This topic provides answers to some frequently asked questions about container networks.
Table of contents
Terway
Which network plug-in should I choose for an ACK cluster, Terway or Flannel?
How do I enable load balancing within a cluster in Terway IPVLAN mode?
How do I add the pod CIDR block to a whitelist if my cluster uses the Terway network plug-in?
Flannel
Which network plug-in should I choose for an ACK cluster, Terway or Flannel?
What do I do if a node has the NodeNetworkUnavailable taint?
How do I modify the number of node IP addresses, the pod CIDR block, and the Service IP block?
kube-proxy
How do I modify the IPVS load balancing algorithm in the kube-proxy configuration?
How do I modify the timeout period for IPVS UDP sessions in the kube-proxy configuration?
IPv6
How do I fix common issues related to IPv4/IPv6 dual stack?
Others
How do I resolve the issue that the cluster installed with the Terway network plug-in cannot access the Internet after I create a vSwitch for the cluster?
Issue
In the Terway network, after a new vSwitch is created to provide more IP addresses for pods, the cluster cannot access the Internet.
Cause
The new vSwitch that assigns IP addresses to pods does not have access to the Internet.
Solution
You can create a NAT gateway and configure SNAT rules to enable the new vSwitch to access the Internet. For more information, see Enable an existing ACK cluster to access the Internet.
How do I resolve the issue that Flannel becomes incompatible with clusters of Kubernetes 1.16 or later after I manually update Flannel?
Issue
After the Kubernetes version of a cluster is updated to 1.16 or later, the nodes in the cluster change to the NotReady state.
Cause
You manually updated Flannel but did not update the Flannel configuration. As a result, kubelet cannot recognize Flannel.
Solution
Run the following command to add the
cniVersionfield to the Flannel configuration file:kubectl edit cm kube-flannel-cfg -n kube-systemAdd the
cniVersionfield to the configuration file."name": "cb0", "cniVersion":"0.3.0", "type": "flannel",Run the following command to restart Flannel:
kubectl delete pod -n kube-system -l app=flannel
How do I resolve the issue that a pod is not immediately ready for communication after it is started?
Issue
After a pod is started, you must wait a period of time before the pod is ready for communication.
Cause
The network policies require a period of time to take effect. To resolve this issue, you can disable network policies.
Solution
Run the following command to modify the ConfigMap of Terway and disable network policies:
kubectl edit cm -n kube-system eni-configAdd the following field to the ConfigMap:
disable_network_policy: "true"Optional: If your Terway version is not up-to-date, update it to the latest version in the console.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Add-ons page, click the Networking tab, find the Terway section, and then click Upgrade.
In the Note message, click OK.
Run the following command to restart all Terway pods:
kubectl delete pod -n kube-system -l app=terway-eniip
How do I enable a pod to access a Service that is used to expose the pod?
Issue
Pods are not allowed to access Services that are used to expose them. If a pod accesses the Service that exposes the pod, the performance of the Service becomes unstable or scheduling errors may occur.
Cause
Your cluster uses a Flannel version that does not allow loopback requests.
Flannel versions earlier than 0.15.1.4-e02c8f12-aliyun do not allow loopback requests. If you directly update Flannel to 0.15.1.4-e02c8f12-aliyun or later, Flannel still does not allow loopback requests.
To allow loopback requests, you must uninstall the current Flannel version and then install Flannel 0.15.1.4-e02c8f12-aliyun or a later version.
Solution
Use a headless Service to expose and access applications. For more information, see Headless Services.
NoteWe recommend that you use this method.
Recreate the cluster to use Terway. For more information, see Work with Terway.
Modify the Flannel configuration, reinstall Flannel, and then recreate the pod.
NoteWe recommend that you do not use this method because the Flannel configuration may be overwritten when you update Flannel.
Run the following command to modify cni-config.json:
kubectl edit cm kube-flannel-cfg -n kube-systemAdd
hairpinMode: trueto thedelegateparameter.Example:
cni-conf.json: | { "name": "cb0", "cniVersion":"0.3.1", "type": "flannel", "delegate": { "isDefaultGateway": true, "hairpinMode": true } }Run the following command to restart Flannel:
kubectl delete pod -n kube-system -l app=flannelDelete and recreate the pod.
Which network plug-in should I choose for an ACK cluster, Terway or Flannel?
The following section describes the Flannel and Terway network plug-ins for ACK clusters.
You can select one of the following network plug-ins when you create an ACK cluster:
Flannel: a simple and stable Container Network Interface (CNI) plug-in developed by the Kubernetes community. You can use Flannel with Virtual Private Cloud (VPC) of Alibaba Cloud. This ensures that your clusters and containers run in a high-speed and stable network. However, Flannel provides only basic features and does not support standard Kubernetes network policies.
Terway: a network plug-in developed by ACK. Terway provides all the features of Flannel and allows you to attach Alibaba Cloud elastic network interfaces (ENIs) to containers. You can use Terway to configure access control policies for containers based on standard Kubernetes network policies. Terway also supports bandwidth throttling on individual containers. If you do not want to use Kubernetes network policies, you can choose Flannel. In other cases, we recommend that you choose Terway. For more information about Terway, see Work with Terway.
How do I plan the network of a cluster?
