This documentation is deprecated; please check here for its new home.
Since Kubernetes 1.22, deployments at CERN have dual-stack networking support enabled. Workloads can be configured to run IPv4 only, IPv6 only, or dual stack.
Services can be configured to prefer or require IPv4 only, IPv6 only, or dual-stack support via the ipFamilyPolicy and ipFamilies parameters. Check here for full details.
By default, services have both configured but prefer IPv4.
A quick example (taken from the upstream docs) mandating single stack IPv4 only:
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: MyApp
  name: my-service
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: MyApp
```
And to enable dual stack networking:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  labels:
    app: MyApp
spec:
  ipFamilyPolicy: PreferDualStack
  selector:
    app: MyApp
  ports:
  - protocol: TCP
    port: 80
```
These settings can be changed on existing services, without redeployment.
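All pods get dual-stack networking configured by default, and unlike Services, there is no parameter available to change this behavior in the Pod configuration.
This can be problematic if the workload cannot rely on IPv6 for whatever reason. As a workaround, you can add an initContainer to explicitly disable IPv6 in the Pod's network stack. The initContainer shares the Pod's network namespace, so the sysctl it sets also applies to the main containers. It runs with privileged: true in order to write that sysctl, so namespaces that enforce the baseline or restricted Pod Security Standards will reject it. Here's an example for a Deployment: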
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: noipv6
  labels:
    app: noipv6
spec:
  replicas: 1
  selector:
    matchLabels:
      app: noipv6
  template:
    metadata:
      labels:
        app: noipv6
    spec:
      # this is the relevant part, you can reuse this initContainer as defined
      # below to disable the ipv6 stack - no matter the actual workload later
      initContainers:
      - name: disableipv6
        image: ubuntu:20.04
        command: ["/bin/bash", "-c", "sysctl -w net.ipv6.conf.all.disable_ipv6=1"]
        securityContext:
          privileged: true
      containers:
      - name: main
        image: ubuntu:20.04
        # this is a sample command that shows only IPv4 is set in the pod
        command: ["/bin/bash", "-c", "apt-get update; apt-get install -y iputils-ping iproute2; ip a; sleep inf"]
```
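To check what a namespace actually ended up with, the following added example (not part of the original documentation) reads the JSON that `kubectl get services,deployments -o json` returns. It reports each Service's ipFamilyPolicy and ipFamilies, and for each Deployment whether it carries the IPv6-disabling initContainer and whether that container runs privileged. The sample listing, the object names my-dual-service and plain, and the function names are constructed for illustration.

```python
"""Audit Service IP families and the IPv6 workaround in Deployments."""
import json
# Constructed sample standing in for `kubectl get services,deployments -o json`
# (not real cluster data).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Service", "metadata": {"name": "my-service"},
  "spec": {"ipFamilyPolicy": "SingleStack", "ipFamilies": ["IPv4"]}},
 {"kind": "Service", "metadata": {"name": "my-dual-service"},
  "spec": {"ipFamilyPolicy": "PreferDualStack", "ipFamilies": ["IPv4", "IPv6"]}},
 {"kind": "Deployment", "metadata": {"name": "noipv6"},
  "spec": {"template": {"spec": {
   "initContainers": [{"name": "disableipv6",
     "command": ["/bin/bash", "-c", "sysctl -w net.ipv6.conf.all.disable_ipv6=1"],
     "securityContext": {"privileged": true}}],
   "containers": [{"name": "main"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "plain"},
  "spec": {"template": {"spec": {"containers": [{"name": "main"}]}}}}
]}
""")

SYSCTL = "net.ipv6.conf.all.disable_ipv6=1"

def ipv6_workaround(deployment):
    """Return (name, privileged) for each initContainer that sets SYSCTL."""
    pod_spec = deployment["spec"]["template"]["spec"]
    found = []
    for c in pod_spec.get("initContainers", []):
        argv = " ".join(c.get("command", []) + c.get("args", []))
        if SYSCTL in argv:
            privileged = c.get("securityContext", {}).get("privileged", False)
            found.append((c["name"], privileged))
    return found

def audit(listing):
    """Map 'Kind/name' to the Service's families or the Deployment's IPv6 state."""
    report = {}
    for obj in listing["items"]:
        key = f'{obj["kind"]}/{obj["metadata"]["name"]}'
        if obj["kind"] == "Service":
            spec = obj["spec"]
            report[key] = (spec.get("ipFamilyPolicy"), spec.get("ipFamilies", []))
        elif obj["kind"] == "Deployment":
            # No workaround found means the pods keep the default dual stack.
            report[key] = ipv6_workaround(obj) or "dual stack (default)"
    return report

if __name__ == "__main__":
    for key, finding in audit(SAMPLE).items():
        print(f"{key}: {finding}")
```

Against a live cluster, replace SAMPLE with `json.load(sys.stdin)` and pipe the kubectl output in.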