kubernetes-sigs · k8s-ci-robot · Mar 26, 2025 · Mar 17, 2025 · Mar 17, 2025 · Mar 18, 2025
diff --git a/docs/flags.md b/docs/flags.md
@@ -49,6 +49,7 @@
 | `--[no-]traefik-disable-legacy` | Disable listeners on Resources under the traefik.containo.us API Group |
 | `--[no-]traefik-disable-new` | Disable listeners on Resources under the traefik.io API Group |
 | `--nat64-networks=NAT64-NETWORKS` | Adding an A record for each AAAA record in NAT64-enabled networks; specify multiple times for multiple possible nets (optional) |
+| `--[no-]expose-internal-ipv6` | Expose internal IPv6 addresses for services with IPv6 addresses (optional). Default is true. |
 | `--provider=provider` | The DNS provider where the DNS records will be created (required, options: akamai, alibabacloud, aws, aws-sd, azure, azure-dns, azure-private-dns, civo, cloudflare, coredns, digitalocean, dnsimple, exoscale, gandi, godaddy, google, ibmcloud, inmemory, linode, ns1, oci, ovh, pdns, pihole, plural, rfc2136, scaleway, skydns, tencentcloud, transip, ultradns, webhook) |
 | `--provider-cache-time=0s` | The time to cache the DNS provider record list requests. |
 | `--domain-filter=` | Limit possible target zones by a domain suffix; specify multiple times for multiple domains (optional) |

diff --git a/docs/sources/nodes.md b/docs/sources/nodes.md
@@ -10,6 +10,34 @@ The TTL of the records can be set with the `external-dns.alpha.kubernetes.io/ttl
 Nodes marked as **Unschedulable** as per [core/v1/NodeSpec](https://pkg.go.dev/k8s.io/[email protected]/core/v1#NodeSpec) are excluded.
 This avoid exposing Unhealthy, NotReady or SchedulingDisabled (cordon) nodes.
 
+## IPv6 Behavior
+
+Currently, ExternalDNS exposes the IPv6 `InternalIP` of the nodes. To alleviate this, you can use the `--expose-internal-ipv6`
+flag to not expose your internal ipv6 addresses. The flag is set to `true` by default. This behavior will change in the next minor release
+flipping the flag to `false` by default. You can still set the flag to `true` to expose the internal ipv6 addresses if needed.
+
+### Example spec (with `--expose-internal-ipv6` set to `false`)
+
+```yaml
+spec:
+  serviceAccountName: external-dns
+  containers:
+  - name: external-dns
+    image: registry.k8s.io/external-dns/external-dns:v0.16.1
+    args:
+    - --source=node # will use nodes as source
+    - --provider=aws
+    - --zone-name-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+    - --domain-filter=external-dns-test.my-org.com
+    - --aws-zone-type=public
+    - --registry=txt
+    - --fqdn-template={{.Name}}.external-dns-test.my-org.com
+    - --txt-owner-id=my-identifier
+    - --policy=sync
+    - --log-level=debug
+    - --expose-internal-ipv6=false
+```
+
 ## Manifest (for cluster without RBAC enabled)
 
 ```yaml

diff --git a/main.go b/main.go
@@ -154,6 +154,7 @@ func main() {
 		ResolveLoadBalancerHostname:    cfg.ResolveServiceLoadBalancerHostname,
 		TraefikDisableLegacy:           cfg.TraefikDisableLegacy,
 		TraefikDisableNew:              cfg.TraefikDisableNew,
+		ExposeInternalIPv6:             cfg.ExposeInternalIPV6,
 	}
 
 	// Lookup all the selected sources by names and pass them the desired configuration.

