diff --git a/.travis.yml b/.travis.yml
index c1f9539bc..a2e1b00f4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -24,6 +24,8 @@ before_install:
   # libseccomp in trusty is not new enough, need backports version.
   - sudo sh -c "echo 'deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse' > /etc/apt/sources.list.d/backports.list"
   - sudo apt-get update
+  # Enable ipv6 for dualstack integration test.
+  - sudo sysctl net.ipv6.conf.all.disable_ipv6=0
 
 install:
   - sudo apt-get install btrfs-tools
diff --git a/cluster/gce/cni.template b/cluster/gce/cni.template
index 37f345221..1eb5f5d43 100644
--- a/cluster/gce/cni.template
+++ b/cluster/gce/cni.template
@@ -7,12 +7,8 @@
       "mtu": 1460,
       "ipam": {
         "type": "host-local",
-        "subnet": "{{.PodCIDR}}",
-        "routes": [
-          {
-            "dst": "0.0.0.0/0"
-          }
-        ]
+        "ranges": [{{range $i, $range := .PodCIDRRanges}}{{if $i}}, {{end}}[{"subnet": "{{$range}}"}]{{end}}],
+	"routes": [{{range $i, $route := .Routes}}{{if $i}}, {{end}}{"dst": "{{$route}}"}{{end}}]
       }
     },
     {
diff --git a/docs/config.md b/docs/config.md
index 8f218363f..f2bb2879d 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -172,7 +172,7 @@ version = 2
     # file will be loaded. If you want to load multiple CNI plugin config files
     # set max_conf_num to the number desired. Setting max_config_num to 0 is
     # interpreted as no limit is desired and will result in all CNI plugin
-    # config files being loaded from the CNI config directory. 
+    # config files being loaded from the CNI config directory.
     max_conf_num = 1
 
     # conf_template is the file path of golang template used to generate
@@ -183,6 +183,7 @@ version = 2
     # This is a temporary backward-compatible solution for kubenet users
     # who don't have a cni daemonset in production yet.
     # This will be deprecated when kubenet is deprecated.
+    # See the "CNI Config Template" section for more details.
     conf_template = ""
 
   # 'plugins."io.containerd.grpc.v1.cri".registry' contains config related to the registry
@@ -208,6 +209,35 @@ When the annotation `io.kubernetes.cri.untrusted-workload` is set to `true` the
 runtime will be used. For example, see
 [Create an untrusted pod using Kata Containers](https://github.com/kata-containers/documentation/blob/master/how-to/how-to-use-k8s-with-cri-containerd-and-kata.md#create-an-untrusted-pod-using-kata-containers).
 
