 in .spec.ipFamilies as well as defining PreferDualStack in .spec.ipFamilyPolicy. When Kubernetes assigns an IPv6 and IPv4 address in .spec.ClusterIPs, .spec.ClusterIP is set to the IPv6 address because that is the first element in the .spec.ClusterIPs array, overriding the default.
apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: MyApp
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies:
  - IPv6
  - IPv4
  selector:
    app: MyApp
  ports:
    - protocol: TCP
      port: 80
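
The three scenarios above follow from one small decision procedure. This added example (a model of the rules stated on this page, not the API server's code) predicts the recorded .spec.ipFamilyPolicy and .spec.ipFamilies; resolve_ip_families, primary_family and the cluster_families argument are names invented here, and headless Services without selectors are not modelled.

```python
POLICIES = ("SingleStack", "PreferDualStack", "RequireDualStack")

def resolve_ip_families(spec, cluster_families):
    """Model of the rules above: return (ipFamilyPolicy, ipFamilies).

    spec             -- the Service .spec as a dict
    cluster_families -- address families of --service-cluster-ip-range in
                        configured order, e.g. ["IPv4"] or ["IPv4", "IPv6"]
    """
    dual_cluster = len(cluster_families) == 2
    policy = spec.get("ipFamilyPolicy") or "SingleStack"  # default when unset
    requested = list(spec.get("ipFamilies") or [])

    if policy not in POLICIES:
        raise ValueError(f"unknown ipFamilyPolicy {policy!r}")
    if policy == "RequireDualStack" and not dual_cluster:
        raise ValueError("RequireDualStack needs a dual-stack cluster")

    if policy == "SingleStack" or not dual_cluster:
        # One cluster IP: the first listed family, else the first cluster range.
        families = requested[:1] or cluster_families[:1]
    else:
        # Two cluster IPs: requested order first, then the missing family.
        families = requested + [f for f in cluster_families if f not in requested]
    if families[0] not in cluster_families:
        raise ValueError(f"no service cluster IP range for {families[0]}")
    return policy, families

def primary_family(spec, cluster_families):
    """Family of the legacy .spec.ClusterIP field: the first ipFamilies entry."""
    return resolve_ip_families(spec, cluster_families)[1][0]

if __name__ == "__main__":
    dual = ["IPv4", "IPv6"]  # constructed cluster configuration
    print(resolve_ip_families({}, dual))                                   # scenario 1
    print(resolve_ip_families({"ipFamilyPolicy": "PreferDualStack"}, dual))  # scenario 2
    print(resolve_ip_families({"ipFamilyPolicy": "PreferDualStack",
                               "ipFamilies": ["IPv6", "IPv4"]}, dual))       # scenario 3
```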

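Dual-stack defaults on existing Services

These examples demonstrate the default behavior when dual-stack is newly enabled on a cluster where Services already exist.

  1. When dual-stack is enabled on a cluster, existing Services (whether IPv4 or IPv6) are configured by the control plane to set .spec.ipFamilyPolicy to SingleStack and set .spec.ipFamilies to the address family of the existing Service. The existing Service cluster IP will be stored in .spec.ClusterIPs.
apiVersion: v1
kind: Service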
metadata:
  name: my-service
  labels:
    app: MyApp
spec:
  selector:
    app: MyApp
  ports:
    - protocol: TCP
      port: 80

You can validate this behavior by using kubectl to inspect an existing service.

kubectl get svc my-service -o yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: MyApp
  name: my-service
spec:
  clusterIP: 10.0.197.123
  clusterIPs:
  - 10.0.197.123
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: MyApp
  type: ClusterIP
status:
  loadBalancer: {}
  2. When dual-stack is enabled on a cluster, existing headless Services with selectors are configured by the control plane to set .spec.ipFamilyPolicy to SingleStack and set .spec.ipFamilies to the address family of the first service cluster IP range (configured via the --service-cluster-ip-range flag to the kube-controller-manager) even though .spec.ClusterIP is set to None.
apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: MyApp
spec:
  selector:
    app: MyApp
  ports:
    - protocol: TCP
      port: 80

You can validate this behavior by using kubectl to inspect an existing headless service with selectors.

kubectl get svc my-service -o yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: MyApp
  name: my-service
spec:
  clusterIP: None
  clusterIPs:
  - None
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: MyApp
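
The same verification can be automated across every Service. This added example (not part of the Kubernetes documentation) reads `kubectl get svc -o json` output and checks the field relationships described above; the function names and the SAMPLE data are constructed for illustration.

```python
import ipaddress
import json

def family_of(ip):
    return "IPv6" if ipaddress.ip_address(ip).version == 6 else "IPv4"

def check_service(svc):
    """Return the inconsistencies found in one Service object (a dict)."""
    spec, name = svc["spec"], svc["metadata"]["name"]
    if spec.get("type") == "ExternalName":
        return []  # no cluster IP is allocated for this type
    ips = spec.get("clusterIPs") or []
    families = spec.get("ipFamilies") or []
    issues = []
    if not ips or spec.get("clusterIP") != ips[0]:
        issues.append(f"{name}: clusterIP is not the first entry of clusterIPs")
    if spec.get("ipFamilyPolicy") == "SingleStack" and (len(ips) > 1 or len(families) > 1):
        issues.append(f"{name}: SingleStack with more than one address or family")
    if ips and ips != ["None"]:  # headless Services record families, not addresses
        actual = [family_of(ip) for ip in ips]
        if actual != families:
            issues.append(f"{name}: clusterIPs are {actual} but ipFamilies is {families}")
    return issues

def check_services(text):
    """text is the output of `kubectl get svc -o json`, or one Service as JSON."""
    doc = json.loads(text)
    return [i for svc in doc.get("items", [doc]) for i in check_service(svc)]

def make_svc(name, policy, families, ips):
    """Build a minimal Service object for the constructed sample below."""
    return {"metadata": {"name": name},
            "spec": {"ipFamilyPolicy": policy, "ipFamilies": families,
                     "clusterIP": ips[0], "clusterIPs": ips}}

# Constructed sample: the two outputs shown above plus one inconsistent object.
SAMPLE = json.dumps({"kind": "List", "items": [
    make_svc("my-service", "SingleStack", ["IPv4"], ["10.0.197.123"]),
    make_svc("my-headless", "SingleStack", ["IPv4"], ["None"]),
    make_svc("swapped", "PreferDualStack", ["IPv6", "IPv4"], ["10.0.10.5", "fd00::5"]),
]})

if __name__ == "__main__":
    for issue in check_services(SAMPLE):
        print(issue)
```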

Switching Services between single-stack and dual-stack

Services can be changed from single-stack to dual-stack and from dual-stack to single-stack.

  1. To change a Service from single-stack to dual-stack, change .spec.ipFamilyPolicy from SingleStack to PreferDualStack or RequireDualStack as desired. When you change this Service from single-stack to dual-stack, Kubernetes assigns the missing address family so that the Service now has IPv4 and IPv6 addresses.

    Edit the Service specification updating the .spec.ipFamilyPolicy from SingleStack to PreferDualStack.

Before:

spec:
  ipFamilyPolicy: SingleStack

After:

spec:
  ipFamilyPolicy: PreferDualStack
  2. To change a Service from dual-stack to single-stack, change .spec.ipFamilyPolicy from PreferDualStack or RequireDualStack to SingleStack. When you change this Service from dual-stack to single-stack, Kubernetes retains only the first element in the .spec.ClusterIPs array, and sets .spec.ClusterIP to that IP address and sets .spec.ipFamilies to the address family of .spec.ClusterIPs.

Headless Services without selector

For headless Services without selectors and without .spec.ipFamilyPolicy explicitly set, the .spec.ipFamilyPolicy field defaults to RequireDualStack.

Service type LoadBalancer

To provision a dual-stack load balancer for your Service:

  • Set the .spec.type field to LoadBalancer
  • Set .spec.ipFamilyPolicy field to PreferDualStack or RequireDualStack
Note: To use a dual-stack LoadBalancer type Service, your cloud provider must support IPv4 and IPv6 load balancers.

Egress traffic

If you want to enable egress traffic in order to reach off-cluster destinations (for example, the public Internet) from a Pod that uses non-publicly routable IPv6 addresses, you need to enable the Pod to use a publicly routed IPv6 address via a mechanism such as transparent proxying or IP masquerading. The ip-masq-agent project supports IP masquerading on dual-stack clusters.

Note: Ensure your CNI provider supports IPv6.


October 26, 2020 at 1:06 PM PST: Dual-stack docs for Kubernetes 1.20 (8a3244fdd)