diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 99cb5d6bf4..2a6de658a2 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -362,6 +362,9 @@ the table are linked to more details elsewhere in the user guide.
 | `cloud_provider_enabled`_             | - true             | true          |
 |                                       | - false            |               |
 +---------------------------------------+--------------------+---------------+
+| `service_cluster_ip_range`            | IPv4 CIDR for k8s  | 10.254.0.0/16 |
+|                                       | service portals    |               |
++---------------------------------------+--------------------+---------------+
 
 Cluster
 -------
diff --git a/magnum/drivers/heat/k8s_template_def.py b/magnum/drivers/heat/k8s_template_def.py
index c7e12be8ad..d0e0592fc5 100644
--- a/magnum/drivers/heat/k8s_template_def.py
+++ b/magnum/drivers/heat/k8s_template_def.py
@@ -130,6 +130,10 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
         for label in label_list:
             extra_params[label] = cluster.labels.get(label)
 
+        cluser_ip_range = cluster.labels.get('service_cluster_ip_range')
+        if cluser_ip_range:
+            extra_params['portal_network_cidr'] = cluser_ip_range
+
         if cluster_template.registry_enabled:
             extra_params['swift_region'] = CONF.docker_registry.swift_region
             extra_params['registry_container'] = (
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 099e33ba70..542af69f27 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -59,7 +59,8 @@ class TestClusterConductorWithK8s(base.TestCase):
                        'influx_grafana_dashboard_enabled': 'True',
                        'docker_volume_type': 'lvmdriver-1',
                        'etcd_volume_size': 0,
-                       'availability_zone': 'az_1'},
+                       'availability_zone': 'az_1',
+                       'service_cluster_ip_range': '10.254.0.0/16'},
             'tls_disabled': False,
             'server_type': 'vm',
             'registry_enabled': False,
@@ -107,7 +108,8 @@ class TestClusterConductorWithK8s(base.TestCase):
                        'kubecontroller_options': '--kubecontroller',
                        'kubescheduler_options': '--kubescheduler',
                        'kubeproxy_options': '--kubeproxy',
-                       'influx_grafana_dashboard_enabled': 'True'},
+                       'influx_grafana_dashboard_enabled': 'True',
+                       'service_cluster_ip_range': '10.254.0.0/16'},
             'master_flavor_id': 'master_flavor_id',
             'flavor_id': 'flavor_id',
         }
@@ -217,6 +219,7 @@ class TestClusterConductorWithK8s(base.TestCase):
                        'kubecontroller_options': '--kubecontroller',
                        'kubescheduler_options': '--kubescheduler',
                        'kubeproxy_options': '--kubeproxy',
+                       'service_cluster_ip_range': '10.254.0.0/16',
                        },
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
@@ -286,6 +289,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'octavia_enabled': False,
             'kube_service_account_key': 'public_key',
             'kube_service_account_private_key': 'private_key',
+            'portal_network_cidr': '10.254.0.0/16',
         }
         if missing_attr is not None:
             expected.pop(mapping[missing_attr], None)
@@ -405,6 +409,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'octavia_enabled': False,
             'kube_service_account_key': 'public_key',
             'kube_service_account_private_key': 'private_key',
+            'portal_network_cidr': '10.254.0.0/16',
         }
 
         self.assertEqual(expected, definition)
@@ -511,6 +516,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'octavia_enabled': False,
             'kube_service_account_key': 'public_key',
             'kube_service_account_private_key': 'private_key',
+            'portal_network_cidr': '10.254.0.0/16',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -600,6 +606,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'kubescheduler_options': '--kubescheduler',
             'kubeproxy_options': '--kubeproxy',
             'octavia_enabled': False,
+            'portal_network_cidr': '10.254.0.0/16',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -684,6 +691,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'kubescheduler_options': '--kubescheduler',
             'kubeproxy_options': '--kubeproxy',
             'octavia_enabled': False,
+            'portal_network_cidr': '10.254.0.0/16',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
@@ -922,6 +930,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'octavia_enabled': False,
             'kube_service_account_key': 'public_key',
             'kube_service_account_private_key': 'private_key',
+            'portal_network_cidr': '10.254.0.0/16',
         }
         self.assertEqual(expected, definition)
         self.assertEqual(
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index 04e509e94e..1024a134f4 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -371,6 +371,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'kubeproxy_options')
         cloud_provider_enabled = mock_cluster.labels.get(
             'cloud_provider_enabled')
+        service_cluster_ip_range = mock_cluster.labels.get(
+            'service_cluster_ip_range')
 
         k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -420,6 +422,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'octavia_enabled': False,
             'kube_service_account_key': 'public_key',
             'kube_service_account_private_key': 'private_key',
+            'portal_network_cidr': service_cluster_ip_range,
         }}
         mock_get_params.assert_called_once_with(mock_context,
                                                 mock_cluster_template,
@@ -541,6 +544,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'kubeproxy_options')
         cloud_provider_enabled = mock_cluster.labels.get(
             'cloud_provider_enabled')
+        service_cluster_ip_range = mock_cluster.labels.get(
+            'service_cluster_ip_range')
 
         k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -592,6 +597,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'octavia_enabled': False,
             'kube_service_account_key': 'public_key',
             'kube_service_account_private_key': 'private_key',
+            'portal_network_cidr': service_cluster_ip_range,
         }}
         mock_get_params.assert_called_once_with(mock_context,
                                                 mock_cluster_template,
diff --git a/releasenotes/notes/add-k8s-label-for-portal-network-cidr-a09edab29da6e7da.yaml b/releasenotes/notes/add-k8s-label-for-portal-network-cidr-a09edab29da6e7da.yaml
new file mode 100644
index 0000000000..66fb51b43a
--- /dev/null
+++ b/releasenotes/notes/add-k8s-label-for-portal-network-cidr-a09edab29da6e7da.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Add a new label `service_cluster_ip_range` for kubernetes so that user can
+    set the IP range for service portals to avoid conflicts with pod IP range.
+