When you create an ACK cluster, you must specify a VPC, vSwitches, CIDR blocks of pods, and CIDR blocks of Services. We recommend that you plan the CIDR block of Elastic Compute Service (ECS) instances in the cluster, the pod CIDR block, and the Service CIDR block before you create an ACK cluster. For more information, see Plan CIDR blocks for an ACK cluster.
Can I use the hostPort feature to create port mappings in an ACK cluster?
Only Flannel allows you to use the hostPort feature to create port mappings in an ACK cluster.
A pod in a VPC can be accessed by other cloud resources that are deployed in the same VPC through the endpoint of the pod in the VPC. Therefore, port mapping is not required.
To expose applications to the Internet, you can use NodePort Services or LoadBalancer Services.
How do I check the network type and vSwitches of a cluster?
ACK supports two types of container network: Flannel and Terway.
To check the network type of the cluster, perform the following steps:
Log on to the ACK console and click Clusters in the left-side navigation pane.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column. The details page of the cluster appears.
On the Basic Information tab, check the value of Network Plug-in in the Cluster Information section.
If the value of Network Plug-in is terway-eniip, the Terway network is used.
If the value of Network Plug-in is Flannel, the Flannel network is used.
To check the vSwitch to which the nodes in the network belong, perform the following steps:
Log on to the ACK console and click Clusters in the left-side navigation pane.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the Node Pools page, find the node pool that you want to manage and click Details in the Actions column.
In the Node Configurations section, check the value of Node vSwitch.
To check the vSwitch to which the pods in the Terway network belong, perform the following steps:
Only pods in the Terway network require a vSwitch. Pods in the Flannel network do not require a vSwitch.
Log on to the ACK console and click Clusters in the left-side navigation pane.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column. Then, the details page of the cluster appears.
On the details page of the cluster, click the Cluster Resources tab and check the value of Pod vSwitch.
How do I check the cloud resources used in an ACK cluster?
You can perform the following steps to check the cloud resources used in ACK clusters, such as vSwitches, VPCs, and worker RAM roles:
Log on to the ACK console and click Clusters in the left-side navigation pane.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column. The details page of the cluster appears.
On the Cluster Resources tab, view information about the cloud resources that are used in the cluster.
How do I modify the kube-proxy configuration?
By default, a DaemonSet named kube-proxy-worker is deployed in an ACK managed cluster for load balancing. You can modify the ConfigMap named kube-proxy-worker to change the parameters of the kube-proxy-worker DaemonSet. If you use an ACK dedicated cluster, a DaemonSet and a ConfigMap both named kube-proxy-master are deployed on each master node.
The kube-proxy configuration items in ACK are fully compatible with the open source KubeProxyConfiguration. You can refer to the open source version when you customize configurations. For more information, see kube-proxy configuration. The kube-proxy configuration must conform to specific formats. Do not omit colons (:) or space characters. Perform the following steps to modify the kube-proxy configuration:
If you use an ACK managed cluster, modify the kube-proxy-worker ConfigMap.
Log on to the ACK console and click Clusters in the left-side navigation pane.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
On the ConfigMap page, select the kube-system namespace, find the kube-proxy-worker ConfigMap, and then click Edit YAML in the Actions column.
In the View in YAML panel, modify the parameters and click OK.
Recreate all kube-proxy-worker pods for the configuration to take effect.
ImportantYour workloads are not interrupted when kube-proxy is restarted. However, new releases will be postponed because the system must wait until kube-proxy is restarted. We recommend that you restart kube-proxy during off-peak hours.
In the left-side navigation pane of the details page, choose .
On the DaemonSets page, find and click kube-proxy-worker.
On the Pods tab of the kube-proxy-worker page, select a pod and choose in the Actions column. In the message that appears, click OK.
Repeat the preceding steps to delete all of the pods. After you delete the pods, the system automatically recreates the pods.
If you use an ACK dedicated cluster, modify the kube-proxy-worker and kube-proxy-master Configmaps, and then delete the kube-proxy-worker and kube-proxy-master pods. The system automatically recreates them. For more information, see the preceding steps.
How do I increase the maximum number of tracked connections in the conntrack table of the Linux kernel?
If the dmesg command returns the conntrack full message, it indicates that the number of tracked connections in the conntrack table has exceeded the limit specified by conntrack_max. In this case, you may need to increase the maximum number of tracked connections in the conntrack table.
Run the conntrack -L command to check the proportions of protocols used by the connections in the conntrack table.
If a large number of TCP connections are found, you must check the application type and consider using long-lived connections to replace short-lived connections.
If a large number of DNS connections are found, you must use NodeLocal DNSCache to improve DNS performance for your cluster. For more information, see Configure NodeLocal DNSCache.
If the proportions of connections in the conntrack table are proper or you do not want to modify the application, you can add the maxPerCore parameter to the kube-proxy configuration to adjust the maximum number of tracked connections.
