7:[["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org/\",\"@type\":\"Article\",\"headline\":\"Overcoming Kubernetes IP Address Exhaustion with Cilium\",\"image\":\"https://cdn.sanity.io/images/xinsvxfu/production/ef53161e274b8fb109beb28f10d6627010b0d9f1-1600x1067.webp\",\"datePublished\":\"2025-01-21T14:29:00.000Z\",\"dateModified\":\"2025-01-08T10:18:58.000Z\",\"description\":\"In this blog post, learn how Cilium can overcome IP address exhaustion issues you may face in your Kubernetes clusters.\",\"author\":[{\"@type\":\"Person\",\"name\":\"Nico Vibert\",\"url\":\"https://isovalent.com/\"}]}"}}]}]}],["$","main",null,{"id":"top","children":[["$","header",null,{"className":"restricted mt-10 mb-14","children":[["$","$L18",null,{"href":"/blog/","className":"flex items-center justify-items-center gap-1 mb-6 text-sm font-bold text-action max-w-max","children":[["$","isov-icon",null,{"class":"block rotate-90","name":"arrow-right","size":"small"}],["$","isov-content",null,{"children":["$","span",null,{"className":"ui-text","children":"Blog"}]}]]}],["$","h1",null,{"className":"text-4xl text-nightfall font-bold mb-5 max-w-3xl","children":"Overcoming Kubernetes IP Address Exhaustion with Cilium"}],["$","div",null,{"className":"article-details block sm:flex items-center justify-items-start sm:justify-items-center cursor-default","children":[[["$","isov-avatar","0ae51702-7dba-84ad-a28a-f771145d2ef7",{"size":"medium","name":"Nico Vibert","class":"mr-1","children":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/a8fa134c3d7583ee70832353c7ff0d8a2181ff16-200x200.jpg?auto=format&q=80&fit=clip&w=200","alt":"Nico Vibert Image","slot":"avatar","height":200,"width":200}]}]],["$","div",null,{"className":"text-charcoal","children":[["$","span",null,{"className":"hidden sm:inline","children":"| "}],["$","span",null,{"children":["Published:"," ",["$","strong",null,{"className":"font-bold","children":"January 8, 2025"}],[" ","| Updated:"," ",["$","strong",null,{"className":"font-bold","children":"January 21, 2025"}]]]}]," | ",[["$","$L1a","2159f293-7dd2-46f3-9b11-bf943ad2ae98",{"href":"/blog/networking-for-kubernetes","className":"inline-block text-action hover:underline font-bold pr-1","children":["Networking for Kubernetes",false]}]]]}]]}]]}],["$","section",null,{"id":"page-content","className":"mb-8","children":["$","$12",null,{"fallback":null,"children":["$","$L13",null,{"reason":"next/dynamic","children":["$","$L1b",null,{"content":[{"_key":"21ebf7db-3163-4486-9c52-dd9b83e1fd09","_type":"block","children":[{"_key":"357db081-0301-4d18-a726-f7bfaceddd15","_type":"span","marks":[],"text":"IP address planning is not unlike urban planning (a field in which I've got "},{"_key":"7b8e643e-3ae5-4ad4-afe5-aacbb50ac77e","_type":"span","marks":["6fef7947-7a34-4d75-a3e1-889381658295"],"text":"decades of experience"},{"_key":"b49cd71c-d1b7-49a4-b01f-887fe8851b45","_type":"span","marks":[],"text":"): Tokyo wasn't designed for 40 million residents but regardless, it is now the largest metropolis on Earth and accommodate a huge population through compact housing and vertical expansion."}],"markDefs":[{"_key":"6fef7947-7a34-4d75-a3e1-889381658295","_type":"link","href":"https://en.wikipedia.org/wiki/SimCity","openInNewTab":false}],"style":"normal"},{"_key":"a9ff7064-a989-4993-9eb6-b50ea0c6c9ee","_type":"block","children":[{"_key":"dc11de53-aec0-46db-a555-9a45f569af3f","_type":"span","marks":[],"text":"But let's be frank: subnetting is nowhere near as much fun as playing SimCity. It's probably one of the least enjoyable aspects of network architecture. Selecting a small subnet size and you might quickly run out of IPs to assign to your workloads. Settling on a network too big and you might end up with not enough prefixes to allocate across all your environments. "}],"markDefs":[],"style":"normal"},{"_key":"d12dc14b-9ac2-43bf-aace-91fbd858cd8e","_type":"block","children":[{"_key":"d196d99c-e6de-46b0-948b-0d206e4277a1","_type":"span","marks":[],"text":"The tedium of subnet planning is not just reserved for traditional networks: it is something we also feel in Kubernetes. Platform engineers often underestimate how popular their platform quickly can become and run into IP address exhaustion issues as developers embrace Kubernetes and micro-services are deployed at scale."}],"markDefs":[],"style":"normal"},{"_key":"da2ee908-e718-4fc9-8bf1-56255c2bb3ab","_type":"block","children":[{"_key":"54bcfc2d-b219-4e0f-840d-f686d6958cb6","_type":"span","marks":[],"text":"Yet, just like Tokyo found smart urban strategies to expand, "},{"_key":"cbff3cc9-2769-4ac6-a42e-edaf5984cef5","_type":"span","marks":["af72bb2b-3748-41f4-bb58-d9522de01736"],"text":"Cilium"},{"_key":"ba5f2589-0ab6-43ba-9fc1-00f1b8fc0f42","_type":"span","marks":[],"text":" also offers multiple methods to overcome IP address exhaustion."}],"markDefs":[{"_key":"af72bb2b-3748-41f4-bb58-d9522de01736","_type":"link","href":"https://cilium.io","openInNewTab":false}],"style":"normal"},{"_key":"65faa39a-eaa6-4094-8761-2649ce1a5ec8","_type":"block","children":[{"_key":"14c84139-8052-4538-aca9-da7bfa3af375","_type":"span","marks":[],"text":"In this blog post, we will start by recapitulating the multiple methods available to assign IP addresses to Kubernetes entities, explain the differences between each of them and walk through how Cilium can give you that little extra breathing space when clusters get tight."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:38:10Z","_id":"6e69828d-e97d-3f8f-66bb-11c1a14b791e","_key":"ba8044aa-eb22-41db-b0d4-41d2595a335a","_ref":"6e69828d-e97d-3f8f-66bb-11c1a14b791e","_rev":"ee12hzS4M5aP0OjnS0trBh","_type":"bodyCta","_updatedAt":"2025-05-22T22:21:01Z","alignment":"left","backgroundImage":{"_createdAt":"2025-03-21T16:32:00Z","_id":"407c0eb0-2c56-4f47-a80f-c16575dc4009","_rev":"RvKg2H7lodOtU53j0x4e1l","_type":"mediaImage","_updatedAt":"2025-04-04T21:50:43Z","alignment":"center","alt":"body-cta-bg.svg","altText":{"en":"Body CTA BG"},"clickToEnlarge":false,"image":"https://cdn.sanity.io/images/xinsvxfu/production/490d28b2f74ed0292938bd46ac19a151b6fd3b9c-910x239.svg","languages":["en"],"originalFilename":"body-cta-bg.svg","rounded":false,"size":"large","title":"decoration-body-cta-ice"},"ctas":[{"_createdAt":"2025-04-15T14:13:07Z","_id":"a93900ac-44c9-0d1a-2a5e-6c84e162a6b8","_rev":"wAK4gN2UbqK20YaSXllS2T","_type":"cta","_updatedAt":"2025-05-22T22:21:00Z","label":{"en":"Start the lab"},"languages":["en"],"title":"\"Start Lab\" - Primary (Isovalent IPAM lab)","url":"/labs/cilium-ipam/","variant":"tertiary"}],"headline":{"en":"Isovalent IPAM lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"shaded":true,"text":{"en":[{"_key":"d56d7a83-0869-4cd7-9c3d-5101dd39117a","_type":"block","children":[{"_key":"4796a2d4-8546-4433-8722-b18f6dcdf8e7","_type":"span","marks":[],"text":"If you'd rather learn by doing rather than reading, why don't you start one of our always-on free hands-on lab?"}],"markDefs":[],"style":"normal"}]},"theme":"primary","title":"Isovalent IPAM lab - \"If you'd rather learn by doing rather than reading, why don't you start one of our always-on free hands-on lab?\" Body CTA"},{"_key":"c8fcc97f-d9e5-45ba-a0db-8f0ff82ca967","_type":"block","children":[{"_key":"693ca349-fdd0-4f66-9319-dfe4b5b3307f","_type":"span","marks":[],"text":"IP address management in Kubernetes"}],"markDefs":[],"style":"h2"},{"_key":"5c5858c5-3f84-41b7-a569-09b2079eb3a5","_type":"block","children":[{"_key":"0e5096fb-89a7-4547-909a-4b0ee3a93062","_type":"span","marks":[],"text":"In traditional networking, a "},{"_key":"9966be40-60e9-4624-8111-ed52d5acdae5","_type":"span","marks":["01dc4f38-84b9-4ad2-b3bc-3ccdc66954d5"],"text":"DHCP"},{"_key":"6bd978fd-e0f9-40d6-8263-20a2aa36d48d","_type":"span","marks":[],"text":" server allocates IP addresses to a server as it comes online (unless static addressing is used)."}],"markDefs":[{"_key":"01dc4f38-84b9-4ad2-b3bc-3ccdc66954d5","_type":"link","href":"https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol","openInNewTab":false}],"style":"normal"},{"_key":"22b498c0-63ee-4fe3-9bd3-750747f881a8","_type":"block","children":[{"_key":"de30094c-cdb4-4b93-bf53-46a5c2329230","_type":"span","marks":[],"text":"While the Kubernetes nodes would typically receive their IP address over DHCP, we do not use it for pods. Instead, we refer to "},{"_key":"b935f766-3f0d-4226-9938-7260a07bbf4d","_type":"span","marks":["strong"],"text":"IPAM"},{"_key":"cc921f43-c3ba-4549-a583-ee424511441a","_type":"span","marks":[],"text":" (IP Address Management) the process of assigning an IP to pods and services within Kubernetes."}],"markDefs":[],"style":"normal"},{"_key":"8dcdb287-ceb3-43d9-b219-82496ee854ad","_type":"block","children":[{"_key":"1ef6a13d-5f00-4c8f-b8f4-d4b1c030247f","_type":"span","marks":[],"text":"In Kubernetes, the Container Network Interface plugin (CNI) is "},{"_key":"ebcccbcc-6859-48f9-a669-199e9fc02950","_type":"span","marks":["7b7a0bcf-e61c-4b14-90ed-2db513c0fd0a"],"text":"often responsible for assigning an IP address to your pod"},{"_key":"b7b20325-f1df-495b-8a35-848401e8498d","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"7b7a0bcf-e61c-4b14-90ed-2db513c0fd0a","_type":"link","href":"https://kubernetes.io/docs/concepts/cluster-administration/networking/#kubernetes-ip-address-ranges","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-05-22T22:21:23Z","_id":"d5b8bd76-de2c-4009-ad33-87218efa695d","_key":"2be1e53817bb","_ref":"d5b8bd76-de2c-4009-ad33-87218efa695d","_rev":"wAK4gN2UbqK20YaSXllaOX","_type":"mediaImage","_updatedAt":"2025-05-22T22:21:53Z","alignment":"center","caption":{"_type":"content","en":[{"_key":"d5ab66ebdf19","_type":"block","children":[{"_key":"4dd8c584759f","_type":"span","marks":[],"text":"Cilium CNI"}],"markDefs":[],"style":"normal"}]},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-369026094c9ad13913cce92f3635082ffe2414ed-1058x848-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-cluster-kubernetes-cni-plugin","url":"https://cdn.sanity.io/images/xinsvxfu/production/369026094c9ad13913cce92f3635082ffe2414ed-1058x848.webp"},{"_key":"c9e2e987-7d73-4e4c-bac3-2998d28694b6","_type":"block","children":[{"_key":"bea9cedd-035d-4621-bc9e-5f0db2062e0f","_type":"span","marks":[],"text":"When a new Pod is added in Kubernetes, it is first assigned to a node via the Kubernetes Scheduler. The Kubelet running on that node will then be notified of the new pod assigned to it and needs to take action to create the containers implementing the pod manifest."