By default, when ack-onepilot injects an init-container into an application, it uses the ONEPILOT_INIT_IMAGE_URL from the ack-onepilot deployment (typically named ack-onepilot-ack-onepilot and located in the ack-onepilot namespace) as the init-container's image URL. ack-onepilot automatically rewrites this URL to a Virtual Private Cloud (VPC) internal image URL, even if you specify a non-VPC URL.
In the ACK console, choose Workloads > Stateless in the left navigation pane. Find the ack-onepilot-ack-onepilot deployment and open its environment variable settings. The ONEPILOT_INIT_IMAGE_URL variable has a value similar to registry-cn-zhangjiakou-vpc.ack.aliyuncs.com/acs/ack-o... (a VPC internal image URL).
To prevent ack-onepilot from injecting an init-container that uses a VPC internal image, add the following environment variable to the ack-onepilot deployment: NODE_IS_EXTERNAL=true.
Then, in the ack-onepilot deployment, remove the -vpc suffix from ONEPILOT_INIT_IMAGE_URL. This allows the init-container image to be pulled from a public endpoint, such as registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-onepilot-init:3.2.5.
After the ack-onepilot deployment restarts, init-containers in newly instrumented applications no longer require VPC network access to pull their images.
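The two changes above can also be made with kubectl. The script below is an added example, not part of the original documentation: the namespace, deployment name and variable names are the ones given above, the function names are hypothetical, and it assumes ONEPILOT_INIT_IMAGE_URL is set on the deployment's first container.

```shell
#!/usr/bin/env bash
# Added example: namespace, deployment and variable names are from the page;
# the function names are hypothetical.
NS=ack-onepilot
DEPLOY=ack-onepilot-ack-onepilot

# Drop the "-vpc" suffix from the registry host only; the repository path
# and tag are left untouched. URLs without the suffix pass through unchanged.
strip_vpc_suffix() {
  printf '%s\n' "$1" | sed -E 's#^([^./]+)-vpc(\.[^/]+/)#\1\2#'
}

# Read the current value (assumption: the variable is on the first container).
current_init_image() {
  kubectl -n "$NS" get deployment "$DEPLOY" -o \
    jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="ONEPILOT_INIT_IMAGE_URL")].value}'
}

# Set NODE_IS_EXTERNAL=true, point the init image at the public endpoint,
# then wait for the ack-onepilot deployment to finish restarting.
apply_public_init_image() {
  old=$(current_init_image) || return 1
  [ -n "$old" ] || { echo "ONEPILOT_INIT_IMAGE_URL not found" >&2; return 1; }
  new=$(strip_vpc_suffix "$old")
  echo "old: $old"
  echo "new: $new"
  kubectl -n "$NS" set env "deployment/$DEPLOY" \
    NODE_IS_EXTERNAL=true "ONEPILOT_INIT_IMAGE_URL=$new" || return 1
  kubectl -n "$NS" rollout status "deployment/$DEPLOY"
}

# Only touch the cluster when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  apply_public_init_image
fi
```

Run the script with --apply to change the deployment; without it, only the functions are defined, so strip_vpc_suffix can be checked against a URL before anything is modified.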