Kubernetes v1.33 [stable](enabled by default)This document shares how to reconfigure the default Service IP range(s) assigned to a cluster.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
Your Kubernetes server must be at or later than version v1.33.To check the version, enter kubectl version.
This document explains how to manage the Service IP address range within a Kubernetes cluster, which also influences the cluster's supported IP families for Services.
The IP families available for Service ClusterIPs are determined by the
--service-cluster-ip-range flag to kube-apiserver. For a better
understanding of Service IP address allocation, refer to the
Services IP address allocation tracking documentation.
Since Kubernetes 1.33, the Service IP families configured for the cluster are
reflected by the ServiceCIDR object named kubernetes. The kubernetes ServiceCIDR
object is created by the first kube-apiserver instance that starts, based on its
configured --service-cluster-ip-range flag. To ensure consistent cluster behavior,
all kube-apiserver instances must be configured with the same --service-cluster-ip-range values,
which must match the default kubernetes ServiceCIDR object.
ServiceCIDR reconfiguration typically falls into one of the following categories:
Extending the existing ServiceCIDRs: This can be done dynamically by adding new ServiceCIDR objects without the need for reconfiguring the kube-apiserver. Please refer to the dedicated documentation on Extending Service IP Ranges.
Single-to-dual-stack conversion preserving the primary ServiceCIDR: This involves introducing a secondary IP family (IPv6 to an IPv4-only cluster, or IPv4 to an IPv6-only cluster) while keeping the original IP family as primary. This requires an update to the kube-apiserver configuration and a corresponding modification of various cluster components that need to handle this additional IP family. These components include, but are not limited to, kube-proxy, the CNI or network plugin, service mesh implementations, and DNS services.
Dual-to-single conversion preserving the primary ServiceCIDR: This involves removing the secondary IP family from a dual-stack cluster, reverting to a single IP family while retaining the original primary IP family. In addition to reconfiguring the components to match the new IP family, you might need to address Services that were explicitly configured to use the removed IP family.
Anything that results in changing the primary ServiceCIDR: Completely
replacing the default ServiceCIDR is a complex operation. If the new
ServiceCIDR does not overlap with the existing one, it will require
renumbering all existing Services and changing the kubernetes.default Service.
The case where the primary IP family also changes is even more complicated,
and may require changing multiple cluster components (kubelet, network plugins, etc.)
to match the new primary IP family.
Reconfiguring the default ServiceCIDR necessitates manual steps performed by the cluster operator, administrator, or the software managing the cluster lifecycle. These typically include:
--service-cluster-ip-range flag with the new IP range(s).kubernetes.default
Service must be deleted and recreated to obtain an IP address from the new
ServiceCIDR if the primary IP family is changed or replaced by a different
network.The following steps describe a controlled reconfiguration focusing on the
complete replacement of the default ServiceCIDR and the recreation of the
kubernetes.default Service:
--service-cluster-ip-range.kubernetes default ServiceCIDR for deletion (it will remain
pending due to existing IPs and finalizers). This prevents new allocations
from the old range.kubernetes.default Service. The new kube-apiserver will
recreate it within the new ServiceCIDR.