How to create multiple IPPool for Calico CNI in rke2 cluster
This document (000020972) is provided subject to the disclaimer at the end of this document.
Environment
rke2 cluster with calico as the CNI
Situation
- Resource allocation: You might want to allocate a specific set of IP addresses to a certain group of containers or pods, to ensure that they have access to the resources they need. By defining a separate IP pool for each group, you can control the allocation of resources and ensure that each group has enough IP addresses to meet its needs.
- Security: You might want to create multiple IP pools to enforce different security policies for different groups of containers or pods. For example, you might want to assign a separate IP pool to a group of containers that require stricter security controls, such as those that process sensitive data.
- Flexibility: Multiple IP pools can provide more flexibility in network design, enabling different types of workloads to be separated or grouped together as needed. For example, you might create separate IP pools for frontend and backend services, or for testing and production environments.
Resolution
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: new-pool
spec:
  cidr: 10.168.0.0/16
  blockSize: 24
  ipipMode: Never
  natOutgoing: true
  vxlanMode: Always

Note: vxlanMode is used above to provide a complete example. If VXLAN is not in use, switch in the relevant routing method, for example ipipMode.
From here, you can allocate IPs per IPPool based on node topology.
Alternatively, use the annotation below to allocate IPs from a specific IPPool in a workload.
annotations:
  "cni.projectcalico.org/ipv4pools": "[\"new-pool\"]"

For example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 4
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        "cni.projectcalico.org/ipv4pools": "[\"new-pool\"]"
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
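The following check is an added example and not part of this article or of Calico itself. It assumes the pod list has the shape of `kubectl get pods -o json` (a constructed sample is embedded), verifies that the deployment's pods actually received addresses from the intended pool, sanity-checks an IPPool spec against Calico's documented blockSize limits, and produces the correctly escaped annotation value:

```python
import ipaddress
import json

# Constructed sample in the shape of `kubectl get pods -o json`, trimmed to the
# fields used here. One pod still holds an address from the cluster's default
# pool and one is still Pending with no address at all.
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "nginx-deployment-7c9f-a1"}, "status": {"podIP": "10.168.3.5"}},
    {"metadata": {"name": "nginx-deployment-7c9f-b2"}, "status": {"podIP": "10.168.7.18"}},
    {"metadata": {"name": "nginx-deployment-7c9f-c3"}, "status": {"podIP": "10.42.1.9"}},
    {"metadata": {"name": "nginx-deployment-7c9f-d4"}, "status": {}},
]}


def ipv4pools_annotation(pools):
    """Value for cni.projectcalico.org/ipv4pools: a JSON list encoded as a string."""
    return json.dumps(list(pools))


def validate_ippool(spec):
    """Return the problems found in an IPv4 IPPool spec (empty list means it looks sane)."""
    problems = []
    net = ipaddress.ip_network(spec["cidr"], strict=True)
    block = spec.get("blockSize", 26)  # Calico's IPv4 default
    # Calico hands out /blockSize blocks from the pool, so a block must fit
    # inside the pool, and IPv4 block sizes are limited to /20 .. /32.
    if block < net.prefixlen:
        problems.append("blockSize /%d does not fit inside cidr /%d" % (block, net.prefixlen))
    if not 20 <= block <= 32:
        problems.append("blockSize /%d is outside the IPv4 range /20 .. /32" % block)
    if spec.get("ipipMode", "Never") != "Never" and spec.get("vxlanMode", "Never") != "Never":
        problems.append("ipipMode and vxlanMode cannot both be enabled on one pool")
    return problems


def pods_outside_pool(pod_list, cidr):
    """Names of pods whose podIP is not inside cidr; pods without an IP yet are skipped."""
    net = ipaddress.ip_network(cidr)
    return [pod["metadata"]["name"] for pod in pod_list["items"]
            if pod["status"].get("podIP")
            and ipaddress.ip_address(pod["status"]["podIP"]) not in net]


if __name__ == "__main__":
    print(ipv4pools_annotation(["new-pool"]))
    print(validate_ippool({"cidr": "10.168.0.0/16", "blockSize": 24,
                           "ipipMode": "Never", "vxlanMode": "Always"}))
    print(pods_outside_pool(SAMPLE_PODS, "10.168.0.0/16"))
```

A non-empty result from pods_outside_pool after a rollout means the annotation did not take effect for those pods (for example, pods created before the annotation was added), which is worth catching before relying on the pool split for any network policy.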
If you do not want to allocate IPs from an IPPool, you can disable the IPPool without removing it:
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: new-pool
spec:
  cidr: 10.168.0.0/16
  blockSize: 24
  ipipMode: Never
  natOutgoing: true
  vxlanMode: Always
  disabled: true
Additional Information
https://docs.tigera.io/calico/3.25/operations/install-apiserver
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020972
- Creation Date: 14-Feb-2023
- Modified Date: 22-Jul-2024
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com