+## CNI Config Template
+
+Ideally the cni config should be placed by system admin or cni daemon like calico,
+weaveworks etc. However, there are still users using [kubenet](https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/#kubenet)
+today, who don't have a cni daemonset in production. The cni config template is
+a temporary backward-compatible solution for them. This is expected to be
+deprecated when kubenet is deprecated.
+
+The cni config template uses the [golang
+template](https://golang.org/pkg/text/template/) format. Currently supported
+values are:
+* `.PodCIDR` is a string of the first CIDR assigned to the node.
+* `.PodCIDRRanges` is a string array of all CIDRs assigned to the node. It is
+  usually used for
+  [dualstack](https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/20180612-ipv4-ipv6-dual-stack.md) support.
+* `.Routes` is a string array of all routes needed. It is usually used for
+  dualstack support or single stack but IPv4 or IPv6 is decided at runtime.
+
+The [golang template actions](https://golang.org/pkg/text/template/#hdr-Actions)
+can be used to render the cni config. For example, you can use the following
+template to add CIDRs and routes for dualstack in the CNI config:
+```
+"ipam": {
+  "type": "host-local",
+  "ranges": [{{range $i, $range := .PodCIDRRanges}}{{if $i}}, {{end}}[{"subnet": "{{$range}}"}]{{end}}],
+  "routes": [{{range $i, $route := .Routes}}{{if $i}}, {{end}}{"dst": "{{$route}}"}{{end}}]
+}
+```
+
 ## Deprecation
 The config options of the CRI plugin follow the [Kubernetes deprecation
 policy of "admin-facing CLI components"](https://kubernetes.io/docs/reference/using-api/deprecation-policy/#deprecating-a-flag-or-cli).
diff --git a/hack/install/install-cni-config.sh b/hack/install/install-cni-config.sh
index b1d05263e..06226a2da 100755
--- a/hack/install/install-cni-config.sh
+++ b/hack/install/install-cni-config.sh
@@ -34,9 +34,17 @@ ${SUDO} bash -c 'cat >'${CNI_CONFIG_DIR}'/10-containerd-net.conflist <<EOF
       "promiscMode": true,
       "ipam": {
         "type": "host-local",
-        "subnet": "10.88.0.0/16",
+        "ranges": [
+          [{
+            "subnet": "10.88.0.0/16"
+          }],
+          [{
+            "subnet": "2001:4860:4860::8888/32"
+          }]
+        ],
         "routes": [
-          { "dst": "0.0.0.0/0" }
+          { "dst": "0.0.0.0/0" },
+          { "dst": "::/0" }
         ]
       }
     },
diff --git a/integration/pod_dualstack_test.go b/integration/pod_dualstack_test.go
new file mode 100644
index 000000000..c0b864377
--- /dev/null
+++ b/integration/pod_dualstack_test.go
@@ -0,0 +1,105 @@
+/*
+Copyright The containerd Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package integration
+
+import (
+	"io/ioutil"
+	"net"
+	"os"
+	"path/filepath"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
+)
+
+func TestPodDualStack(t *testing.T) {
+	testPodLogDir, err := ioutil.TempDir("/tmp", "dualstack")
+	require.NoError(t, err)
+	defer os.RemoveAll(testPodLogDir)
+
+	t.Log("Create a sandbox")
+	sbConfig := PodSandboxConfig("sandbox", "dualstack", WithPodLogDirectory(testPodLogDir))
+	sb, err := runtimeService.RunPodSandbox(sbConfig, *runtimeHandler)
+	require.NoError(t, err)
+	defer func() {
+		assert.NoError(t, runtimeService.StopPodSandbox(sb))
+		assert.NoError(t, runtimeService.RemovePodSandbox(sb))
+	}()
+
+	const (
+		testImage     = "busybox"
+		containerName = "test-container"
+	)
+	t.Logf("Pull test image %q", testImage)
+	img, err := imageService.PullImage(&runtime.ImageSpec{Image: testImage}, nil, sbConfig)
+	require.NoError(t, err)
+	defer func() {
+		assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
+	}()
+
+	t.Log("Create a container to print env")
+	cnConfig := ContainerConfig(
+		containerName,
+		testImage,
+		WithCommand("ip", "address", "show", "dev", "eth0"),
+		WithLogPath(containerName),
+	)
+	cn, err := runtimeService.CreateContainer(sb, cnConfig, sbConfig)
+	require.NoError(t, err)
+
+	t.Log("Start the container")
+	require.NoError(t, runtimeService.StartContainer(cn))
+
+	t.Log("Wait for container to finish running")
+	require.NoError(t, Eventually(func() (bool, error) {
+		s, err := runtimeService.ContainerStatus(cn)
+		if err != nil {
+			return false, err
+		}
+		if s.GetState() == runtime.ContainerState_CONTAINER_EXITED {
+			return true, nil
+		}
+		return false, nil
+	}, time.Second, 30*time.Second))
+
+	content, err := ioutil.ReadFile(filepath.Join(testPodLogDir, containerName))
+	assert.NoError(t, err)
+	status, err := runtimeService.PodSandboxStatus(sb)
+	require.NoError(t, err)
+	ip := status.GetNetwork().GetIp()
+	additionalIps := status.GetNetwork().GetAdditionalIps()
+
+	ipv4Enabled, err := regexp.MatchString("inet .* scope global", string(content))
+	assert.NoError(t, err)
+	ipv6Enabled, err := regexp.MatchString("inet6 .* scope global", string(content))
+	assert.NoError(t, err)
+
+	if ipv4Enabled && ipv6Enabled {
+		t.Log("Dualstack should be enabled")
+		require.Len(t, additionalIps, 1)
+		assert.NotNil(t, net.ParseIP(ip).To4())
+		assert.Nil(t, net.ParseIP(additionalIps[0].GetIp()).To4())
+	} else {
+		t.Log("Dualstack should not be enabled")
+		assert.Len(t, additionalIps, 0)
+		assert.NotEmpty(t, ip)
+	}
+}
diff --git a/integration/restart_test.go b/integration/restart_test.go
index 241b5ddfc..b3bcebc25 100644
--- a/integration/restart_test.go
+++ b/integration/restart_test.go
@@ -133,7 +133,7 @@ func TestContainerdRestart(t *testing.T) {
 
 	t.Logf("Pull test images")
 	for _, image := range []string{"busybox", "alpine"} {
-		img, err := imageService.PullImage(&runtime.ImageSpec{image}, nil, nil)
+		img, err := imageService.PullImage(&runtime.ImageSpec{Image: image}, nil, nil)
 		require.NoError(t, err)
 		defer func() {
 			assert.NoError(t, imageService.RemoveImage(&runtime.ImageSpec{Image: img}))
diff --git a/integration/truncindex_test.go b/integration/truncindex_test.go
index 16db28852..1a5ac05fb 100644
--- a/integration/truncindex_test.go
+++ b/integration/truncindex_test.go
@@ -74,7 +74,7 @@ func TestTruncIndex(t *testing.T) {
 	assert.Equal(t, sb, sbStatus.Id)
 
 	t.Logf("Forward port for sandbox by truncindex")
-	_, err = runtimeService.PortForward(&runtimeapi.PortForwardRequest{sbTruncIndex, []int32{80}})
+	_, err = runtimeService.PortForward(&runtimeapi.PortForwardRequest{PodSandboxId: sbTruncIndex, Port: []int32{80}})
 	assert.NoError(t, err)
 
 	// TODO(yanxuean): add test case for ListPodSandbox