If you use an ACK managed cluster, add the maxPerCore parameter to the kube-proxy-worker ConfigMap and set its value to 65536 or greater. Then, delete the kube-proxy-worker pods. The system automatically recreates the pods for the configuration to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete its pods, see How do I modify the kube-proxy configuration?
apiVersion: v1 kind: ConfigMap metadata: name: kube-proxy-worker namespace: kube-system data: config.conf: | apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration featureGates: IPv6DualStack: true clusterCIDR: 172.20.0.0/16 clientConnection: kubeconfig: /var/lib/kube-proxy/kubeconfig.conf conntrack: maxPerCore: 65536 // Set maxPerCore to a proper value. Default value: 65536. mode: ipvs # Irrelevant fields are not shown.If you use an ACK dedicated cluster, add the maxPerCore parameter to the kube-proxy-worker and kube-proxy-master ConfigMaps and set its value to 65536 or greater. Then, delete the kube-proxy-worker and kube-proxy-master pods. The system automatically recreates the pods for the configurations to take effect. For more information about how to modify the kube-proxy-worker and kube-proxy-master ConfigMaps and delete their pods, see How do I modify the kube-proxy configuration?
How do I modify the IPVS load balancing algorithm in the kube-proxy configuration?
You can modify the IPVS load balancing algorithm in the kube-proxy configuration to resolve the issue that a large number of long-lived connections are not evenly distributed. To do this, perform the following steps:
Select a proper scheduling algorithm. For more information about how to select scheduling algorithms, see Parameter changes on Kubernetes Blog.
By default, cluster nodes that were created before October 2022 may not have all IPVS scheduling algorithms enabled. You need to manually enable the IPVS kernel modules on all cluster nodes. The following example uses the least connections algorithm as an example. If you want to use other scheduling algorithms, replace the lc keyword. Log on to each node, run the lsmod | grep ip_vs_lc command, and check the output.
If the output contains ip_vs_lc, the kernel modules are loaded. You can skip this step.
If the kernel modules are not loaded, run the modprobe ip_vs_lc command for the node to immediately take effect. Then, run the echo "ip_vs_lc" >> /etc/modules-load.d/ack-ipvs-modules.conf command to restart the node.
Set the ipvs scheduler parameter to the proper scheduling algorithm.
If you use an ACK managed cluster, set the ipvs scheduler parameter to the proper scheduling algorithm in the kube-proxy-worker ConfigMap. Then, delete the kube-proxy-worker pods. The system automatically recreates the pods for the configuration to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete its pods, see How do I modify the kube-proxy configuration?
apiVersion: v1 kind: ConfigMap metadata: name: kube-proxy-worker namespace: kube-system data: config.conf: | apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration featureGates: IPv6DualStack: true clusterCIDR: 172.20.0.0/16 clientConnection: kubeconfig: /var/lib/kube-proxy/kubeconfig.conf conntrack: maxPerCore: 65536 mode: ipvs ipvs: scheduler: lc // Set scheduler to a proper scheduling algorithm. # Irrelevant fields are not shown.If you use an ACK dedicated cluster, set the ipvs scheduler parameter to the proper scheduling algorithm in the kube-proxy-worker and kube-proxy-master ConfigMaps. Then, delete the kube-proxy-worker and kube-proxy-master pods. The system automatically recreates the pods for the configurations to take effect. For more information about how to modify the kube-proxy-worker and kube-proxy-master ConfigMaps and delete their pods, see How do I modify the kube-proxy configuration?
View the kube-proxy log.
Run the kubectl get pods command to check whether the status of the kube-proxy-worker container in the kube-system namespace is Running. If your cluster is an ACK dedicated cluster, you also need to check the status of the kube-proxy-master container.
Run the kubectl logs command to view the log of the container.
If the log contains Can't use the IPVS proxier: IPVS proxier will not be used because the following required kernel modules are not loaded: [ip_vs_lc], the IPVS kernel modules fail to be loaded. You need to check whether the preceding steps are performed without errors and then try again.
If the log contains Using iptables Proxier., kube-proxy fails to enable the IPVS kernel modules and switches back to the iptables mode. In this scenario, we recommend that you roll back the kube-proxy configuration and then restart the node.
If the log does not contain the preceding messages and contains Using ipvs Proxier., the IPVS kernel modules are enabled.
If kube-proxy passes the preceding checks, the load balancing algorithm is modified.
How do I modify the timeout period for IPVS UDP sessions in the kube-proxy configuration?
If the kube-proxy mode is set to IPVS in your cluster, the default session persistence policy of IPVS may cause packet loss five minutes after the UDP connection is closed. If your application is dependent on CoreDNS, issues such as API latency and request timeouts may occur five minutes after CoreDNS is updated or its host is restarted.
If your applications in the cluster do not use the UDP protocol, you can reduce the timeout period for IPVS UDP sessions to minimize the effect of DNS resolution latency or failures. To do this, perform the following steps:
If your applications use UDP, submit a ticket.
ACK clusters that run Kubernetes 1.18 or later
If you use an ACK managed cluster, modify the udpTimeout parameter in the kube-proxy-worker ConfigMap. Then, delete the kube-proxy-worker pods. The system automatically recreates the pods for the configuration to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete its pods, see How do I modify the kube-proxy configuration?
apiVersion: v1 kind: ConfigMap metadata: name: kube-proxy-worker namespace: kube-system data: config.conf: | apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration # Irrelevant fields are not shown. mode: ipvs // If the ipvs field does not exist, you must add the field. ipvs: udpTimeout: 10s // The default timeout period is 300 seconds. In this example, the timeout period is set to 10 seconds. This way, the time period during which packet loss may occur is reduced to 10 seconds after a UDP connection is closed.If you use an ACK dedicated cluster, modify the udpTimeout parameter in the kube-proxy-worker and kube-proxy-master ConfigMaps. Then, delete the kube-proxy-worker and kube-proxy-master pods. The system automatically recreates the pods for the configurations to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete its pods, see How do I modify the kube-proxy configuration?
