This topic provides answers to some frequently asked questions about container networks.

Index

FAQ about Terway

FAQ about Flannel

FAQ about kube-proxy

FAQ about IPv6

How do I fix common issues related to IPv4/IPv6 dual stack?

Other issues

How do I resolve the issue that the cluster installed with the Terway network plug-in cannot access the Internet after I create a vSwitch for the cluster?

Issue

In the Terway network, after a new vSwitch is created to provide more IP addresses for pods, the cluster cannot access the Internet.

Cause

The new vSwitch that assigns IP addresses to pods does not have access to the Internet.

Solution

You can create a NAT gateway and configure SNAT rules to enable the new vSwitch to access the Internet. For more information, see Enable an existing ACK cluster to access the Internet.

How do I resolve the issue that Flannel becomes incompatible with clusters of Kubernetes 1.16 or later after I manually update Flannel?

Issue

After the Kubernetes version of a cluster is updated to 1.16 or later, the nodes in the cluster change to the NotReady state.

Cause

You manually updated Flannel but did not update the Flannel configuration. As a result, kubelet cannot recognize Flannel.

Solution

  1. Run the following command to modify the Flannel configuration file and add the cniVersion field. 
    kubectl edit cm kube-flannel-cfg -n kube-system

    Add the cniVersion field to the configuration file. 

    "name": "cb0",      
"cniVersion":"0.3.0",
"type": "flannel",
  2. Run the following command to restart Flannel: 
    kubectl delete pod -n kube-system -l app=flannel

How do I resolve the issue that a pod is not immediately ready for communication after it is started?

Issue

After a pod is started, you must wait for a period of time before the pod is ready for communication.

Cause

The network policies require a period of time to take effect. To resolve this issue, you can disable network policies.

Solution

  1. Run the following command to modify the ConfigMap of Terway and disable network policies: 
    kubectl edit cm -n kube-system eni-config

    Add the following field to the ConfigMap: 

    disable_network_policy: "true"
  2. Optional:If Terway is not updated to the latest version, log on to the Container Service for Kubernetes (ACK) console and update Terway.
    1. Log on to the ACK console and click Clusters in the left-side navigation pane.
    2. On the Clusters page, click the name of a cluster and choose Operations > Add-ons in the left-side navigation pane.
    3. On the Add-ons page, click the Networking tab, find the Terway section, and then click Upgrade.
    4. In the Note message that appears, click OK.
  3. Run the following command to restart all Terway pods: 
     kubectl delete pod -n kube-system -l app=terway-eniip

How do I enable a pod to access a Service that is used to expose the pod?

Issue

Pods are not allowed to access Services that are used to expose them. If a pod accesses the Service that is exposed on the pod, the performance of the Service becomes unstable or scheduling errors may occur.

Cause

Your cluster uses a Flannel version that does not allow loopback requests.
Note
  • Flannel versions earlier than 0.15.1.4-e02c8f12-aliyun do not allow loopback requests. If you directly update Flannel to 0.15.1.4-e02c8f12-aliyun or later, Flannel still does not allow loopback requests.
  • To allow loopback requests, you must uninstall the current Flannel version and then install Flannel 0.15.1.4-e02c8f12-aliyun or a later version.

Solution

  • Use a headless Service to expose and access applications. For more information, see Headless Services.
    Note We recommend that you use this method.
  • Recreate a cluster that uses the Terway network plug-in. For more information, see Work with Terway.
  • Modify the Flannel configuration, reinstall Flannel, and then recreate the pod.
    Note We recommend that you do not use this method because the Flannel configuration may be overwritten when you update Flannel.
    1. Run the following command to modify cni-config.json: 
      kubectl edit cm kube-flannel-cfg -n kube-system
    2. Add hairpinMode: true to the delegate parameter.
      Example:
      cni-conf.json: |
    {
      "name": "cb0",
      "cniVersion":"0.3.1",
      "type": "flannel",
      "delegate": {
        "isDefaultGateway": true,
        "hairpinMode": true
      }
    }
    3. Run the following command to restart Flannel: 
      kubectl delete pod -n kube-system -l app=flannel
    4. Delete and recreate the pod.

Which network plug-in should I choose for an ACK cluster, Terway or Flannel?

The following section describes the Flannel and Terway network plug-ins for ACK clusters.

You can select one of the following network plug-ins when you create an ACK cluster:
  • Flannel: a simple and stable Container Network Interface (CNI) plug-in developed by the Kubernetes community. You can use Flannel with Virtual Private Cloud (VPC) of Alibaba Cloud. This ensures that your clusters and containers run in a high-speed and stable network. However, Flannel provides only basic features and does not support standard Kubernetes network policies.
  • Terway: a network plug-in developed by ACK. Terway provides all the features of Flannel and allows you to attach Alibaba Cloud elastic network interfaces (ENIs) to containers. You can use Terway to configure access control policies for containers based on standard Kubernetes network policies. Terway also supports bandwidth throttling on individual containers. If you do not want to use Kubernetes network policies, you can choose Flannel. In other cases, we recommend that you choose Terway. For more information about Terway, see Work with Terway.

