From 3f4883d593b49e0419ae7a17f256258d65a8f0aa Mon Sep 17 00:00:00 2001 From: Roberto Bonafiglia Date: Fri, 18 Mar 2022 11:46:42 +0100 Subject: [PATCH 1/4] Update K3s network installation doc --- .../en/installation/network-options/_index.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/k3s/latest/en/installation/network-options/_index.md b/content/k3s/latest/en/installation/network-options/_index.md index 78e734929ea..2ceeaa9a2f8 100644 --- a/content/k3s/latest/en/installation/network-options/_index.md +++ b/content/k3s/latest/en/installation/network-options/_index.md @@ -74,6 +74,8 @@ You should see that IP forwarding is set to true. Dual-stack networking must be configured when the cluster is first created. It cannot be enabled on an existing single-stack cluster. +Dual-stack is supported on k3s v1.21 or above. + To enable dual-stack in k3s, you must provide valid dual-stack `cluster-cidr` and `service-cidr`, and set `disable-network-policy` on all server nodes. Both servers and agents must provide valid dual-stack `node-ip` settings. Node address auto-detection and network policy enforcement are not supported on dual-stack clusters when using the default flannel CNI. Besides, only vxlan backend is supported at the moment. This is an example of a valid configuration: ``` 
@@ -86,3 +88,18 @@ disable-network-policy: true Note that you can choose whatever `cluster-cidr` and `service-cidr` value, however the `node-ip` values must correspond to the ip addresses of your main interface. Remember to allow ipv6 traffic if you are deploying in a public cloud. If you are using a custom cni plugin, i.e. a cni plugin different from flannel, the previous configuration might not be enough to enable dual-stack in the cni plugin. Please check how to enable dual-stack in its documentation and verify if network policies can be enabled. + +### IPv6 only installation + +IPv6 only setup is supported on k3s v1.22 or above. + +IPv6 only setup requires a similar setup as dual-stack where you must provide a valid IPv6 `node-ip` on both servers and agents. This is an example of a valid configuration: + +``` +node-ip: 2a05:d012:c6f:4611:5c2:5602:eed2:898c +cluster-cidr: 2001:cafe:42:0::/56 +service-cidr: 2001:cafe:42:1::/112 +disable-network-policy: true +``` + +Note that you can specify only one IPv6 `cluster-cidr` value. From 814150760a2742f05b236cf579a9fc6df4f4aab1 Mon Sep 17 00:00:00 2001 From: Roberto Bonafiglia Date: Mon, 21 Mar 2022 09:43:46 +0100 Subject: [PATCH 2/4] Update network installation doc --- .../en/installation/network-options/_index.md | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/content/k3s/latest/en/installation/network-options/_index.md b/content/k3s/latest/en/installation/network-options/_index.md index 2ceeaa9a2f8..0889039827e 100644 --- a/content/k3s/latest/en/installation/network-options/_index.md +++ b/content/k3s/latest/en/installation/network-options/_index.md 
@@ -79,10 +79,7 @@ Dual-stack is supported on k3s v1.21 or above. To enable dual-stack in k3s, you must provide valid dual-stack `cluster-cidr` and `service-cidr`, and set `disable-network-policy` on all server nodes. Both servers and agents must provide valid dual-stack `node-ip` settings. Node address auto-detection and network policy enforcement are not supported on dual-stack clusters when using the default flannel CNI. Besides, only vxlan backend is supported at the moment. This is an example of a valid configuration: ``` -node-ip: 10.0.10.7,2a05:d012:c6f:4611:5c2:5602:eed2:898c -cluster-cidr: 10.42.0.0/16,2001:cafe:42:0::/56 -service-cidr: 10.43.0.0/16,2001:cafe:42:1::/112 -disable-network-policy: true +k3s server --node-ip 10.0.10.7,2a05:d012:c6f:4611:5c2:5602:eed2:898c --cluster-cidr 10.42.0.0/16,2001:cafe:42:0::/56 --service-cidr 10.43.0.0/16,2001:cafe:42:1::/112 --disable-network-policy ``` Note that you can choose whatever `cluster-cidr` and `service-cidr` value, however the `node-ip` values must correspond to the ip addresses of your main interface. Remember to allow ipv6 traffic if you are deploying in a public cloud. 
@@ -91,15 +88,10 @@ If you are using a custom cni plugin, i.e. a cni plugin different from flannel, ### IPv6 only installation -IPv6 only setup is supported on k3s v1.22 or above. - -IPv6 only setup requires a similar setup as dual-stack where you must provide a valid IPv6 `node-ip` on both servers and agents. This is an example of a valid configuration: +IPv6 only setup is supported on k3s v1.22 or above. As in dual-stack operation, IPv6 node addresses cannot be auto-detected; all nodes must have an explicitly configured IPv6 `node-ip`. This is an example of a valid configuration: ``` -node-ip: 2a05:d012:c6f:4611:5c2:5602:eed2:898c -cluster-cidr: 2001:cafe:42:0::/56 -service-cidr: 2001:cafe:42:1::/112 -disable-network-policy: true +k3s server --node-ip 2a05:d012:c6f:4611:5c2:5602:eed2:898c --cluster-cidr 2001:cafe:42:0::/56 --service-cidr 2001:cafe:42:1::/112 --disable-network-policy ``` Note that you can specify only one IPv6 `cluster-cidr` value. From c840d7fab68abead093eaadb5ddbbaa67700e25e Mon Sep 17 00:00:00 2001 From: Alexandre Pinon <1724149+zaggash@users.noreply.github.com> Date: Mon, 21 Mar 2022 10:48:30 +0100 Subject: [PATCH 3/4] impacted version update firewalld/iptables issue still unresolved on newer releases. --- .../v2.6/en/installation/resources/advanced/firewall/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/installation/resources/advanced/firewall/_index.md b/content/rancher/v2.6/en/installation/resources/advanced/firewall/_index.md index 291cee6d594..69c1afae91d 100644 --- a/content/rancher/v2.6/en/installation/resources/advanced/firewall/_index.md +++ b/content/rancher/v2.6/en/installation/resources/advanced/firewall/_index.md 
@@ -3,7 +3,7 @@ title: Opening Ports with firewalld weight: 1 --- -> We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off. +> We recommend disabling firewalld. For Kubernetes 1.19.x and higher, firewalld must be turned off. Some distributions of Linux [derived from RHEL,](https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Rebuilds) including Oracle Linux, may have default firewall rules that block communication with Helm. From 5c59b6ceb9ddd82b492b88d49e49eab9f99d559b Mon Sep 17 00:00:00 2001 From: Jennifer Travinski Date: Mon, 21 Mar 2022 10:59:00 -0400 Subject: [PATCH 4/4] Added update to 2.0-2.4 and 2.5 docs also --- .../en/installation/resources/advanced/firewall/_index.md | 2 +- .../v2.5/en/installation/resources/advanced/firewall/_index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.0-v2.4/en/installation/resources/advanced/firewall/_index.md b/content/rancher/v2.0-v2.4/en/installation/resources/advanced/firewall/_index.md index f3ee9defadd..67c6f880325 100644 --- a/content/rancher/v2.0-v2.4/en/installation/resources/advanced/firewall/_index.md +++ b/content/rancher/v2.0-v2.4/en/installation/resources/advanced/firewall/_index.md @@ -3,7 +3,7 @@ title: Opening Ports with firewalld weight: 1 --- -> We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off. +> We recommend disabling firewalld. For Kubernetes 1.19.x and higher, firewalld must be turned off. Some distributions of Linux [derived from RHEL,](https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Rebuilds) including Oracle Linux, may have default firewall rules that block communication with Helm. diff --git a/content/rancher/v2.5/en/installation/resources/advanced/firewall/_index.md b/content/rancher/v2.5/en/installation/resources/advanced/firewall/_index.md index b779951aa7b..2ff27022f24 100644 --- a/content/rancher/v2.5/en/installation/resources/advanced/firewall/_index.md 
+++ b/content/rancher/v2.5/en/installation/resources/advanced/firewall/_index.md @@ -5,7 +5,7 @@ aliases: - /rancher/v2.x/en/installation/resources/advanced/firewall/ --- -> We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off. +> We recommend disabling firewalld. For Kubernetes 1.19.x and higher, firewalld must be turned off. Some distributions of Linux [derived from RHEL,](https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux#Rebuilds) including Oracle Linux, may have default firewall rules that block communication with Helm.
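Review bot: In [PATCH 1/4], hunk `@@ -86,3 +88,18 @@`, the new "IPv6 only installation" example uses `node-ip: 2a05:d012:c6f:4611:5c2:5602:eed2:898c`, which is a global unicast address rather than one from the IPv6 documentation prefix. Suggest replacing the sample `node-ip` with an address under `2001:db8::/32` so the docs do not publish an address that may belong to a real host. The dual-stack example touched in [PATCH 2/4] carries the same address and would benefit from the same change.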
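Review bot: In [PATCH 2/4], hunk `@@ -79,10 +79,7 @@`, the replacement example shows only a `k3s server ...` invocation, while the paragraph directly above it says both servers and agents must provide valid dual-stack `node-ip` settings. Suggest adding the agent-side counterpart with its own `--node-ip`, and keeping the removed config-file form next to the command line, since the prose still names the options as `cluster-cidr`, `service-cidr` and `disable-network-policy` without the `--` prefix.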
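Review bot: In [PATCH 2/4], hunk `@@ -91,15 +88,10 @@`, the IPv6-only example passes `--disable-network-policy`, but the rewritten paragraph never says whether that flag is required here or why. The dual-stack section ties it to network policy enforcement being unsupported with the default flannel CNI; suggest one sentence stating whether the same limitation holds for IPv6-only, so readers know that network policy enforcement is off in this setup and can plan pod isolation another way.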
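Review bot: In [PATCH 3/4], the changed note now reads "For Kubernetes 1.19.x and higher, firewalld must be turned off" on a page whose title is still "Opening Ports with firewalld", so the page tells readers to turn the firewall off and then how to configure it. Suggest stating which instruction applies to which versions, linking the firewalld/iptables issue the commit message refers to so the statement can be revisited once it is resolved, and adding a sentence on where host traffic filtering should happen when firewalld is disabled.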
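Review bot: In [PATCH 4/4], the `v2.0-v2.4` hunk copies "For Kubernetes 1.19.x and higher" from the v2.6 page unchanged. Please confirm that wording is accurate for the Kubernetes versions those Rancher releases support, and consider keeping the sentence in one shared include if the docs tooling allows, since it is now maintained in three files.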