ACK clusters that run Kubernetes 1.16 or earlier
kube-proxy in an ACK cluster that runs Kubernetes 1.16 or an earlier version does not support the udpTimeout parameter. To change the timeout period of UDP sessions, we recommend that you use OOS to run the following
ipvsadmcommands on all ECS instances in the cluster at the same time: Run the following commands:yum install -y ipvsadm ipvsadm -L --timeout > /tmp/ipvsadm_timeout_old ipvsadm --set 900 120 10 ipvsadm -L --timeout > /tmp/ipvsadm_timeout_new diff /tmp/ipvsadm_timeout_old /tmp/ipvsadm_timeout_newFor more information about how to use OOS to manage multiple ECS instances at the same time, see Manage multiple instances at a time.
How do I fix common issues related to IPv4/IPv6 dual stack?
Issue: The pod IP addresses displayed in kubectl are still IPv4 addresses.
Solution: Run the following command to display pod IPv6 addresses:
kubectl get pods -A -o jsonpath='{range .items[*]}{@.metadata.namespace} {@.metadata.name} {@.status.podIPs[*].ip} {"\n"}{end}'Issue: The cluster IP addresses displayed in kubectl are still IPv4 addresses.
Solution:
Confirm that the spec.ipFamilyPolicy field is not set to SingleStack.
Run the following command to display cluster IPv6 addresses:
kubectl get svc -A -o jsonpath='{range .items[*]}{@.metadata.namespace} {@.metadata.name} {@.spec.ipFamilyPolicy} {@.spec.clusterIPs[*]} {"\n"}{end}'
Issue: You cannot access a pod through its IPv6 address.
Cause: By default, some applications do not listen on IPv6 addresses, such as NGINX containers.
Solution: Run the
netstat -anpcommand to check whether the pod listens on IPv6 addresses.Expected output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.XX.XX:10248 0.0.0.0:* LISTEN 8196/kubelet tcp 0 0 127.0.XX.XX:41935 0.0.0.0:* LISTEN 8196/kubelet tcp 0 0 0.0.XX.XX:111 0.0.0.0:* LISTEN 598/rpcbind tcp 0 0 0.0.XX.XX:22 0.0.0.0:* LISTEN 3577/sshd tcp6 0 0 :::30500 :::* LISTEN 1916680/kube-proxy tcp6 0 0 :::10250 :::* LISTEN 8196/kubelet tcp6 0 0 :::31183 :::* LISTEN 1916680/kube-proxy tcp6 0 0 :::10255 :::* LISTEN 8196/kubelet tcp6 0 0 :::111 :::* LISTEN 598/rpcbind tcp6 0 0 :::10256 :::* LISTEN 1916680/kube-proxy tcp6 0 0 :::31641 :::* LISTEN 1916680/kube-proxy udp 0 0 0.0.0.0:68 0.0.0.0:* 4892/dhclient udp 0 0 0.0.0.0:111 0.0.0.0:* 598/rpcbind udp 0 0 47.100.XX.XX:323 0.0.0.0:* 6750/chronyd udp 0 0 0.0.0.0:720 0.0.0.0:* 598/rpcbind udp6 0 0 :::111 :::* 598/rpcbind udp6 0 0 ::1:323 :::* 6750/chronyd udp6 0 0 fe80::216:XXXX:fe03:546 :::* 6673/dhclient udp6 0 0 :::720 :::* 598/rpcbindIf the value in the
Protocolumn istcp, it indicates that the pod listens on IPv4 addresses. If the value istcp6, the pod listens on IPv6 addresses.Issue: You can access a pod through its IPv6 address from within the cluster but not from the Internet.
Cause: No public bandwidth is configured for the IPv6 address.
Solution: Configure public bandwidth for the IPv6 address. For more information, see Enable and manage IPv6 Internet bandwidth.
Issue: You cannot access a pod through the cluster IPv6 address.
Solution:
Confirm that the spec.ipFamilyPolicy field is not set to SingleStack.