How do I plan the network of a cluster?

When you create an ACK cluster, you must specify a VPC, vSwitches, the pod CIDR block, and the Service CIDR block. We recommend that you plan the CIDR block of Elastic Compute Service (ECS) instances in the cluster, the pod CIDR block, and the Service CIDR block before you create an ACK cluster. For more information, see Plan CIDR blocks for an ACK cluster.

Can I use the hostPort feature to create port mappings in an ACK cluster?

  • Only Flannel allows you to use the hostPort feature to create port mappings in an ACK cluster.
  • A pod in a VPC can be accessed by other cloud resources that are deployed in the same VPC through the endpoint of the pod in the VPC. Therefore, port mapping is not required.
  • To expose applications to the Internet, you can use NodePort Services or LoadBalancer Services.

How do I check the network type and vSwitches of a cluster?

ACK supports two types of container network: Flannel and Terway.

To check the network type of the cluster, perform the following steps:

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column. The details page of the cluster appears.
  3. On the Basic Information tab, check the value of Network Plug-in in the Cluster Information section.
    • If the value of Network Plug-in is terway-eniip, it indicates that the Terway network is used.
    • If the value of Network Plug-in is Flannel, it indicates that the Flannel network is used.

To check the vSwitch to which the nodes in the network belong, perform the following steps:

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, click the name of a cluster and choose Nodes > Node Pools in the left-side navigation pane.
  3. On the Node Pools page, find the node pool that you want to manage and click Details in the Actions column.

    In the Node Configurations section, check the value of Node vSwitch.

To check the vSwitch to which the pods in the Terway network belong, perform the following steps:

Note Only pods in the Terway network require a vSwitch. Pods in the Flannel network do not require a vSwitch.
  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column. Then, the details page of the cluster appears.
  3. On the details page of the cluster, click the Cluster Resources tab and check the value of Pod vSwitch.

How do I check the cloud resources used in an ACK cluster?

You can perform the following steps to check the cloud resources used in ACK clusters, such as vSwitches, VPCs, and worker RAM roles:
  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, find the cluster that you want to manage and click the name of the cluster, or click Details in the Actions column. The details page of the cluster appears.
  3. On the Cluster Resources tab, view the information about the cloud resources that are used in the cluster.

How do I modify the kube-proxy configuration?

By default, a DaemonSet named kube-proxy-worker is deployed in an ACK managed cluster for load balancing. You can modify the ConfigMap named kube-proxy-worker to change the parameters of the kube-proxy-worker DaemonSet. If you use an ACK dedicated cluster, a DaemonSet and a ConfigMap both named kube-proxy-master are deployed on each master node.

The kube-proxy configuration items in ACK are fully compatible with the open source KubeProxyConfiguration. You can refer to the open source version when you customize configurations. For more information, see kube-proxy configuration. The kube-proxy configuration must conform to specific formats. Do not omit colons (:) or space characters. Perform the following steps to modify the kube-proxy configuration:

  • If you use an ACK managed cluster, modify the kube-proxy-worker ConfigMap.
    1. Log on to the ACK console and click Clusters in the left-side navigation pane.
    2. On the Clusters page, click the name of a cluster and choose Configurations > ConfigMaps in the left-side navigation pane.
    3. On the ConfigMap page, select the kube-system namespace, find the kube-proxy-worker ConfigMap, and then click Edit YAML in the Actions column.
    4. In the View in YAML panel, modify the parameters and click OK.
    5. Recreate all kube-proxy-worker pods for the configuration to take effect.
      Important Your workloads are not interrupted when kube-proxy is restarted. However, new releases will be postponed because the system must wait until kube-proxy is restarted. We recommend that you restart kube-proxy during off-peak hours.
      1. In the left-side navigation pane of the details page, choose Workloads > DaemonSets.
      2. On the DaemonSets page, find and click kube-proxy-worker.
      3. On the Pods tab of the kube-proxy-worker page, select a pod and choose More > Delete in the Actions column. In the message that appears, click OK.

        Repeat the preceding steps to delete all of the pods. After you delete the pods, the system automatically recreates the pods.

  • If you use an ACK dedicated cluster, modify the kube-proxy-worker and kube-proxy-master Configmaps, and then delete kube-proxy-worker and kube-proxy-master pods. The system automatically recreates them. For more information, see the preceding steps.

How do I increase the maximum number of tracked connections in the conntrack table of the Linux kernel?

