SLAAC IPAM

Question

SLAAC IPAM

maxpain opened this issue 4 months ago · comments

I use the macvlan plugin for Kubernetes, and my pods autoconfigure IPv6 addresses using SLAAC, but those addresses aren't exposed to Kubernetes.

How to achieve this?

Antonio Ojea · Answer 1 · Fri Mar 08 2024 14:58:45 GMT+0800 (China Standard Time)

they have to be returned as the response of the CNI ADD command

Tomofumi Hayashi · Answer 2 · Fri Mar 08 2024 20:09:15 GMT+0800 (China Standard Time)

they have to be returned as the response of the CNI ADD command

This issue is not just simple as above. In my conclusion, current CNI and Kubernetes does not support IPv6 SLAAC address.
There are several gaps between SLAAC, CNI and Kubernetes.

Current CNI plugin (at least, under https://github.com/containernetworking/plugins/) does not care IPv6 SLAAC address

SLAAC IP configuration is asynchronous to interface creation, actually. After interface creation, linux kernel will send a router solicitation and its reply (i.e. router advertisement) contains the network prefix, then IP autoconfiguration (i.e. DAD, duplicated address ditection) is started. Hence even though CNI plugin finishes their task, SLAAC process may be still on going.
(That is why submitter files the issue, I guess but there are still several technical challenges...)

SLAAC may change the IP address, but Kubernetes/CNI cannot have a way to track the changes

SLAAC provide a method to configure IPv6 address automatically based on prefix advertised by a local router, hence if the router provides different prefix then Pod's address will automatically re-configured (i.e. changed). Currently CNI plugins are only invoked at Pod creation and Pod deletion, hence Kubernetes does not capture Pod's re-configured address.

SLAAC may have multiple IP address to an interface but Kubernetes does not support multiple IPv6 address for a Pod

SLAAC, defined in https://tex2e.github.io/rfc-translater/html/rfc7217.html, introduces multiple IPv6 address to an interfaces. If user network has two or more network prefix, an interface has two or more IPv6 addresses, for each network prefix. In addition, even if user network has only one network prefix, "temporary addresses" is assigned to an interfaces, additionally. So IPv6 and SLAAC are designed to have multiple IP addresses in an interface.

But on the other side, current Kubernetes only supports one IP address for each protocol (i.e. IPv4/v6). Hence Kubernetes cannot handle multiple IPv6 address.

As of above reasons, currently SLAAC IPv6 address is not handling in Kubernetes/CNI yet.

Antonio Ojea · Answer 3 · Fri Mar 08 2024 20:14:55 GMT+0800 (China Standard Time)

Let me explain myself better, kubernetes pods are ephemeral, the lifecycle of a Pod is start -> run -> stop, so there is no concept of dynamic IPs on Pods. It will be interesting to know your use case for having a Pod that is running and changing IPs though ...

If you want to represent an IP address to kubernetes , as in pod.status.PodIP, it has to be returned as the response of the CNI ADD , it is up to the plugin implementation how to obtain this IP, you can use dhcp, slaac or static IP assignment to get this IP , but kubernetes will be only aware of the IP that is in the response of the CNI ADD

Casey Callendrello · Answer 4 · Mon Mar 11 2024 23:48:44 GMT+0800 (China Standard Time)

I actually wrote a SLAAC ipam plugin once, and it totally worked. (The branch is long gone, that laptop is like 3 acquisitions old 😆). The basic step was:

Bring up interface
Wait for SLAAC
Disable SLAAC, "manually" IP address and routes to interface (to remove from SLAAC lifecycle)
Return IP in CNI status

It totally worked! If you want to re-create it, I'd be happy to merge it.