Terway is an open-source CNI plug-in for Alibaba Cloud VPC that supports standard Kubernetes network policies for defining access policies between containers.
Before you begin
Read this topic to understand how Terway works before you use the Terway container network plugin.
First, read Networking overview and Terway vs. Flannel CNI plugins to understand the basic concepts of container network plugins and choose one.
Before you create a cluster, you must plan its CIDR blocks. For more information, see ACK managed cluster network planning.
Billing
The Terway plugin is free of charge. However, Terway deploys pods to each node, which consume a small amount of node resources. For details on billing for ACK cloud services, see Cloud resource costs.
Important
The Terway configuration file eni-config contains critical system parameters. Modifying or deleting fields not explicitly permitted for user configuration can cause network disruptions or prevent pods from being created. For information about the parameters that you can customize, see Customize Terway parameters.
The Terway component uses CRDs to track the status of resources. Do not manually modify these system resources. Unauthorized changes can cause network disruptions or prevent pods from being created.
Resource name | Resource type | User CRD operations | User CR operations |
podnetworkings.network.alibabacloud.com | User resources | No | Yes |
podenis.network.alibabacloud.com | System resources | No | No |
networkinterfaces.network.alibabacloud.com | System resources | No | No |
nodes.network.alibabacloud.com | System resources | No | No |
noderuntimes.network.alibabacloud.com | System resources | No | No |
*.cilium.io | System resources | No | No |
*.crd.projectcalico.org | System resources | No | No |
Maximum pods per node
When using the Terway network plugin, the maximum number of pods a node can run depends on the number of elastic network interfaces (ENIs) its ECS instance type supports. Terway enforces a minimum pod limit, which each node must meet to be successfully added to a cluster.
Terway mode | Pod limit | Example | Static IP pod count |
shared ENI mode | (Number of ENIs supported by the ECS instance type - 1) × Number of private IP addresses per ENI. (EniQuantity - 1) × EniPrivateIpAddressQuantity Note A node must support more than 11 pods to join the cluster. | For example, consider an instance of type ecs.g7.4xlarge from the g7 general-purpose instance family. This instance type supports 8 ENIs, and each ENI supports 30 private IP addresses. The maximum number of pods per node is calculated as (8 - 1) × 30 = 210 pods. Important The maximum number of pods that use node ENIs is fixed by the node's instance type. Modifying the | 0 |
shared ENI mode + Trunk ENI | Maximum Trunk pods per node: Total network interfaces for the ECS instance type - Number of ENIs supported by the ECS instance type. EniTotalQuantity - EniQuantity | ||
exclusive ENI mode | ECS instance: Number of ENIs supported by the ECS instance type - 1. EniQuantity - 1 Lingjun instance: Lingjun ENI quota - 1. LeniQuota - 1 Note A node must support more than 6 pods to join the cluster. | For example, an ECS instance of type ecs.g7.4xlarge supports 8 ENIs. The maximum number of pods per node is (8 - 1) = 7 pods. | Number of ENIs supported by the ECS instance type - 1. EniQuantity - 1 Note Lingjun instances are not supported. |
In Terway v1.11.0 and later, you can select exclusive ENI mode or shared ENI mode for a node pool. Node pools that use different modes can coexist in the same cluster. For more information, see Terway release notes.
Check supported pod count
Method 1: When creating a node pool, check the Terway Compatibility (Supported Pods) column in the Instance Type section to see the number of supported pods.
Method 2: Get the required values by using one of the following methods, and then manually calculate the number of pods the ECS instance type supports.
Refer to the instance family documentation to find the maximum number of elastic network interfaces an ECS instance supports.
Use OpenAPI Explorer. Specify the instance type of an existing node for the
InstanceTypesparameter and click Initiate Call. In the response,EniQuantityis the maximum number of elastic network interfaces the instance type supports,EniPrivateIpAddressQuantityis the number of private IP addresses per ENI, andEniTotalQuantityis the total number of network interfaces the instance type supports.
Install the Terway network plug-in
You must install the Terway network plug-in when you create a cluster. You cannot change the network plug-in type for an existing cluster.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click Create Kubernetes Cluster.
Configure the key network parameters for the Terway network plug-in. For other cluster creation parameters, see Create an ACK managed cluster.
Parameter
Description
IPv6 Dual-stack
Select Enable to create a dual-stack cluster that supports both IPv4 and IPv6 addresses.
Supported only for Kubernetes 1.22 or later, only with Terway, and cannot be used together with eRDMA.
The cluster supports both IPv4 and IPv6 protocols, but communication between worker nodes and the control plane still uses IPv4 addresses. Ensure the following:
The cluster VPC supports IPv6 dual-stack.
When using Terway in shared ENI mode, the instance type of the node must support IPv6 and have the same number of assignable IPv4 and IPv6 addresses.
VPC
The VPC for the cluster.
