Description
When creating a Network Load Balancer with ipFamilyPolicy: PreferDualStack on a Kubernetes cluster that doesn't support dual-stack networking, but the OCI subnet does support dual-stack, the NLB creation fails with:
Invalid listener: TCP-443-IPv6 is not associated with a backendset
Environment
- OCI Cloud Controller Manager version: v1.33.0
- Kubernetes version: v1.34.x / v1.35.x
- OCI subnet: Dual-stack (has both IPv4 and IPv6 CIDR blocks)
- Kubernetes cluster: Single-stack IPv4 (no IPv6 pod network configured)
Steps to Reproduce
- Deploy Kubernetes cluster without dual-stack networking (IPv4 only pods)
- Use an OCI subnet that has both IPv4 and IPv6 CIDR blocks
- Create a LoadBalancer service with:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    oci.oraclecloud.com/load-balancer-type: "nlb"
spec:
  type: LoadBalancer
  ipFamilyPolicy: PreferDualStack
  # Kubernetes assigns ipFamilies: [IPv4] since cluster doesn't support IPv6
  ports:
    - port: 443
      targetPort: 443
Expected Behavior
The CCM should create an IPv4-only NLB since the service's ipFamilies field is [IPv4].
Actual Behavior
The CCM attempts to create IPv6 listeners (based on subnet capabilities) but only creates IPv4 backend sets (based on ipFamilies), causing a mismatch error.
Root Cause
In getLbListenerBackendSetIpVersion(), the PreferDualStack case returns [IPv4, IPv6] when the subnet supports both, completely ignoring the ipFamilies parameter:
case string(v1.IPFamilyPolicyPreferDualStack):
    // ... subnet checks ...
    return []string{IPv4, IPv6}, nil // Ignores ipFamilies!
The ipFamilies field is the authoritative specification of what IP families a service uses. The ipFamilyPolicy only influences how ipFamilies gets populated when not explicitly set.
Proposed Fix
Modify the PreferDualStack case to respect ipFamilies by only including IP versions that are both specified in ipFamilies AND supported by the subnet.
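A sketch of the intersection the proposed fix describes, added here as an illustration and not taken from the CCM source. The helper name `preferDualStackVersions`, its boolean subnet parameters and the string constants are assumptions made for this example; the real `getLbListenerBackendSetIpVersion()` signature is not shown in this report.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the IP version names used in this report.
const (
	IPv4 = "IPv4"
	IPv6 = "IPv6"
)

// preferDualStackVersions is a hypothetical helper (not the CCM's code).
// It returns only the IP versions that are both listed in the Service's
// ipFamilies and supported by the subnet, preserving ipFamilies order,
// so listeners and backend sets are derived from the same list.
func preferDualStackVersions(ipFamilies []string, subnetIPv4, subnetIPv6 bool) ([]string, error) {
	supported := map[string]bool{IPv4: subnetIPv4, IPv6: subnetIPv6}
	seen := map[string]bool{}
	var out []string
	for _, fam := range ipFamilies {
		// Unknown family names are not in the map and are skipped.
		if supported[fam] && !seen[fam] {
			seen[fam] = true
			out = append(out, fam)
		}
	}
	if len(out) == 0 {
		return nil, errors.New("no IP family in ipFamilies is supported by the subnet")
	}
	return out, nil
}

func main() {
	// The case from this report: dual-stack subnet, Service resolved to [IPv4].
	fmt.Println(preferDualStackVersions([]string{IPv4}, true, true))
	// A genuinely dual-stack Service on a dual-stack subnet keeps both families.
	fmt.Println(preferDualStackVersions([]string{IPv6, IPv4}, true, true))
	// A family the subnet lacks is dropped; with nothing left, an error is returned.
	fmt.Println(preferDualStackVersions([]string{IPv6}, true, false))
}
```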