How to Build a Cilium Dual‑Stack IPv4/IPv6 Kubernetes Cluster with Kind
This guide explains the concepts of IPv4/IPv6 dual‑stack networking, outlines two dual‑stack implementation methods, and provides step‑by‑step instructions to set up a Cilium‑enabled Kubernetes cluster using Kind, configure dual‑stack settings, deploy a demo app, and analyze routing behavior for both IP families.
1. About IPv4/IPv6 Dual‑Stack
Many companies are transitioning their services from IPv4 to IPv6 or operating both protocols simultaneously.
Dual‑Stack Implementation Methods
Assign both an IPv4 and an IPv6 address to a single network interface (standard approach).
Use two separate network interfaces, one for IPv4 and one for IPv6, and route traffic to the appropriate interface via a load‑balancing mechanism.
Kubernetes has supported IPv4/IPv6 dual‑stack since version 1.21 (alpha) and it is stable in 1.23.
Cilium CNI also implements dual‑stack at the in‑cluster level; external traffic requires platform‑level support.
2. Setting Up a Cilium Dual‑Stack Environment
We use kind to quickly create a Kubernetes cluster.
#1-setup-env.sh
#!/bin/bash
date
set -v
# 1. prepare a cluster without a default CNI
cat <<EOF | kind create cluster --name=cilium-dual-stack --image=kindest/node:v1.23.4 --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
networking:
  disableDefaultCNI: true # disable kind's default CNI (kindnet) so Cilium can be installed instead
  ipFamily: dual
nodes:
  - role: control-plane
  - role: worker
  - role: worker
EOF
# 2. remove taints so Pods can also be scheduled on the control-plane node
controller_node=$(kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name | grep control-plane)
kubectl taint nodes "$controller_node" node-role.kubernetes.io/master:NoSchedule-
kubectl get nodes -owide
# 3. install Cilium CNI
helm repo add cilium https://helm.cilium.io > /dev/null 2>&1
helm repo update > /dev/null 2>&1
helm install cilium cilium/cilium \
  --set k8sServiceHost="$controller_node" \
  --set k8sServicePort=6443 \
  --version 1.13.0-rc5 \
  --namespace kube-system \
  --set debug.enabled=true \
  --set debug.verbose=datapath \
  --set monitorAggregation=none \
  --set ipam.mode=kubernetes \
  --set cluster.name=cilium-dual-stack \
  --set tunnel=vxlan \
  --set kubeProxyReplacement=disabled \
  --set ipv6.enabled=true
# 4. install auxiliary tools inside kind nodes
for i in $(docker ps -a --format "table {{.Names}}" | grep cilium-dual-stack); do
  echo "$i"
  docker cp /usr/bin/ping "$i":/usr/bin/ping
  docker exec -it "$i" bash -c "sed -i -e 's/jp.archive.ubuntu.com\|archive.ubuntu.com\|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list"
  docker exec -it "$i" bash -c "apt-get -y update > /dev/null && apt-get -y install net-tools tcpdump lrzsz > /dev/null 2>&1"
done
Key Configuration Options
ipFamily: dual – enables dual‑stack for the cluster.
--set kubeProxyReplacement=disabled – dual‑stack relies on Cilium’s proxy replacement.
--set ipv6.enabled=true – IPv6 must be explicitly enabled.
--set tunnel=vxlan – using VXLAN simplifies installation.
Deploying a Demo Application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: nettool
          image: burlyluo/nettool
          securityContext:
            privileged: true # grants the container all capabilities; the demo uses it for in-pod ping/tcpdump
---
apiVersion: v1
kind: Service
metadata:
  name: app
spec:
  ipFamilyPolicy: PreferDualStack
  ipFamilies: # order matters: the first family listed becomes the primary ClusterIP
    - IPv6
    - IPv4
  type: ClusterIP
  selector:
    app: app
  ports:
    - name: app
      port: 8080
      targetPort: 80
After applying the manifests, the cluster reports successful dual‑stack deployment.
Verification shows both IPv4 and IPv6 addresses are assigned to Pods and Services.
3. Cilium Dual‑Stack Mode Analysis
IPv4 Pod Routing
Pods send traffic through the eth0 interface; the next‑hop IP is 10.244.1.3, which corresponds to the host’s cilium_host interface.
IPv6 Pod Routing
Running ip -6 route show reveals the next‑hop address fd00:10:244:1::20f3, which may not correspond to a visible host‑side interface.
IPv6 Ping Test
Two Pods with IPv6 addresses fd00:10:244:1::89bc and fd00:10:244:2::3573 can ping each other successfully.
Packet Capture Inside a Pod
Captured packets show source MAC f2:65:2b:03:4c:22 (the Pod’s eth0), source IPv6 fd00:10:244:1::89bc, destination IPv6 fd00:10:244:2::3573, and destination MAC 8a:be:1f:9b:eb:9d (the host’s LXC interface).
Even though the IPv6 next‑hop is not visible on the host, the packet can still be encapsulated and transmitted because a hook intercepts the traffic and supplies the required MAC address.
Advantages of IPv6
IPv6 allows early detection of unwanted packets at the data‑link layer, provides a vastly larger address space, and simplifies certain network operations, though it introduces additional complexity.
Service Dual‑Stack
The Service’s ClusterIP has both an IPv6 address (fd00:10:96::94f8) and an IPv4 address (10.96.247.62).
Inside a container you can resolve both IPv4 and IPv6 Service IPs to verify proper dual‑stack operation.
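A scripted form of the verification described above, as an added example that is not part of the original article: it reads kubectl jsonpath output (object name followed by its addresses) and reports any Pod or Service that lacks an IPv4 or an IPv6 address. The function names, the Pod names, the Pod IPv4 addresses and the single‑stack "legacy" Service are assumptions made for the example.

```shell
#!/bin/bash
# Added example: flag Pods/Services that did not get both address families.

# Classify one address string as IPv4, IPv6 or unknown
# (a headless Service reports "None" and is classified as unknown).
ip_family() {
  case "$1" in
    *:*)     echo IPv6 ;;
    *.*.*.*) echo IPv4 ;;
    *)       echo unknown ;;
  esac
}

# Read "NAME ADDR [ADDR...]" lines on stdin and print "NAME missing:<family>"
# for every object lacking a family. Returns 1 if anything was reported, else 0.
check_dual_stack() {
  rc=0
  while read -r name addrs; do
    [ -n "$name" ] || continue
    has4=0; has6=0
    for a in $addrs; do
      case "$(ip_family "$a")" in
        IPv4) has4=1 ;;
        IPv6) has6=1 ;;
      esac
    done
    [ "$has4" -eq 1 ] || { echo "$name missing:IPv4"; rc=1; }
    [ "$has6" -eq 1 ] || { echo "$name missing:IPv6"; rc=1; }
  done
  return "$rc"
}

# Live input for this guide's demo app (needs kubectl access to the cluster).
collect_live() {
  kubectl get pods -l app=app -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.podIPs[*].ip}{"\n"}{end}'
  kubectl get svc app -o jsonpath='{.metadata.name}{" "}{.spec.clusterIPs[*]}{"\n"}'
}

# Constructed sample: the IPv6 values and the Service IPv4 are quoted from the
# article; Pod names, Pod IPv4 addresses and the "legacy" Service are made up.
SAMPLE='app-pod-1 10.244.1.57 fd00:10:244:1::89bc
app-pod-2 10.244.2.112 fd00:10:244:2::3573
app fd00:10:96::94f8 10.96.247.62
legacy 10.96.12.7'

if [ "${1:-}" = "live" ]; then
  collect_live | check_dual_stack
else
  printf '%s\n' "$SAMPLE" | check_dual_stack || true
fi
```

Run it with the argument live against the kind cluster; a non-zero exit status means at least one object is single‑stack.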
Source: https://www.cnblogs.com/huaweiyun/p/17903006.html
MaGe Linux Operations
