How Intel and F5 Enabled Dual‑Stack Support in Istio 1.17
This article details the collaborative effort between Intel and F5 to redesign and implement dual‑stack networking support in Istio 1.17, covering the background challenges, new RFC design, key Envoy changes, step‑by‑step experimental setup, listener and endpoint modifications, and ways for the community to contribute.
Background
Initial dual‑stack implementation for Istio duplicated Envoy configuration for listeners, clusters, routes and endpoints, raising memory and CPU concerns. Community feedback requested a redesign to avoid this overhead.
Redefining dual‑stack support
A simplified RFC was created that modifies Envoy itself rather than only Istio, reducing configuration duplication.
Support in Istio 1.17
Collaboration with the Envoy community resolved key issues such as “matched IP family for outbound listener” and “support multiple addresses per listener”. Improvements like smarter endpoint selection and enabling socket options on multiple addresses were merged, enabling experimental dual‑stack support in Istio 1.17.
Key Envoy interface changes
Listener addresses (see Envoy listener.proto)
Bind config (see Envoy address.proto)
Quick experiment guide
Enable the experimental feature in Istio 1.17+ with the following IstioOperator configuration:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
defaultConfig:
proxyMetadata:
ISTIO_AGENT_DUAL_STACK: "true"
values:
pilot:
env:
ISTIO_DUAL_STACK: "true"Create three namespaces and label them for sidecar injection:
kubectl create namespace dual-stack
kubectl create namespace ipv4
kubectl create namespace ipv6
kubectl label --overwrite namespace default istio-injection=enabled
kubectl label --overwrite namespace dual-stack istio-injection=enabled
kubectl label --overwrite namespace ipv4 istio-injection=enabled
kubectl label --overwrite namespace ipv6 istio-injection=enabledDeploy the tcp-echo sample into each namespace and a sleep workload in the default namespace:
# dual‑stack (listens on both IPv4 and IPv6)
kubectl apply -n dual-stack -f https://github.com/istio/istio/blob/master/samples/tcp-echo/tcp-echo-dual-stack.yaml
# IPv4‑only
kubectl apply -n ipv4 -f https://github.com/istio/istio/blob/master/samples/tcp-echo/tcp-echo-ipv4.yaml
# IPv6‑only
kubectl apply -n ipv6 -f https://github.com/istio/istio/blob/master/samples/tcp-echo/tcp-echo-ipv6.yaml
# sleep workload
kubectl apply -f https://github.com/istio/istio/blob/master/samples/sleep/sleep.yamlVerify traffic from the sleep pod:
kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -- sh -c "echo dualstack | nc tcp-echo 9000"
kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -- sh -c "echo ipv4 | nc tcp-echo.ipv4 9000"
kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -- sh -c "echo ipv6 | nc tcp-echo.ipv6 9000"Listener and endpoint changes
For dual‑stack services, listeners bind to multiple addresses (IPv4 and IPv6). Virtual inbound listeners are configured to listen on 0.0.0.0 and [::]. Endpoints now contain both IPv4 and IPv6 addresses.
Example listener configuration (showing additionalAddresses):
"name": "fd00:10:96::f9fc_9000",
"address": {"socketAddress": {"address": "fd00:10:96::f9fc","portValue":9000}},
"additionalAddresses": [
{"address": {"socketAddress": {"address":"10.96.106.11","portValue":9000}}}
]Virtual inbound listener example:
"name":"virtualInbound",
"address":{"socketAddress":{"address":"0.0.0.0","portValue":15006}},
"additionalAddresses":[
{"address":{"socketAddress":{"address":"::","portValue":15006}}}
]Endpoint configuration now includes both families:
10.244.0.19:9000 (IPv4)
fd00:10:244::1a:9000 (IPv6)
...Further work
Additional contributions are needed to bring dual‑stack support to Alpha status and later to Ambient mode in Istio 1.18. Ongoing discussions are tracked in Istio issue #40394 and the dual‑stack enhancement document.
References
Kubernetes dual‑stack networking: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
RFC design documents: https://docs.google.com/document/d/1oT6pmRhOw7AtsldU0-HbfA0zA26j9LYiBD_eepeErsQ/edit and https://docs.google.com/document/d/15LP2XHpQ71ODkjCVItGacPgzcn19fsVhyE7ruMGXDyU/edit
Envoy issue “matched IP Family for outbound listener”: https://github.com/envoyproxy/envoy/issues/16804
Envoy issue “supported multiple addresses per listener”: https://github.com/envoyproxy/envoy/issues/11184
Smarter endpoint selection: https://github.com/envoyproxy/envoy/issues/21640
Enable socket options on multiple addresses: https://github.com/envoyproxy/envoy/pull/23496
Istio PR “extra source addresses on inbound clusters”: https://github.com/istio/istio/pull/41618
Envoy listener API: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto.html?highlight=additional_addresses
Envoy bind config API: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-bindconfig
Istio dual‑stack enhancement: https://github.com/istio/enhancements/blob/master/features/dual-stack-support.md
Istio issue #40394: https://github.com/istio/istio/issues/40394
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.