By default, all nodes in a Terway cluster share the network configuration defined in the eni-config ConfigMap in the kube-system namespace. To assign different vSwitches or security groups to specific nodes, create a separate ConfigMap and label the target nodes to reference it. Terway merges the new configuration into the default configuration using JSON Merge Patch (RFC 7396).
Use cases
Configure per-node network settings when:
- Egress IP isolation: Specific pods need dedicated NAT IP addresses or bandwidth limits, separate from the rest of the cluster.
Prerequisites
Before you begin, ensure that you have:
- The vSwitches you plan to assign to nodes. See Create and manage a vSwitch.
- The security groups you plan to assign to nodes. See Create a security group.
Considerations
- Existing elastic network interfaces (ENIs) are not updated automatically. When you apply a new ConfigMap to a node, only ENIs created after the configuration takes effect use the new vSwitches and security groups. Existing ENIs continue to use their original settings. Apply per-node network settings to new nodes where possible.
- vSwitches must be in the same zone as the node. If a vSwitch is in a different zone from the node, the setting has no effect.
- Security group limit. You can assign up to five security groups per ENI. All security groups must belong to the same VPC and be of the same type. See Associate multiple security groups for an ENI.
Configure per-node network settings
This procedure consists of three steps: creating a ConfigMap that defines the network settings, labeling the target nodes to use that ConfigMap, and verifying that the new ENIs use the correct settings.
Step 1: Create a ConfigMap
Create a ConfigMap named foo in the kube-system namespace. This ConfigMap defines the vSwitches and security groups to apply to labeled nodes.
- Log on to the ACK console. In the left-side navigation pane, click Clusters.
- On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Configurations > ConfigMaps.
- On the ConfigMap page, select kube-system from the Namespace drop-down list, then click Create in the upper-right corner.
- In the Create panel, set ConfigMap Name to foo. Click Add, set Name to eni_conf, and enter the following JSON in the Value field. Replace the vswitches and security_group values with your actual IDs.

  {
    "vswitches": {
      "cn-hangzhou-g": ["vsw-10000"],
      "cn-hangzhou-i": ["vsw-10001"]
    },
    "security_group": "sg-10000",
    "security_groups": ["sg-10000", "sg-10001"]
  }

  Parameter | Description
  vswitches | A map of zone IDs to vSwitch ID lists. Each vSwitch must be in the same zone as the target nodes. To find zone IDs and vSwitch IDs, go to the VPC console and click vSwitch in the left-side navigation pane.
  security_group | To assign a single security group, set this parameter and leave security_groups as null.
  security_groups | To assign one or more security groups, set this parameter and leave security_group as null. The system applies all security groups listed in both parameters.

- Click OK.
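As an added example (not Terway's or ACK's own code), the following Python applies the eni_conf override from this step to a constructed default eni-config using JSON Merge Patch (RFC 7396), the merge rule stated at the top of this page, and checks the merged result against the zone and security-group limits listed under Considerations. The default config's contents and key names are assumptions.

```python
"""Added example (not Terway's own code): apply an eni_conf override with
JSON Merge Patch (RFC 7396) and check the result against the page's limits."""
import copy
import json

# Constructed sample default eni-config; key names are assumed to match the
# eni_conf keys shown on the page, and the values are placeholders.
DEFAULT_ENI_CONFIG = {
    "vswitches": {"cn-hangzhou-g": ["vsw-default-g"]},
    "security_group": "sg-default",
    "security_groups": None,
}

# The per-node override from the page's ConfigMap "foo" (key eni_conf).
NODE_ENI_CONF = json.loads("""{
  "vswitches": {"cn-hangzhou-g": ["vsw-10000"], "cn-hangzhou-i": ["vsw-10001"]},
  "security_group": "sg-10000",
  "security_groups": ["sg-10000", "sg-10001"]
}""")

def merge_patch(target, patch):
    """RFC 7396: objects merge key by key, a null in the patch deletes the key,
    and any non-object patch value replaces the target value outright."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result

def effective_security_groups(conf):
    """Groups from both parameters, as the page states, deduplicated in order."""
    groups = [conf["security_group"]] if conf.get("security_group") else []
    groups.extend(conf.get("security_groups") or [])
    return list(dict.fromkeys(groups))

def check_node_conf(conf, node_zone, max_groups=5):
    """Problems to flag before labeling a node: no vSwitch for the node's zone
    (the setting has no effect) or more than five security groups per ENI."""
    problems = []
    if not conf.get("vswitches", {}).get(node_zone):
        problems.append(f"no vSwitch configured for zone {node_zone}")
    if len(effective_security_groups(conf)) > max_groups:
        problems.append(f"more than {max_groups} security groups for one ENI")
    return problems
```

Because a null in the patch deletes the key under RFC 7396, setting security_groups to null in eni_conf removes any default value rather than keeping it.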
Step 2: Label nodes
Apply the label terway-config=foo to the nodes that should use this ConfigMap.
For existing nodes:
- In the left-side navigation pane of the cluster details page, choose Nodes > Nodes. Click Manage Labels and Taints in the upper-right corner.
- On the Labels tab, select the target nodes and click Add Label.
- In the Add dialog box, set Name to terway-config and Value to foo, then click OK.
- Restart the Terway pods to apply the change.
  - In the left-side navigation pane, choose Workloads > Pods.
  - Select kube-system from the Namespace drop-down list, search for terway-eniip, select all matching pods, and click Batch Delete.
  - In the confirmation dialog, click OK. Kubernetes automatically recreates the Terway pods.
  - Wait until the Status column shows Running for all pods whose names start with terway-eniip. The new vSwitches and security groups take effect after the pods are running.
For new nodes:
When creating a node pool, add a label with key set to terway-config and value set to foo. See the Create a node pool section of the "Create a node pool" topic.
Step 3: Verify the configuration
After the Terway pods restart, verify that new ENIs use the correct vSwitches and security groups.
- Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances.
- Click the name of the target ECS instance. On the instance details page, click the ENIs tab.
- Confirm that the ENI used to allocate pod IP addresses is associated with the vSwitches and security groups you specified in the ConfigMap.
If a newly created pod's IP address does not fall within the expected vSwitch CIDR block, see the FAQ about container networks.