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
@@ -61,6 +61,7 @@ type Config struct {
 	IgnoreIngressTLSSpec                          bool
 	IgnoreIngressRulesSpec                        bool
 	ListenEndpointEvents                          bool
+	ExposeInternalIPV6                            bool
 	GatewayName                                   string
 	GatewayNamespace                              string
 	GatewayLabelFilter                            string
@@ -240,6 +241,7 @@ var defaultConfig = &Config{
 	Compatibility:                          "",
 	PublishInternal:                        false,
 	PublishHostIP:                          false,
+	ExposeInternalIPV6:                     true,
 	ConnectorSourceServer:                  "localhost:8080",
 	Provider:                               "",
 	ProviderCacheTime:                      0,
@@ -482,6 +484,7 @@ func App(cfg *Config) *kingpin.Application {
 	app.Flag("traefik-disable-legacy", "Disable listeners on Resources under the traefik.containo.us API Group").Default(strconv.FormatBool(defaultConfig.TraefikDisableLegacy)).BoolVar(&cfg.TraefikDisableLegacy)
 	app.Flag("traefik-disable-new", "Disable listeners on Resources under the traefik.io API Group").Default(strconv.FormatBool(defaultConfig.TraefikDisableNew)).BoolVar(&cfg.TraefikDisableNew)
 	app.Flag("nat64-networks", "Adding an A record for each AAAA record in NAT64-enabled networks; specify multiple times for multiple possible nets (optional)").StringsVar(&cfg.NAT64Networks)
+	app.Flag("expose-internal-ipv6", "Expose internal IPv6 addresses for services with IPv6 addresses (optional). Default is true.").BoolVar(&cfg.ExposeInternalIPV6)
 
 	// Flags related to providers
 	providers := []string{"akamai", "alibabacloud", "aws", "aws-sd", "azure", "azure-dns", "azure-private-dns", "civo", "cloudflare", "coredns", "digitalocean", "dnsimple", "exoscale", "gandi", "godaddy", "google", "ibmcloud", "inmemory", "linode", "ns1", "oci", "ovh", "pdns", "pihole", "plural", "rfc2136", "scaleway", "skydns", "tencentcloud", "transip", "ultradns", "webhook"}

diff --git a/source/node.go b/source/node.go
@@ -34,15 +34,16 @@ import (
 )
 
 type nodeSource struct {
-	client           kubernetes.Interface
-	annotationFilter string
-	fqdnTemplate     *template.Template
-	nodeInformer     coreinformers.NodeInformer
-	labelSelector    labels.Selector
+	client             kubernetes.Interface
+	annotationFilter   string
+	fqdnTemplate       *template.Template
+	nodeInformer       coreinformers.NodeInformer
+	exposeInternalIPV6 bool
+	labelSelector      labels.Selector
 }
 
 // NewNodeSource creates a new nodeSource with the given config.
-func NewNodeSource(ctx context.Context, kubeClient kubernetes.Interface, annotationFilter, fqdnTemplate string, labelSelector labels.Selector) (Source, error) {
+func NewNodeSource(ctx context.Context, kubeClient kubernetes.Interface, annotationFilter, fqdnTemplate string, labelSelector labels.Selector, exposeInternalIPv6 bool) (Source, error) {
 	tmpl, err := parseTemplate(fqdnTemplate)
 	if err != nil {
 		return nil, err
@@ -70,11 +71,12 @@ func NewNodeSource(ctx context.Context, kubeClient kubernetes.Interface, annotat
 	}
 
 	return &nodeSource{
-		client:           kubeClient,
-		annotationFilter: annotationFilter,
-		fqdnTemplate:     tmpl,
-		nodeInformer:     nodeInformer,
-		labelSelector:    labelSelector,
+		client:             kubeClient,
+		annotationFilter:   annotationFilter,
+		fqdnTemplate:       tmpl,
+		nodeInformer:       nodeInformer,
+		labelSelector:      labelSelector,
+		exposeInternalIPV6: exposeInternalIPv6,
 	}, nil
 }
 
@@ -177,10 +179,14 @@ func (ns *nodeSource) nodeAddresses(node *v1.Node) ([]string, error) {
 	var ipv6Addresses []string
 
 	for _, addr := range node.Status.Addresses {
-		addresses[addr.Type] = append(addresses[addr.Type], addr.Address)
 		// IPv6 addresses are labeled as NodeInternalIP despite being usable externally as well.