}],"markDefs":[],"style":"normal"},{"_key":"3979b1fa-8d10-4cc9-b845-c6f1a4de37ea","_type":"block","children":[{"_key":"6853b597-31af-46d1-aa61-1d3d03ac24e1","_type":"span","marks":[],"text":"For the networking part, the Kubelet uses the CNI. The first step is for the Kubelet to check the CNI configuration on the node, which is located in "},{"_key":"e26aeced-c9d8-401e-8951-6fd9b9c2853b","_type":"span","marks":["code"],"text":"/etc/cni/net.d/"},{"_key":"48a10d54-5235-404d-bd04-df6facddd155","_type":"span","marks":[],"text":". When Cilium is installed on the cluster, each Cilium agent creates a configuration file in "},{"_key":"05e880c1-2d73-4e2f-ac54-e4d2d0129365","_type":"span","marks":["code"],"text":"/etc/cni/net.d/05-cilium.conf"},{"_key":"ca17a6d2-a98a-4a1f-83cf-746bf4b74c08","_type":"span","marks":[],"text":" which instructs Kubelet on how to configure Pod networking."}],"markDefs":[],"style":"normal"},{"_key":"906df3d5-b9cf-4445-8406-7f8f4e69d655","_type":"block","children":[{"_key":"3df5df3c-7de5-4375-af3a-b3e47ad3cec6","_type":"span","marks":[],"text":"The IP assigned to a pod comes from a subnet referred to as "},{"_key":"e6113ce2-3020-499b-814d-385d24bce7ec","_type":"span","marks":["em"],"text":"PodCIDR"},{"_key":"f89704f5-aede-4811-adb3-f0a6def2a5c7","_type":"span","marks":[],"text":". You might remember the concept of CIDR - Classless Inter-Domain Routing - from doing subnet calculations. In Kubernetes, just think of a PodCIDR as the subnet from which the pod receives an IP address."}],"markDefs":[],"style":"normal"},{"_key":"c171db98-64bc-441e-a639-229c5f933ed3","_type":"block","children":[{"_key":"4ec4d6c9-d46e-4e94-9703-45f34ee19c07","_type":"span","marks":[],"text":"Cilium supports multiple IPAM modes. Some are cloud provider-specific while some can be used in any environment. In this tutorial, we will cover the following IPAM modes:"}],"markDefs":[],"style":"normal"},{"_key":"5b830dec2b0f","_type":"block","children":[{"_key":"d0991339be27","_type":"span","marks":[],"text":"Kubernetes Host Scope"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"05f8b52efcda","_type":"block","children":[{"_key":"e9d9dd4b9887","_type":"span","marks":[],"text":"Cluster Scope (Default)"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"5cf35a896035","_type":"block","children":[{"_key":"50ad29c1ce43","_type":"span","marks":[],"text":"Multi-Pool (Beta)"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"8f489d4f32cf","_type":"block","children":[{"_key":"fdb0a50ec849","_type":"span","marks":[],"text":"AWS ENI (without and with Prefix Delegation)"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"50baf43b2422","_type":"block","children":[{"_key":"46db88814e5e","_type":"span","marks":[],"text":"LoadBalancer Service IPAM"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"5a75383bc4ce","_type":"block","children":[{"_key":"b66287999fbb","_type":"span","marks":[],"text":"Egress Gateway IPAM"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"bb83f26a-94c3-4f2f-a776-4b94aa1c0ce6","_type":"block","children":[{"_key":"08880ae9-3055-4faf-8f23-c683d3296944","_type":"span","marks":[],"text":"Kubernetes-host scope IPAM mode"}],"markDefs":[],"style":"h2"},{"_key":"38043d9e-4730-41ee-b858-dde63d4569a1","_type":"block","children":[{"_key":"c4d7b580-df4d-4af2-ae16-605f4cec514f","_type":"span","marks":[],"text":"The "},{"_key":"216b6bc0-f5ea-4d2c-b37e-5a17527ec866","_type":"span","marks":["5ef25c93-cc3a-4fe3-912e-78a11ef09e58"],"text":"Kubernetes Host Scope"},{"_key":"460b31f0-5958-419a-9a3b-40f71b853ae1","_type":"span","marks":[],"text":" IPAM is probably the most simple IPAM option for a generic Kubernetes cluster, so we'll start with this one."}],"markDefs":[{"_key":"5ef25c93-cc3a-4fe3-912e-78a11ef09e58","_type":"link","href":"https://docs.cilium.io/en/stable/network/concepts/ipam/kubernetes/","openInNewTab":false}],"style":"normal"},{"_key":"47cb9c0a-22d0-4a29-b532-121173082c94","_type":"block","children":[{"_key":"e771ac3b-f05b-4f88-9f76-436ffffe7412","_type":"span","marks":[],"text":"When using the Kubernetes Host Scope, Cilium relies on CIDRs already allocated to the "},{"_key":"f2ae0952-d561-4431-bb5f-c9ca8a17b0ed","_type":"span","marks":["code"],"text":"Node"},{"_key":"31b98c55-2080-472b-934a-81de4b231b63","_type":"span","marks":[],"text":" Kubernetes resources by the Kubernetes Controller Manager."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-22T22:22:42Z","_id":"12c5b8a6-e8eb-4e97-b59a-b508a450f42a","_key":"054f255d8922","_ref":"12c5b8a6-e8eb-4e97-b59a-b508a450f42a","_rev":"wAK4gN2UbqK20YaSXllmdt","_type":"mediaImage","_updatedAt":"2025-05-22T22:23:13Z","alignment":"center","caption":{"_type":"content","en":[{"_key":"dd95f27f60a5","_type":"block","children":[{"_key":"5ea85578816b","_type":"span","marks":[],"text":"Kubernetes Host Scope IPAM"}],"markDefs":[],"style":"normal"}]},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-b2543628c23cdc4081404e0f5922a89124d3bb98-1488x454-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-kubernetes-hostscope","url":"https://cdn.sanity.io/images/xinsvxfu/production/b2543628c23cdc4081404e0f5922a89124d3bb98-1488x454.webp"},{"_key":"c7bd846e-b492-4101-8dea-0e1da0f27fd2","_type":"block","children":[{"_key":"8e93e0bb-6ad1-4dcc-9b43-b3c906042356","_type":"span","marks":[],"text":"In this mode, a single large cluster-wide prefix is assigned to a cluster, and Kubernetes carves out a subnet of that prefix for every node. Cilium would then assign IP addresses from each subnet. "}],"markDefs":[],"style":"normal"},{"_key":"227a3e6d-86b8-448f-9ead-c251fa18f273","_type":"block","children":[{"_key":"7f8bfc35-226a-496b-b80b-d67cc8e0d10c","_type":"span","marks":[],"text":"Let's take a look in a cluster with Cilium deployed in this mode :"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:08Z","_id":"4551e948-a79e-94ed-7601-1bdb35ab67f6","_key":"5dedff98-c752-4925-8cb4-da01bb538f44","_ref":"4551e948-a79e-94ed-7601-1bdb35ab67f6","_rev":"9kz0FTU16Ui9PYoDK28vYX","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:08Z","code":"$$ cilium config view | grep ipam\nipam kubernetes","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"b0bb6bf4-f387-4a8b-b37a-d8b8509a65d4","_type":"block","children":[{"_key":"41b7f12a-10ec-42d6-a6ed-1ddbbd284de9","_type":"span","marks":[],"text":"Cilium will use the PodCIDRs associated with each node (using the "},{"_key":"3148fd2d-0df2-4547-b9d7-76e751c4a29b","_type":"span","marks":["code"],"text":"Node"},{"_key":"c33b1f4f-a05a-4096-a2b4-4cc253b99326","_type":"span","marks":[],"text":" resources) and assign IPs from these subnets to the pods started on the nodes. In our cluster, the "},{"_key":"e2c6a09a-f763-4de3-ba9b-3f85092cdfd9","_type":"span","marks":["code"],"text":"kind-worker"},{"_key":"b62ce953-e1b3-4143-97e2-903b3b01e62f","_type":"span","marks":[],"text":" node is assigned the "},{"_key":"d6b8d8cb-0077-4716-8124-3739f4b99b4a","_type":"span","marks":["code"],"text":"10.244.1.0/24"},{"_key":"a29d5012-4d6f-466d-b375-42b7c362136f","_type":"span","marks":[],"text":" PodCIDR."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:09Z","_id":"446533f2-6a32-4f6e-fba3-9ad565fa1e82","_key":"b3b7d146-f9c0-44d9-a410-705eba0a4555","_ref":"446533f2-6a32-4f6e-fba3-9ad565fa1e82","_rev":"kcq4Y4Flzce7Z96LpMnnya","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:09Z","code":"$$ kubectl get ciliumnode kind-worker -o jsonpath='{.spec.ipam}'\n{\"podCIDRs\":[\"10.244.1.0/24\"]}","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"fcd95d50-0158-40ac-a8a8-6b251267007c","_type":"block","children":[{"_key":"678d0bf6-8084-486a-8173-b242bf7d2e41","_type":"span","marks":[],"text":"Executing "},{"_key":"2c21d18a-5dd1-47be-a642-ce33d1d10e3e","_type":"span","marks":["code"],"text":"cilium-dbg status"},{"_key":"ea8a9a2e-696a-4170-8baf-df62403b557a","_type":"span","marks":[],"text":" in a Cilium agent will let you check how many IP addresses were assigned out of that prefix (note that "},{"_key":"d7c842b5-5de6-4bfc-887a-a5d309ad410b","_type":"span","marks":["724ce4db-1b08-4e10-8b60-20ebbeaa13ef"],"text":"the Cilium CLI running on the agent"},{"_key":"0d1e821d-70b4-4ba9-8985-a9a955d04df6","_type":"span","marks":[],"text":" is different from the "},{"_key":"70a48456-b3aa-4383-afd3-da671407ee05","_type":"span","marks":["0aa11b1e-0ab1-4831-8758-df69b1a85c09"],"text":"Cilium CNI binary typically used for installation"},{"_key":"07dfe30c-a600-4ebe-be29-defcf52f9693","_type":"span","marks":[],"text":"):"}],"markDefs":[{"_key":"724ce4db-1b08-4e10-8b60-20ebbeaa13ef","_type":"link","href":"https://docs.cilium.io/en/stable/cheatsheet/","openInNewTab":false},{"_key":"0aa11b1e-0ab1-4831-8758-df69b1a85c09","_type":"link","href":"/blog/post/cilium-cheat-sheet/","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-04-15T14:14:11Z","_id":"610348c7-9b12-a941-8810-35f149de5533","_key":"69dfc0a0-ed3c-4c46-aba4-f3ee1a89675d","_ref":"610348c7-9b12-a941-8810-35f149de5533","_rev":"9kz0FTU16Ui9PYoDK28vyn","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:11Z","code":"$$ WORKER_CILIUM_POD=$(kubectl -n kube-system get po -l k8s-app=cilium --field-selector spec.nodeName=kind-worker -o name)\n$ echo $WORKER_CILIUM_POD\npod/cilium-7krnk\n$ kubectl -n kube-system exec -ti $WORKER_CILIUM_POD -c cilium-agent -- cilium-dbg status | grep IPAM\nIPAM: IPv4: 5/254 allocated from 10.244.1.0/24","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"1c926b15-a444-4e1c-86e9-fdd0cf390809","_type":"block","children":[{"_key":"48ff477b-3bef-4784-a266-9af1d4067170","_type":"span","marks":[],"text":"Let's deploy a pod. It is scheduled on "},{"_key":"a5c6303d-052c-4e1f-a866-4534cfedbbaf","_type":"span","marks":["code"],"text":"kind-worker2"},{"_key":"741866b3-b701-4178-9790-11c47d485816","_type":"span","marks":[],"text":" and receives an IP address from the prefix assigned to that node."