Run the
netstat -anpcommand to check whether the pod listens on IPv6 addresses.Expected output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.XX.XX:10248 0.0.0.0:* LISTEN 8196/kubelet tcp 0 0 127.0.XX.XX:41935 0.0.0.0:* LISTEN 8196/kubelet tcp 0 0 0.0.XX.XX:111 0.0.0.0:* LISTEN 598/rpcbind tcp 0 0 0.0.XX.XX:22 0.0.0.0:* LISTEN 3577/sshd tcp6 0 0 :::30500 :::* LISTEN 1916680/kube-proxy tcp6 0 0 :::10250 :::* LISTEN 8196/kubelet tcp6 0 0 :::31183 :::* LISTEN 1916680/kube-proxy tcp6 0 0 :::10255 :::* LISTEN 8196/kubelet tcp6 0 0 :::111 :::* LISTEN 598/rpcbind tcp6 0 0 :::10256 :::* LISTEN 1916680/kube-proxy tcp6 0 0 :::31641 :::* LISTEN 1916680/kube-proxy udp 0 0 0.0.0.0:68 0.0.0.0:* 4892/dhclient udp 0 0 0.0.0.0:111 0.0.0.0:* 598/rpcbind udp 0 0 47.100.XX.XX:323 0.0.0.0:* 6750/chronyd udp 0 0 0.0.0.0:720 0.0.0.0:* 598/rpcbind udp6 0 0 :::111 :::* 598/rpcbind udp6 0 0 ::1:323 :::* 6750/chronyd udp6 0 0 fe80::216:XXXX:fe03:546 :::* 6673/dhclient udp6 0 0 :::720 :::* 598/rpcbindIf the value in the
Protocolumn istcp, it indicates that the pod listens on IPv4 addresses. If the value istcp6, the pod listens on IPv6 addresses.Issue: You cannot access the Internet from a pod by using an IPv6 address.
Solution: Create an IPv6 gateway for the VPC in which the pod resides and configure public bandwidth for the IPv6 address that you use. For more information, see Create and manage an IPv6 gateway and Enable and manage IPv6 Internet bandwidth.
What do I do if an ACK cluster in which Terway is installed has insufficient idle vSwitch IP addresses?
Issue
You failed to create a pod. After you log on to the VPC console, select the region where you want to create the pod, and click vSwitch, you find that the Available IP Addresses column of the vSwitch used by your cluster displays 0. For more information about how to troubleshoot this issue, see What to do next.
Cause
The vSwitch used by the Terway network of the node does not have sufficient idle IP addresses. Consequently, no IP address is assigned to the pod that you want to create and the pod remains in the ContainerCreating state.
Solution
To resolve this issue, add another vSwitch:
Log on to the VPC console, select a region in the top navigation bar, and then click a vSwitch.
NoteThe vSwitch must reside in the region and zone of the vSwitch that does not have sufficient idle IP addresses. If the number of pods continuously grows, we recommend that you set the mask length of the vSwitch CIDR block for pods to a value no greater than 19. This ensures that the CIDR block contains at least 8,192 IP addresses.
Run the following command to delete all Terway pods. The system then recreates the Terway pods.
NoteIf you choose Terway when you create the cluster and have selected Assign One ENI to Each Pod, your elastic network interface (ENI) has only one IP address. If you do not select this option, your ENI has multiple IP addresses. For more information, see Terway.
If the ENI uses multiple IP addresses:
kubectl delete -n kube-system pod -l app=terway-eniipIf the ENI uses only one IP address:
kubectl delete -n kube-system pod -l app=terway-eni
Run the
kubectl get podcommand to verify that all Terway pods are recreated.Create a pod. Verify that the pod is created and an IP address is assigned from the vSwitch to the pod.
What to do next
Connect to your ACK cluster and run the
kubectl get podcommand. The output indicates that the pod is in the ContainerCreating state. For more information about how to connect to an ACK cluster, see Connect to an ACK cluster by using kubectl. Run the following command to print the Terway container log of the node that hosts the pod:kubectl get pod -l app=terway-eniip -n kube-system | grep [$Node_Name] # [$Node_Name] indicates the name of the node that hosts the pod. You can use the node name to locate the Terway pod on the node. kubectl logs --tail=100 -f [$Pod_Name] -n kube-system -c terway # [$Pod_Name] indicates the name of the Terway pod on the node.If the InvalidVSwitchId.IpNotEnough error is displayed, the vSwitch does not have sufficient idle IP addresses.
time="2020-03-17T07:03:40Z" level=warning msg="Assign private ip address failed: Aliyun API Error: RequestId: 2095E971-E473-4BA0-853F-0C41CF52651D Status Code: 403 Code: InvalidVSwitchId.IpNotEnough Message: The specified VSwitch \"vsw-AAA\" has not enough IpAddress., retrying"
What do I do if the IP address of a newly created pod does not fall within the vSwitch CIDR block in Terway mode?
Issue
In Terway mode, the IP address of a newly created pod does not fall within the vSwitch CIDR block.
Cause
After the pod is created, the ENI of the ECS instance assigns an IP address from the VPC CIDR block to the pod. You can configure vSwitches only if a newly created ENI is attached to the node. If an ENI is attached to the node before you add the node to the cluster or modify vSwitches used by Terway, the ENI assigns IP addresses to newly created pods on the node from the vSwitch to which the ENI belongs.
This issue may occur in the following scenarios:
You add a node that is removed from another cluster to your cluster. The node was not drained when it was removed. In this case, the node uses the ENI that was attached by the cluster to which the node previously belonged.
You manually add or modify the vSwitches used by Terway. However, a node may still be attached to the original ENI. In this case, the ENI assigns IP addresses to newly created pods on the node from the vSwitch to which the ENI belongs.
Solution
Create new nodes or create pods on other nodes.
What do I do if the IP address of a newly created pod does not fall within the vSwitch CIDR block after I add a vSwitch in Terway mode?
