rbrtbnfgl
commented
1 week ago Did you disable IPv4? On the net-conf configuration you should specify EnableIPv6: true and EnableIPv4: false
Open dvgt opened 2 weeks ago
rbrtbnfgl
commented
1 week ago Did you disable IPv4? On the net-conf configuration you should specify EnableIPv6: true and EnableIPv4: false
dvgt
commented
1 day ago This is the config map that's in use:
apiVersion: v1
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: rke2-canal
meta.helm.sh/release-namespace: kube-system
creationTimestamp: "2024-09-18T12:15:44Z"
labels:
app.kubernetes.io/managed-by: Helm
name: rke2-canal-config
namespace: kube-system
data:
canal_iface: ""
canal_iface_regex: ""
cni_network_config: |-
{
"name": "k8s-pod-network",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "calico",
"log_level": "info",
"datastore_type": "kubernetes",
"nodename": "__KUBERNETES_NODE_NAME__",
"mtu": __CNI_MTU__,
"ipam": {
"type": "host-local",
"ranges": [
[
{
"subnet": "usePodCidrIPv6"
}
]
]
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__"
}
},
{
"type": "portmap",
"snat": true,
"capabilities": {"portMappings": true}
},
{
"type": "bandwidth",
"capabilities": {"bandwidth": true}
}
]
}
masquerade: "true"
net-conf.json: |
{
"EnableIPv4": false,
"IPv6Network": "A:B:C:D::/108",
"EnableIPv6": true,
"Backend": {
"Type": "vxlan"
}
}
typha_service_name: none
veth_mtu: "1450"Note: The IPv6 address prefix was changed to A:B:C:D.
Expected Behavior
Setting the
flannel.alpha.coreos.com/node-public-ipv6annotation on a node should result in that IP address to be used as backend for the VXLAN tunnel.Current Behavior
The IPv6 address that is getting used, is the first IPv6 address which is found on the interface that has the node-public-ipv6 address, which might not be the expected IPv6 address. Pod traffic going to other nodes are being sent using the first IPv6 address instead of the configured address from the annotation.
I think there is a small bug in
match.go:LookupExtIface, called frommain.go:282ormain.go:284. This passes thepublicIP(v6)as argument to the function. When retrieving the interface for the given publicIP, the variableifaceAddris used initially https://github.com/flannel-io/flannel/blob/da774f2f523db109c3b9a81926de99c557ddbfca/pkg/ipmatch/match.go#L73 but when checking if a fallback is needed later, theifaceV6Addrvariable is used https://github.com/flannel-io/flannel/blob/da774f2f523db109c3b9a81926de99c557ddbfca/pkg/ipmatch/match.go#L243 which is not set in the case of an IPv6-only IP stack. Then the code falls back to using the first IPv6 address of the detected interface.This does not happen in case of dual-stack because the
ifaceV6Addrvariable is set there https://github.com/flannel-io/flannel/blob/da774f2f523db109c3b9a81926de99c557ddbfca/pkg/ipmatch/match.go#L94Possible Solution
A possible solution could be to add
ifaceV6Addr = ifaceAddrand further useifaceV6Addrabove line https://github.com/flannel-io/flannel/blob/da774f2f523db109c3b9a81926de99c557ddbfca/pkg/ipmatch/match.go#L82 and potentially setifaceAddr = nilto avoid processing it as an IPv4 address.Steps to Reproduce (for bugs)
Context
Your Environment