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:12Z","_id":"3a17c559-c797-7329-cf8d-76018ff351bb","_key":"dc7426ca-564c-4463-aab5-9b0c5e8d8e04","_ref":"3a17c559-c797-7329-cf8d-76018ff351bb","_rev":"kcq4Y4Flzce7Z96LpMnoh6","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:12Z","code":"$$ kubectl run netshoot --image nicolaka/netshoot --command \"sleep\" \"infinite\"\npod/netshoot created\n$ kubectl get pod netshoot -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\nnetshoot 1/1 Running 0 19s 10.244.2.39 kind-worker2 \n$ kubectl get ciliumnode kind-worker2 -o jsonpath='{.spec.ipam}'\n{\"podCIDRs\":[\"10.244.2.0/24\"]}","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"8e16406f-7f91-44ed-994f-d2f992a645d5","_type":"block","children":[{"_key":"c69b0211-5310-4d37-8ba1-5b98b9b1699d","_type":"span","marks":[],"text":"While this mode is simple, it is inflexible. With it, it is not possible to configure the size of the CIDRs allocated to each node, nor is it possible to add additional CIDRs to the cluster or to individual nodes, making precise IP address planning crucial prior to cluster deployment."}],"markDefs":[],"style":"normal"},{"_key":"1541b2b8-de7b-4d25-992e-05a657667e16","_type":"block","children":[{"_key":"a544788f-babc-4f65-b263-8f89206846b9","_type":"span","marks":[],"text":"Cluster scope IPAM mode"}],"markDefs":[],"style":"h2"},{"_key":"af044637-2f35-4ddb-a9c6-88fa36a1435f","_type":"block","children":[{"_key":"7019164f-4210-4009-8d82-e3658b2b49a5","_type":"span","marks":[],"text":"The "},{"_key":"42049651-cdc2-47c3-914a-a13b412d071d","_type":"span","marks":["d2e6e917-129f-436d-b94a-97576e55e658"],"text":"Cluster Scope mode"},{"_key":"d4c9e259-033e-4af8-b7f4-ef1d9ef93666","_type":"span","marks":[],"text":" works in a similar way to the Kubernetes Host Scope mode, but Cilium allocates pod CIDRs to the nodes itself (instead of Kube Controller Manager). As it doesn't require a specific configuration of the Kubernetes cluster, this mode is the default option in Cilium."}],"markDefs":[{"_key":"d2e6e917-129f-436d-b94a-97576e55e658","_type":"link","href":"https://docs.cilium.io/en/stable/network/concepts/ipam/cluster-pool/","openInNewTab":false}],"style":"normal"},{"_key":"debbeaa7-4e07-45c2-9baf-d334bb8324f9","_type":"block","children":[{"_key":"7ed0e999-df51-4efa-ad03-ff14463cab93","_type":"span","marks":[],"text":"In this mode, the Cilium Operator is in charge of allocating pod CIDRs to each node. It uses the "},{"_key":"06487d97-dbe0-4a8e-a43b-0aba96d26c3e","_type":"span","marks":["code"],"text":"CiliumNode"},{"_key":"2599a8e4-0902-40c0-bcfc-93d26927e346","_type":"span","marks":[],"text":" resources instead of the "},{"_key":"903486b7-22d4-4e3d-9be5-7a051bb269f4","_type":"span","marks":["code"],"text":"Node"},{"_key":"d2875b7b-6fd1-430a-b76c-2caedbc36617","_type":"span","marks":[],"text":" resources to achieve this (this avoids potential clashes with CIDRs assigned by the Kubernetes Controller Manager)."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-05-22T22:23:54Z","_id":"4fa1cad9-cdd8-4317-9b06-6884e3538c64","_key":"254bdecda2a7","_ref":"4fa1cad9-cdd8-4317-9b06-6884e3538c64","_rev":"ee12hzS4M5aP0OjnS0u4Qg","_type":"mediaImage","_updatedAt":"2025-05-22T22:24:10Z","alignment":"center","caption":{"_type":"content","en":[{"_key":"84d6ad81b150","_type":"block","children":[{"_key":"5681812ecb13","_type":"span","marks":[],"text":"Cluster Scope IPAM Mode"}],"markDefs":[],"style":"normal"}]},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-dba454503e73edeb13899b5efc677f423c0e9d1c-714x175-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-ciliumnode-cluster-scope","url":"https://cdn.sanity.io/images/xinsvxfu/production/dba454503e73edeb13899b5efc677f423c0e9d1c-714x175.webp"},{"_key":"9e8b459f-1d0a-4323-80a5-9d5bd0192bf0","_type":"block","children":[{"_key":"1074ac23-3ff9-45a7-83be-8042ba20d412","_type":"span","marks":[],"text":"By default, Cilium uses the "},{"_key":"38c7f5a4-6f23-4989-825b-d32f9ebce457","_type":"span","marks":["code"],"text":"10.0.0.0/8"},{"_key":"cff48aef-1966-4718-8626-273706f91561","_type":"span","marks":[],"text":" CIDR for pods. Let's verify in a cluster deployed in Cluster Scope mode (which is sometimes referred to as \"Cluster-Pool\"):"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:13Z","_id":"c764ae2b-b3a3-3ee0-3d9a-67def1d87b82","_key":"4c9a6bde-ca17-4fcd-9117-31d67c16c10e","_ref":"c764ae2b-b3a3-3ee0-3d9a-67def1d87b82","_rev":"4wy3EvkFBguUtSHAFFop4U","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:13Z","code":"$$ cilium config view | grep cluster-pool\ncluster-pool-ipv4-cidr 10.0.0.0/8\ncluster-pool-ipv4-mask-size 24\nipam cluster-pool","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"cfd0ca9f-7584-4ee5-9210-c9b8b8075bcb","_type":"block","children":[{"_key":"9050207b-2fd4-4480-9adf-07569fde81ac","_type":"span","marks":[],"text":"You'll also notice the "},{"_key":"1b33065c-1a55-4de2-ab03-fd5598c12563","_type":"span","marks":["code"],"text":"cluster-pool-ipv4-mask-size"},{"_key":"e4286c34-843d-4894-9ba0-e84dbcafd430","_type":"span","marks":[],"text":" parameter, which is set to "},{"_key":"c10b9374-624e-4515-a27a-adb6e0622fd9","_type":"span","marks":["code"],"text":"24"},{"_key":"d1bb24ac-10ed-4f10-ade9-83ebd018f5f6","_type":"span","marks":[],"text":". This means that Cilium will split the cluster CIDR into "},{"_key":"3033acc2-d2bc-4428-ba56-733c5a7b9b5d","_type":"span","marks":["code"],"text":"/24"},{"_key":"b99aeb69-3ac7-4c45-9088-b96ffb68c8ae","_type":"span","marks":[],"text":" subnets and assign one to each node in the cluster by adding it to the "},{"_key":"3c0e29cd-c32b-42de-807d-f677daf5dc86","_type":"span","marks":["code"],"text":"spec.ipam.podCIDRs"},{"_key":"f56a05ac-224f-4421-aa32-2a519a1cf696","_type":"span","marks":[],"text":" field in their respective "},{"_key":"e3772c91-4a0f-4949-a6e1-aaf995121d8a","_type":"span","marks":["code"],"text":"CiliumNode"},{"_key":"a1eff6bd-2e09-480d-99ef-d48bef1fe9f2","_type":"span","marks":[],"text":" resources."}],"markDefs":[],"style":"normal"},{"_key":"5b24e548-777b-4c6e-ae04-9646a94d4de0","_type":"block","children":[{"_key":"09028671-177c-4935-b9f1-87fe8aeccda5","_type":"span","marks":[],"text":"Let's list the CIDRs associated to each node:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:14Z","_id":"b15c3c1e-3fac-791c-dff9-385475430495","_key":"ca22d4d6-3831-4741-99ad-a83baf625187","_ref":"b15c3c1e-3fac-791c-dff9-385475430495","_rev":"4wy3EvkFBguUtSHAFFop8M","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:14Z","code":"$$ kubectl get ciliumnode -o jsonpath='{range .items[*]}{.metadata.name} {.spec.ipam.podCIDRs[]}{\"\n\"}{end}' | column -t\nkind-control-plane 10.0.0.0/24\nkind-worker 10.0.1.0/24\nkind-worker2 10.0.2.0/24","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"2f296828-f171-49e6-a324-af63d05ee067","_type":"block","children":[{"_key":"a19fdf4f-a60e-4d56-b744-b7c6eaba911c","_type":"span","marks":[],"text":"Notice that they are the first 3 "},{"_key":"fa839347-981f-42dd-a620-750075aca543","_type":"span","marks":["code"],"text":"/24"},{"_key":"875c1b7c-9536-4a57-8760-a2c21f850443","_type":"span","marks":[],"text":" subnets derived from the "},{"_key":"06afb9c8-b909-44e2-925e-7f91e54fda06","_type":"span","marks":["code"],"text":"10.0.0.0/8"},{"_key":"474dab95-ecf5-4e5d-923f-15a9db00fc70","_type":"span","marks":[],"text":" CIDR. "}],"markDefs":[],"style":"normal"},{"_key":"828f3f6f-b596-4185-a0cf-60a7346f8f7e","_type":"block","children":[{"_key":"93b1e75c-d29c-4f0a-ab2c-bbc60544eced","_type":"span","marks":[],"text":"Let's deploy a pod and check the IPAM status on the Cilium agent located on the same node as the pod."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:15Z","_id":"84144bbd-19c2-3846-7769-5459d37e1bda","_key":"df564070-f514-4441-ae6c-f7039aa81184","_ref":"84144bbd-19c2-3846-7769-5459d37e1bda","_rev":"9kz0FTU16Ui9PYoDK28wV1","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:15Z","code":"$$ kubectl run netshoot --image nicolaka/netshoot --command \"sleep\" \"infinite\"\npod/netshoot created\n$ NETSHOOT_NODE=$(kubectl get po netshoot -o jsonpath='{.spec.nodeName}')\n$ echo $NETSHOOT_NODE\nkind-worker\n$ NETSHOOT_CILIUM_POD=$(kubectl -n kube-system get po -l k8s-app=cilium --field-selector spec.nodeName=$NETSHOOT_NODE -o name)\n$ echo $NETSHOOT_CILIUM_POD\npod/cilium-7v9mq\n$ kubectl -n kube-system exec -ti $NETSHOOT_CILIUM_POD -c cilium-agent -- cilium-dbg status | grep IPAM\nIPAM: IPv4: 3/254 allocated from 10.0.1.0/24, ","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"db0bbba9-44b2-4135-be77-54d06be9d9a4","_type":"block","children":[{"_key":"4f175e1a-50cb-40e6-97a0-8b8ea01d4914","_type":"span","marks":[],"text":"The node is now using at least 3 IPs, which we can review using "},{"_key":"3c9ba08a-b462-4cc5-97f7-b0c7e56ea93b","_type":"span","marks":["code"],"text":"cilium-dbg status --verbose"},{"_key":"166f7c68-eec9-4b18-9a19-75c18df6462f","_type":"span","marks":[],"text":", under the \"Allocated addresses\" section:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:17Z","_id":"ad3a682c-5224-8949-2f8e-cac674d85d33","_key":"ab5b1ab4-364e-47c3-90a7-e45a515284b8","_ref":"ad3a682c-5224-8949-2f8e-cac674d85d33","_rev":"9kz0FTU16Ui9PYoDK28wdN","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:17Z","code":"$$ kubectl -n kube-system exec -ti $NETSHOOT_CILIUM_POD -c cilium-agent -- cilium-dbg status --verbose | grep -A6 \"Allocated\"\nAllocated addresses:\n 10.0.1.165 (default/netshoot)\n 10.0.1.174 (router)\n 10.0.1.227 (health)\nBandwidthManager: Disabled\nHost Routing: Legacy\nMasquerading: IPTables [IPv4: Enabled, IPv6: