Container Service for Kubernetes:Network management FAQ

Terway FAQ

• What's the difference between Terway's Shared ENI and Exclusive ENI network modes?

• How can I tell if my ACK cluster is using Terway in Shared ENI or Exclusive ENI mode?

• How do I check if my Terway Shared ENI mode is using DataPath V2 or the legacy IPvlan+eBPF for network acceleration?

• Does traffic bypass IPVS when using Terway's network acceleration modes (DataPath V2 or IPvlan+eBPF)?

• Is it possible to switch the CNI network plugin on an existing ACK cluster?

• Why can't my Pods access the internet after adding a new vSwitch for Terway in my ACK cluster?

• My Pods are stuck in ContainerCreating with "InvalidVSwitchId.IpNotEnough" errors. How do I add more IP addresses?

• Why are my Pods getting IPs from an old vSwitch CIDR block even after I updated the Terway configuration?

• I added a new vSwitch to my Terway configuration, but my Pods are still failing to get an IP. Why is this happening?

• What's the difference between the Terway and Flannel network plugins for an ACK Kubernetes cluster?

• How do I enable in-cluster load balancing for ExternalIP and LoadBalancer Services in an existing Terway IPvlan cluster?

• How can I assign Pods to a specific vSwitch/CIDR block in a Terway cluster for IP-based allowlisting?

• What determines the maximum number of Pods per node in a Terway cluster?

• What do the different Pod statuses like Pending and ContainerCreating mean in a Terway network context?

• What is Terway's DataPath V2 mode, and how is it different from the original IPvlan mode?

• Why did my Terway component upgrade fail with the error eip pool is not supported?

• Why do my Pods sometimes fail to create in a Terway cluster with the error can't found dev by mac?

Flannel FAQ

• My nodes are NotReady after upgrading my cluster to Kubernetes 1.16+. How do I fix a Flannel incompatibility?

• What's the difference between the Terway and Flannel network plugins for an ACK Kubernetes cluster?

• In a Flannel cluster, why can my Pods ping some ECS instances but not others?

• Why are newly added nodes in my Flannel cluster getting a NodeNetworkUnavailable taint?

• When do I need to configure the cloud-controller-manager (CCM) for multiple route tables in a Flannel cluster?

• Why are my Pods failing to start with the error failed to allocate for range 0: no IP addresses available in range set?

• How can I change the Pod CIDR, Service CIDR, or IPs per node for an existing ACK cluster?

kube-proxy FAQ

• What is the correct way to modify the kube-proxy configuration in an ACK cluster?

• How do I change the IPVS load balancing algorithm in kube-proxy?

• How do I reduce the UDP session timeout in kube-proxy IPVS mode to fix DNS delays?

IPv6 FAQ

• How do I troubleshoot common issues in an IPv6 dual-stack cluster?

Other issues

• How do I fix network latency issues immediately after a Pod starts?

• Why do my Pods get connection errors when trying to access a Service they expose themselves (hairpinning)?

• What is the correct way to plan the network for an ACK cluster?

• Does ACK support hostPort for Pods?

• How do I identify the network plugin and vSwitches used by my cluster?

• How do I view the cloud resources used by my ACK cluster?

• How can I increase the Linux conntrack (connection tracking) limit on my nodes?

• Is it possible to install a third-party CNI network plugin on an ACK cluster?

• Why do I get a no IP addresses available in range set error in my Flannel cluster?

• What should I consider when configuring a custom cluster domain for my ACK cluster?

Server Load Balancer (SLB) FAQ

• How can I use SLB instances in an ACK cluster?

• Which external traffic policy should I use when I create a Service — Local or Cluster?

• Why are no events collected during the synchronization between a Service and an SLB instance?

• How do I handle an SLB instance that remains in the Pending state?

• What do I do if the vServer groups of an SLB instance are not updated?

• What do I do if the annotations of a Service do not take effect?

• Why are the configurations of an SLB instance modified?

• Why does the cluster fail to access the IP address of an SLB instance?

• When is an SLB instance automatically deleted?

• What do I do if I accidentally delete an SLB instance?

• If I delete a Service, is the SLB instance associated with the Service automatically deleted?

• How do I rename an SLB instance if the CCM version is V1.9.3.10 or earlier?

• How does the CCM calculate node weights in Local mode?

• How do I query the IP addresses, names, and address types of all SLB instances in a cluster?

• How do I ensure that the LoadBalancer gracefully disconnects existing connections when I change the backend of the LoadBalancer Service?

CCM update FAQ

• How do I troubleshoot failures to update the CCM?

Existing SLB instances FAQ

• Why does the system fail to use an existing SLB instance for more than one Service?

• Why is no listener created when I reuse an existing SLB instance?

Other issues

• What do I do if errors occur in Services?

• How do I troubleshoot CCM update failures?

• How is session persistence implemented in Kubernetes Services?

• How do I configure listeners for a NodePort Service?

• How do I access a NodePort Service?

• How do I configure a proper node port range?

• How do I add required permissions for CCM updated in ACK dedicated clusters with Flannel?

Ingress configurations FAQ

• Which SSL/TLS versions does Ingress support?

• Are Layer 7 request headers passed through by default in Ingress?

• Can Ingress-Nginx forward traffic to HTTPS backend services?

• Does Ingress L7 pass through the originating IP address?

• Does the Nginx Ingress Controller component support HSTS?

• Which rewrite configurations does Ingress-Nginx support?

• Configure the network type of an NGINX Ingress Controller

• What resources change when upgrading the Nginx Ingress Controller component in ACK Component Management?

• How do I specify an existing SLB instance for ack-ingress-nginx deployed from the Marketplace page?

• How do I change Ingress-nginx listeners from Layer 4 to Layer 7 (HTTPS/HTTP)?

• Nginx Ingress FAQ

Connectivity FAQ

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• Why is the default TLS certificate or previous TLS certificate used after I add a TLS certificate to the cluster or change the TLS certificate?

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

Canary releases FAQ

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

Errors FAQ

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

Other issues

• Why does the Ingress controller pod restart after it fails the health check?

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

• NGINX Ingress controller troubleshooting

How do I access cluster workloads over the internet?

ACK supports five methods for exposing workloads to the internet:

• NodePort Services

• SLB instances

• Nginx Ingress

• external-dns

• NAT gateways with DNAT rules

How do I get the real client IP address in my Pods?

If your cluster uses SLB instances to provide external services and Web Application Firewall (WAF) is enabled, set externaltrafficpolicy to Local on the Services that expose your Pods. For clusters that use Ingress instead, set externaltrafficpolicy to Local on the nginx-ingress-lb Service.

For WAF configuration details, see Use WAF.

How do I throttle traffic for an ACK cluster?

Use Alibaba Cloud Service Mesh (ASM) to apply traffic throttling. ASM protects your backend services against traffic spikes, service overloading, resource exhaustion, and attacks — reducing costs and improving user experience. For details, see Throttling.