 		if addr.Type == v1.NodeInternalIP && suitableType(addr.Address) == endpoint.RecordTypeAAAA {
-			ipv6Addresses = append(ipv6Addresses, addr.Address)
+			if ns.exposeInternalIPV6 {
+				addresses[v1.NodeInternalIP] = append(addresses[v1.NodeInternalIP], addr.Address)
+				ipv6Addresses = append(ipv6Addresses, addr.Address)
+			}
+		} else {
+			addresses[addr.Type] = append(addresses[addr.Type], addr.Address)
 		}
 	}
 

diff --git a/source/node_test.go b/source/node_test.go
@@ -18,6 +18,7 @@ package source
 
 import (
 	"context"
+	"k8s.io/utils/ptr"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -77,6 +78,7 @@ func testNodeSourceNewNodeSource(t *testing.T) {
 				ti.annotationFilter,
 				ti.fqdnTemplate,
 				labels.Everything(),
+				true,
 			)
 
 			if ti.expectError {
@@ -93,17 +95,18 @@ func testNodeSourceEndpoints(t *testing.T) {
 	t.Parallel()
 
 	for _, tc := range []struct {
-		title            string
-		annotationFilter string
-		labelSelector    string
-		fqdnTemplate     string
-		nodeName         string
-		nodeAddresses    []v1.NodeAddress
-		labels           map[string]string
-		annotations      map[string]string
-		unschedulable    bool // default to false
-		expected         []*endpoint.Endpoint
-		expectError      bool
+		title              string
+		annotationFilter   string
+		labelSelector      string
+		fqdnTemplate       string
+		nodeName           string
+		nodeAddresses      []v1.NodeAddress
+		labels             map[string]string
+		annotations        map[string]string
+		exposeInternalIPv6 *bool // default to true for this version. Change later when the next minor version is released.
+		unschedulable      bool  // default to false
+		expected           []*endpoint.Endpoint
+		expectError        bool
 	}{
 		{
 			title:         "node with short hostname returns one endpoint",
@@ -200,6 +203,15 @@ func testNodeSourceEndpoints(t *testing.T) {
 				{RecordType: "AAAA", DNSName: "node1", Targets: endpoint.Targets{"2001:DB8::8"}},
 			},
 		},
+		{
+			title:              "node with only internal IPs with expose internal IP as false shouldn't return AAAA endpoints with internal IPs",
+			nodeName:           "node1",
+			exposeInternalIPv6: ptr.To(false),
+			nodeAddresses:      []v1.NodeAddress{{Type: v1.NodeInternalIP, Address: "2.3.4.5"}, {Type: v1.NodeInternalIP, Address: "2001:DB8::9"}},
+			expected: []*endpoint.Endpoint{
+				{RecordType: "A", DNSName: "node1", Targets: endpoint.Targets{"2.3.4.5"}},
+			},
+		},
 		{
 			title:         "node with neither external nor internal IP returns no endpoints",
 			nodeName:      "node1",
@@ -361,13 +373,20 @@ func testNodeSourceEndpoints(t *testing.T) {
 			_, err := kubernetes.CoreV1().Nodes().Create(context.Background(), node, metav1.CreateOptions{})
 			require.NoError(t, err)
 
+			if tc.exposeInternalIPv6 == nil {
+				t.Logf("WARNING: The default behavior of exposing internal IPv6 addresses will change in the next minor version. Use --expose-internal-ipv6=false flag to opt-in to the new behavior.")
+				tc.exposeInternalIPv6 = new(bool)
+				*tc.exposeInternalIPv6 = true
+			}
+
 			// Create our object under test and get the endpoints.
 			client, err := NewNodeSource(
 				context.TODO(),
 				kubernetes,
 				tc.annotationFilter,
 				tc.fqdnTemplate,
 				labelSelector,
+				*tc.exposeInternalIPv6,
 			)
 			require.NoError(t, err)
 

diff --git a/source/store.go b/source/store.go
@@ -80,6 +80,7 @@ type Config struct {
 	ResolveLoadBalancerHostname    bool
 	TraefikDisableLegacy           bool
 	TraefikDisableNew              bool
+	ExposeInternalIPv6             bool
 }
 
 // ClientGenerator provides clients
@@ -216,7 +217,7 @@ func BuildWithConfig(ctx context.Context, source string, p ClientGenerator, cfg
 		if err != nil {
 			return nil, err
 		}
-		return NewNodeSource(ctx, client, cfg.AnnotationFilter, cfg.FQDNTemplate, cfg.LabelFilter)
+		return NewNodeSource(ctx, client, cfg.AnnotationFilter, cfg.FQDNTemplate, cfg.LabelFilter, cfg.ExposeInternalIPv6)
 	case "service":
 		client, err := p.KubeClient()
 		if err != nil {