Disabled]","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"0ba20f4d-defd-4a8c-b202-78e189de2b4d","_type":"block","children":[{"_key":"566896de-594c-44a9-8461-b6f823093fb4","_type":"span","marks":[],"text":"Three IPs have been taken from the node's Pod CIDR range:"}],"markDefs":[],"style":"normal"},{"_key":"3d4fb367-a776-4e04-9f6b-f9957eccfc83","_type":"block","children":[{"_key":"d376a8b3-3511-4372-b9ec-458f26a1fde3","_type":"span","marks":[],"text":"the IP of the new pod ("},{"_key":"334f56374f34","_type":"span","marks":["code"],"text":"default/netshoot"},{"_key":"f0cc387280c4","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"d506174a3216","_type":"block","children":[{"_key":"a4c7408e5e5d","_type":"span","marks":[],"text":"the internal IP of the node ("},{"_key":"9652fc6dd16e","_type":"span","marks":["code"],"text":"router"},{"_key":"ca3e95d0a4af","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"3a93c4a3a801","_type":"block","children":[{"_key":"3c3265788e09","_type":"span","marks":[],"text":"the health IP of the node ("},{"_key":"ea565e9fe25a","_type":"span","marks":["code"],"text":"health"},{"_key":"4ddf4f1d8c9c","_type":"span","marks":[],"text":")"}],"level":1,"listItem":"bullet","markDefs":[],"style":"normal"},{"_key":"7798e3c6-eaef-4ad6-bd08-4617d388cc3c","_type":"block","children":[{"_key":"6217f3f1-2faa-4583-82b8-15a8199a527a","_type":"span","marks":[],"text":"One advantage Cluster Scope IPAM has over Kubernetes IPAM is that we can allocate multiple CIDRs to the cluster. This can provide more flexibility, albeit it doesn't necessarily overcome IP address exhaustions."}],"markDefs":[],"style":"normal"},{"_key":"a0945233-76d4-42e4-8394-d3d347094102","_type":"block","children":[{"_key":"8b3a7a14-3af3-4f7a-9091-5f05eb5a1a81","_type":"span","marks":[],"text":"Let's deploy Cilium in Cluster Scope IPAM with two small CIDRs assigned to the cluster to illustrate what happens when they get exhausted. Let's use the "},{"_key":"19e4dcaf-0d78-4085-8ad8-fcae5d243c85","_type":"span","marks":["code"],"text":"values.yaml"},{"_key":"67fd0cd9-21db-4ff3-8c87-6c53e7c52f85","_type":"span","marks":[],"text":" below for Cilium's starting configuration:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:18Z","_id":"10e8ebaf-cc5f-3344-1972-0693f5c67bda","_key":"e967e862-1910-4258-aed1-aedcc178e8e7","_ref":"10e8ebaf-cc5f-3344-1972-0693f5c67bda","_rev":"9kz0FTU16Ui9PYoDK28wfl","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:18Z","code":"ipam:\n mode: cluster-pool\n operator:\n clusterPoolIPv4MaskSize: '29'\n clusterPoolIPv4PodCIDRList:\n - 10.0.42.0/28\n - 10.0.84.0/28","language":"yaml","title":"yaml - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"a3090c31-77c2-44ea-be2d-7239128e93c4","_type":"block","children":[{"_key":"381c6e16-8ae4-48b6-a7a7-43921f2bd269","_type":"span","marks":[],"text":"Since we've specified "},{"_key":"32050aca-7811-4267-8686-0345d29a2d4e","_type":"span","marks":["code"],"text":"29"},{"_key":"fbb1e414-d2ee-4e2e-90ac-1b7ed9ae5a50","_type":"span","marks":[],"text":" as the mask size, each node will receive a "},{"_key":"8a9e2260-647c-4e54-a103-a544acbebee3","_type":"span","marks":["code"],"text":"/29"},{"_key":"fe57f1b2-17c4-4ef5-adeb-2a161297d256","_type":"span","marks":[],"text":" subnet, which corresponds to 6 usable IPs (8 IPs, minus 2 IPs reserved for Cilium Host and Cilium Health interfaces)."}],"markDefs":[],"style":"normal"},{"_key":"a2078148-d140-4dd0-bb13-98d1056b4530","_type":"block","children":[{"_key":"32203336-9fa1-4ce9-b5ef-b3500ce087da","_type":"span","marks":[],"text":"Let's install Cilium in this mode and verify the settings:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:19Z","_id":"5767026d-6210-b365-cf70-e043a2fc7624","_key":"3ac52610-766a-4f48-876d-c9d7658a9561","_ref":"5767026d-6210-b365-cf70-e043a2fc7624","_rev":"kcq4Y4Flzce7Z96LpMnrwu","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:19Z","code":"$$ cilium config view | grep cluster-pool\ncluster-pool-ipv4-cidr 10.0.42.0/28 10.0.84.0/28\ncluster-pool-ipv4-mask-size 29\nipam cluster-pool\n$ kubectl get ciliumnode -o jsonpath='{range .items[*]}{.metadata.name} {.spec.ipam.podCIDRs[*]}{\"\n\"}{end}' | column -t\nkind-control-plane 10.0.42.0/29\nkind-worker 10.0.84.0/29\nkind-worker2 10.0.42.8/29","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"dcb581ff-1e24-4191-bb30-792627370202","_type":"block","children":[{"_key":"bbc0f1a8-3c98-4080-be71-fe570f1b9c4b","_type":"span","marks":[],"text":"Since the CIDRs we passed are "},{"_key":"9dbdadc8-3c46-435a-b165-50e6255a70d7","_type":"span","marks":["code"],"text":"/28"},{"_key":"fcb489f3-5367-4b53-a2d1-a017d14b9d6b","_type":"span","marks":[],"text":" and we're allocating one "},{"_key":"109de7ad-8c38-4022-a603-195e94a92a9e","_type":"span","marks":["code"],"text":"/29"},{"_key":"83cb9b41-71a4-4f6a-a491-7233272e3328","_type":"span","marks":[],"text":" per node, only two nodes can consume IPs from the first CIDR block. For this reason, the third node gets a subnet from the second block, which is why we see three subnets configured."}],"markDefs":[],"style":"normal"},{"_key":"e420f2a7-e55d-4448-b7fa-b7742c9b56b2","_type":"block","children":[{"_key":"c26414bc-b11c-4bf0-b7d0-2b5ea91d5acb","_type":"span","marks":[],"text":"Let's create a deployment to deploy 10 pods over the cluster:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:20Z","_id":"9afafa65-c816-8780-2681-4d3284ce0626","_key":"9946a999-d704-49a0-9d3d-c5f4d2f46a21","_ref":"9afafa65-c816-8780-2681-4d3284ce0626","_rev":"9kz0FTU16Ui9PYoDK28wkX","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:20Z","code":"$1c","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"a263ced8-b1e6-4309-9077-66b443673b5f","_type":"block","children":[{"_key":"a8188421-6a04-4356-9fdc-9380b95170b3","_type":"span","marks":[],"text":"Notice that some pods did not get an IP address and are now stuck at creation. When looking at the pod logs, we can see there are no available IP addresses:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:21Z","_id":"18b3a448-7962-e66c-4248-092b75ab0b10","_key":"25ff674e-999e-4fda-8616-a17cba70a577","_ref":"18b3a448-7962-e66c-4248-092b75ab0b10","_rev":"9kz0FTU16Ui9PYoDK28wmv","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:21Z","code":"Warning FailedCreatePodSandBox 1s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox \"b851fbfc4a052dc64fd53c6bafc567964e19acea2b6866c30430515626fdb53e\": plugin type=\"cilium-cni\" name=\"cilium\" failed (add): unable to allocate IP via local cilium agent: [POST /ipam][502] postIpamFailure range is full","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"3213eaa5-0393-487a-8f8f-e7643bce2f30","_type":"block","children":[{"_key":"1e85a014-8640-4af5-adaf-230e41b0379c","_type":"span","marks":[],"text":"The kubelet on the node is trying to retrieve IPs from the Cilium CNI plugin to assign to the new pod but failing to do so. The CNI plugin is replying that the range is full. We can verify on the node that all IP addresses have been allocated:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:22Z","_id":"59503cc8-8fe2-d9c8-1ef8-4deb137fd8e9","_key":"bac9d445-15d2-4631-8457-086bcdad06b7","_ref":"59503cc8-8fe2-d9c8-1ef8-4deb137fd8e9","_rev":"9kz0FTU16Ui9PYoDK28wpJ","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:22Z","code":"$$ kubectl -n kube-system exec -ti cilium-7lzbb -c cilium-agent -- cilium-dbg status | grep IPAM\nIPAM: IPv4: 6/6 allocated from 10.0.42.8/29,","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"2e8d7f3c-1dd1-47f9-b672-29508ecdea19","_type":"block","children":[{"_key":"18e57bd9-7103-4854-8e49-9b2f5da012e6","_type":"span","marks":[],"text":"This mode is easy to understand and lets you assign multiple IP ranges per cluster but comes with some limitations: 1) it doesn't let you add PodCIDRs dynamically to a cluster and 2) it doesn't provide as much control as users might like on how Pods receive their IP addresses from."}],"markDefs":[],"style":"normal"},{"_key":"0cac98b5-ab87-40b4-9be2-60cf73834916","_type":"block","children":[{"_key":"28f493da-2f79-490e-9c03-bd43f37a6156","_type":"span","marks":[],"text":"Let's explore the mode that can address these limitations."}],"markDefs":[],"style":"normal"},{"_key":"214320d7-df2e-491a-8bbf-fff033603ef3","_type":"block","children":[{"_key":"142e7e04-ff74-43ca-aaf6-3dd40368df9d","_type":"span","marks":[],"text":"Multi-Pool IPAM mode"}],"markDefs":[],"style":"h2"},{"_key":"6e2a97a8-743d-4afa-b9ad-423ecef78ba5","_type":"block","children":[{"_key":"c29f785c-479e-47b2-8656-bfc436b6a775","_type":"span","marks":[],"text":"The "},{"_key":"651ea020-7f04-4df9-b69f-b96264f397b9","_type":"span","marks":["08ae252e-c08e-4ad7-a772-0322bcadd359"],"text":"Multi-Pool mode"},{"_key":"b254e827-c56b-4f4f-adb2-ee93fa973b16","_type":"span","marks":[],"text":" is the most recent (it was introduced with "},{"_key":"f48e4ab6-98be-46f7-b786-fad4ce5c28f2","_type":"span","marks":["95a46e42-61dd-48e2-b801-87efb3803b8d"],"text":"Cilium 1.14"},{"_key":"6b97d5bf-678a-490e-9da4-30542c51e4ec","_type":"span","marks":[],"text":") and the most flexible one. It supports allocating PodCIDRs from multiple different IPAM pools, depending on properties of the workload defined by the user, e.g., annotations. Pods on the same node can receive IP addresses from various ranges. In addition, PodCIDRs can be dynamically added to a node as and when needed."}],"markDefs":[{"_key":"08ae252e-c08e-4ad7-a772-0322bcadd359","_type":"link","href":"https://docs.cilium.io/en/stable/network/concepts/ipam/multi-pool/","openInNewTab":false},{"_key":"95a46e42-61dd-48e2-b801-87efb3803b8d","_type":"link","href":"/blog/post/cilium-release-114/#h-multi-pool-ipam-beta","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-05-22T22:25:26Z","_id":"d2cf8447-6158-43f2-a632-5ef94de901e8","_key":"fe5363e8db46","_ref":"d2cf8447-6158-43f2-a632-5ef94de901e8","_rev":"ee12hzS4M5aP0OjnS0uOZD","_type":"mediaImage","_updatedAt":"2025-05-22T22:25:43Z","alignment":"center","clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-4990c392f349688bcf1b40c52da00c98189f1330-1472x982-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-multi-pool-ipam-mode.webp","url":"https://cdn.sanity.io/images/xinsvxfu/production/4990c392f349688bcf1b40c52da00c98189f1330-1472x982.webp"},{"_key":"05220f4b-2d76-4192-8ab9-a9a295dfc688","_type":"block","children":[{"_key":"a3e544f9-91b7-4210-9221-00d3c3efda74","_type":"span","marks":[],"text":"Let's try it. My cluster is deployed with Cilium in Multi-Pool mode and set to automatically create a cluster-wide pool at startup, split into "},{"_key":"2a196639-5ad0-4192-be5b-62d81d79cb41","_type":"span","marks":["code"],"text":"/27"},{"_key":"12c57b9c-9476-49ab-9138-9a5ad259c6c8","_type":"span","marks":[],"text":"-large pools as and when needed."