docs: add documentations for enabling IPv6 in non-eks clusters

tthvo · tthvo · commit ddacd997efde · 2025-07-29T21:24:44.000-07:00
This combines existing docs for IPv6 EKS clusters with non-EKS ones, and
also properly register the topic page into the documentation TOC.
diff --git a/docs/book/src/SUMMARY_PREFIX.md b/docs/book/src/SUMMARY_PREFIX.md
@@ -29,6 +29,7 @@
     - [Upgrades](./topics/rosa/upgrades.md)
     - [External Auth Providers](./topics/rosa/external-auth.md)
     - [Support](./topics/rosa/support.md)
+  - [Enabling IPv6](./topics/ipv6-enabled-cluster.md)
   - [Bring Your Own AWS Infrastructure](./topics/bring-your-own-aws-infrastructure.md)
   - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md)
   - [Using external cloud provider with EBS CSI driver](./topics/external-cloud-provider-with-ebs-csi-driver.md)
diff --git a/docs/book/src/topics/bring-your-own-aws-infrastructure.md b/docs/book/src/topics/bring-your-own-aws-infrastructure.md
@@ -29,6 +29,12 @@ In order to have Cluster API consume existing AWS infrastructure, you will need
 * Route table associations that provide connectivity to the Internet through a NAT gateway (for private subnets) or the Internet gateway (for public subnets)
 * VPC endpoints for `ec2`, `elasticloadbalancing`, `secretsmanager` an `autoscaling` (if using MachinePools) when the private Subnets do not have a NAT gateway
 
+If you enable IPv6 for the workload cluster, you will need to ensure the following additional requirements:
+- An IPv6 CIDR associated with the VPC (i.e. dualstack VPC).
+- An egress-only internet gateway for IPv6 egress traffic from private subnets (only needed if the nodes require access to the Internet)
+  - In the route table associated with private subnets, a route that sends all internet-bound IPv6 traffic (`::/0`) to the egress-only internet gateway.
+- (Optional) Enable DNS64 for private subnets to allow IPv6-only workloads to access IPv4-only services via NAT64.
+
 You will need the ID of the VPC and subnet IDs that Cluster API should use. This information is available via the AWS Management Console or the AWS CLI.
 
 Note that there is no need to create an Elastic Load Balancer (ELB), security groups, or EC2 instances; Cluster API will take care of these items.
diff --git a/docs/book/src/topics/eks/ipv6-enabled-cluster.md b/docs/book/src/topics/eks/ipv6-enabled-cluster.md
@@ -1,101 +1 @@
 # IPv6 Enabled Cluster
-
-CAPA supports IPv6 enabled clusters. Dual stack clusters are not yet supported, but
-dual VPC, meaning both ipv6 and ipv4 are defined, is supported and in fact, it's the
-only mode of operation at the writing of this doc.
-
-Upcoming feature will be IPv6 _only_.
-
-## Managed Clusters
-
-### How to set up
-
-Two modes of operations are supported. Request AWS to generate and assign an address
-or BYOIP which is Bring Your Own IP. There must already be a provisioned pool and a
-set of IPv6 CIDRs for that.