Issue
In Terway mode, the IP address of a newly created pod does not fall within the vSwitch CIDR block after you add a vSwitch.
Cause
After the pod is created, the ENI of the ECS instance assigns an IP address from the VPC CIDR block to the pod. You can configure vSwitches only if a newly created ENI is attached to the node. If an ENI is attached to the node before you add the node to the cluster or modify vSwitches used by Terway, the ENI assigns IP addresses to newly created pods on the node from the vSwitch to which the ENI belongs. If the number of ENIs that are attached to the node reaches the upper limit, new ENIs cannot be created. As a result, an error is returned. For more information about the ENI quota, see Overview.
Solution
Create new nodes or create pods on other nodes.
How do I enable load balancing within a cluster in Terway IPVLAN mode?
Issue
In Terway IPVLAN mode, when you create a cluster that uses Terway 1.2.0 or a later version, load balancing is automatically enabled within the cluster. If you access an external IP address or an SLB instance from within a cluster, the traffic is routed to the backend Service. How do I enable load balancing within an existing cluster that uses the Terway IPVLAN mode?
Cause
If you access an external IP address or an SLB instance from within a cluster, kube-proxy directly routes the traffic to the endpoint of the backend Service. In Terway IPVLAN mode, the traffic is handled by Cilium instead of kube-proxy. This feature is not supported in Terway versions earlier than 1.2.0. This feature is automatically enabled for clusters that use Terway 1.2.0 or later versions. You must manually enable this feature for clusters that use Terway versions earlier than 1.2.0.
Solution
Update Terway to 1.2.0 or later and enable the IPVLAN mode.
If the IPVLAN mode is not enabled, the following configuration does not take effect.
This feature is automatically enabled for newly created clusters that use Terway 1.2.0 or later versions.
Run the following command to modify the eni_conf ConfigMap of the Terway configurations:
kubectl edit cm eni-config -n kube-systemAdd the following content to the eni_conf ConfigMap:
in_cluster_loadbalance: "true"NoteMake sure that
in_cluster_loadbalanceis aligned witheni_conf.Run the following command to enable load balancing within the cluster by recreating the Terway pod:
kubectl delete pod -n kube-system -l app=terway-eniipVerify the configuration
Run the following command to print the policy log in terway-ennip. If the log displays
enable-in-cluster-loadbalance=true, the modification is in effect.kubectl logs -n kube-system <terway pod name> policy | grepenable-in-cluster-loadbalance
How do I add the pod CIDR block to a whitelist if my cluster uses the Terway network plug-in?
Issue
You want to enforce access control on services such as database services by using whitelists. To configure access control in container networks, you must add pod IP addresses to a whitelist. However, pod IP addresses dynamically change.
Cause
ACK provides the Flannel and Terway network plug-ins to set up the container network:
If your cluster uses Flannel as the network plug-in, pods in the cluster use the IP addresses of the nodes that host the pods to access services such as database services. You can schedule client pods to a small number of nodes and then add the IP addresses of these nodes to the whitelist of a database service.
If your cluster uses Terway as the network plug-in, ENIs assign IP addresses to pods in the cluster. Pods use the IP addresses assigned by ENIs to access external services. Therefore, client pods do not use the IP addresses of nodes to access external services even if you schedule the client pods to specific nodes based on affinity settings. Random IP addresses are allocated to pods from the vSwitch that is specified by Terway. In most cases, auto scaling is required for pods. Therefore, static IP addresses are not suitable for pods. To meet the requirement of auto scaling, we recommend that you specify a CIDR block for pods and then add the CIDR block to the whitelist of a database service that you want to access.
Solution
Add a label to a node to specify the vSwitch that is used to allocate IP addresses to pods. This way, the system uses the vSwitch to allocate IP addresses to pods when the pods are scheduled to the node with the specified label.
Create a ConfigMap named eni-config-fixed in the kube-system namespace. Specify the vSwitch that you want to use in the ConfigMap.
In this example, the vsw-2zem796p76viir02c**** vSwitch is used. The CIDR block of the vSwitch is 10.2.1.0/24.
apiVersion: v1 data: eni_conf: | { "vswitches": {"cn-beijing-h":["vsw-2zem796p76viir02c****"]}, "security_group": "sg-bp19k3sj8dk3dcd7****", "security_groups": ["sg-bp1b39sjf3v49c33****","sg-bp1bpdfg35tg****"] } kind: ConfigMap metadata: name: eni-config-fixed namespace: kube-systemCreate a node pool and add the
terway-config: eni-config-fixedlabel to nodes in the node pool. For more information about how to create a node pool, see Create a node pool.To ensure that irrelevant pods are not scheduled to the nodes in the node pool, add specific taints, for example,
fixed=true:NoSchedule, to the nodes.
Scale out the node pool. For more information, see Increase the number of nodes in an ACK cluster.
The label and taint that you added in the previous step are automatically added to the nodes that are newly added to the node pool.