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:23Z","_id":"5501d352-b533-a9c3-1b03-75081b79c807","_key":"3477c0e3-7033-4ddd-b2af-a4d8734394ae","_ref":"5501d352-b533-a9c3-1b03-75081b79c807","_rev":"9kz0FTU16Ui9PYoDK28wrh","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:23Z","code":"$$ cilium config view | grep multi-pool\nipam multi-pool\n$ cilium config view | grep auto-create\nauto-create-cilium-pod-ip-pools default=ipv4-cidrs:10.10.0.0/16;ipv4-mask-size:27","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"c2e86ad0-a8a3-4fb8-8779-d484baa4c47f","_type":"block","children":[{"_key":"59d981d8-ee8d-434c-a6f2-57e127d2857a","_type":"span","marks":[],"text":"Let's verify the pool was deployed at start-up:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:24Z","_id":"4bfcf495-8235-5ef0-d793-97dd6b341c11","_key":"d7c995e2-41b4-4d03-ace6-b671ade6aedb","_ref":"4bfcf495-8235-5ef0-d793-97dd6b341c11","_rev":"9kz0FTU16Ui9PYoDK28wwT","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:24Z","code":"$$ kubectl get ciliumpodippools.cilium.io default -o yaml\napiVersion: cilium.io/v2alpha1\nkind: CiliumPodIPPool\nmetadata:\n creationTimestamp: \"2024-12-18T16:41:42Z\"\n generation: 1\n name: default\n resourceVersion: \"2270\"\n uid: cd576280-11eb-45ac-83d2-03f230d3e252\nspec:\n ipv4:\n cidrs:\n - 10.10.0.0/16\n maskSize: 27","language":"yaml","title":"yaml - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"100794ce-6838-4b3e-84b7-ba321e557809","_type":"block","children":[{"_key":"7b967aff-09ac-432d-ad50-02f0b15abce4","_type":"span","marks":[],"text":"Let's also deploy another Pod IP pool called "},{"_key":"e2f9aac5-3dcb-4307-b904-20424a018374","_type":"span","marks":["code"],"text":"mars"},{"_key":"f3613a21-f717-46af-b380-cb781b7722f7","_type":"span","marks":[],"text":":"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:26Z","_id":"ba1644b1-3e66-d3eb-e471-e952a2b524f2","_key":"27c9edce-d26e-4193-b367-faa6c99e2882","_ref":"ba1644b1-3e66-d3eb-e471-e952a2b524f2","_rev":"4wy3EvkFBguUtSHAFFopbO","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:26Z","code":"$$ cat < \nnginx-default-7f687944f7-p4scr 1/1 Running 0 2m53s 10.10.0.54 kind-worker2 \nnginx-mars-58bb784756-hpsq7 1/1 Running 0 2m53s 10.20.0.42 kind-worker \nnginx-mars-58bb784756-pz9v7 1/1 Running 0 2m53s 10.20.0.29 kind-worker2 ","language":"yaml","title":"yaml - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"b9314e44-5f47-4fc1-aefe-4730c2680b21","_type":"block","children":[{"_key":"d46d2439-c5bf-43d4-bccc-9b6d9b56bd29","_type":"span","marks":[],"text":"Before we scale and observe what happens, let's look at our initial pools. Both nodes have a "},{"_key":"745d50be-6b16-42f1-8b8e-94ca3645421f","_type":"span","marks":["code"],"text":"/27"},{"_key":"92edb8bb-9c68-494c-b539-8cadb03c4d52","_type":"span","marks":[],"text":" from each broader pool."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:29Z","_id":"0c03519b-79b1-6058-1b11-af4539d0b4df","_key":"82a70bb3-4062-4615-8570-8055d01ee4d5","_ref":"0c03519b-79b1-6058-1b11-af4539d0b4df","_rev":"4wy3EvkFBguUtSHAFFopso","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:29Z","code":"$$ kubectl get ciliumnodes kind-worker -o yaml | yq .spec.ipam.pools\nallocated:\n - cidrs:\n - 10.10.0.64/27\n pool: default\n - cidrs:\n - 10.20.0.32/27\n pool: mars\nrequested:\n - needed:\n ipv4-addrs: 16\n pool: default\n - needed:\n ipv4-addrs: 1\n pool: mars\n$ kubectl get ciliumnodes kind-worker2 -o yaml | yq .spec.ipam.pools\nallocated:\n - cidrs:\n - 10.10.0.32/27\n pool: default\n - cidrs:\n - 10.20.0.0/27\n pool: mars\nrequested:\n - needed:\n ipv4-addrs: 16\n pool: default\n - needed:\n ipv4-addrs: 1\n pool: mars","language":"yaml","title":"yaml - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"21a7db88-0b5c-413f-92ba-ad80f83d2fa0","_type":"block","children":[{"_key":"9af2ac69-e3dd-4033-aafe-d19c5782cafd","_type":"span","marks":[],"text":"Our two "},{"_key":"ba29af85-173c-40b7-aed0-5ee441bcaa74","_type":"span","marks":["code"],"text":"/27"},{"_key":"cd1a5bf8-a55e-43e7-a3dc-cf43eda799e1","_type":"span","marks":[],"text":" are only enough for 64 pods so scaling up the "},{"_key":"1e0535cf-23c5-4316-a458-c0a599ee48b7","_type":"span","marks":["code"],"text":"mars"},{"_key":"4121dbd8-ecfc-4f0b-b78d-74e8940ca50d","_type":"span","marks":[],"text":" deployment to 70 pods causes Cilium to react:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:30Z","_id":"93dae1e4-fb62-c4a1-47c2-263f1493a8f0","_key":"f58c6c75-4609-45d1-bace-c6cee5197edc","_ref":"93dae1e4-fb62-c4a1-47c2-263f1493a8f0","_rev":"9kz0FTU16Ui9PYoDK28xyv","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:30Z","code":"$$ kubectl scale deployment nginx-mars --replicas=70\ndeployment.apps/nginx-mars scaled\n$ kubectl get ciliumnodes kind-worker -o yaml | yq .spec.ipam.pools\nallocated:\n - cidrs:\n - 10.10.0.64/27\n pool: default\n - cidrs:\n - 10.20.0.32/27\n - 10.20.0.64/27\n pool: mars\nrequested:\n - needed:\n ipv4-addrs: 16\n pool: default\n - needed:\n ipv4-addrs: 35\n pool: mars\n$ kubectl get ciliumnodes kind-worker2 -o yaml | yq .spec.ipam.pools\nallocated:\n - cidrs:\n - 10.10.0.32/27\n pool: default\n - cidrs:\n - 10.20.0.0/27\n - 10.20.0.96/27\n pool: mars\nrequested:\n - needed:\n ipv4-addrs: 16\n pool: default\n - needed:\n ipv4-addrs: 35\n pool: mars","language":"yaml","title":"yaml - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"cc17581b-1d61-4bb4-84ab-71ed0e947f23","_type":"block","children":[{"_key":"2e9a3925-001d-47ea-93d7-62c308cca0d0","_type":"span","marks":[],"text":"Note the "},{"_key":"38140abd-cc32-4cd7-9d71-1f50fc7b0542","_type":"span","marks":["code"],"text":"needed"},{"_key":"54ba7323-4784-4cfa-b688-41d6cf0a5eda","_type":"span","marks":[],"text":" field above: as the number of required IPs significantly increased, another "},{"_key":"5f46bc61-039d-419d-aa52-36295ae248e8","_type":"span","marks":["code"],"text":"/27"},{"_key":"f505790d-93ce-4b8b-86cd-42920b1b998d","_type":"span","marks":[],"text":" CIDR from the cluster-wide "},{"_key":"994f6936-b995-4de4-9848-4086eeb25a09","_type":"span","marks":["code"],"text":"10.20.0.0/16"},{"_key":"ff48355f-699c-4825-bc72-f2979440a8cb","_type":"span","marks":[],"text":" was allocated to each Cilium Node. "}],"markDefs":[],"style":"normal"},{"_key":"3f7f84a7-b32a-4528-bdc6-c62f7357185a","_type":"block","children":[{"_key":"634ceaaf-8d9a-4450-ba94-0f2f538c6dbd","_type":"span","marks":[],"text":"Multi-Pool works nicely with the "},{"_key":"71d485c2-6bd3-4f91-b4ed-215271483602","_type":"span","marks":["33ec58b5-76b1-472e-a1e9-c38e64a8305f"],"text":"Multi-Network feature"},{"_key":"1b555501-3eea-48f7-a48e-a2edbe926204","_type":"span","marks":[],"text":" ; giving users the ability to connect a Pod to multiple user interfaces."}],"markDefs":[{"_key":"33ec58b5-76b1-472e-a1e9-c38e64a8305f","_type":"link","href":"/blog/post/isovalent-enterprise-for-cilium-1-14-multi-network/","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-04-15T14:38:13Z","_id":"ecfa1124-7456-56d7-215f-851acc9d3273","_key":"637ddb4c-e083-4f5a-a18a-7672075890e3","_ref":"ecfa1124-7456-56d7-215f-851acc9d3273","_rev":"wAK4gN2UbqK20YaSXlynxR","_type":"bodyCta","_updatedAt":"2025-05-22T23:26:10Z","alignment":"left","backgroundImage":{"_createdAt":"2025-03-21T16:32:00Z","_id":"407c0eb0-2c56-4f47-a80f-c16575dc4009","_rev":"RvKg2H7lodOtU53j0x4e1l","_type":"mediaImage","_updatedAt":"2025-04-04T21:50:43Z","alignment":"center","alt":"body-cta-bg.svg","altText":{"en":"Body CTA BG"},"clickToEnlarge":false,"image":"https://cdn.sanity.io/images/xinsvxfu/production/490d28b2f74ed0292938bd46ac19a151b6fd3b9c-910x239.svg","languages":["en"],"originalFilename":"body-cta-bg.svg","rounded":false,"size":"large","title":"decoration-body-cta-ice"},"ctas":[{"_createdAt":"2025-04-15T14:13:33Z","_id":"b59f862c-ebcf-2c79-1820-04d7ed6bc847","_rev":"2T9xkAacgDKp8j06wdLdfR","_type":"cta","_updatedAt":"2025-05-22T23:25:37Z","label":{"en":"Start the lab"},"languages":["en"],"title":"\"Start Lab!\" - Primary (Multi-Network Lab)","url":"/labs/cilium-multi-networking/","variant":"tertiary"}],"headline":{"en":"Multi-Network Lab"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"shaded":true,"text":{"en":[{"_key":"e76fdde2-4558-41c4-be96-da3b4aa1cd12","_type":"block","children":[{"_key":"1e6cc82e-5577-44e0-ba44-8cfbb4bc77b4","_type":"span","marks":[],"text":"Learn how you can connect Kubernetes Pods to multiple interfaces with Isovalent Enterprise for Cilium 1.14 multi-network!"}],"markDefs":[],"style":"normal"}]},"theme":"primary","tinted":true,"title":"Multi-Network Lab - \"Learn how you can connect Kubernetes Pods to multiple interfaces with Isovalent Enterprise for Cilium 1.14 multi-network!\" Body CTA"},{"_key":"f7404872-dd94-48ee-92fa-985e58b8e357","_type":"block","children":[{"_key":"bb8b9ae9-4ce4-4e36-a1a2-0e5800de5163","_type":"span","marks":[],"text":"IPAM ENI Mode & Prefix Delegation for AWS EKS"}],"markDefs":[],"style":"h2"},{"_key":"66a0fb9f-141b-4d27-84b6-9c504c226c79","_type":"block","children":[{"_key":"816c39ea-a223-4906-a237-80eea0a007aa","_type":"span","marks":[],"text":"As highlighted earlier, when Cilium is providing networking and security services for a managed Kubernetes service, it sometimes includes a specific IP Address Management mode. "}],"markDefs":[],"style":"normal"},{"_key":"24df5747-afb2-4d81-9176-35637c9806a1","_type":"block","children":[{"_key":"9b69067a-e524-40ce-9f06-a817448f23b1","_type":"span","marks":[],"text":"Let's focus on AWS EKS (Elastic Kubernetes Services)."