Network Plug-in
Select Terway.
DataPath V2
Select this option to enable the DataPath V2 acceleration mode. In this mode, Terway uses a different traffic forwarding path than the standard shared ENI mode to provide network acceleration. For more information, see Best practices for Terway with Datapath V2.
NoteFor new clusters that run Kubernetes 1.34 or later and use DataPath V2, kube-proxy no longer runs on Terway nodes.
This mode includes built-in support for portmap, so you do not need to configure the portmap plug-in. For more information, see Configure a custom CNI chain.
DataPath V2 is supported only on the following operating system images and requires Linux kernel 5.10 or later:
Alibaba Cloud Linux 4
Alibaba Cloud Linux 3 (all versions)
ContainerOS
Ubuntu
When enabled, the Terway policy container on each worker node is expected to consume an additional 0.5 CPU cores and 512 MB of memory. This resource consumption increases with the cluster size. In the default Terway configuration, the CPU limit for the policy container is 1 core, and there is no memory limit.
In DataPath V2 mode, container network connection tracking (conntrack) information is stored in an eBPF map. Similar to the native conntrack mechanism in Linux, eBPF conntrack uses a Least Recently Used (LRU) algorithm. When the map is full, the oldest connection records are evicted to make space for new ones. Configure the relevant parameters based on your workload to prevent exceeding the connection limit. For more information, see Optimize conntrack configurations in Terway mode.
NetworkPolicy support
Select this option to enable native Kubernetes
NetworkPolicy.NoteStarting from Terway v1.9.2, NetworkPolicy for new clusters is implemented by eBPF, and the DataPath V2 feature is enabled for the data plane.
The feature that allows you to manage
NetworkPolicyresources in the console is in public preview. To use this feature, submit a request in Quota Center console.
Support for ENI Trunking
Select this option to enable Trunk ENI mode. This allows you to assign a static IP address, an independent vSwitch, and a separate security group to each pod.
NoteYou can enable Trunk ENI for ACK managed clusters without submitting a request. If you want to enable Trunk ENI for an ACK dedicated cluster, submit a request in Quota Center console first.
For newly created ACK managed clusters that run Kubernetes 1.31 or later, the Trunk ENI feature is automatically enabled. You do not need to manually select it.
vSwitch
The vSwitches for the cluster nodes. For high availability, we recommend selecting vSwitches from at least three different availability zones.
Pod vSwitch
The vSwitches for pods. These can be the same as the node vSwitches.
Service CIDR
The CIDR block for Kubernetes Services. This CIDR block cannot overlap with the node CIDR block or the pod CIDR block.
IPv6 Service CIDR Block
You can configure this parameter only after you enable IPv6 dual-stack.
Terway working modes
This topic compares the Terway modes and how they work.
Shared ENI mode and exclusive ENI mode
Terway provides two modes for assigning IP addresses to pods: shared ENI mode and exclusive ENI mode.
In Terway v1.11.0 and later, you can select either shared ENI mode or exclusive ENI mode for a node pool. This option is no longer available at the cluster level during creation.
The node's operating system (OS) uses the primary ENI. Terway manages the remaining ENIs to configure the pod network. Do not manually configure these ENIs. If you need to manage some ENIs yourself, see Configure a filter for ENIs.
Item | Shared ENI mode | Exclusive ENI mode | |
Pod IP address management | ENI allocation | Multiple pods share an ENI. | Each pod is assigned a dedicated ENI on its node. |
Pod deployment density | High density, supporting hundreds of pods on a single node. | Low density. A typical node supports only a few pods. | |
Network architecture | |||
Data path | When a pod communicates with other pods or is accessed as a Service backend, traffic passes through the node's network stack. | When a pod accesses a Service, traffic still passes through the node's OS network stack. However, for pod-to-pod communication or when a pod acts as a Service backend, traffic bypasses the node's network stack by directly using the attached ENI, which improves performance. | |
Scenarios | General-purpose Kubernetes workloads. | Provides network performance comparable to virtual machines, making it ideal for applications that require high network throughput or low latency. | |
Network acceleration | Supports DataPath V2 for network acceleration. For more information, see Network acceleration. | Network acceleration is not supported. This mode already provides excellent network performance because each pod has a dedicated ENI. | |
NetworkPolicy support | Supports native Kubernetes | Does not support | |
Node-level network configuration | Supported. For more information, see Node-level network configuration. | Supported. For more information, see Node-level network configuration. | |
Access control | When Trunk ENI is enabled, you can configure a static IP address, a separate vSwitch, and a separate security group for each pod. For more information, see Configure a static IP address, separate vSwitch, and security group for a pod. | Allows you to configure a static IP address, a separate vSwitch, and a separate security group for each pod. | |
Network acceleration
In shared ENI mode, you can enable network acceleration. This uses a different traffic forwarding path from the standard mode to achieve higher performance. Terway currently supports the DataPath V2 acceleration mode. The following section describes its features.
