✨ Support IPv6/dual-stack routable pods with NSX-VPC by silvery1622 · Pull Request #1763 · kubernetes/cloud-provider-vsphere

silvery1622 · 2026-05-18T06:37:20Z

What this PR does / why we need it:

New ipfamily package centralises the four --cluster-ip-family values and their boolean helpers (IPv4Enabled, IPv6Enabled, DualStack, PrimaryIPv4).
NSXVPCIPManager creates/deletes one IPAddressAllocation CR per enabled IP family per node (IPv4 keeps the bare node name; IPv6 appends -ipv6). Both CRs carry nodeName and ipfamily labels so downstream consumers never need to parse CR names.
ipaddressallocation_controller waits for both partner allocations to be ready, then issues a single atomic PodCIDRs patch ordered by primary family. A resync idempotency guard skips redundant PATCHes when the node already has the correct CIDRs.
StaticRoute CRs gain nodeName/ipfamily labels; ListRoutes prefers labels over name-suffix parsing (legacy fallback retained).
StartControllers now takes an Options struct to keep the signature stable as new flags are added.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

Add IPv6 and dual-stack routable pod support for NSX-VPC mode. Set --cluster-ip-family=ipv6, ipv4ipv6, or ipv6ipv4 together with --enable-vpc-mode=true to enable per-family IPAddressAllocation and StaticRoute CRs.

k8s-ci-robot · 2026-05-18T06:37:29Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: silvery1622

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [silvery1622]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

silvery1622 · 2026-05-18T06:37:35Z

/hold

DanielXiao · 2026-06-10T08:55:38Z

+// We deliberately do NOT parse the CR name to decide the family: node names
+// that themselves end in "-ipv6" would otherwise be misclassified.
+func isIPv4Allocation(alloc *vpcapisv1.IPAddressAllocation) bool {
+	return alloc.Spec.IPAddressType != vpcapisv1.IPAllocationIPAddressTypeIPv6


According to method name, alloc.Spec.IPAddressType == vpcapisv1.IPAllocationIPAddressTypeIPv4 looks better

We cannot use == vpcapisv1.IPAllocationIPAddressTypeIPv4 because of backward compatibility. Older CRs created before dual stack support have IPAddressType unset (empty string). By checking != IPv6, we correctly classify both explicitly set IPv4 CRs and older empty-type CRs as IPv4, which matches the upstream API default.

DanielXiao · 2026-06-10T08:57:45Z

+	} else {
+		// Dual-stack: list all allocations for this node.
+		// Dual-stack clusters are new and guaranteed to have the nodeName label on their CRs.
+		selector := labels.SelectorFromSet(labels.Set{helper.LabelKeyNodeName: nodeName})


Should we also add label for cluster name or vsphere cluster name? There could be same nodeName in different clusters, for example, below 2 clusters all render node name coffee-worker-beijing
cluster coffee nodepool worker-beijing
cluster coffee-worker nodepool beijing

Thanks for the comment. I have updated the code and add clusterName into IPAddressAllocation's label.
I also passed clusterName into IPAddressAllocation Controller and matches both nodeName and clusterName when doing label selector.

DanielXiao · 2026-06-10T09:07:28Z

 			Namespace: m.svNamespace,
+			Labels: map[string]string{
+				helper.LabelKeyNodeName: nodeName,
+				helper.LabelKeyIPFamily: familyLabel,


The spec.IPAddressType contains ipfamily so I don't think this label is used anywhere. We need to add a label for VSphereCluster

Agreed. I have replaced the IPFamily label with clusterName label.

DanielXiao · 2026-06-10T09:12:32Z

+	ctx := context.TODO()
+
+	for _, ipv4 := range families {
+		crName := crNameForFamily(node.Name, ipv4)


We should use label to get IPAddressAnnotation rather than name.

We need continue using Get(crName) to ensure backward compatibility for existing IPv4 single stack clusters during upgrades, as their CRs lack the new labels. Since dual stack is greenfield only, the deterministic CR name crNameForFamily(nodeName, ipv4) is guaranteed to be unique and safe to use without label filtering.

DanielXiao · 2026-06-10T09:13:05Z

+// deleteIPAddressAllocation deletes the IPAddressAllocation CR for the given node and
+// IP family. NotFound is treated as success (idempotent delete).
+func (m *NSXVPCIPManager) deleteIPAddressAllocation(ctx context.Context, nodeName string, ipv4 bool) error {
+	crName := crNameForFamily(nodeName, ipv4)


same as above

We need continue using Get(crName) to ensure backward compatibility for existing IPv4 single stack clusters during upgrades, as their CRs lack the new labels. Since dual stack is greenfield only, the deterministic CR name crNameForFamily(nodeName, ipv4) is guaranteed to be unique and safe to use without label filtering.

DanielXiao · 2026-06-10T09:15:06Z

+			// destination is actually IPv6, so an IPv4 route on a node whose
+			// name happens to end in "-ipv6" is not silently truncated.
+			nodeName := staticroute.Labels[helper.LabelKeyNodeName]
+			if nodeName == "" {


Raise an error till label is added by node controller.

We cannot raise an error here because it would break route syncing for existing IPv4 single stack clusters during upgrades, as their legacy CRs lack the label. However, since dual stack is greenfield only, any CR without the label is guaranteed to be a legacy IPv4 CR. I have simplified the code to safely fall back to the CR name directly.

DanielXiao · 2026-06-10T09:16:46Z

 	}
-	if podCIDR == "" {
-		return fmt.Errorf("IPAddressAllocation %v does not get CIDR allocated", ipAddressAllocation.Name)
+	return helper.StripFamilySuffix(alloc.Name)


Do not fallback, Raise an error till label is added by node controller.

Similar to StaticRoute, raising an error would break backward compatibility for existing IPv4 single stack clusters. Since dual stack is greenfield only, any CR lacking the label is guaranteed to be a legacy IPv4 CR. I have simplified the fallback logic to just return the CR name directly.

…NSX-VPC - hack/nsx-operator-apis-fork: local copy of nsx-operator API types with updated IPAddressAllocation (multi-family CIDR fields) - routablepod/core.go: thread ipv4Enabled/ipv6Enabled/primaryIPFamilyIsIPv4 through to IPAddressAllocation and node controllers - routablepod/ipaddressallocation: allocate separate IPv4/IPv6 CRs in dual-stack - nsxipmanager/nsx_vpc.go: reconcile IPv4/IPv6 IPAddressAllocation objects - routemanager: propagate per-family CIDRs to StaticRoute CRs - cloud.go: derive IP-family flags from --cluster-ip-family and pass to StartControllers

k8s-ci-robot requested review from chenlin07 and wyike May 18, 2026 06:37

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 18, 2026

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 18, 2026

k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels May 18, 2026

silvery1622 force-pushed the ipv6-dualstack-routablepods branch from 67393ba to 45e7c24 Compare May 18, 2026 06:47