}],"markDefs":[],"style":"normal"},{"_key":"8392204a-ff8b-4336-ab4d-e347f4e9c215","_type":"block","children":[{"_key":"89f8baa4-a390-442b-add8-160d039d876a","_type":"span","marks":[],"text":"IPAM ENI Mode"}],"markDefs":[],"style":"h3"},{"_key":"b897fb5f-d3d4-4330-af32-ca37c483933a","_type":"block","children":[{"_key":"5d6dc996-e986-460a-b3fd-34445630e473","_type":"span","marks":[],"text":"In this mode, IP allocation is based on IPs of "},{"_key":"70d00c53-d946-4fbb-97e1-4e0c8e17148f","_type":"span","marks":["3b3b43f0-22bc-4187-9e62-638c2c0a6734"],"text":"AWS Elastic Network Interfaces (ENI)"},{"_key":"dfbbb5dd-c442-4a4b-be9d-58d99a597a91","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"3b3b43f0-22bc-4187-9e62-638c2c0a6734","_type":"link","href":"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-05-23T03:36:39Z","_id":"83b97c04-b027-4419-89e6-3445ba02a635","_key":"26d7b44c0246","_ref":"83b97c04-b027-4419-89e6-3445ba02a635","_rev":"ee12hzS4M5aP0OjnS1afXR","_type":"mediaImage","_updatedAt":"2025-05-23T03:37:23Z","alignment":"center","caption":{"_type":"content","en":[{"_key":"7e00f9fc28bf","_type":"block","children":[{"_key":"158e89906a02","_type":"span","marks":[],"text":"IPAM ENI Mode"}],"markDefs":[],"style":"normal"}]},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-102b9f6903544dc59d47b256b563933f97411219-849x359-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-ipam-eni","url":"https://cdn.sanity.io/images/xinsvxfu/production/102b9f6903544dc59d47b256b563933f97411219-849x359.webp"},{"_key":"3b016ea6-a52a-4a77-9a12-37cc98b636db","_type":"block","children":[{"_key":"aa24d444-f444-470a-acf2-602e9d86c196","_type":"span","marks":[],"text":"Each node creates a "},{"_key":"0905554b-4788-4e4b-b40d-f05f6282ce5f","_type":"span","marks":["code"],"text":"CiliumNode"},{"_key":"cdf71bfa-da84-41b1-ae38-d32fbb4d277f","_type":"span","marks":[],"text":" custom resource when Cilium starts up for the first time on that node. It contacts the EC2 metadata API to retrieve the instance ID, instance type, and VPC information, then it populates the custom resource with this information."}],"markDefs":[],"style":"normal"},{"_key":"b17b6df4-5c26-4f19-87db-d36b64aba535","_type":"block","children":[{"_key":"8dc28107-783b-4a7d-af2c-ad8a69a853c4","_type":"span","marks":[],"text":"Let's take a look at an EKS cluster with Cilium:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:31Z","_id":"3522c832-b5d8-cb62-0f32-a432ae4ffa5e","_key":"8bcad521-4827-4230-ad4c-21bc3b79dbb2","_ref":"3522c832-b5d8-cb62-0f32-a432ae4ffa5e","_rev":"kcq4Y4Flzce7Z96LpMnwsa","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:31Z","code":"$$ cilium config view | grep ipam\nipam eni\nipam-cilium-node-update-rate 15s","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"c472a36f-bf0b-4c77-b2cb-2a7a3250bede","_type":"block","children":[{"_key":"83ca921d-d687-4a0f-b7ef-3a5ffad7e0f7","_type":"span","marks":[],"text":"Let's deploy the "},{"_key":"02b46f43-5834-4d96-876f-c1425f23c4f6","_type":"span","marks":["f8eda84e-ee57-4d75-aa80-bf2609ce4428"],"text":"Star Wars-inspired demo app"},{"_key":"19645741-8b02-488c-83dc-fa932985533d","_type":"span","marks":[],"text":", made up of 4 pods. All pods receive an IP address as you would expect."}],"markDefs":[{"_key":"f8eda84e-ee57-4d75-aa80-bf2609ce4428","_type":"link","href":"https://docs.cilium.io/en/stable/gettingstarted/demo/","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-04-15T14:14:32Z","_id":"718e5408-2ebf-6dad-4de6-8ac6f3c12ee1","_key":"e317fbab-cf48-4ee5-a8df-0a8c8e20b635","_ref":"718e5408-2ebf-6dad-4de6-8ac6f3c12ee1","_rev":"9kz0FTU16Ui9PYoDK28y4t","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:32Z","code":"$$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/1.16.5/examples/minikube/http-sw-app.yaml\nservice/deathstar created\ndeployment.apps/deathstar created\npod/tiefighter created\npod/xwing created\n$ kubectl get pods -o wide\nNAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\ndeathstar-689f66b57d-bmlst 1/1 Running 0 97s 192.168.158.231 ip-192-168-132-54.eu-west-1.compute.internal \ndeathstar-689f66b57d-px2p6 1/1 Running 0 97s 192.168.164.141 ip-192-168-183-94.eu-west-1.compute.internal \ntiefighter 1/1 Running 0 97s 192.168.159.145 ip-192-168-132-54.eu-west-1.compute.internal \nxwing 1/1 Running 0 97s 192.168.151.7 ip-192-168-132-54.eu-west-1.compute.internal ","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"7961e6ec-652e-4521-b387-2f4164a4c886","_type":"block","children":[{"_key":"d22054cc-476f-42d4-a0ad-a6942abc694a","_type":"span","marks":[],"text":"The pod IPs are actually taken from our EC2 instance's network interface and listed as a secondary private IPs, as you can see on the AWS console."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:34Z","_id":"d77a2202-e632-6ba9-64d6-4a26d934375a","_key":"d52c2f1b-65b1-4653-a8c0-d278ed222798","_ref":"d77a2202-e632-6ba9-64d6-4a26d934375a","_rev":"9kz0FTU16Ui9PYoDK28yvP","_type":"mediaImage","_updatedAt":"2025-04-15T14:14:34Z","alignment":"center","image":{"_type":"image","asset":{"_ref":"image-1802e293b65d5e7197d2fc7cec9b798e9dbe17da-4630x2206-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"IPAM-ENI.png","size":"large","title":"IPAM-ENI.png - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/1802e293b65d5e7197d2fc7cec9b798e9dbe17da-4630x2206.png"},{"_key":"28d8e181-a5d9-4c70-ae75-56cb75450f23","_type":"block","children":[{"_key":"77f085a1-71a9-461c-966a-8ead9cf961a7","_type":"span","marks":[],"text":"IPAM ENI"}],"markDefs":[],"style":"normal"},{"_key":"b9cdf808-f363-4b24-ac94-84a21e60da34","_type":"block","children":[{"_key":"bcc35320-c356-4d07-a08f-7b97aa35f7ab","_type":"span","marks":[],"text":"This provides a clear benefit: pods receive ENI IPs that are directly routable in the AWS VPC. There's no NAT required and it makes networking and observability easier for operators. We can also see the IPs being populated on the Cilium Node resource."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:35Z","_id":"7cefe19a-70bf-0081-189e-f9c0422c7fa1","_key":"837300ec-6442-4875-864d-2383a336700f","_ref":"7cefe19a-70bf-0081-189e-f9c0422c7fa1","_rev":"9kz0FTU16Ui9PYoDK28z1N","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:35Z","code":"$1d","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"ea6e3b59-d7bf-4c93-8f15-2d74cdbf196e","_type":"block","children":[{"_key":"e563f0f8-80bf-4840-a19c-54539ff29b6a","_type":"span","marks":[],"text":"However, there's a "},{"_key":"6e1c06f4-3f03-43c4-a0ac-53f8689c00be","_type":"span","marks":["7a877a1d-df33-4e4a-bc3c-e9754a3c9324"],"text":"finite amount of Pod IPs per instance"},{"_key":"f3baa532-ccc8-415b-9619-6510ce32226f","_type":"span","marks":[],"text":", which depends on the type of EC2 model used."}],"markDefs":[{"_key":"7a877a1d-df33-4e4a-bc3c-e9754a3c9324","_type":"link","href":"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AvailableIpPerENI.html","openInNewTab":false}],"style":"normal"},{"_key":"759be41b-b794-44c4-8a7d-920e20963417","_type":"block","children":[{"_key":"caf209b1-0eae-4a0b-a41e-992b331692aa","_type":"span","marks":[],"text":"Let's check for M5 models:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:36Z","_id":"f50fb088-79ed-4792-98c3-628fb3737abf","_key":"99e7078a-6e28-43f6-bcf1-da329fb10bbe","_ref":"f50fb088-79ed-4792-98c3-628fb3737abf","_rev":"4wy3EvkFBguUtSHAFFoqCA","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:36Z","code":"$$ aws ec2 describe-instance-types \n --filters \"Name=instance-type,Values=m5.*\" \n --query \"InstanceTypes[].{ \n Type: InstanceType, \n MaxENI: NetworkInfo.MaximumNetworkInterfaces, \n IPv4addr: NetworkInfo.Ipv4AddressesPerInterface}\" \n --output table\n---------------------------------------\n| DescribeInstanceTypes |\n+----------+----------+---------------+\n| IPv4addr | MaxENI | Type |\n+----------+----------+---------------+\n| 30 | 8 | m5.8xlarge |\n| 50 | 15 | m5.24xlarge |\n| 30 | 8 | m5.12xlarge |\n| 50 | 15 | m5.metal |\n| 15 | 4 | m5.xlarge |\n| 30 | 8 | m5.4xlarge |\n| 15 | 4 | m5.2xlarge |\n| 10 | 3 | m5.large |\n| 50 | 15 | m5.16xlarge |\n+----------+----------+---------------+","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"c9ba28a3-d60c-4975-99e9-5a795cef7d60","_type":"block","children":[{"_key":"749f162f-b60d-4688-bb98-f3df6b3f0277","_type":"span","marks":[],"text":"My EKS nodegroup is made up of 2 "},{"_key":"96a67c6f-ed6b-4eec-9bfe-6c4d4ef71cc3","_type":"span","marks":["code"],"text":"m5.large"},{"_key":"8755134e-8abc-474e-9c8f-1cea448bc630","_type":"span","marks":[],"text":" instances. This type of instance only supports up to 3 network interfaces and 10 IPs per interface. We quickly run out of IPs when we scale our deployment to "},{"_key":"dd6d9ef7-15f1-4931-b08c-9ac22918c3d8","_type":"span","marks":["code"],"text":"50"},{"_key":"e5770ed5-e27d-4f5f-941c-2168faa2b577","_type":"span","marks":[],"text":" Deathstars across the 2-node cluster:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:37Z","_id":"d71afea3-fc8e-d672-9b84-95ad74611068","_key":"65ff8d83-ffb6-4d0c-bd3c-f53e5a71592a","_ref":"d71afea3-fc8e-d672-9b84-95ad74611068","_rev":"kcq4Y4Flzce7Z96LpMnxDM","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:37Z","code":"$$ kubectl scale deployment deathstar --replicas=50\ndeployment.apps/deathstar scaled\n$ kubectl get pods | grep Pending \ndeathstar-689f66b57d-2zxt5 0/1 Pending 0 3s\ndeathstar-689f66b57d-79qfp 0/1 Pending 0 3s\ndeathstar-689f66b57d-pxhdg 0/1 Pending 0 3s","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"2ec383fc-870e-4baa-90b8-1564cc9c8c3f","_type":"block","children":[{"_key":"ec8d9825-48ef-4993-887b-1370953e2ae0","_type":"span","marks":[],"text":"The logs on the Cilium operator confirm our suspicions:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:38Z","_id":"8f5592e6-59cf-0b4c-b98e-b5a44cc18dda","_key":"1627575a-7399-4a72-8973-2ff62b4eca94","_ref":"8f5592e6-59cf-0b4c-b98e-b5a44cc18dda","_rev":"9kz0FTU16Ui9PYoDK28zJH","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:38Z","code":"$$ kubectl logs -n kube-system cilium-operator-558888ffb5-mfmb2\ntime=\"2024-12-19T12:37:52Z\" level=warning msg=\"Unable to assign additional IPs to interface, will create new interface\" error=\"operation error EC2: AssignPrivateIpAddresses, https response error StatusCode: 400, RequestID: ddbdbf61-ccd4-4567-9fb2-a9f7f22c6d67, api error PrivateIpAddressLimitExceeded: Number of private addresses will exceed limit.