DataPath V2 is an upgraded version of the previous IPvlan+eBPF acceleration mode. In Terway V1.8.0 and later, DataPath V2 is the only available acceleration mode when you create a cluster and install the Terway plugin.
The DataPath V2 and IPvlan+eBPF acceleration modes apply only to node pools in shared ENI mode and do not affect node pools in exclusive ENI mode.
DataPath V2 features | Description |
Applicable Terway versions | Clusters created with Terway v1.8.0 or later. |
Network architecture | |
Accelerated data path |
|
Performance optimization |
|
Usage | When you create a cluster, set Network Plug-in to Terway and then select the DataPath V2 option. |
Usage notes |
|
The IPvlan+eBPF acceleration mode might be in use on older clusters. Its features are described below.
Access control
Terway offers fine-grained traffic management. In shared ENI mode, this is achieved via NetworkPolicy and the Trunk ENI option. Exclusive ENI mode also provides traffic control capabilities.
NetworkPolicy
Node pools in exclusive ENI mode do not support
NetworkPolicy.Node pools in shared ENI mode support native Kubernetes
NetworkPolicy, which allows you to control network traffic between pods by using user-defined rules.When you create a cluster, you can enable
NetworkPolicyby selecting Terway as the Network Plug-in and selecting the NetworkPolicy support option. For more information, see Use network policies in ACK clusters.NoteThe feature that allows you to manage
NetworkPolicyresources in the console is in public preview. To use this feature, submit a request in Quota Center console.
Static IP, vSwitch, and security group
Node pools in exclusive ENI mode inherently support assigning a static IP address, a separate vSwitch, and a separate security group to each pod. This enables fine-grained traffic management, network isolation, policy configuration, and IP address management.
For node pools in shared ENI mode, the optional Trunk ENI feature enables you to configure a static IP address, a separate vSwitch, and a separate security group for each pod.
To enable this feature, set Network Plug-in to Terway and then select the Support for ENI Trunking option when you create your cluster. For more information, see Configure a static IP address, separate vSwitch, and security group for a pod.
NoteYou can enable Trunk ENI for ACK managed clusters without submitting a request. If you want to enable Trunk ENI for an ACK dedicated cluster, submit a request in Quota Center console first.
For newly created ACK managed clusters that run Kubernetes 1.31 or later, the Trunk ENI feature is automatically enabled. You do not need to manually select it.
After you enable Trunk ENI mode, the terway-eniip and terway-controlplane components are installed.
Scaling limits
Terway calls the OpenAPI of cloud products to manage node network interfaces and IP addresses. For the usage limits of these operations, see the documentation for each cloud product.
shared ENI mode: A maximum of 500 nodes can be allocated concurrently.
exclusive ENI/TrunkENI mode: A maximum of 100 pods can be allocated concurrently.
These quotas are fixed.
Data plane configuration
The Terway data plane relies on the precise sequence and integrity of its kernel-level configurations. Any uncoordinated modification of IP rule, IP route, or eBPF hooks by external components—including priority adjustments, rule overrides, or program unloading—can cause severe failures such as pod network disruptions, ineffective network policies, and unintended traffic redirection. Strictly validate all third-party components before integration to prevent conflicts.
TC filter rules
Interface | Direction | Program | Priority | Function |
ethx | toContainer | VLAN Untag | 20000 | Remove VLAN tag |
ethx | toContainer | cil_from_netdev | 25000 | Cilium svc/network policy |
veth | toContainer | cil_to_container | 25000 | Cilium svc/network policy |
veth | fromContainer | cil_from_container | 25000 | Cilium svc/network policy |
ethx | fromContainer | cil_to_netdev | 25000 | Cilium svc/network policy |
ethx | fromContainer | VLAN Tag | 50001 | Add VLAN tag |
IP rules
Direction | Priority | Routing table |
toContainer | 512 | 1000 + linkIndex (ENI index) |
fromContainer | 512 | 1000 + linkIndex (ENI index) |
FAQ
Identifying Terway ENI modes
-
In Terway v1.11.0 and later, Terway uses shared ENI mode by default. To enable exclusive ENI mode for a node pool, see Configure the exclusive ENI network mode for a node pool.
-
In versions earlier than Terway v1.11.0, you could select either exclusive ENI mode or shared ENI mode during cluster creation. After you create a cluster, you can use one of the following methods to identify the active mode:
-
exclusive ENI mode: In the kube-system namespace, the Terway DaemonSet is named
terway-eni. -
shared ENI mode: In the kube-system namespace, the Terway DaemonSet is named
terway-eniip.
-
Network plugin switching
The network plugin is a fundamental component selected during cluster creation. To switch plugins, you must create a new cluster with the desired CNI plugin and migrate your workloads.