Operational goodies for your IPv4/IPv6 dual-stack Kubernetes clusters
Is your business ready to get started with IPv6? Is your cloud provider ready to go with you? Google Kubernetes Engine (GKE) now supports dual-stack Kubernetes clusters to support your enterprise's transition to IPv6 and ensure that your application is always ready. To meet the operational requirements for IPv6 workloads, Google is adding a number of features to GKE networking to extend protection for incoming and outgoing IPv6 traffic, and keep it secure, safe, and available.
The following features for dual-stack GKE clusters now include IPv6 support, making it easier to run IPv6 workloads alongside solutions that use both IPv6 and IPv4 Pods:
- Load Balancer Services
- FQDN Network Policies
- Dataplane V2 observability
These new features complement the extensive work we’ve been doing for GKE to support IPv6 at the same level as we do IPv4. For example:
- Dual-stack clusters – Google has supported IPv4 and IPv6 front-ends with Ingress for a while, and the Google-managed Gateway API implementation has supported them since launch. Starting December 22, 2022, dual-stack GKE clusters have been provisioned on Google Cloud VPC networks using either global unicast addresses (GUA) or unique local addresses (ULA) for IPv6. In a GKE dual-stack cluster, both nodes and Pods are assigned an IPv4 and an IPv6 address, so they can communicate over either protocol.
- DNS support – GKE supports both address families across its DNS options. From the very beginning, kube-dns has supported dual-stack with both A and AAAA records. GKE also provides a more scalable DNS service through Cloud DNS; this Google Cloud-native DNS integration includes in-cluster name resolution with full IPv4 and IPv6 support.
- Dual-stack Kubernetes Services – A Service can be allocated single-stack IPv4, single-stack IPv6, or dual-stack addresses. When dual-stack clusters were released, ClusterIP and NodePort Services were supported. These fundamental constructs let IPv6-capable Kubernetes workloads reach each other within a cluster.
- Serving IPv6 to the world – GKE clusters have long been able to expose your workloads through Kubernetes Ingress on Google Cloud. By deploying Gateway and Ingress on GKE, you get Google's edge networking to serve and protect your application over IPv6. Both the Kubernetes Gateway API and Ingress on GKE are backed by Google Cloud Load Balancers, giving you proven infrastructure. In addition, while exposing your applications to the world over IPv6, you can protect them with Google Cloud Armor.
Now, let’s take a look at the latest IPv6 features and capabilities we’ve developed for GKE.
GKE Load Balancer Services
Google is excited to announce that the Service type LoadBalancer is now available with dual-stack support. This means you can create Kubernetes LoadBalancer Services and specify their IP families. On GKE, these are deployed as Google Cloud Network Load Balancers, which can be external (public) or internal (private), with the address families of your choice (IPv4 only, IPv6 only, or both).
Here's an example of a YAML manifest that creates a dual-stack Kubernetes LoadBalancer Service on GKE, which is provisioned as a Google Cloud Network Load Balancer:
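The manifest below is an added example, not the YAML from the original post. It assumes a dual-stack GKE cluster and an existing Deployment whose Pods carry the label `app: hello-dualstack` and listen on port 8080; the Service name and labels are illustrative. Only standard Kubernetes fields are used; the commented-out annotation is GKE's annotation for an internal load balancer, shown because the text says the load balancer can be public or private.

```yaml
# Added example: a dual-stack LoadBalancer Service on GKE.
# Assumes a dual-stack GKE cluster and a Deployment whose Pods are
# labelled app: hello-dualstack and listen on port 8080 (hypothetical).
apiVersion: v1
kind: Service
metadata:
  name: hello-dualstack
  # Uncomment to provision a private (internal) Network Load Balancer
  # instead of an external one:
  # annotations:
  #   networking.gke.io/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  # RequireDualStack makes Service creation fail if both families cannot be
  # allocated; PreferDualStack would silently fall back to a single family,
  # which is easy to miss during an IPv6 rollout.
  ipFamilyPolicy: RequireDualStack
  # Order matters: the first family becomes the primary clusterIP.
  ipFamilies:
  - IPv4
  - IPv6
  selector:
    app: hello-dualstack
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8080
```

After applying it, `kubectl get service hello-dualstack -o jsonpath='{.status.loadBalancer.ingress[*].ip}'` should print one IPv4 and one IPv6 load balancer address, and `kubectl get service hello-dualstack -o jsonpath='{.spec.clusterIPs}'` shows the two cluster IPs in the order given by `ipFamilies`. If only one address appears, check that the Service was not created with `PreferDualStack` and that the node subnet actually has an IPv6 range.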
Once you've created a dual-stack Kubernetes LoadBalancer Service, you can confirm that both an IPv4 and an IPv6 address have been assigned to the Service by inspecting its load balancer status:
You can use the standard Kubernetes API to create dual-stack Load Balancers and apply GKE annotations as you like.
GKE FQDN Network Policies
Google is extending GKE with dual-stack support for the fully qualified domain name (FQDN) Network Policy feature. This brings the network security posture of workloads deployed on GKE to IPv6-enabled applications.
By evaluating both A and AAAA records, FQDN Network Policies enforce the same egress controls for IPv4 and IPv6 destinations. An FQDN Network Policy restricts outbound traffic from selected workloads to specific destinations outside the GKE cluster, identified by name and resolved to IPv4 or IPv6 addresses at runtime. FQDN policies complement any endpoints already allowed by an egress Network Policy: traffic is allowed if any applicable policy allows it. Once a Pod is selected by an FQDN Network Policy acting as an egress policy, any egress to a destination that is not explicitly allowed is denied.
These capabilities provide network security consistency across both IPv4 and IPv6 as you bring your IPv6-capable workloads onto GKE.
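The pair of manifests below is an added example, not from the original post. It applies the egress model described above to Pods labelled `app: billing-worker` in a hypothetical `payments` namespace: a GKE FQDNNetworkPolicy allows named external destinations (whose A and AAAA records both count), and a standard Kubernetes NetworkPolicy for the same Pods keeps DNS to kube-dns reachable. The `networking.gke.io/v1alpha3` API version and the `matches`/`name`/`pattern` fields are taken from GKE's FQDN Network Policy documentation as understood at the time of writing and should be checked against the CRD installed in your cluster; the destination names are illustrative.

```yaml
# Added example: FQDN-based egress allow-list for a dual-stack workload.
# Assumes a dual-stack GKE cluster with Dataplane V2 and FQDN Network Policy
# enabled. apiVersion/field names per GKE docs at time of writing (verify
# against the cluster's CRD); namespace, labels and hostnames are hypothetical.
apiVersion: networking.gke.io/v1alpha3
kind: FQDNNetworkPolicy
metadata:
  name: billing-worker-egress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: billing-worker
  egress:
  - matches:
    # Exact hostname: every IPv4 and IPv6 address it resolves to is allowed.
    - name: "storage.googleapis.com"
    # Wildcard pattern for a partner API's subdomains (example domain).
    - pattern: "*.api.example.com"
    # Restrict to TLS; an allowed name on any port is a wider hole than needed.
    ports:
    - protocol: TCP
      port: 443
---
# Companion standard NetworkPolicy for the same Pods. Once a Pod is selected
# by an egress policy, unmatched egress is denied, so DNS to kube-dns must
# stay explicitly allowed or name resolution (and with it the FQDN policy)
# stops working. The allowed set is the union of this policy and the FQDN
# policy above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: billing-worker-allow-dns
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: billing-worker
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Two checks worth running after applying this: from a `billing-worker` Pod, an HTTPS request to `storage.googleapis.com` should succeed over both `-4` and `-6` (for example with `curl -4` and `curl -6`), and a request to any name not on the list should be dropped rather than refused. If the cluster's Pods resolve names through a DNS path other than the kube-dns Pods (for example a Cloud DNS-based setup), adjust the DNS allow rule to match the resolver the Pods actually use.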
GKE Dataplane V2 observability
Open up a world of metrics: GKE Dataplane V2 observability enables monitoring and visualization of your IPv4/IPv6 workloads. This feature set includes metrics and troubleshooting tools that make dual-stack GKE clusters ready for operations. The GKE Dataplane V2 observability stack gives you dual-stack Pod traffic metrics for the network information you care about. You can use Cloud Monitoring's Metrics Explorer to monitor Dataplane V2 metrics for your IPv6 workloads, while the Managed Hubble solution lets you troubleshoot IPv6 Kubernetes workloads on GKE. The open source Hubble project is an observability platform built on top of Cilium and eBPF. Built for GKE's Dataplane V2, the Managed Hubble UI displays Network Policy enforcement and connection information as a service map and a Network Policy decision table, so you can see which policy verdict (allowed or dropped) applied to a given IPv4 or IPv6 flow. Finally, a CLI for live, interactive troubleshooting lets you better understand your dual-stack Kubernetes workloads.
Get ready for dual-stack GKE Clusters
Dual-stack clusters are a stepping stone toward an IPv6-only world. Together, this feature set improves the availability of Kubernetes workloads for IPv6. Taking IPv6 to full production requires operational readiness: high levels of availability, security, and visibility. These releases should give you more confidence when running dual-stack workloads on GKE.
To read more, check out Google's current dual-stack capabilities resources.