\" instanceID=i-0a037536e1a597052 ipsToAllocate=5 name=ip-192-168-132-54.eu-west-1.compute.internal selectedInterface=eni-0e2c19f3b2da72c6c subsys=ipam\ntime=\"2024-12-19T12:37:52Z\" level=warning msg=\"Instance is out of interfaces\" instanceID=i-0a037536e1a597052 name=ip-192-168-132-54.eu-west-1.compute.internal subsys=ipam","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"0c5d46de-5c10-421a-b2e4-e34df663bfd6","_type":"block","children":[{"_key":"e84d5167-eefe-4a14-874b-089430e38228","_type":"span","marks":[],"text":"How can we get over the limit, without having to scale horizontally with more nodes?"}],"markDefs":[],"style":"normal"},{"_key":"0da04b24-ee9f-462a-b0f3-73601e6c7bef","_type":"block","children":[{"_key":"09af703f-f4dc-4df2-9752-b4b7f099c44a","_type":"span","marks":[],"text":"Prefix Delegation"}],"markDefs":[],"style":"h3"},{"_key":"8375748d-222d-413e-8cae-98814b919b18","_type":"block","children":[{"_key":"c07b21e6-d3d8-4b7c-b81b-a5981d83545b","_type":"span","marks":[],"text":"With "},{"_key":"ab162971-a506-41f8-a269-e2e2ab9ef985","_type":"span","marks":["084995fb-43f0-4d3c-ab49-31ee81c9a7de"],"text":"Prefix Delegation"},{"_key":"6f63d6dd-c686-4d07-a48c-c6a683ba0343","_type":"span","marks":[],"text":", we can assign a private CIDR range to our network interface, which is then used to attribute IP addresses to pods."}],"markDefs":[{"_key":"084995fb-43f0-4d3c-ab49-31ee81c9a7de","_type":"link","href":"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html","openInNewTab":false}],"style":"normal"},{"_key":"57942b8c-1b32-4746-9179-c7d17948cad2","_type":"block","children":[{"_key":"e9e8defa-c265-44a0-b11d-cb373a3218f4","_type":"span","marks":[],"text":"A prefix still counts towards the limit of IPs - so, for example, assigning a prefix (typically, a /28) to an interface on my "},{"_key":"8e03688e-f5aa-4d87-9d65-94e62db4f63a","_type":"span","marks":["code"],"text":"m5.large"},{"_key":"123baf73-5158-47c4-b399-aa52cd327679","_type":"span","marks":[],"text":" would count as one of the 10 IPs I can assign. Still - going from 10 individual IP addresses to 10 /28 prefixes (up to 160 IP addresses) would alleviate many IP addressing concerns."}],"markDefs":[],"style":"normal"},{"_key":"11af1f73-f826-43c7-8fef-41d8bafe0ca6","_type":"block","children":[{"_key":"d738b970-380a-458b-b268-5c0dac05b059","_type":"span","marks":[],"text":"Let's try it. Prefix Delegation only works for new nodes that join our cluster so we have to add a new node group to our cluster in this particular instance."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:40Z","_id":"ff216d0d-2a30-0e0c-867e-77d765dd9032","_key":"6dac971d-01bc-4447-9ad3-9cc4fb2927c6","_ref":"ff216d0d-2a30-0e0c-867e-77d765dd9032","_rev":"kcq4Y4Flzce7Z96LpMnxh2","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:40Z","code":"$1e","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"b356586f-5ced-4205-b4ff-fa189991558b","_type":"block","children":[{"_key":"e4748f5f-aa9f-484f-b21c-817176f8c5c1","_type":"span","marks":[],"text":"Scaling to 150 pods - which would have failed in the standard ENI mode for a 4-cluster node - is now seamless."}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:41Z","_id":"c62074e6-169d-d3e9-162c-98a8d8ce9bf8","_key":"e61b0c5b-b085-45cb-a265-7e9f85a7ff94","_ref":"c62074e6-169d-d3e9-162c-98a8d8ce9bf8","_rev":"4wy3EvkFBguUtSHAFFoqfC","_type":"codeBlock","_updatedAt":"2025-04-15T14:14:41Z","code":"$$ kubectl scale deployment deathstar --replicas=150 \ndeployment.apps/deathstar scaled\n$ kubectl get deployment deathstar \nNAME READY UP-TO-DATE AVAILABLE AGE\ndeathstar 150/150 150 150 29m","language":"bash","title":"bash - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Code Block"},{"_key":"130e6247-cbd3-4cc4-a4d0-faae4402d0fa","_type":"block","children":[{"_key":"fee51791-9462-4404-b8dc-38ac0acaf7c1","_type":"span","marks":[],"text":"All my pods have received an IP address and are functioning. This time though, there's no secondary private IPv4 addresses attached to my node network interface. Instead, prefixes have been automatically assigned to it:"}],"markDefs":[],"style":"normal"},{"_createdAt":"2025-04-15T14:14:42Z","_id":"1cc794b9-d7eb-fb49-a851-3162b7cbbb80","_key":"4315abf6-155c-4752-9b4b-66a217ceeba9","_ref":"1cc794b9-d7eb-fb49-a851-3162b7cbbb80","_rev":"wAK4gN2UbqK20YaSXmtcIv","_type":"mediaImage","_updatedAt":"2025-05-23T03:38:23Z","alignment":"center","caption":{"_type":"content","en":[{"_key":"7ae9b34efe06","_type":"block","children":[{"_key":"2be21e7bbd47","_type":"span","marks":[],"text":"IPAM ENI with Prefix Delegation"}],"markDefs":[],"style":"normal"}]},"image":{"_type":"image","asset":{"_ref":"image-424b4c69ce34057bfc62d64b3c07da40d53db4fd-1024x534-png","_type":"reference"},"crop":{"_type":"sanity.imageCrop","bottom":0,"left":0,"right":0,"top":0},"hotspot":{"_type":"sanity.imageHotspot","height":1,"width":1,"x":0.5,"y":0.5}},"languages":["en"],"originalFilename":"IPAM-ENI-Prefix-Delegation.png","size":"large","title":"IPAM-ENI-Prefix-Delegation.png - \"Overcoming Kubernetes IP Address Exhaustion with Cilium\" Image","url":"https://cdn.sanity.io/images/xinsvxfu/production/424b4c69ce34057bfc62d64b3c07da40d53db4fd-1024x534.png"},{"_key":"2c990e35-db28-4fd1-aa6e-abb119070103","_type":"block","children":[{"_key":"1cad9dd6-d238-497c-9d0f-9272bcf4352e","_type":"span","marks":[],"text":"My teammate Amit provided "},{"_key":"35a76503-1f52-450f-8f05-7f175ee8bcce","_type":"span","marks":["441acfc7-7069-4ff7-b84d-a3eb36e9276c"],"text":"a much more detailed walkthrough in his personal blog post on Medium"},{"_key":"19caee38-008a-45f7-a179-ea8769b17ad4","_type":"span","marks":[],"text":" - read it for a more thorough tutorial."}],"markDefs":[{"_key":"441acfc7-7069-4ff7-b84d-a3eb36e9276c","_type":"link","href":"https://medium.com/@amitmavgupta/cilium-support-for-eni-prefix-delegation-in-an-eks-cluster-feddf894160b","openInNewTab":false}],"style":"normal"},{"_key":"6e9233db-b4e9-4495-a596-6f8c2d85df88","_type":"block","children":[{"_key":"ae630709-077b-4ff5-9aca-84d0a58e6cbd","_type":"span","marks":[],"text":"IPAM for LoadBalancer and Egress"}],"markDefs":[],"style":"h2"},{"_key":"244de7c7-e994-49bb-bca3-91baeff8e597","_type":"block","children":[{"_key":"249a2507-6652-4831-abce-2dd5e8910c6a","_type":"span","marks":[],"text":"While the focus of this blog post is around assigning IP addresses for pods, we ought to cover some additional IP Address Management capabilities that are native to Cilium or to our enterprise edition."}],"markDefs":[],"style":"normal"},{"_key":"a45ec524-2e48-42eb-aab4-33a4f3924966","_type":"block","children":[{"_key":"761b5b3f-8b77-4139-9ecc-d25c16bb7575","_type":"span","marks":[],"text":"LoadBalancer IPAM"}],"markDefs":[],"style":"h3"},{"_key":"7ef8de02-7eaa-4bb0-badd-281150fb3665","_type":"block","children":[{"_key":"f54c0769-9849-497d-bbc4-f98bd7e4d9c0","_type":"span","marks":[],"text":"We covered this feature in detail at launch with "},{"_key":"b0d45228-a215-4f36-93d3-a9b477a73e44","_type":"span","marks":["fc38495f-65bd-4c48-9e6b-ca05fbcaa280"],"text":"Cilium 1.13"},{"_key":"e98df9e8-d456-4e28-a6c8-42c14d9c948d","_type":"span","marks":[],"text":" but as a reminder: Cilium can assign IP addresses to Kubernetes Services of the type LoadBalancer. Often used with Ingress/Gateway API, these services expose applications running inside the cluster to the outside world."}],"markDefs":[{"_key":"fc38495f-65bd-4c48-9e6b-ca05fbcaa280","_type":"link","href":"/blog/post/cilium-release-113/#ipam-for-loadbalancer-services-and-bgp-services-advertisement","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-05-23T03:31:23Z","_id":"949cd334-8ca3-4722-95a5-8c9b7f74928d","_key":"924e731641d7","_ref":"949cd334-8ca3-4722-95a5-8c9b7f74928d","_rev":"ee12hzS4M5aP0OjnS1aEFR","_type":"mediaImage","_updatedAt":"2025-05-23T03:31:39Z","alignment":"center","altText":{"en":"LB-IPAM"},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-1a5e444e6c443b214b543e43155f74f050fcb98b-1414x820-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-load-balancer-ipam.webp","url":"https://cdn.sanity.io/images/xinsvxfu/production/1a5e444e6c443b214b543e43155f74f050fcb98b-1414x820.webp"},{"_key":"e6c43064-8c43-4585-86eb-1d0cfabd9e67","_type":"block","children":[{"_key":"f01ac8fb-afd1-401f-8cec-f2ff44ebe533","_type":"span","marks":[],"text":"Many users would have typically used MetalLB for this purpose but with Cilium offering this functionality natively, we see "},{"_key":"b7c5e21c-08a4-4abf-95d6-713bc0a5ced7","_type":"span","marks":["0a5c046a-b9cc-40c6-8c25-d43acf2dad08"],"text":"many users migrating from MetalLB to Cilium"},{"_key":"8821554b-2485-4eb7-88b4-bb224d94a50b","_type":"span","marks":[],"text":". You can find more about the migration process in our tutorial below: "}],"markDefs":[{"_key":"0a5c046a-b9cc-40c6-8c25-d43acf2dad08","_type":"link","href":"https://blog.stonegarden.dev/articles/2023/12/migrating-from-metallb-to-cilium/","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-04-15T14:38:15Z","_id":"2b2b8fe0-4aaa-8fa5-1d27-b4529c995bd9","_key":"48d50f57-3682-4f15-bee8-bd0fffb021fe","_ref":"2b2b8fe0-4aaa-8fa5-1d27-b4529c995bd9","_rev":"2T9xkAacgDKp8j06weWPYr","_type":"bodyCta","_updatedAt":"2025-05-23T03:32:31Z","alignment":"left","backgroundImage":{"_createdAt":"2025-03-21T16:32:00Z","_id":"407c0eb0-2c56-4f47-a80f-c16575dc4009","_rev":"RvKg2H7lodOtU53j0x4e1l","_type":"mediaImage","_updatedAt":"2025-04-04T21:50:43Z","alignment":"center","alt":"body-cta-bg.svg","altText":{"en":"Body CTA BG"},"clickToEnlarge":false,"image":"https://cdn.sanity.io/images/xinsvxfu/production/490d28b2f74ed0292938bd46ac19a151b6fd3b9c-910x239.svg","languages":["en"],"originalFilename":"body-cta-bg.svg","rounded":false,"size":"large","title":"decoration-body-cta-ice"},"ctas":[{"_createdAt":"2025-04-15T14:14:01Z","_id":"84a85e00-991c-4def-ff6f-42d15c5540b2","_rev":"ee12hzS4M5aP0OjnS1aLjN","_type":"cta","_updatedAt":"2025-05-23T03:32:28Z","label":{"en":"Start reading"},"languages":["en"],"title":"\"Start Reading\" - Primary (Migrating from MetalLB to Cilium)","url":"/blog/post/migrating-from-metallb-to-cilium/","variant":"tertiary"}],"headline":{"en":"Migrating from MetalLB to Cilium"},"languages":["en"],"logo":null,"logoReference":null,"logoWhite":null,"shaded":true,"text":{"en":[{"_key":"a0243ddf-a669-478f-9fb8-465027e1ce97","_type":"block","children":[{"_key":"0d6ddb9e-ca82-4b29-9c8c-e25757b57e08","_type":"span","marks":[],"text":" In this blog post, you will learn how to migrate from MetalLB to Cilium for local service advertisement over Layer 2."