If the dmesg command returns the conntrack full message, it indicates that the number of tracked connections in the conntrack table has exceeded the limit specified by conntrack_max. In this case, you may need to increase the maximum number of tracked connections in the conntrack table.
  1. Run the conntrack -L command to check the proportions of protocols used by the connections in the conntrack table.
    • If a large number of TCP connections are found, you must check the application type and consider using long-lived connections to replace short-lived connections.
    • If a large number of DNS connections are found, you must use NodeLocal DNSCache to improve DNS performance for your cluster. For more information, see Configure NodeLocal DNSCache.
  2. If the proportions of connections in the conntrack table are proper or you do not want to modify the application, you can add the maxPerCore parameter to the kube-proxy configuration to adjust the maximum number of tracked connections.
    • If you use an ACK managed cluster, add the maxPerCore parameter to the kube-proxy-worker ConfigMap and set its value to 65536 or greater. Then, delete kube-proxy-worker pods. The system automatically recreates the pods for the configuration to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete kube-proxy-worker pods, see How do I modify the kube-proxy configuration? . 
      apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-proxy-worker
  namespace: kube-system
data:
  config.conf: |
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    featureGates:
      IPv6DualStack: true
    clusterCIDR: 172.20.0.0/16
    clientConnection:
      kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
    conntrack:
      maxPerCore: 65536 // Set maxPerCore to a proper value. Default value: 65536. 
    mode: ipvs
# Irrelevant fields are not shown.
    • If you use an ACK dedicated cluster, add the maxPerCore parameter to the kube-proxy-worker and kube-proxy-master ConfigMaps and set its value to 65536 or greater. Then, delete kube-proxy-worker and kube-proxy-master pods. The system automatically recreates the pods for the configurations to take effect. For more information about how to modify the kube-proxy-worker and kube-proxy-master ConfigMaps, and delete kube-proxy-worker and kube-proxy-master pods, see How do I modify the kube-proxy configuration? .

How do I modify the IPVS load balancing algorithm in the kube-proxy configuration?

You can modify the IPVS load balancing algorithm in the kube-proxy configuration to resolve the issue that a large number of long-lived connections are not evenly distributed. To do this, perform the following steps:
  1. Select a proper scheduling algorithm. For more information about how to select scheduling algorithms, see Parameter changes on Kubernetes Blog.
  2. By default, cluster nodes that were created before October 2022 may not have all IPVS scheduling algorithms enabled. You need to manually enable the IPVS kernel modules on all cluster nodes. The following example uses the least connections algorithm as an example. If you want to use other scheduling algorithms, replace the lc keyword. Log on to each node, run the lsmod | grep ip_vs_lc command, and check the output.
    • If the output contains ip_vs_lc, the kernel modules are loaded. You can skip this step.
    • If the kernel modules are not loaded, run the modprobe ip_vs_lc command for the node to immediately take effect. Then, run the echo "ip_vs_lc" >> /etc/modules-load.d/ack-ipvs-modules.conf command to restart the node.
  3. Set the ipvs scheduler parameter to the proper scheduling algorithm.
    • If you use an ACK managed cluster, set the ipvs scheduler parameter to the proper scheduling algorithm in the kube-proxy-worker ConfigMap. Then, delete kube-proxy-worker pods. The system automatically recreates the pods for the configuration to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete kube-proxy-worker pods, see How do I modify the kube-proxy configuration? . 
      apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-proxy-worker
  namespace: kube-system
data:
  config.conf: |
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    featureGates:
      IPv6DualStack: true
    clusterCIDR: 172.20.0.0/16
    clientConnection:
      kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
    conntrack:
      maxPerCore: 65536
    mode: ipvs
    ipvs:
      scheduler: lc // Set scheduler to a proper scheduling algorithm. 
# Irrelevant fields are not shown.
    • If you use an ACK dedicated cluster, set the ipvs scheduler parameter to the proper scheduling algorithm in the kube-proxy-worker and kube-proxy-master ConfigMaps. Then, delete kube-proxy-worker and kube-proxy-master pods. The system automatically recreates the pods for the configurations to take effect. For more information about how to modify the kube-proxy-worker and kube-proxy-master ConfigMaps, and delete kube-proxy-worker and kube-proxy-master pods, see How do I modify the kube-proxy configuration? .
  4. View the kube-proxy log.
    • Run the kubectl get pods command to check whether the status of the kube-proxy-worker container in the kube-system namespace is Running. If your cluster is an ACK dedicated cluster, you also need to check the status of the kube-proxy-master container.
    • Run the kubectl logs command to view the log of the container.
      • If the log contains Can't use the IPVS proxier: IPVS proxier will not be used because the following required kernel modules are not loaded: [ip_vs_lc], the IPVS kernel modules fail to be loaded. You need to check whether the preceding steps are performed without errors and then try again.
      • If the log contains Using iptables Proxier., kube-proxy fails to enable the IPVS kernel modules and switches back to the iptables mode. In this scenario, we recommend that you roll back the kube-proxy configuration and then restart the node.
      • If the log does not contain the preceding messages and contains Using ipvs Proxier., the IPVS kernel modules are enabled.
    • If kube-proxy passes the preceding checks, the load balancing algorithm is modified.