-
-#### Automatically Generated IP
-
-To request AWS to assign a set of IPv6 addresses from an AWS defined address pool,
-use the following setting:
-
-```yaml
-kind: AWSManagedControlPlane
-apiVersion: controlplane.cluster.x-k8s.io/v1beta1
-metadata:
-  name: "${CLUSTER_NAME}-control-plane"
-spec:
-  network:
-    vpc:
-      ipv6: {}
-```
-
-#### BYOIP ( Bring Your Own IP )
-
-To define your own IPv6 address pool and CIDR set the following values:
-
-```yaml
-spec:
-  network:
-    vpc:
-      ipv6:
-        poolId: pool-id
-        cidrBlock: "2009:1234:ff00::/56"
-```
-
-If you have a VPC that is IPv6 enabled and you would like to use it, please define it in the config:
-
-```yaml
-spec:
-  network:
-    vpc:
-      ipv6: {}
-```
-
-This has to be done explicitly because otherwise, it would break in the following two scenarios:
-- During an upgrade from 1.5 to >=2.0 where the VPC is ipv6 enabled, but CAPA was only recently made aware
-- During a migration on the VPC, switching it from only IPv4 to Dual Stack ( it would see that ipv6 is enabled and
-  enforce it while doing that would not have been the intention of the user )
-
-
-### Requirements
-
-The use of a Nitro enabled instance is required. To see a list of nitro instances in your region
-run the following command:
-
-```bash
-aws ec2 describe-instance-types --filters Name=hypervisor,Values=nitro --region us-west-2  | grep "InstanceType"
-```
-
-This will list all available Nitro hypervisor based instances in your region.
-
-All addons **must** be enabled. A working cluster configuration looks like this:
-
-```yaml
-kind: AWSManagedControlPlane
-apiVersion: controlplane.cluster.x-k8s.io/v1beta1
-metadata:
-  name: "${CLUSTER_NAME}-control-plane"
-spec:
-  network:
-    vpc:
-      ipv6: {}
-  region: "${AWS_REGION}"
-  sshKeyName: "${AWS_SSH_KEY_NAME}"
-  version: "${KUBERNETES_VERSION}"
-  addons:
-    - name: "vpc-cni"
-      version: "v1.11.0-eksbuild.1"
-      conflictResolution: "overwrite" # this is important, otherwise environment property update will not work
-    - name: "coredns"
-      version: "v1.8.7-eksbuild.1"
-    - name: "kube-proxy"
-      version: "v1.22.6-eksbuild.1"
-```
-
-You can't define custom POD CIDRs on EKS with IPv6. EKS automatically assigns an address range from a unique local
-address range of `fc00::/7`.
-
-## Unmanaged Clusters
-
-Unmanaged clusters are not supported at this time.
diff --git a/docs/book/src/topics/ipv6-enabled-cluster.md b/docs/book/src/topics/ipv6-enabled-cluster.md
@@ -0,0 +1,136 @@
+# Enabling IPv6
+
+## Overview
+
+CAPA enables you to create an IPv6 Kubernetes clusters on Amazon Web Service (AWS).
+
+Only single-stack IPv6 clusters are supported. However, CAPA utilizes a dual stack infrastructure (e.g. dual stack VPC) to support IPv6. In fact, it is the only mode of operation at the time of writing.
+
+> **IMPORTANT NOTE**: Dual stack clusters are not yet supported.
+
+## Prerequisites
+
+The instance types for control plane and worker machines must be [Nitro-based](https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-nitro-instances.html) in order to support IPv6. To see a list of Nitro instance types in your region, run the following command:
+
+```bash
+aws ec2 describe-instance-types \
+  --filters Name=hypervisor,Values=nitro \
+  --query="InstanceTypes[*].InstanceType"
+```
+
+## Creating IPv6 EKS-managed Clusters
+
+To quickly deploy an IPv6 EKS cluster, use the [IPv6 EKS cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-eks-ipv6.yaml).
+
+<aside class="note warning">
+
+<h1>Warning</h1>
+
+You can't define custom Pod CIDRs on EKS with IPv6. EKS automatically assigns an address range from a unique local
+address range of `fc00::/7`.