}],"markDefs":[],"style":"normal"}]},"theme":"primary","title":"Migrating from MetalLB to Cilium - \" In this blog post, you will learn how to migrate from MetalLB to Cilium for local service advertisement over Layer 2.\" Body CTA"},{"_key":"e84a6d76-9c8e-438f-bee0-2e82ec7bebfb","_type":"block","children":[{"_key":"25fc2806-fab8-4ca5-a79b-b03fa6b7530b","_type":"span","marks":[],"text":"Egress IPAM"}],"markDefs":[],"style":"h3"},{"_key":"0a3b7be7-d6ed-4bac-a6e3-089fb7f3a99d","_type":"block","children":[{"_key":"1b65c121-19c6-4bf6-a745-925e4dc8e48b","_type":"span","marks":["em"],"text":"Enterprise only"}],"markDefs":[],"style":"normal"},{"_key":"4e35bd20-ebbe-443d-b83d-3a65af547593","_type":"block","children":[{"_key":"1feda761-81cc-4861-aede-9c927f529c8c","_type":"span","marks":[],"text":"Egress Gateway is a popular Cilium functionality that enables users to set a predictable IP for traffic leaving the cluster. Often used alongside external firewalls, this feature ensures traffic for a specific namespace or pod exits via a specific node and that the source IP is masqueraded to one of the IP addresses of said node. This would have typically leveraged secondary IP interfaces on the nodes, which comes with a manual burden to configure and manage the nodes themselves."}],"markDefs":[],"style":"normal"},{"_key":"cb864f50-071b-432b-9692-0d5de1884c63","_type":"block","children":[{"_key":"305bc9d6-1784-4cd2-ae5d-b4734a7048a7","_type":"span","marks":[],"text":"With a "},{"_key":"a0d3b463-2489-4611-a6b2-0add69c65d9e","_type":"span","marks":["e527d52a-e3a6-4ab5-a34d-e921a816e19e"],"text":"recent update to Egress Gateway in Isovalent Enterprise for Cilium"},{"_key":"dc2bffc4-970d-4c34-8dd9-93c05f5b93e2","_type":"span","marks":[],"text":", users get additional control of the IP addressing distributed to their Egress Gateway nodes."}],"markDefs":[{"_key":"e527d52a-e3a6-4ab5-a34d-e921a816e19e","_type":"link","href":"/blog/post/isovalent-enterprise-for-cilium-1-16/#h-egress-gateway-ipam","openInNewTab":false}],"style":"normal"},{"_key":"deaf5c6c-13e9-454a-b90e-6608e27488c8","_type":"block","children":[{"_key":"e92834f1-6f42-4689-b797-01bae11fbc3c","_type":"span","marks":[],"text":"The IPAM feature allows you to specify an IP pool in the "},{"_key":"304ee0ed-40db-4ed8-a5d3-59fc28ceb3e6","_type":"span","marks":["code"],"text":"IsovalentEgressGatewayPolicy"},{"_key":"be1b2b6b-6a7f-423f-8ac8-03d9036c2639","_type":"span","marks":[],"text":" from which Cilium leases egress IPs and assigns them to the selected egress interfaces."}],"markDefs":[],"style":"normal"},{"_key":"6dcf89ff-9b61-4a22-8ce4-17628b906985","_type":"block","children":[{"_key":"725bc1c8-413f-41d0-8822-387e70c1568d","_type":"span","marks":[],"text":"Combine it with "},{"_key":"a78d8a7c-2573-423f-96a3-b582bd4d0ce6","_type":"span","marks":["84e8bd74-d266-4d4b-9d5c-3891a5f16ca0"],"text":"BGP support for Egress"},{"_key":"9afc1ec5-4cf0-4b73-8e17-9f02af94ef74","_type":"span","marks":[],"text":" to advertise the IP address range to the rest of the network, to enable the return traffic to come back safely to the cluster."}],"markDefs":[{"_key":"84e8bd74-d266-4d4b-9d5c-3891a5f16ca0","_type":"link","href":"/blog/post/isovalent-enterprise-for-cilium-1-15/#h-bgp-support-for-egress-gateway","openInNewTab":false}],"style":"normal"},{"_createdAt":"2025-05-23T03:32:56Z","_id":"fa77b3f5-6f6a-42dd-be9b-3f731944b763","_key":"469275afa4ef","_ref":"fa77b3f5-6f6a-42dd-be9b-3f731944b763","_rev":"2T9xkAacgDKp8j06weWazU","_type":"mediaImage","_updatedAt":"2025-05-23T03:33:17Z","alignment":"center","caption":{"_type":"content","en":[{"_key":"c88cbffa4e68","_type":"block","children":[{"_key":"ec74b59cba47","_type":"span","marks":[],"text":"BGP support for Egress Gateway"}],"markDefs":[],"style":"normal"}]},"clickToEnlarge":false,"image":{"_type":"image","asset":{"_ref":"image-dbecaee79f9847a2d6644fd4d41d7aef5aa21d2f-2048x1034-webp","_type":"reference"}},"languages":["en"],"rounded":false,"size":"large","title":"diagram-bgp-support-egress","url":"https://cdn.sanity.io/images/xinsvxfu/production/dbecaee79f9847a2d6644fd4d41d7aef5aa21d2f-2048x1034.webp"},{"_key":"d8166180-0510-4922-931e-835cd4596598","_type":"block","children":[{"_key":"85f7ae38-57cd-459d-87fc-d0bc8829f262","_type":"span","marks":[],"text":"Final Thoughts"}],"markDefs":[],"style":"h2"},{"_key":"7498a770-0ded-4d2b-b9d4-3331b6eedf43","_type":"block","children":[{"_key":"d5689511-34e1-46ab-a687-83b40ca769fb","_type":"span","marks":[],"text":"I hope this tutorial clarifies all the different ways Cilium can assign IP addresses to your Kubernetes entities. I have not mentioned the most obvious way to overcome IPv4 IP address exhaustion: IPv6! If you'd like to learn more about it, read this "},{"_key":"963b997c-5a05-4bbd-ad72-f8705168703c","_type":"span","marks":["aae52ebc-5f76-458c-a846-568b254e5dba"],"text":"IPv6 tutorial with Cilium"},{"_key":"663ed8ef-f2a8-4d37-8768-d5cc6e46a466","_type":"span","marks":[],"text":"."}],"markDefs":[{"_key":"aae52ebc-5f76-458c-a846-568b254e5dba","_type":"link","href":"/blog/post/tutorial-run-and-observe-ipv6-on-kubernetes-with-cilium/","openInNewTab":false}],"style":"normal"},{"_key":"2ca1e62e-22cf-447d-bb04-caaba2d5c0f6","_type":"block","children":[{"_key":"eeda0629-53c6-413c-950c-3469d0c4f702","_type":"span","marks":[],"text":"Thanks for reading."}],"markDefs":[],"style":"normal"}],"featuredImage":["$","$L19",null,{"src":"https://cdn.sanity.io/images/xinsvxfu/production/ef53161e274b8fb109beb28f10d6627010b0d9f1-1600x1067.webp?auto=format&q=80&fit=clip&w=1080","alt":"Image","className":"mx-auto mb-10 w-full max-w-[72.75]","placeholder":"blur","blurDataURL":"data:image/svg+xml;base64,CiAgICA8c3ZnIHdpZHRoPSIxMDgwIiBoZWlnaHQ9IjEwODAiIHZlcnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KICAgICAgICA8ZGVmcz4KICAgICAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJnIj4KICAgICAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0Y2RjhGRSIgb2Zmc2V0PSIyMCUiIC8+CiAgICAgICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNFRkY1RkYiIG9mZnNldD0iNTAlIiAvPgogICAgICAgICAgICA8c3RvcCBzdG9wLWNvbG9yPSIjRjZGOEZFIiBvZmZzZXQ9IjcwJSIgLz4KICAgICAgICAgICAgPC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8L2RlZnM+CiAgICAgICAgPHJlY3Qgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0iI0Y2RjhGRSIgLz4KICAgICAgICA8cmVjdCBpZD0iciIgd2lkdGg9IjEwODAiIGhlaWdodD0iMTA4MCIgZmlsbD0idXJsKCNnKSIgLz4KICAgICAgICA8YW5pbWF0ZSBocmVmPSIjciIgYXR0cmlidXRlTmFtZT0ieCIgZnJvbT0iLTEwODAiIHRvPSIxMDgwIiBkdXI9IjFzIiByZXBlYXRDb3VudD0iaW5kZWZpbml0ZSIgIC8+CiAgICA8L3N2Zz4=","width":1080,"height":1080,"priority":true}],"articleData":{"title":"Overcoming Kubernetes IP Address Exhaustion with Cilium","description":"In this blog post, learn how Cilium can overcome IP address exhaustion issues you may face in your Kubernetes clusters.","url":"https://isovalent.com/blog/post/overcoming-kubernetes-ip-address-exhaustion-with-cilium","download":"$undefined","authors":[{"_createdAt":"2024-09-27T10:02:38Z","_id":"0ae51702-7dba-84ad-a28a-f771145d2ef7","_rev":"6LVvD8xfzQrGEZvFexsj7u","_type":"person","_updatedAt":"2025-03-25T23:54:43Z","bio":{"en":[{"_key":"be6d1ddb-c534-48aa-9920-df188816a37a","_type":"block","children":[{"_key":"bb5153ab-f237-44b0-9510-a169a1950ad0","_type":"span","marks":[],"text":"Nico Vibert is a Senior Staff Technical Marketing Engineer at Isovalent, the company behind the open-source cloud-native solution Cilium. Prior to joining Isovalent, Nico worked in many different roles—operations and support, design and architecture, and technical pre-sales—at companies such as HashiCorp, VMware, and Cisco. In his current role, Nico focuses primarily on creating content to make networking a more approachable field and regularly speaks at events like KubeCon, VMworld, and Cisco Live. Nico has held over 15 networking certifications, including the Cisco Certified Internetwork Expert CCIE (# 22990). Nico is now the Lead Subject Matter Expert on the Cilium Certified Associate (CCA) certification."}],"markDefs":[],"style":"normal"},{"_key":"74d4f41ab634","_type":"block","children":[{"_key":"d11957993c26","_type":"span","marks":[],"text":"Outside of Isovalent, Nico is passionate about intentional diversity & inclusion initiatives and is Chief DEI Officer at the Open Technology organization OpenUK. You can find out more about him on his blog."}],"markDefs":[],"style":"normal"}]},"company":{"_ref":"35073912-4894-4a13-89f6-caa5d58ff52d","_type":"reference"},"firstName":{"en":"Nico"},"fullName":{"en":"Nico Vibert"},"headshot":{"_type":"image","asset":{"_ref":"image-a8fa134c3d7583ee70832353c7ff0d8a2181ff16-200x200-jpg","_type":"reference"}},"image":"https://cdn.sanity.io/images/xinsvxfu/production/a8fa134c3d7583ee70832353c7ff0d8a2181ff16-200x200.jpg","languages":["en"],"lastName":{"en":"Vibert"},"title":{"en":"Senior Staff Technical Marketing Engineer"}}]}}]}]}]}],"$undefined"]}]]