Use a specific IP address with a pod

Big picture

Choose the IP address for a pod instead of allowing Calico to choose automatically.

Value

Some applications require the use of stable IP addresses. Also, you may want to create entries in external DNS servers that point directly to pods, and this requires static IPs.

Features

This how-to guide uses the following features:

  • Calico IPAM
  • IPPool resource

Concepts

Kubernetes pod CIDR

The Kubernetes pod CIDR is the range of IPs Kubernetes expects pod IPs to be assigned from. It is defined for the entire cluster and is used by various Kubernetes components to determine whether an IP belongs to a pod. For example, kube-proxy treats traffic differently if an IP is from a pod than if it is not. All pod IPs must be in the CIDR range for Kubernetes to function correctly.

IP Pools

IP pools are ranges of IP addresses from which Calico assigns pod IPs. Static IPs must be in an IP pool.

Before you begin…

You must be using Calico IPAM.

If you are not sure, ssh to one of your Kubernetes nodes and examine the CNI configuration.

cat /etc/cni/net.d/10-calico.conflist

Look for the entry:

    "ipam": {
        "type": "calico-ipam"
    },

If it is present, you are using Calico IPAM. If the IPAM is set to something else, or the 10-calico.conflist file does not exist, you cannot use these features in your cluster.

How to

Annotate the pod with cni.projectcalico.org/ipAddrs set to a list of IP addresses to assign, enclosed in brackets. For example:

  "cni.projectcalico.org/ipAddrs": "[\"192.168.0.1\"]"

Note the use of the escaped \" for the inner double quotes around the addresses.

The address must be within a configured Calico IP pool and not currently in use. The annotation must be present when the pod is created; adding it later has no effect.

Note that currently only a single IP address is supported per pod using this annotation.

Reserving IPs for manual assignments

The cni.projectcalico.org/ipAddrs annotation requires the IP address to be within an IP pool. This means that, by default, Calico may decide to use the IP address that you select for another workload or for an internal tunnel address. To prevent this, there are several options:

  • To reserve a whole IPPool for manual allocations, you can set its node selector to "!all()". Since !all() cannot match any nodes, the IPPool will not be used for any automatic assignments.

  • To reserve part of a pool, you can create an IPReservation resource. This allows for certain IPs to be reserved so that Calico IPAM will not use them automatically. However, manual assignments (using the annotation) can still use IPs that are “reserved”.

  • To prevent Calico from using IPs from a certain pool for internal IPIP and/or VXLAN tunnel addresses, you can set the allowedUses field on the IPPool to ["Workload"].
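
The manifests below are an added example, not part of the original Calico guide. They show the annotation from the How to section together with the reservation options listed above. The resource names, the 10.244.200.0/24 CIDR and the container image are assumptions made for illustration; 192.168.0.1 is the address used earlier on this page.

```yaml
# Option A: reserve a single address inside an existing pool so that
# Calico IPAM never assigns it automatically. The pod annotation can
# still claim a "reserved" address.
apiVersion: projectcalico.org/v3
kind: IPReservation
metadata:
  name: static-pod-ips              # hypothetical name
spec:
  reservedCIDRs:
    - 192.168.0.1/32
---
# Option B: dedicate a whole pool to manual assignments.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: manual-only-pool            # hypothetical name
spec:
  # Constructed CIDR: it must lie inside the Kubernetes pod CIDR and
  # must not overlap any other IP pool in the cluster.
  cidr: 10.244.200.0/24
  nodeSelector: "!all()"            # matches no node: no automatic assignment
  allowedUses:
    - Workload                      # never used for IPIP/VXLAN tunnel addresses
---
# The pod that claims the static address. The annotation must be set at
# creation time; adding it to a running pod has no effect.
apiVersion: v1
kind: Pod
metadata:
  name: static-ip-demo              # hypothetical name
  annotations:
    # The value is a JSON list inside a string. YAML single quotes avoid
    # the \" escaping that the JSON form of the annotation needs.
    cni.projectcalico.org/ipAddrs: '["192.168.0.1"]'
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
```

Options A and B are alternatives: use A when the static address sits in a pool that also serves automatic assignments, and B when the pod's address comes from a pool set aside for manual use.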

Above and beyond

For help configuring Calico CNI and Calico IPAM, see Configuring the Calico CNI Plugins.