cni: add ipv6/dual-stack support for bridge, calico cni

Author: kartikjoshi21

pkg/drivers/kic/kic.go

@@ -95,7 +95,6 @@ func (d *Driver) Create() error {
 	if params.Memory != "0" {
 		params.Memory += "mb"
 	}
-
 	networkName := d.NodeConfig.Network
 	if networkName == "" {
 		networkName = d.NodeConfig.ClusterName
@@ -115,15 +114,18 @@ func (d *Driver) Create() error {
 	if err != nil {
 		msg := "Unable to create dedicated network, this might result in cluster IP change after restart: {{.error}}"
 		args := out.V{"error": err}
-		if staticIP != "" || d.NodeConfig.StaticIPv6 != "" {
-			// If the user requested a static IP on either family, failing
-			// to create the dedicated network should be fatal.
+		if staticIP != "" {
+			// With a user-requested static IP we can’t safely fall back
+			// to the default bridge network.
 			exit.Message(reason.IfDedicatedNetwork, msg, args)
 		}
 		out.WarningT(msg, args)
+		// NOTE: Do NOT set params.Network here – we’ll fall back to Docker’s
+		// default bridge network.
 	} else {
-		// Only attach to the user-defined network when creation/reuse
-		// succeeded. For IPv6-only networks, gateway may legitimately be nil.
+		// Only attach to the dedicated network when creation succeeded.
+		// For IPv6-only clusters the gateway may be nil, but the network
+		// still exists and can be used.
 		params.Network = networkName
 	}
 
@@ -469,7 +471,11 @@ func (d *Driver) Remove() error {
 		return fmt.Errorf("expected no container ID be found for %q after delete. but got %q", d.MachineName, id)
 	}
 
-	if err := oci.RemoveNetwork(d.OCIBinary, d.NodeConfig.ClusterName); err != nil {
+	networkName := d.NodeConfig.ClusterName
+	if d.NodeConfig.Network != "" {
+		networkName = d.NodeConfig.Network
+	}
+	if err := oci.RemoveNetwork(d.OCIBinary, networkName); err != nil {
 		klog.Warningf("failed to remove network (which might be okay) %s: %v", d.NodeConfig.ClusterName, err)
 	}
 	return nil

pkg/drivers/kic/oci/network_create.go

@@ -36,7 +36,12 @@ import (
 // defaultFirstSubnetAddr is a first subnet to be used on first kic cluster
 // it is one octet more than the one used by KVM to avoid possible conflict
 const defaultFirstSubnetAddr = "192.168.49.0"
-const defaultFirstSubnetAddrv6 = "fd00::/64"
+
+// defaultFirstSubnetAddrv6 is the first IPv6 subnet used for kic networks.
+// Avoid fd00::/64 because Docker's IPv6 pools (e.g. fixed-cidr-v6) often sit
+// under fd00::/xx and will trigger "Pool overlaps with other one on this
+// address space". Use a different ULA /64 instead.
+const defaultFirstSubnetAddrv6 = "fd01::/64"
 
 // name of the default bridge network, used to lookup the MTU (see #9528)
 const dockerDefaultBridge = "bridge"
@@ -174,11 +179,14 @@ func CreateNetworkWithIPFamily(ociBin, networkName, subnet, subnetv6, staticIP,
 			return nil, fmt.Errorf("failed to create %s network %s (dual): %w", ociBin, networkName, lastErr)
 		}
 
-		// ----- IPv6-only (no IPv4 subnet) -----
 		args := append([]string{}, baseArgs...)
 		if subnetv6 != "" {
 			args = append(args, "--subnet", subnetv6)
 		}
+		// ipv6-only / “IPv6 + auto IPv4” branch:
+		//  - ipFamily == "ipv6"
+		//  - OR ipFamily == "dual" && staticIP == "" (Docker picks IPv4 range)
+		args = append(args, "--subnet", subnetv6)
 		if ociBin == Docker && bridgeInfo.mtu > 0 {
 			args = append(args, "-o", fmt.Sprintf("com.docker.network.driver.mtu=%d", bridgeInfo.mtu))
 		}
@@ -189,7 +197,7 @@ func CreateNetworkWithIPFamily(ociBin, networkName, subnet, subnetv6, staticIP,
 		)
 
 		if _, err := runCmd(exec.Command(ociBin, args...)); err != nil {
-			klog.Warningf("failed to create %s network %q (ipv6-only): %v", ociBin, networkName, err)
+			klog.Warningf("failed to create %s network %q (ipv6/dual): %v", ociBin, networkName, err)
 			return nil, fmt.Errorf("create %s network %q: %w", ociBin, networkName, err)
 		}
 

pkg/minikube/cni/bridge.go

@@ -17,10 +17,10 @@ limitations under the License.
 package cni
 
 import (
-	"bytes"
+	"encoding/json"
 	"fmt"
 	"os/exec"
-	"text/template"
+	"strings"
 
 	"github.com/pkg/errors"
 	"k8s.io/minikube/pkg/minikube/assets"
@@ -32,38 +32,73 @@ import (
 // ref: https://www.cni.dev/plugins/current/meta/portmap/
 // ref: https://www.cni.dev/plugins/current/meta/firewall/
 