+
+</aside>
+
+**Notes**: All addons **must** be enabled. A working cluster configuration looks like this:
+
+```yaml
+kind: AWSManagedControlPlane
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+metadata:
+  name: "${CLUSTER_NAME}-control-plane"
+spec:
+  network:
+    vpc:
+      ipv6: {}
+  region: "${AWS_REGION}"
+  sshKeyName: "${AWS_SSH_KEY_NAME}"
+  version: "${KUBERNETES_VERSION}"
+  addons:
+    - name: "vpc-cni"
+      version: "v1.11.0-eksbuild.1"
+      # this is important, otherwise environment property update will not work
+      conflictResolution: "overwrite"
+    - name: "coredns"
+      version: "v1.8.7-eksbuild.1"
+    - name: "kube-proxy"
+      version: "v1.22.6-eksbuild.1"
+```
+
+## Creating IPv6 Self-managed Clusters
+
+To quickly deploy an IPv6 self-managed cluster, use the [IPv6 cluster template](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/templates/cluster-template-ipv6.yaml).
+
+When creating a self-managed cluster, you can define the Pod and Service CIDR. For example, you can define ULA IPv6 range `fd01::/48` for pod networking and `fd02::/112` for service networking.
+
+<aside class="note warning">
+
+<h1>Warning</h1>
+
+**Action required**: Since coredns pods run on the single-stack IPv6 pod network, they will fail to resolve non-cluster DNS queries
+via the IPv4 upstream nameserver in `/etc/resolv.conf`.
+
+Here are workaround options:
+- Edit the `coredns` deployment and add `hostNetwork: true`, so it can leverage host routes for the v4 network.
+  ```bash
+  kubectl -n kube-system patch deploy/coredns \
+    --type=merge -p '{"spec": {"template": {"spec":{"hostNetwork": true}}}}'
+  ```
+- Edit the `coredns` ConfigMap to use Route53 Resolver nameserver `fd00:ec2::253`, by setting `forward . /etc/resolv.conf` part to `forward . fd00:ec2::253 /etc/resolv.conf`.
+  ```bash
+  kubectl -n kube-system edit cm/coredns
+  ```
+</aside>
+
+### CNI IPv6 support
+
+By default, no CNI plugin is installed when provisioning a self-managed cluster. You need to install your own CNI solution that supports IPv6, for example, Calico with VXLAN.
+
+You can find the guides to enable [IPv6](https://docs.tigera.io/calico/latest/networking/ipam/ipv6#ipv6) and [VXLAN](https://docs.tigera.io/calico/latest/networking/configuring/vxlan-ipip) support for Calico on their official documentation. Or you can use a customized Calico manifests [here](https://raw.githubusercontent.com/kubernetes-sigs/cluster-api-provider-aws/refs/heads/main/test/e2e/data/cni/calico_ipv6.yaml) for IPv6.
+
+## IPv6 CIDR Allocations
+
+### AWS-assigned IPv6 VPC CIDR
+
+To request AWS to automatically assign an IPv6 CIDR from an AWS defined address pool, use the following setting:
+
+```yaml
+spec:
+  network:
+    vpc:
+      ipv6: {}
+```
+
+### BYOIPv6 VPC CIDR
+
+To define your own IPv6 address pool and CIDR set the following values:
+
+```yaml
+spec:
+  network:
+    vpc:
+      ipv6:
+        poolId: pool-id
+        cidrBlock: "2009:1234:ff00::/56"
+```
+
+There must already be a provisioned pool and a set of IPv6 CIDRs for that.
+
+### BYO IPv6 VPC
+
+If you have a VPC that is IPv6 enabled (i.e. dual stack VPC) and you would like to use it, please define it in the `AWSCluster` specs:
+
+```yaml
+spec:
+  network:
+    vpc:
+      id: vpc-1234567890abcdefg
+      cidrBlock: 10.0.0.0/16
+      ipv6:
+        cidrBlock: "2001:1234:ff00::/56"
+        egressOnlyInternetGatewayId: eigw-1234567890abcdefg
+```
+
+This has to be done explicitly because otherwise, it would break in the following two scenarios:
+- During an upgrade from 1.5 to >=2.0 where the VPC is ipv6 enabled, but CAPA was only recently made aware.
+- During a migration on the VPC, switching it from only IPv4 to Dual Stack (it would see that ipv6 is enabled and
+  enforce it while doing that would not have been the intention of the user).
