What the Arrival of IPv6 Support in Kubernetes Means for You
Native dual-stack networking in Kubernetes 1.23 carries implications for networking, security, load balancing, and breadth of use cases.
IPv6, the latest version of the Internet Protocol that, unlike IPv4, supports a practically limitless number of IP addresses, has finally come to Kubernetes.
Introduced in 1995, IPv6 is a big deal for any networking geek. And the arrival of its support in Kubernetes is a huge deal for anyone working with the container orchestration system. Here’s our take on the implications of native dual-stack IPv6 and IPv4 support, stable in Kubernetes version 1.23.
Dual-stack means you can use either protocol. It also means you can assign both IPv4 and IPv6 addresses to pods or other resources at the same time. That may come in handy for clusters that need to support legacy workloads that aren’t compatible with IPv6 and modern applications that are.
IPv6 Complicates Kubernetes Networking
Kubernetes networking is complicated enough with IPv4 alone. You have to manage both internal and external connections and set up ingress or load balancing for public-facing resources.
Kubernetes IPv6 support doubles down on this complexity. Now, if you choose to use both versions of the protocol at the same time, you’ll need to manage both an IPv4 and an IPv6 version of your network.
But IPv6 remains optional in Kubernetes, of course. If you’re happy with IPv4, you can stick with it.
IPv6 in Kubernetes Adds Security Challenges
While IPv6 isn’t inherently less secure than IPv4 — in many ways it’s more secure — one potential security issue that may arise in Kubernetes clusters using IPv6 is that more pods will be reachable from the internet.
But it’s a useful feature. The ability to assign many more unique public IPs means that each pod can have its own internet-facing address, which is not practical with IPv4.
The tradeoff is the extra risk associated with public internet-facing addresses. That means using IPv6 will require more security controls to keep Kubernetes clusters safe.
IPv6 Can Also Enhance Kubernetes Security
On the flip side, one of the inherent security advantages of assigning public IP addresses to all of your pods is that the bad guys will have a much harder time discovering them.
IPv4 address ranges are relatively narrow. Attackers can discover resources with a public address simply by scanning networks.
IPv6 makes this approach a lot less feasible. There are simply too many potential addresses to discover pods effectively via scanning.
IPv6 Complicates Load Balancing
Load balancing, too, will become trickier within dual-stack clusters. Kubernetes admins will need to ensure that external resources can’t bypass load balancers or ingress controllers by sending requests directly to the IPv6 address of a pod instead of the controller that is supposed to manage traffic to it.
This is doable, but again, it makes Kubernetes networking that much harder to configure.
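One way to check for the exposure described in the security and load-balancing sections above, as an added example that is not part of the original article: list pods that hold an IPv6 address in the global unicast range and are not selected by any ingress NetworkPolicy. The pod names, namespaces, labels and addresses are constructed sample data, and only matchLabels selectors are evaluated.

```python
import ipaddress
import json

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # IPv6 global unicast space

# Constructed sample shaped like `kubectl get pods,networkpolicies -A -o json`.
# 2001:db8::/32 (documentation prefix) stands in for a real routable prefix.
SAMPLE = json.loads("""{"items": [
 {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop", "labels": {"app": "web"}},
  "status": {"podIPs": [{"ip": "10.244.1.5"}, {"ip": "2001:db8:42:1::5"}]}},
 {"kind": "Pod", "metadata": {"name": "batch", "namespace": "shop", "labels": {"app": "batch"}},
  "status": {"podIPs": [{"ip": "10.244.1.6"}, {"ip": "2001:db8:42:1::6"}]}},
 {"kind": "Pod", "metadata": {"name": "db", "namespace": "internal", "labels": {"app": "db"}},
  "status": {"podIPs": [{"ip": "10.244.2.7"}, {"ip": "fd00:10:244:2::7"}]}},
 {"kind": "NetworkPolicy", "metadata": {"name": "web-from-ingress", "namespace": "shop"},
  "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"]}}
]}""")

def global_v6(pod):
    """Return the pod's IPv6 addresses that fall in the global unicast range."""
    found = []
    for entry in pod.get("status", {}).get("podIPs", []):
        ip = ipaddress.ip_address(entry["ip"])
        if ip.version == 6 and ip in GLOBAL_UNICAST:
            found.append(str(ip))
    return found

def selects(policy, pod):
    """True if an ingress policy in the pod's namespace selects it by matchLabels."""
    if policy["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        return False
    spec = policy.get("spec", {})
    # Kubernetes treats a policy without policyTypes as applying to ingress.
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    selector = spec.get("podSelector", {})
    if selector.get("matchExpressions"):
        return False  # not evaluated here; err towards flagging the pod
    labels = pod["metadata"].get("labels", {})
    # An empty selector matches every pod in the namespace.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def audit(doc):
    """List (namespace, name, addresses) for global-IPv6 pods no ingress policy selects."""
    pods = [i for i in doc["items"] if i["kind"] == "Pod"]
    policies = [i for i in doc["items"] if i["kind"] == "NetworkPolicy"]
    return [(p["metadata"]["namespace"], p["metadata"]["name"], global_v6(p))
            for p in pods
            if global_v6(p) and not any(selects(n, p) for n in policies)]
```

A finding means no ingress NetworkPolicy selects the pod; whether the address is actually reachable from outside still depends on routing and on the network plugin enforcing policies.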
IPv6 Makes Kubernetes IoT-Friendly
The ability to assign thousands and thousands of unique public IP addresses within a cluster means that Kubernetes will become a much more obvious platform for hosting IoT workloads.
We’ve long heard about how IPv6 will make large-scale IoT adoption practical. But until now, relatively few platforms you might want to use to manage IoT devices have offered first-class IPv6 support. The addition of Kubernetes IPv6 support changes that.
IPv4 Isn’t Going Anywhere
If you know much about IPv6, you know that adoption of the protocol hasn’t exactly lived up to the hype. While some hyperscalers, like Facebook and Google, are what you might call IPv6-native, most internet applications and services still use IPv4.
It’s a pretty safe bet that on Kubernetes, too, IPv4 isn’t going away anytime soon. That said, it’s likely that IPv6 usage on Kubernetes will vary between different market segments. Web-scale companies deploying Kubernetes clusters will probably take full advantage of IPv6, but smaller businesses — and those that need to readily integrate services with partners or customers who may not support IPv6 in their own environments — are likely to stick with an IPv4-centric approach for the foreseeable future (although there’s nothing stopping them from using it alongside IPv6).
In short, Kubernetes IPv6 support changes everything and changes nothing at the same time. For organizations that choose to use it, IPv6 opens up new Kubernetes use cases, provided they can manage the administration and security challenges the protocol poses. But for everyone else, nothing is likely to change anytime soon, because IPv4 isn’t going anywhere.