How do I modify the timeout period for IPVS UDP sessions in the kube-proxy configuration?

If the kube-proxy mode is set to IPVS in your cluster, the default session persistence policy of IPVS may cause packet loss five minutes after the UDP connection is closed. If your application is dependent on CoreDNS, issues such as API latency and request timeouts may occur five minutes after CoreDNS is updated or its host is restarted.

If your applications in the cluster do not use the UDP protocol, you can shorten the timeout period for IPVS UDP sessions to minimize the effect of DNS resolution latency or failures. Perform the following operations:
Note If your application uses the UDP protocol, Submit a ticket to request technical support.
  • ACK clusters that run Kubernetes 1.18 or later
    • If you use an ACK managed cluster, modify the udpTimeout parameter in the kube-proxy-worker ConfigMap. Then, delete kube-proxy-worker pods. The system automatically recreates the pods for the configuration to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete kube-proxy-worker pods, see How do I modify the kube-proxy configuration? . 
      apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-proxy-worker
  namespace: kube-system
data:
  config.conf: |
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    # Irrelevant fields are not shown. 
    mode: ipvs
    // If the ipvs field does not exist, you must add the field. 
    ipvs:
      udpTimeout: 10s // The default timeout period is 300 seconds. In this example, the timeout period is set to 10 seconds. This way, the time period during which packet loss may occur is reduced to 10 seconds after a UDP connection is closed.
    • If you use an ACK dedicated cluster, modify the udpTimeout parameter in the kube-proxy-worker and kube-proxy-master ConfigMaps. Then, delete kube-proxy-worker and kube-proxy-master pods. The system automatically recreates the pods for the configurations to take effect. For more information about how to modify the kube-proxy-worker ConfigMap and delete kube-proxy-worker pods, see How do I modify the kube-proxy configuration? .
  • ACK clusters that run Kubernetes 1.16 or earlier
    The kube-proxy component in these ACK clusters does not support the udpTimeout parameter. We recommend that you use Operation Orchestration Service (OOS) to run the following ipvsadm commands on all cluster nodes to modify the UDP timeout configuration: Run the following commands:
    yum install -y ipvsadm
ipvsadm -L --timeout > /tmp/ipvsadm_timeout_old
ipvsadm --set 900 120 10
ipvsadm -L --timeout > /tmp/ipvsadm_timeout_new
diff /tmp/ipvsadm_timeout_old /tmp/ipvsadm_timeout_new

    For more information about how to use OOS to manage multiple ECS instances at the same time, see Manage multiple instances.

How do I fix common issues related to IPv4/IPv6 dual stack?

  • Symptom: The pod IP addresses displayed in kubectl are still IPv4 addresses.

    Solution: Run the following command to display pod IPv6 addresses: 

    kubectl get pods -A -o jsonpath='{range .items[*]}{@.metadata.namespace} {@.metadata.name} {@.status.podIPs[*].ip} {"\n"}{end}'
  • Symptom: The cluster IP addresses displayed in kubectl are still IPv4 addresses.
    Solution:
    1. Confirm that the spec.ipFamilyPolicy field is not set to SingleStack.
    2. Run the following command to display cluster IPv6 addresses: 
      kubectl get svc -A -o jsonpath='{range .items[*]}{@.metadata.namespace} {@.metadata.name} {@.spec.ipFamilyPolicy} {@.spec.clusterIPs[*]} {"\n"}{end}'
  • Symptom: You cannot access a pod through its IPv6 address.

    Cause: By default, some applications do not listen on IPv6 addresses, such as NGINX containers.

    Solution: Run the netstat -anp command to check whether the pod listens on IPv6 addresses.

    Expected output:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.XX.XX:10248         0.0.0.0:*               LISTEN      8196/kubelet
tcp        0      0 127.0.XX.XX:41935         0.0.0.0:*               LISTEN      8196/kubelet
tcp        0      0 0.0.XX.XX:111             0.0.0.0:*               LISTEN      598/rpcbind
tcp        0      0 0.0.XX.XX:22              0.0.0.0:*               LISTEN      3577/sshd
tcp6       0      0 :::30500                :::*                    LISTEN      1916680/kube-proxy
tcp6       0      0 :::10250                :::*                    LISTEN      8196/kubelet
tcp6       0      0 :::31183                :::*                    LISTEN      1916680/kube-proxy
tcp6       0      0 :::10255                :::*                    LISTEN      8196/kubelet
tcp6       0      0 :::111                  :::*                    LISTEN      598/rpcbind
tcp6       0      0 :::10256                :::*                    LISTEN      1916680/kube-proxy
tcp6       0      0 :::31641                :::*                    LISTEN      1916680/kube-proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           4892/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           598/rpcbind
udp        0      0 47.100.XX.XX:323           0.0.0.0:*                           6750/chronyd
udp        0      0 0.0.0.0:720             0.0.0.0:*                           598/rpcbind
udp6       0      0 :::111                  :::*                                598/rpcbind
udp6       0      0 ::1:323                 :::*                                6750/chronyd
udp6       0      0 fe80::216:XXXX:fe03:546 :::*                                6673/dhclient
udp6       0      0 :::720                  :::*                                598/rpcbind

    If the value in the Proto column is tcp, it indicates that the pod listens on IPv4 addresses. If the value is tcp6, it indicates that the pod listens on IPv6 addresses.

