
How to create multiple IPPool for Calico CNI in rke2 cluster

This document (000020972) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.6.x and Rancher 2.7.x

rke2 cluster with Calico as the CNI

Situation

There are several reasons why you might want to create multiple IP pools in Calico:

  1. Address allocation: You might want to reserve a dedicated range of IP addresses for a particular group of pods, so that one group cannot exhaust the addresses another group depends on and so that each group's addresses are predictable. Defining a separate IP pool per group gives you control over which range each group is allocated from.
  2. Security: You might want to place pods that require stricter controls, such as those that process sensitive data, in their own IP pool. The pool itself enforces nothing; its value is that those pods then source traffic from a known CIDR, which can be referenced in network policy rules and in firewalls outside the cluster.
  3. Flexibility: Multiple IP pools provide more room in network design, allowing different types of workloads to be separated or grouped as needed. For example, you might create separate IP pools for frontend and backend services, or for testing and production environments.

Resolution

Below is a manifest that creates an IPPool named "new-pool". To create further pools, reuse the same YAML with a different name and a CIDR that does not overlap any existing pool or the cluster's service CIDR. Because the manifest uses the projectcalico.org/v3 API, apply it with calicoctl, or with kubectl if the Calico API server is installed (see Additional Information).

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: new-pool
spec:
  cidr: 10.168.0.0/16
  blockSize: 24
  ipipMode: Never
  natOutgoing: true
  vxlanMode: Always

Note: vxlanMode: Always is used above to give a complete example. If VXLAN is not in use in your cluster, set the encapsulation that is in use instead, for example ipipMode: Always together with vxlanMode: Never. A new pool should normally use the same encapsulation as the cluster's existing pools.

From here, you can restrict a pool to a set of nodes by setting spec.nodeSelector on the IPPool, so that pods scheduled on those nodes receive addresses from that pool based on node topology.

Alternatively, use the annotation below on the pod template (not on the Deployment metadata) to allocate IPs from a specific IPPool for a workload. The value is a JSON array encoded as a string, the named pool must exist and be enabled, and Calico IPAM must be in use, since the host-local IPAM plugin ignores this annotation.

annotations:
  "cni.projectcalico.org/ipv4pools": "[\"new-pool\"]"

For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 4
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        "cni.projectcalico.org/ipv4pools": "[\"new-pool\"]"
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

If you no longer want new IPs allocated from an IPPool, disable it rather than deleting it. Disabling a pool only prevents new allocations; pods that already hold addresses from the pool keep them and keep working, so delete the pool only after those pods have been recreated:

apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: new-pool
spec:
  cidr: 10.168.0.0/16
  blockSize: 24
  ipipMode: Never
  natOutgoing: true
  vxlanMode: Always
  disabled: true
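The checks a practitioner would run around the three steps above (the pool manifest, the pod-template annotation, and disabling a pool) as an added Python example; this is not code from the original article or from the Calico project. The existing-pool list, the service CIDR and the pod IP list are constructed for the example: 10.42.0.0/16 and 10.43.0.0/16 are rke2's default cluster and service CIDRs, and the blockSize bounds are Calico's documented IPv4 limits. The function and variable names are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample cluster state for this example (not from the original page):
# rke2's default Calico pool on its default cluster CIDR, plus rke2's default service CIDR.
EXISTING_POOLS = {"default-ipv4-ippool": "10.42.0.0/16"}
SERVICE_CIDR = "10.43.0.0/16"

# Calico's documented IPv4 bounds for IPPool.spec.blockSize.
BLOCK_SIZE_MIN, BLOCK_SIZE_MAX = 20, 32


def check_ippool(name, cidr, block_size, existing=EXISTING_POOLS, service_cidr=SERVICE_CIDR):
    """Validate a proposed IPv4 IPPool before applying it.

    Returns a list of human-readable problems; an empty list means the pool can be
    applied next to `existing` (a {name: cidr} map of pools already in the cluster).
    """
    problems = []
    try:
        net = ipaddress.ip_network(cidr)  # strict: host bits set means a typo, not a pool
    except ValueError as exc:
        return [f"{name}: invalid cidr {cidr!r}: {exc}"]
    if net.version != 4:
        return [f"{name}: {cidr} is not an IPv4 CIDR"]
    if not BLOCK_SIZE_MIN <= block_size <= BLOCK_SIZE_MAX:
        problems.append(f"{name}: blockSize {block_size} outside Calico's IPv4 range "
                        f"{BLOCK_SIZE_MIN}-{BLOCK_SIZE_MAX}")
    elif block_size < net.prefixlen:
        # A /24 block cannot be carved out of a /26 pool: the pool must hold at least one block.
        problems.append(f"{name}: blockSize /{block_size} is larger than the pool {cidr}")
    if net.overlaps(ipaddress.ip_network(service_cidr)):
        problems.append(f"{name}: {cidr} overlaps the service CIDR {service_cidr}")
    for other_name, other_cidr in existing.items():
        if other_name != name and net.overlaps(ipaddress.ip_network(other_cidr)):
            problems.append(f"{name}: {cidr} overlaps existing pool {other_name} ({other_cidr})")
    return problems


def pool_annotation(pool_names):
    """Build the pod-template annotation that pins a workload to specific pools.

    Calico expects the value to be a JSON array serialised into a string, which is why
    the page's YAML carries a quoted string containing ["new-pool"]; json.dumps produces
    exactly that inner string so the quoting cannot be got wrong by hand.
    """
    return {"cni.projectcalico.org/ipv4pools": json.dumps(list(pool_names))}


def pods_still_in_pool(pod_ips, cidr):
    """Return the pod IPs that were allocated from `cidr`.

    Disabling a pool only stops new allocations, so run this over the output of
    `kubectl get pods -A -o jsonpath='{.items[*].status.podIP}'` before deleting the
    pool; a non-empty result means those pods must be recreated first.
    """
    net = ipaddress.ip_network(cidr)
    return [ip for ip in pod_ips if ip and ipaddress.ip_address(ip) in net]


if __name__ == "__main__":
    # The pool from the page's manifest, checked against the constructed cluster state.
    print(check_ippool("new-pool", "10.168.0.0/16", 24))  # []
    # A pool that collides with the default pool and uses an out-of-range block size.
    print(check_ippool("bad-pool", "10.42.128.0/17", 16))
    print(pool_annotation(["new-pool"]))
    # Constructed pod IP list, as the jsonpath above would print it, split on whitespace.
    sample_ips = "10.42.1.7 10.168.3.12 10.42.0.20 10.168.3.13".split()
    print(pods_still_in_pool(sample_ips, "10.168.0.0/16"))  # ['10.168.3.12', '10.168.3.13']
```

The overlap check against the service CIDR matters because a pod pool that collides with the service range produces routing that silently prefers one over the other; the strict CIDR parse rejects manifests such as 10.168.0.1/16 that a human would read as fine.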

Status

Top Issue

Additional Information

https://projectcalico.docs.tigera.io/archive/v3.24/networking/migrate-pools

https://docs.tigera.io/calico/3.25/operations/install-apiserver

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.