-// note: "cannot set hairpin mode and promiscuous mode at the same time"
-// ref: https://github.com/containernetworking/plugins/blob/7e9ada51e751740541969e1ea5a803cbf45adcf3/plugins/main/bridge/bridge.go#L424
-var bridgeConf = template.Must(template.New("bridge").Parse(`
-{
-  "cniVersion": "0.4.0",
-  "name": "bridge",
-  "plugins": [
-    {
-      "type": "bridge",
-      "bridge": "bridge",
-      "addIf": "true",
-      "isDefaultGateway": true,
-      "forceAddress": false,
-      "ipMasq": true,
-      "hairpinMode": true,
-      "ipam": {
-          "type": "host-local",
-          "subnet": "{{.PodCIDR}}"
-      }
-    },
-    {
-      "type": "portmap",
-      "capabilities": {
-          "portMappings": true
-      }
-    },
-    {
-       "type": "firewall"
-    }
-  ]
+// renderBridgeConflist builds a bridge CNI config that supports IPv4-only, IPv6-only, or dual-stack.
+func renderBridgeConflist(k8s config.KubernetesConfig) ([]byte, error) {
+	// minimal structs for JSON marshal
+	type rng struct {
+		Subnet string `json:"subnet"`
+	}
+	type ipam struct {
+		Type   string  `json:"type"`
+		Subnet string  `json:"subnet,omitempty"` // single-stack (v4 or v6)
+		Ranges [][]rng `json:"ranges,omitempty"` // dual-stack
+	}
+	type bridge struct {
+		Type             string `json:"type"`
+		Bridge           string `json:"bridge"`
+		IsDefaultGateway bool   `json:"isDefaultGateway"`
+		HairpinMode      bool   `json:"hairpinMode"`
+		IPMasq           bool   `json:"ipMasq"`
+		IPAM             ipam   `json:"ipam"`
+	}
+	type plugin struct {
+		Type         string          `json:"type"`
+		Capabilities map[string]bool `json:"capabilities,omitempty"`
+	}
+	type conflist struct {
+		CNIVersion string        `json:"cniVersion"`
+		Name       string        `json:"name"`
+		Plugins    []interface{} `json:"plugins"`
+	}
+
+	v4 := k8s.PodCIDR != ""
+	v6 := k8s.PodCIDRv6 != ""
+
+	cfgIPAM := ipam{Type: "host-local"}
+	switch {
+	case v4 && v6:
+		cfgIPAM.Ranges = [][]rng{{{Subnet: k8s.PodCIDR}}, {{Subnet: k8s.PodCIDRv6}}}
+	case v6:
+		cfgIPAM.Subnet = k8s.PodCIDRv6
+	default:
+		// fall back to previous default if unset upstream
+		cidr := k8s.PodCIDR
+		if cidr == "" {
+			cidr = DefaultPodCIDR
+		}
+		cfgIPAM.Subnet = cidr
+	}
+
+	// NAT generally not desired for IPv6; keep masquerade only for v4
+	ipMasq := v4 && !v6
+
+	br := bridge{
+		Type: "bridge", Bridge: "cni0",
+		IsDefaultGateway: true,
+		HairpinMode:      true,
+		IPMasq:           ipMasq,
+		IPAM:             cfgIPAM,
+	}
+	portmap := plugin{Type: "portmap", Capabilities: map[string]bool{"portMappings": true}}
+	firewall := plugin{Type: "firewall"}
+
+	out := conflist{
+		CNIVersion: "1.0.0",
+		Name:       "k8s-pod-network",
+		Plugins:    []interface{}{br, portmap, firewall},
+	}
+	return json.MarshalIndent(out, "", "  ")
 }
-`))
 
 // Bridge is a simple CNI manager for single-node usage
 type Bridge struct {
@@ -76,14 +111,11 @@ func (c Bridge) String() string {
 }
 
 func (c Bridge) netconf() (assets.CopyableFile, error) {
-	input := &tmplInput{PodCIDR: DefaultPodCIDR}
-
-	b := bytes.Buffer{}
-	if err := bridgeConf.Execute(&b, input); err != nil {
+	cfgBytes, err := renderBridgeConflist(c.cc.KubernetesConfig)
+	if err != nil {
 		return nil, err
 	}
-
-	return assets.NewMemoryAssetTarget(b.Bytes(), "/etc/cni/net.d/1-k8s.conflist", "0644"), nil
+	return assets.NewMemoryAssetTarget(cfgBytes, "/etc/cni/net.d/1-k8s.conflist", "0644"), nil
 }
 
 // Apply enables the CNI
@@ -110,5 +142,15 @@ func (c Bridge) Apply(r Runner) error {
 
 // CIDR returns the default CIDR used by this CNI
 func (c Bridge) CIDR() string {
+
+	// Prefer explicitly-set CIDRs from the cluster config.
+	k := c.cc.KubernetesConfig
+	if k.PodCIDRv6 != "" && (strings.ToLower(k.IPFamily) == "ipv6" || k.PodCIDR == "") {
+		return k.PodCIDRv6
+	}
+
+	if k.PodCIDR != "" {
+		return k.PodCIDR
+	}
 	return DefaultPodCIDR
 }