All Products
Search

This Product

    Container Service for Kubernetes:[Product change] IP address change for internal communication in Terway exclusive ENI mode

    Document Center

    Container Service for Kubernetes:[Product change] IP address change for internal communication in Terway exclusive ENI mode

    Last Updated:Dec 10, 2025

    For Terway versions 1.16.3 and later, the source IP address for traffic from a node to its pods changes when using the exclusive ENI mode.

    Understand the change and its impact

    When you upgrade the Terway plugin to version 1.16.3 or later, the source IP address for communication between a node in exclusive ENI mode and its pods (created after the upgrade) changes as follows:

    Exclusive ENI mode reference: Configure exclusive ENI mode for node pools.

    • For versions earlier than 1.16.3: The node's veth interface uses the fixed link-local address 169.254.1.1.

    • For versions 1.16.3 and later: When a node communicates with a pod, it no longer uses the fixed IP address. Instead, it uses the node IP, which is the private IP address of the node within the Virtual Private Cloud (VPC).

    Assess risks

    This IP address change can affect workloads in your cluster as follows:

    • Failure of container-level access control: If your application or pod whitelists only the source IP 169.254.1.1 (for example, in application logic, configuration files, or container-level iptables rules), it will deny requests from the node after the upgrade. As a result, features that depend on node-to-pod communication, such as health checks (liveness probes and readiness probes) and monitoring metrics collection, will fail. This may lead to frequent pod restarts or service disruptions.

    • Anomalies in log analysis and auditing: The source IP address from the node, as recorded in pod application logs, will no longer be 169.254.1.1. Consequently, any log analysis, monitoring alerts, or audit scripts designed to match the specific IP address 169.254.1.1 will fail.

    Take required actions

    Before you upgrade the Terway plugin, perform the following checks and updates:

    1. Review and update access control rules. If your containers use a whitelist that only allows traffic from 169.254.1.1, expand the whitelist to include the CIDR block for the entire node pool using exclusive ENI mode. This is necessary because the specific node IP can vary.

    2. Test and verify changes. First, upgrade Terway in a test environment to verify that node-to-pod connectivity works as expected. For example, use the ping command on the node to reach a pod's IP address. After validating the changes, proceed with the upgrade in your production environment.