docs: add documentations for enabling IPv6 in non-eks clusters

tthvo · tthvo · commit 13e43794f16d · 2025-07-30T17:37:49.000-07:00
This combines existing docs for IPv6 EKS clusters with non-EKS ones, and
also properly register the topic page into the documentation TOC.
diff --git a/docs/book/src/SUMMARY_PREFIX.md b/docs/book/src/SUMMARY_PREFIX.md
@@ -29,6 +29,7 @@
     - [Upgrades](./topics/rosa/upgrades.md)
     - [External Auth Providers](./topics/rosa/external-auth.md)
     - [Support](./topics/rosa/support.md)
+  - [Enabling IPv6](./topics/ipv6-enabled-cluster.md)
   - [Bring Your Own AWS Infrastructure](./topics/bring-your-own-aws-infrastructure.md)
   - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md)
   - [Using external cloud provider with EBS CSI driver](./topics/external-cloud-provider-with-ebs-csi-driver.md)
diff --git a/docs/book/src/topics/bring-your-own-aws-infrastructure.md b/docs/book/src/topics/bring-your-own-aws-infrastructure.md
@@ -29,6 +29,12 @@ In order to have Cluster API consume existing AWS infrastructure, you will need
 * Route table associations that provide connectivity to the Internet through a NAT gateway (for private subnets) or the Internet gateway (for public subnets)
 * VPC endpoints for `ec2`, `elasticloadbalancing`, `secretsmanager` an `autoscaling` (if using MachinePools) when the private Subnets do not have a NAT gateway
 
+If you enable IPv6 for the workload cluster, you will need to ensure the following additional requirements:
+- An IPv6 CIDR associated with the VPC (i.e. dualstack VPC).
+- An egress-only internet gateway for IPv6 egress traffic from private subnets (only needed if the nodes require access to the Internet)
+  - In the route table associated with private subnets, a route that sends all internet-bound IPv6 traffic (`::/0`) to the egress-only internet gateway.
+- (Optional) Enable DNS64 for private subnets to allow IPv6-only workloads to access IPv4-only services via NAT64.
+
 You will need the ID of the VPC and subnet IDs that Cluster API should use. This information is available via the AWS Management Console or the AWS CLI.
 
 Note that there is no need to create an Elastic Load Balancer (ELB), security groups, or EC2 instances; Cluster API will take care of these items.
diff --git a/docs/book/src/topics/eks/ipv6-enabled-cluster.md b/docs/book/src/topics/eks/ipv6-enabled-cluster.md
diff --git a/docs/book/src/topics/ipv6-enabled-cluster.md b/docs/book/src/topics/ipv6-enabled-cluster.md
@@ -0,0 +1,130 @@
+# Enabling IPv6
+
+## Overview
+
+CAPA enables you to create an IPv6 Kubernetes clusters on Amazon Web Service (AWS).
+
+Only single-stack IPv6 clusters are supported. However, CAPA utilizes a dual stack infrastructure (e.g. dual stack VPC) to support IPv6. In fact, it is the only mode of operation at the time of writing.
+
+> **IMPORTANT NOTE**: Dual stack clusters are not yet supported.
+
+## Prerequisites
+
+The instance types for control plane and worker machines must be [Nitro-based](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html) in order to support IPv6. To see a list of Nitro instance types in your region, run the following command:
+
+```bash
+aws ec2 describe-instance-types \
+  --filters Name=hypervisor,Values=nitro \
+  --query="InstanceTypes[*].InstanceType"
+```
+
+## Creating IPv6 EKS-managed Clusters
+
+To quickly deploy an IPv6 EKS cluster, use the [IPv6 EKS cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-eks-ipv6.yaml).
+
+<aside class="note warning">
+
+<h1>Warning</h1>
+
+You can't define custom Pod CIDRs on EKS with IPv6. EKS automatically assigns an address range from a unique local
+address range of `fc00::/7`.
+
+</aside>
+
+**Notes**: All addons **must** be enabled. A working cluster configuration looks like this:
+
+```yaml
+kind: AWSManagedControlPlane
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+metadata:
+  name: "${CLUSTER_NAME}-control-plane"
+spec:
+  network:
+    vpc:
+      ipv6: {}
+  region: "${AWS_REGION}"
+  sshKeyName: "${AWS_SSH_KEY_NAME}"
+  version: "${KUBERNETES_VERSION}"
+  addons:
+    - name: "vpc-cni"
+      version: "v1.11.0-eksbuild.1"
+      # this is important, otherwise environment property update will not work
+      conflictResolution: "overwrite"
+    - name: "coredns"
+      version: "v1.8.7-eksbuild.1"
+    - name: "kube-proxy"
+      version: "v1.22.6-eksbuild.1"
+```
+
+## Creating IPv6 Self-managed Clusters
+
+To quickly deploy an IPv6 self-managed cluster, use the [IPv6 cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-ipv6.yaml).
+
+When creating a self-managed cluster, you can define the Pod and Service CIDR. For example, you can define ULA IPv6 range `fd01::/48` for pod networking and `fd02::/112` for service networking.
+
+<aside class="note warning">
+
+<h1>Warning</h1>
+
+**Action required**: Since coredns pods run on the single-stack IPv6 pod network, they will fail to resolve non-cluster DNS queries
+via the IPv4 upstream nameserver in `/etc/resolv.conf`.
+
+The workaround is to edit the `coredns` ConfigMap to use Route53 Resolver nameserver `fd00:ec2::253`, by setting `forward . /etc/resolv.conf` part to `forward . fd00:ec2::253 /etc/resolv.conf`.
+  ```bash
+  kubectl -n kube-system edit cm/coredns
+  ```
+</aside>
+
+### CNI IPv6 support
+
+By default, no CNI plugin is installed when provisioning a self-managed cluster. You need to install your own CNI solution that supports IPv6, for example, Calico with VXLAN.
+
+You can find the guides to enable [IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6#ipv6) and [VXLAN](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) support for Calico on their official documentation. Or you can use a customized Calico manifests [here](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/test/e2e/data/cni/calico_ipv6.yaml) for IPv6.
+
+## IPv6 CIDR Allocations
+
+### AWS-assigned IPv6 VPC CIDR
+
+To request AWS to automatically assign an IPv6 CIDR from an AWS defined address pool, use the following setting:
+
+```yaml
+spec:
+  network:
+    vpc:
+      ipv6: {}
+```
+
+### BYOIPv6 VPC CIDR
+
+To define your own IPv6 address pool and CIDR set the following values:
+
+```yaml
+spec:
+  network:
+    vpc:
+      ipv6:
+        poolId: pool-id
+        cidrBlock: "2009:1234:ff00::/56"
+```
+
+There must already be a provisioned pool and a set of IPv6 CIDRs for that.
+
+### BYO IPv6 VPC
+
+If you have a VPC that is IPv6 enabled (i.e. dual stack VPC) and you would like to use it, please define it in the `AWSCluster` specs:
+
+```yaml
+spec:
+  network:
+    vpc:
+      id: vpc-1234567890abcdefg
+      cidrBlock: 10.0.0.0/16
+      ipv6:
+        cidrBlock: "2001:1234:ff00::/56"
+        egressOnlyInternetGatewayId: eigw-1234567890abcdefg
+```
+
+This has to be done explicitly because otherwise, it would break in the following two scenarios:
+- During an upgrade from 1.5 to >=2.0 where the VPC is ipv6 enabled, but CAPA was only recently made aware.
+- During a migration on the VPC, switching it from only IPv4 to Dual Stack (it would see that ipv6 is enabled and
+  enforce it while doing that would not have been the intention of the user).