  • Symptom: You can access a pod through its IPv6 address from within the cluster but not from the Internet.

    Cause: No public bandwidth is configured for the IPv6 address.

    Solution: Configure public bandwidth for the IPv6 address. For more information, see Enable and manage IPv6 Internet bandwidth.

  • Symptom: You cannot access a pod through the cluster IPv6 address.
    Solution:
    1. Confirm that the spec.ipFamilyPolicy field is not set to SingleStack.
    2. Run the netstat -anp command to check whether the pod listens on IPv6 addresses.

      Expected output:

      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.XX.XX:10248         0.0.0.0:*               LISTEN      8196/kubelet
tcp        0      0 127.0.XX.XX:41935         0.0.0.0:*               LISTEN      8196/kubelet
tcp        0      0 0.0.XX.XX:111             0.0.0.0:*               LISTEN      598/rpcbind
tcp        0      0 0.0.XX.XX:22              0.0.0.0:*               LISTEN      3577/sshd
tcp6       0      0 :::30500                :::*                    LISTEN      1916680/kube-proxy
tcp6       0      0 :::10250                :::*                    LISTEN      8196/kubelet
tcp6       0      0 :::31183                :::*                    LISTEN      1916680/kube-proxy
tcp6       0      0 :::10255                :::*                    LISTEN      8196/kubelet
tcp6       0      0 :::111                  :::*                    LISTEN      598/rpcbind
tcp6       0      0 :::10256                :::*                    LISTEN      1916680/kube-proxy
tcp6       0      0 :::31641                :::*                    LISTEN      1916680/kube-proxy
udp        0      0 0.0.0.0:68              0.0.0.0:*                           4892/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           598/rpcbind
udp        0      0 47.100.XX.XX:323           0.0.0.0:*                           6750/chronyd
udp        0      0 0.0.0.0:720             0.0.0.0:*                           598/rpcbind
udp6       0      0 :::111                  :::*                                598/rpcbind
udp6       0      0 ::1:323                 :::*                                6750/chronyd
udp6       0      0 fe80::216:XXXX:fe03:546 :::*                                6673/dhclient
udp6       0      0 :::720                  :::*                                598/rpcbind

      If the value in the Proto column is tcp, it indicates that the pod listens on IPv4 addresses. If the value is tcp6, it indicates that the pod listens on IPv6 addresses.

    3. Symptom: You cannot access the Internet from a pod by using an IPv6 address.

      Solution: Create an IPv6 gateway for the VPC in which the pod resides and configure public bandwidth for the IPv6 address that you use. For more information, see Create and manage an IPv6 gateway and Enable and manage IPv6 Internet bandwidth.

What do I do if the IP address of a newly created pod does not fall within the vSwitch CIDR block in Terway mode?

Issue

In Terway mode, the IP address of a newly created pod does not fall within the vSwitch CIDR block.

Cause

After the pod is created, the ENI of the ECS instance assigns an IP address from the VPC CIDR block to the pod. You can configure vSwitches only if a newly created ENI is attached to the node. If an ENI is attached to the node before you add the node to the cluster or modify vSwitches used by Terway, the ENI assigns IP addresses to newly created pods on the node from the vSwitch to which the ENI belongs.

This issue may occur in the following scenarios:

  • You add a node that is removed from another cluster to your cluster. The node was not drained when it was removed. In this case, the node uses the ENI that was attached by the cluster to which the node previously belonged.
  • You manually add or modify vSwitches used by Terway. However, a node may still be attached to the original ENI. In this case, the ENI assigns IP addresses to newly created pods on the node from the vSwitch to which the ENI belongs.

Solution

Create new nodes or create pods on other nodes.

What do I do if the IP address of a newly created pod does not fall within the vSwitch CIDR block after I add a vSwitch in Terway mode?

Issue

In Terway mode, the IP address of a newly created pod does not fall within the vSwitch CIDR block after you add a vSwitch.

Cause

After the pod is created, the ENI of the ECS instance assigns an IP address from the VPC CIDR block to the pod. You can configure vSwitches only if a newly created ENI is attached to the node. If an ENI is attached to the node before you add the node to the cluster or modify vSwitches used by Terway, the ENI assigns IP addresses to newly created pods on the node from the vSwitch to which the ENI belongs. If the number of ENIs that are attached to the node reaches the upper limit, new ENIs cannot be created. As a result, an error is returned. For more information about the ENI quota, see Limits.

Solution

Create new nodes or create pods on other nodes.

