Skip to main content

Network Options

Kubernetes requires installation of one or more CNI Plugins to provide Pod networking. RKE2 bundles four primary CNI Plugins: Canal, Cilium, Calico, and Flannel. Only Calico and Flannel support Microsoft Windows. RKE2 also includes Multus as a secondary CNI Plugin, which must be enabled alongside a primary CNI Plugin. For more information, see the Multus and SR-IOV documentation.

Canal is the default CNI Plugin, but all bundled plugins are supported. Bundled CNI Plugins are installed via Helm chart, and can be customized by deploying a HelmChartConfig with additional chart values. For more information on using HelmChartConfig resources, see the Helm Integration documentation, and the CNI-specific examples provided below.

Select a CNI Plugin

Use the cni configuration file key to select the CNI Plugin you wish to use. If you do not want to use any of the bundled CNI Plugins, you can set cni to none. Note that nodes will remain NotReady and be tainted unschedulable until a CNI Plugin is installed.

# /etc/rancher/rke2/config.yaml
cni: canal

Bundled CNI Plugins are provided as AddOns that deploy a HelmChart resource, as described in the Helm Integration documentation. CNI Plugin charts are named rke2-<CNI-PLUGIN-NAME> and can be found in the kube-system namespace.

To customize the Helm chart values for a bundled CNI Plugin chart, you must create a HelmChartConfig resource that matches the name and namespace of its corresponding HelmChart. See the tabs below for examples of customizing the chart values for each of the bundled CNI Plugins.

Default chart values can be found by browsing the RKE2 charts repository, and referencing values.yaml for the version of the chart bundled with your RKE2 version.

Canal uses Flannel for inter-node traffic and Calico for intra-node traffic and network policies. By default, it will use vxlan encapsulation to create an overlay network among nodes. For example, to override the flannel interface, you can apply the following chart values:

# /var/lib/rancher/rke2/server/manifests/rke2-canal-config.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-canal
namespace: kube-system
spec:
valuesContent: |-
flannel:
iface: "eth1"

Starting with RKE2 v1.23 it is possible to use flannel's wireguard backend for in-kernel WireGuard encapsulation and encryption (Users of kernels < 5.6 need to install a module). This can be achieved using the following chart values:

# /var/lib/rancher/rke2/server/manifests/rke2-canal-config.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: rke2-canal
namespace: kube-system
spec:
valuesContent: |-
flannel:
backend: "wireguard"

After that, please restart the canal daemonset to use the newer config by executing: kubectl rollout restart ds rke2-canal -n kube-system

For more information about the full options of the Canal config please refer to the rke2-charts.

note

Canal requires the iptables or xtables-nft package to be installed on the node.

warning

Canal is currently not supported on clusters with Windows nodes.

Please check Known issues and Limitations if you experience IP allocation problems.

Dual-stack configuration

IPv4/IPv6 dual-stack networking enables the allocation of both IPv4 and IPv6 addresses to Pods and Services. To configure RKE2 in dual-stack mode, in the control-plane nodes, you must set a valid IPv4/IPv6 dual-stack cidr for pods and services. To do so, use the cluster-cidr and service-cidr configuration file keys:

#/etc/rancher/rke2/config.yaml
cluster-cidr: "10.42.0.0/16,2001:cafe:42::/56"
service-cidr: "10.43.0.0/16,2001:cafe:43::/112"

Each CNI Plugin may require a different configuration for dual-stack:

Canal automatically detects the RKE2 configuration for dual-stack and does not need any extra configuration. Dual-stack is currently not supported in the windows installations of RKE2.

IPv6 setup

In case of IPv6 only configuration RKE2 needs to use localhost to access the liveness URL of the ETCD pod; check that your operating system configures /etc/hosts file correctly:

::1       localhost

Nodes Without a Hostname

Some cloud providers, such as Linode, will create machines with "localhost" as the hostname and others may not have a hostname set at all. This can cause problems with domain name resolution. You can run RKE2 with the node-name parameter and this will pass the node name to resolve this issue.