Create pods. To ensure that the pods are scheduled to nodes with the
terway-config: eni-config-fixedlabel, you must add a specific toleration rule to the pod configuration.apiVersion: apps/v1 # Use apps/v1beta1 in clusters whose Kubernetes versions are earlier than 1.8.0. kind: Deployment metadata: name: nginx-fixed labels: app: nginx-fixed spec: replicas: 2 selector: matchLabels: app: nginx-fixed template: metadata: labels: app: nginx-fixed spec: tolerations: # Add a toleration. - key: "fixed" operator: "Equal" value: "true" effect: "NoSchedule" nodeSelector: terway-config: eni-config-fixed containers: - name: nginx image: nginx:1.9.0 # Replace the value with the actual image that you use. Set the value in the following format: <image_name:tags>. ports: - containerPort: 80Verify the result
Run the following command to query the IP addresses of the pods that you created:
kubectl get po -o wide | grep fixedExpected output:
nginx-fixed-57d4c9bd97-l**** 1/1 Running 0 39s 10.2.1.124 bj-tw.062149.aliyun.com <none> <none> nginx-fixed-57d4c9bd97-t**** 1/1 Running 0 39s 10.2.1.125 bj-tw.062148.aliyun.com <none> <none>The output shows that the IP addresses of the pods are allocated from the vSwitch that you specified.
Run the following command to increase the number of pods to 30:
kubectl scale deployment nginx-fixed --replicas=30Expected output:
nginx-fixed-57d4c9bd97-2**** 1/1 Running 0 60s 10.2.1.132 bj-tw.062148.aliyun.com <none> <none> nginx-fixed-57d4c9bd97-4**** 1/1 Running 0 60s 10.2.1.144 bj-tw.062149.aliyun.com <none> <none> nginx-fixed-57d4c9bd97-5**** 1/1 Running 0 60s 10.2.1.143 bj-tw.062148.aliyun.com <none> <none> ...The output shows that the IP addresses of the pods are allocated from the vSwitch that you specified. You can add the CIDR block of the vSwitch to the whitelist of a database service that you want to access. This way, access control is enforced for pods that use dynamic IP addresses.
We recommend that you create new nodes. If you use existing nodes, you must disassociate ENIs from the ECS instances before you can add the ECS instances to the cluster. You must add existing nodes in Auto mode. In Auto mode, the system disks of the nodes are replaced. For more information, see Unbind an ENI and Automatically add ECS instances.
You must add specific labels and taints to the nodes in the node pools that you want to use to host client pods. This ensures that irrelevant pods are not scheduled to the node pools.
After you create the eni-config-fixed ConfigMap, it overwrites the eni-config ConfigMap. For more information about how to configure the eni-config ConfigMap, see Dynamic Terway configuration on nodes.
We recommend that you specify a vSwitch that can provide at least twice as many IP addresses as the client pods. This ensures sufficient IP addresses when pods are scaled out or IP addresses cannot be reclaimed.
What do I do if I fail to ping ECS nodes from a pod?
Issue
Your cluster uses Flannel as the network plug-in and the VPN gateway works as normal. After you log on to a pod, you fail to ping specific ECS nodes.
Cause
The following causes are possible:
Cause 1: The ECS instances that you accessed from the pod are deployed in the same VPC as the cluster in which the pod is deployed but do not belong to the same security group as the cluster.
Cause 2: The ECS instances that you accessed from the pod are not deployed in the same VPC as the cluster in which the pod is deployed.
Solution
The solution to the issue varies based on the cause.
If the issue is caused by Cause 1, you must add the ECS instances to the security group to which the cluster belongs. For more information, see Step 2: Configure a security group.
If the issue is caused by Cause 2, you must add the public IP address of the cluster in which the pod is deployed to the inbound rules of the security group to which the ECS instances belong.
What do I do if a node has the NodeNetworkUnavailable taint?
Issue
In a cluster that uses Flannel, if a newly added node has the NodeNetworkUnavailable taint, pods cannot be scheduled to the node.
Cause
The NodeNetworkUnavailable taint is not deleted by the cloud controller manager (CCM) due to reasons such as that the route table is full or the VPC has multiple route tables.
Solution
Run the kubectl describe node command to check the node events and fix the issue based on the issue details in the output.
What do I do if I fail to launch a pod and the following error message is displayed: no IP addresses available in range?
Issue
You fail to launch a pod in the Flannel network and the following message is displayed in the relevant pod event: failed to allocate for range 0: no IP addresses available in range set: 172.30.34.129-172.30.34.190.
Cause
Solution
If the Kubernetes version of your cluster is earlier than 1.20, update the Kubernetes version to 1.20 or later. For more information, see Update an ACK cluster.
If the version of the Flannel plug-in used by your cluster is earlier 0.15.1.11-7e95fe23-aliyun, update the Flannel plug-in to 0.15.1.11-7e95fe23-aliyun or later. To do this, perform the following steps:
If Flannel 0.15.1.11-7e95fe23-aliyun or later is used by your cluster, ACK migrates the database that stores the default CIDR block to the temporary directory /var/run. If a node is restarted, the system automatically deletes the data in the temporary directory to prevent leaking the IP addresses in the temporary directory.
Update Flannel to 0.15.1.11-7e95fe23-aliyun or later. For more information, see Manage components.