How do I enable load balancing within a cluster in Terway IPVLAN mode?

Issue

In Terway IPVLAN mode, when you create a cluster that uses Terway 1.2.0 or a later version, load balancing is automatically enabled within the cluster. If you access an external IP address or an SLB instance from within a cluster, the traffic is routed to the backend Service. How do I enable load balancing within an existing cluster that uses the Terway IPVLAN mode?

Cause

If you access an external IP address or an SLB instance from within a cluster, kube-proxy directly routes the traffic to the endpoint of the backend Service. In Terway IPVLAN mode, the traffic is handled by Cilium instead of kube-proxy. This feature is not supported in Terway versions earlier than 1.2.0. This feature is automatically enabled for clusters that use Terway 1.2.0 or later versions. You must manually enable this feature for clusters that use Terway versions earlier than 1.2.0.

Solution

Note
  • Update Terway to 1.2.0 or later and enable the IPVLAN mode.
  • If the IPVLAN mode is not enabled, the following configuration does not take effect.
  • This feature is automatically enabled for newly created clusters that use Terway 1.2.0 or later versions.
  1. Run the following command to modify the ConfigMap of Terway named eni_conf: 
    kubectl edit cm eni-config -n kube-system
  2. Add the following content to the eni_conf ConfigMap: 
    in_cluster_loadbalance: "true"
    Note Make sure that in_cluster_loadbalance is aligned with eni_conf.
  3. Run the following command to enable load balancing within the cluster by recreating the Terway pod: 
    kubectl delete pod -n kube-system -l app=terway-eniip
    Verify the configuration
    Run the following command to query the policy log of the terway-ennip application. If enable-in-cluster-loadbalance=true is returned, the configuration is applied. 
    kubectl logs -n kube-system <terway pod name> policy | grep enable-in-cluster-loadbalance

How do I add the pod CIDR block to a whitelist if my cluster uses the Terway network plug-in?

Issue

You want to enforce access control on services such as database services by using whitelists. To configure access control in container networks, you must add pod IP addresses to a whitelist. However, pod IP addresses dynamically change.

Cause

ACK provides the Flannel and Terway network plug-ins to set up the container network:
  • If your cluster uses Flannel as the network plug-in, pods in the cluster use the IP addresses of the nodes that host the pods to access services such as database services. You can schedule client pods to a small number of nodes and then add the IP addresses of these nodes to the whitelist of a database service.
  • If your cluster uses Terway as the network plug-in, ENIs assign IP addresses to pods in the cluster. Pods use the IP addresses assigned by ENIs to access external services. Therefore, client pods do not use the IP addresses of nodes to access external services even if you schedule the client pods to specific nodes based on affinity settings. Random IP addresses are allocated to pods from the vSwitch that is specified by Terway. In most cases, auto scaling is required for pods. Therefore, static IP addresses are not suitable for pods. To meet the requirement of auto scaling, we recommend that you specify a CIDR block for pods and then add the CIDR block to the whitelist of a database service that you want to access.

Solution

Add a label to a node to specify the vSwitch that is used to allocate IP addresses to pods. This way, the system uses the vSwitch to allocate IP addresses to pods when the pods are scheduled to the node with the specified label.

  1. Create a ConfigMap named eni-config-fixed in the kube-system namespace. Specify the vSwitch that you want to use in the ConfigMap.

    In this example, the vsw-2zem796p76viir02c**** vSwitch is used. The CIDR block of the vSwitch is 10.2.1.0/24. 

