How to Adjust the Pod IP Range of Calico(En)

Albert Weng
3 min readApr 26, 2024

Recently, I plan to test several networking stuff, and since the physical network environment also needs to be reconfigured,I found out that the Pod CIDR, which is 192.168.0.0/16, overlaps with the new network. Therefore, I need to perform the modification described in this article. Even though they shouldn’t mess with each other theoretically. I’d rather not risk it. it’s just easier to keep things separate from the real network to avoid any confusion.

Alina Grubnvak on Unsplash

This article focuses on adjusting Calico in a running Kubernetes cluster. It’s crucial to note that this adjustment will affect running services. So, if you’re planning to do this in a production environment, make sure to take stock of the relevant services, inform about the associated risks, and be well-prepared before executing.

※ Note: This operation will impact services!!

1. Adjusting Calico PodCIDR

(Ensure that the modified CIDR doesn’t overlap with the original one, or it won’t be established)

#-----------------------------------------
# S1-1. Check the default IP range for Calico.
#-----------------------------------------
[master]# calicoctl get ippool -o wide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 192.168.0.0/16 true Always Never false false all()

[master]# kubectl get pod -n kube-system | grep calico
calico-kube-controllers-7ddc4f45bc-m4wkf 1/1 Running 0 11m
calico-node-7hwvz 1/1 Running 0 11m
calico-node-7wxdd 1/1 Running 0 11m
calico-node-bxhxr 1/1 Running 0 11m
calico-node-gbff6 1/1 Running 0 11m
calico-node-m6xm7 1/1 Running 0 11m
calico-node-zgd69 1/1 Running 0
#-----------------------------------------
# S1-2. Export the current Calico configuration and make modifications
#-----------------------------------------
[master]# calicoctl get ippool -o yaml --allow-version-mismatch > default-ippool.yaml.ori
[master]# cp default-ippool.yaml.ori calico-ippool.yaml
[master]# vim calico-ippool.yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
creationTimestamp: "2023-11-05T01:41:12Z"
name: my-ipv4-ippool
resourceVersion: "346974"
uid: cb319f2c-6530-4782-b023-f1647ebf68da
spec:
allowedUses:
- Workload
- Tunnel
blockSize: 26
cidr: 172.16.0.0/16 <<< Here
ipipMode: Always
natOutgoing: true
nodeSelector: all()
vxlanMode: Never
kind: IPPoolList
metadata:
resourceVersion: "38025731"

[master]# calicoctl apply -f calico-ippool.yaml --allow-version-mismatch
[master]# calicoctl get ippool -o wide --allow-version-mismatch
#-----------------------------------------
# S1-3. Disable original ippool
#-----------------------------------------
[master]# vim default-ippool.yaml.ori
...
spec:
allowedUses:
- Workload
- Tunnel
blockSize: 26
cidr: 192.168.0.0/16
ipipMode: Always
natOutgoing: true
disabled: true <<<
nodeSelector: all()
vxlanMode: Never

[master]# calicoctl apply -f default-ippool.yaml.ori --allow-version-mismatch
[master]# calicoctl get ippool -o wide --allow-version-mismatch
#-----------------------------------------
# S1-4. Verify which Pods are currently using the original CIDR
#-----------------------------------------
[master]# calicoctl get wep --all-namespaces --allow-version-mismatch
#-----------------------------------------
# S1-5. Delete the Pods and recreate them to use the new subnet
#-----------------------------------------
[master]# kubectl delete pod pgpool-deployment-b9cdf65d8-qvwrk -n database
[master]# calicoctl get wep --all-namespaces --allow-version-mismatch
=> Confirm the changes and proceed to restart the remaining Pods

2. Conclusion

This article provides a practical guide to adjusting Calico settings. It’s essential to proceed with caution, especially in production environments where services are already running. Whenever possible, avoid making network changes unless absolutely necessary. Even in testing environments with fewer services, it’s crucial to discuss potential risks with relevant stakeholders before implementation.

Lastly, consider taking backups of ETCD/App before making any modifications to ensure data integrity and system stability.

※References:

https://docs.tigera.io/calico/latest/networking/ipam/migrate-pools

--

--

Albert Weng

You don't have to be great to start, but you have to start to be great