Run the following command to modify the kube-flannel-cfg file. Then, add the dataDir and ipam parameters to the kube-flannel-cfg file.
kubectl -n kube-system edit cm kube-flannel-cfgExample of the kube-flannel-cfg file:
# The original setting { "name": "cb0", "cniVersion":"0.3.1", "plugins": [ { "type": "flannel", "delegate": { "isDefaultGateway": true, "hairpinMode": true }, }, // portmap # This section may not be used in earlier versions of Flannel. You can ignore this section if it is not required. { "type": "portmap", "capabilities": { "portMappings": true }, "externalSetMarkChain": "KUBE-MARK-MASQ" } ] } # The modified setting { "name": "cb0", "cniVersion":"0.3.1", "plugins": [ { "type": "flannel", "delegate": { "isDefaultGateway": true, "hairpinMode": true }, // Add a comma (,) to the end of each parameter. "dataDir": "/var/run/cni/flannel", "ipam": { "type": "host-local", "dataDir": "/var/run/cni/networks" } }, { "type": "portmap", "capabilities": { "portMappings": true }, "externalSetMarkChain": "KUBE-MARK-MASQ" } ] }Run the following command to restart Flannel pods:
The restart operation does not interrupt workloads that are running.
kubectl -n kube-system delete pod -l app=flannelDelete the directories that store CIDR blocks on nodes and then restart the nodes.
Drain nodes. For more information, see Set node schedulability.
Log on to each node and run the following command to delete the directory that stores the CIDR block:
rm -rf /etc/cni/ rm -rf /var/lib/cni/Restart nodes. For more information, see Restart instances.
Perform the preceding steps to delete the directories that store CIDR blocks on all nodes in your cluster.
Run the following command to check whether a temporary directory is created on the node to store the CIDR block:
if [ -d /var/lib/cni/networks/cb0 ]; then echo "not using tmpfs"; fi if [ -d /var/run/cni/networks/cb0 ]; then echo "using tmpfs"; fi cat /etc/cni/net.d/10-flannel.conf*If
using tmpfsis returned, the current node has migrated the database that stores the default CIDR block to the temporary directory /var/run.
If you cannot update the Kubernetes version of your cluster or the Flannel plug-in used by your cluster, you can use the following method to resolve the issue of pod IP leakage in the preceding scenarios. The following method applies only to pod IP address leaks that occur due to the preceding reasons.
This method is used to delete the leaked pod IP addresses. You cannot use this method to prevent pod IP address leaks.
NoteThe following commands are not applicable to nodes that use Flannel 0.15.1.11-7e95fe23-aliyun or later and have stored CIDR blocks in the /var/run directory.
The following script is for reference only. If you have configured custom node configurations, you may fail to execute the script.
Set the node on which pod IP addresses are leaked as Unschedulable. For more information, see Set node schedulability.
Select a script based on the container runtime used by the node and execute the script on the node to delete the leaked pod IP addresses.
If the node uses Docker, execute the following script on the node to delete the leaked pod IP addresses:
#!/bin/bash cd /var/lib/cni/networks/cb0; docker ps -q > /tmp/running_container_ids find /var/lib/cni/networks/cb0 -regex ".*/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" -printf '%f\n' > /tmp/allocated_ips for ip in $(cat /tmp/allocated_ips); do cid=$(head -1 $ip | sed 's/\r#g' | cut -c-12) grep $cid /tmp/running_container_ids > /dev/null || (echo removing leaked ip $ip && rm $ip) doneIf the node uses containerd, execute the following script on the node to delete the leaked pod IP addresses:
#!/bin/bash # install jq yum install -y jq # export all running pod's configs crictl -r /run/containerd/containerd.sock pods -s ready -q | xargs -n1 crictl -r /run/containerd/containerd.sock inspectp > /tmp/flannel_ip_gc_all_pods # export and sort pod ip cat /tmp/flannel_ip_gc_all_pods | jq -r '.info.cniResult.Interfaces.eth0.IPConfigs[0].IP' | sort > /tmp/flannel_ip_gc_all_pods_ips # export flannel's all allocated pod ip ls -alh /var/lib/cni/networks/cb0/1* | cut -f7 -d"/" | sort > /tmp/flannel_ip_gc_all_allocated_pod_ips # print leaked pod ip comm -13 /tmp/flannel_ip_gc_all_pods_ips /tmp/flannel_ip_gc_all_allocated_pod_ips > /tmp/flannel_ip_gc_leaked_pod_ip # clean leaked pod ip echo "Found $(cat /tmp/flannel_ip_gc_leaked_pod_ip | wc -l) leaked Pod IP, press <Enter> to clean." read sure # delete leaked pod ip for pod_ip in $(cat /tmp/flannel_ip_gc_leaked_pod_ip); do rm /var/lib/cni/networks/cb0/${pod_ip} done echo "Leaked Pod IP cleaned, removing temp file." rm /tmp/flannel_ip_gc_all_pods_ips /tmp/flannel_ip_gc_all_pods /tmp/flannel_ip_gc_leaked_pod_ip /tmp/flannel_ip_gc_all_allocated_pod_ips
Set the node as Schedulable. For more information, see Set node schedulability.
How do I modify the number of node IP addresses, the pod CIDR block, and the Service IP block?
The number of node IP addresses, the pod CIDR block, and the Service IP block cannot be modified after you create a cluster. We recommend that you set these items to proper values when you create a cluster.