    apiVersion: v1
data:
  eni_conf: |
    {
       "vswitches": {"cn-beijing-h":["vsw-2zem796p76viir02c****"]},
       "security_group": "sg-bp19k3sj8dk3dcd7****",
       "security_groups": ["sg-bp1b39sjf3v49c33****","sg-bp1bpdfg35tg****"]
    }
kind: ConfigMap
metadata:
  name: eni-config-fixed
  namespace: kube-system
  2. Create a node pool and add the terway-config: eni-config-fixed label to the nodes in the node pool. For more information about how to create a node pool, see Procedure.
    To ensure that irrelevant pods are not scheduled to the nodes in the node pool, add specific taints, for example, fixed=true:NoSchedule, to the nodes. Node label.png
  3. Scale out the node pool. For more information, see Increase the number of nodes in an ACK cluster.
    The label and taint that you added in the previous step are automatically added to the nodes that are newly added to the node pool.
  4. Create pods. To ensure that the pods are scheduled to nodes with the terway-config: eni-config-fixed label, you must add a specific toleration to the pod configuration. 
    apiVersion: apps/v1 # Use apps/v1beta1 in clusters that run Kubernetes 1.8.0 or earlier versions. 
kind: Deployment
metadata:
  name: nginx-fixed
  labels:
    app: nginx-fixed
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-fixed
  template:
    metadata:
      labels:
        app: nginx-fixed
    spec:
      tolerations:        # Add a toleration. 
      - key: "fixed"
        operator: "Equal"
        value: "true"
        effect: "NoSchedule"
      nodeSelector:
        terway-config: eni-config-fixed
      containers:
      - name: nginx
        image: nginx:1.9.0 # Replace the value with the actual image that you use. Set the value in the following format: <image_name:tags>. 
        ports:
        - containerPort: 80
    Verify the result
    1. Run the following command to query the IP addresses of the pods that you created: 
      kubectl get po -o wide | grep fixed
      Expected output:
      nginx-fixed-57d4c9bd97-l****                   1/1     Running             0          39s    10.2.1.124    bj-tw.062149.aliyun.com   <none>           <none>
nginx-fixed-57d4c9bd97-t****                   1/1     Running             0          39s    10.2.1.125    bj-tw.062148.aliyun.com   <none>           <none>
      The output shows that the IP addresses of the pods are allocated from the vSwitch that you specified.
    2. Run the following command to increase the number of pods to 30: 
      kubectl scale deployment nginx-fixed --replicas=30
      Expected output:
      nginx-fixed-57d4c9bd97-2****                   1/1     Running     0          60s     10.2.1.132    bj-tw.062148.aliyun.com   <none>           <none>
nginx-fixed-57d4c9bd97-4****                   1/1     Running     0          60s     10.2.1.144    bj-tw.062149.aliyun.com   <none>           <none>
nginx-fixed-57d4c9bd97-5****                   1/1     Running     0          60s     10.2.1.143    bj-tw.062148.aliyun.com   <none>           <none>
...
      The output shows that the IP addresses of the pods are allocated from the vSwitch that you specified. You can add the CIDR block of the vSwitch to the whitelist of a database service that you want to access. This way, access control is enforced for pods that use dynamic IP addresses.
Note
  • We recommend that you create new nodes. If you use existing nodes, you must disassociate ENIs from the ECS instances before you can add the ECS instances to the cluster. You must add existing nodes in Auto mode. In Auto mode, the system disks of the nodes are replaced. For more information, see Unbind an ENI and Automatically add ECS instances.
  • You must add specific labels and taints to the nodes in the node pools that you want to use to host client pods. This ensures that irrelevant pods are not scheduled to the node pools.
  • After you create the eni-config-fixed ConfigMap, it overwrites the eni-config ConfigMap. For more information about how to configure the eni-config ConfigMap, see Dynamic Terway configuration on nodes.
  • We recommend that you specify a vSwitch that can provide at least twice as many IP addresses as the client pods. This ensures sufficient IP addresses when pods are scaled out or IP addresses cannot be reclaimed.

What do I do if I fail to ping ECS nodes from a pod?

Issue

Your cluster uses Flannel as the network plug-in and the VPN gateway works as normal. After you log on to a pod, you fail to ping specific ECS nodes.

Cause

The following causes are possible:
  • Cause 1: The ECS instances that you accessed from the pod are deployed in the same VPC as the cluster in which the pod is deployed but do not belong to the same security group as the cluster.
  • Cause 2: The ECS instances that you accessed from the pod are not deployed in the same VPC as the cluster in which the pod is deployed.

Solution

The solution to the issue varies based on the cause.
  • If the issue is caused by Cause 1, you must add the ECS instances to the security group to which the cluster belongs. For more information, see Configure a security group.
  • If the issue is caused by Cause 2, you must add the public IP address of the cluster in which the pod is deployed to the inbound rules of the security group to which the ECS instances belong.

What do I do if a node has the NodeNetworkUnavailable taint?

Issue

In a cluster that uses Flannel, if a newly added node has the NodeNetworkUnavailable taint, pods cannot be scheduled to the node.

Cause

The NodeNetworkUnavailable taint is not deleted by the cloud controller manager (CCM) due to reasons such as that the route table is full or the VPC has multiple route tables.

Solution

Run the kubectl describe node command to check the node events and fix the issue based on the issue details in the output.

What do I do if I fail to launch a pod and the following error message is displayed: no IP addresses available in range?

Issue

You fail to launch a pod in the Flannel network and the following message is displayed in the relevant pod event: failed to allocate for range 0: no IP addresses available in range set: 172.30.34.129-172.30.34.190.

Cause

In the Flannel network, a CIDR block is allocated to each node in the cluster. When the system schedules a pod to a node, Flannel allocates an idle IP address from the pod CIDR block of the node to the pod. If the failed to allocate for range 0: no IP addresses available in range set: 172.30.34.129-172.30.34.190 message is returned during pod scheduling, it indicates that no idle IP address can be allocated. This error may be caused by IP leaks in the following cases:
  • In ACK clusters that run Kubernetes versions earlier than 1.20, pod IP addresses may be leaked if the pods are repeatedly restarted or the pods created by CronJobs exit within a short period of time. For more information, see Issues 75665 and Issues 92614.
  • If a Flannel version earlier 0.15.1.11-7e95fe23-aliyun is used, pods may be destroyed when the host is restarted or accidentally shut down. In this case, the IP addresses of the pods are leaked. For more information, see Issues 332.

Solution

  • If the Kubernetes version of your cluster is earlier than 1.20, update the Kubernetes version to 1.20 or later. For more information, see Update the Kubernetes version of an ACK cluster.
  • If the version of the Flannel plug-in used by your cluster is earlier 0.15.1.11-7e95fe23-aliyun, update the Flannel plug-in to 0.15.1.11-7e95fe23-aliyun or later. Perform the following steps:

    If Flannel 0.15.1.11-7e95fe23-aliyun or later is used by your cluster, ACK migrates the database that stores the default CIDR block to the temporary directory /var/run. If a node is restarted, the system automatically deletes the data in the temporary directory to prevent leaking the IP addresses in the temporary directory.

    1. Update Flannel to 0.15.1.11-7e95fe23-aliyun or later. For more information, see Manage system components.
    2. Run the following command to modify the kube-flannel-cfg file. Then, add the dataDir and ipam parameters to the kube-flannel-cfg file. 
      kubectl -n kube-system edit cm kube-flannel-cfg

      Example of the kube-flannel-cfg file: 

      // The original settings.
    {
      "name": "cb0",
      "cniVersion":"0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "isDefaultGateway": true,
            "hairpinMode": true
           },
        },
        // portmap # This section may not be used in earlier versions of Flannel. You can ignore this section if it is not required. 
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          },
          "externalSetMarkChain": "KUBE-MARK-MASQ"
        }
      ]
    }

// The modified settings.
    {
      "name": "cb0",
      "cniVersion":"0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "isDefaultGateway": true,
            "hairpinMode": true
           },
          // Add a comma (,) to the end of each parameter. 
          "dataDir": "/var/run/cni/flannel",
          "ipam": {
            "type": "host-local",
            "dataDir": "/var/run/cni/networks"
           }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          },
          "externalSetMarkChain": "KUBE-MARK-MASQ"
        }
      ]
    }
    3. Run the following command to restart Flannel pods:

      The restart operation does not interrupt workloads that are running. 

      kubectl -n kube-system delete pod -l app=flannel
    4. Delete the directories that store CIDR blocks on nodes and then restart the nodes.
      1. Drain nodes. For more information, see Set node schedulability.
      2. Log on to each node and run the following command to delete the directory that stores the CIDR block: 
        rm -rf /etc/cni/
rm -rf /var/lib/cni/
      3. Restart nodes. For more information, see Restart instances.
      4. Perform the preceding steps to delete the directories that store CIDR blocks on all nodes in your cluster.
    5. Run the following command to check whether a temporary directory is created on the node to store the CIDR block: 
      if [ -d /var/lib/cni/networks/cb0 ]; then echo "not using tmpfs"; fi
if [ -d /var/run/cni/networks/cb0 ]; then echo "using tmpfs"; fi
cat /etc/cni/net.d/10-flannel.conf*

      If using tmpfs is displayed in the output, the temporary directory /var/run has been created on the node and used as the database that stores the CIDR block.

  • If you cannot update the Kubernetes version of your cluster or the Flannel plug-in used by your cluster, you can use the following method to resolve the issue of pod IP leakage in the preceding scenarios.

    This method is used to delete the leaked pod IP addresses. You cannot use this method to prevent leaking pod IP addresses.

    Note
    • The following commands are not applicable to nodes that use Flannel 0.15.1.11-7e95fe23-aliyun or later and have stored CIDR blocks in the /var/run directory.
    • The following script is for reference only. If you have configured custom node configurations, you may fail to execute the script.
    1. Set the node on which pod IP addresses are leaked as Unschedulable. For more information, see Set node schedulability.
    2. Select a script based on the container runtime used by the node and execute the script on the node to delete the leaked pod IP addresses.
      • If the node uses Docker, execute the following script on the node to delete the leaked pod IP addresses: 
        #!/bin/bash
cd /var/lib/cni/networks/cb0;
docker ps -q > /tmp/running_container_ids
find /var/lib/cni/networks/cb0 -regex ".*/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" -printf '%f\n' > /tmp/allocated_ips
for ip in $(cat /tmp/allocated_ips); do
  cid=$(head -1 $ip | sed 's/\r//g' | cut -c-12)
  grep $cid /tmp/running_container_ids > /dev/null || (echo removing leaked ip $ip && rm $ip)
done
      • If the node uses containerd, execute the following script on the node to delete the leaked pod IP addresses: 
        #!/bin/bash
# install jq
yum install -y jq

# export all running pod's configs
crictl -r /run/containerd/containerd.sock pods -s ready -q | xargs -n1 crictl -r /run/containerd/containerd.sock inspectp > /tmp/flannel_ip_gc_all_pods

# export and sort pod ip
cat /tmp/flannel_ip_gc_all_pods | jq -r '.info.cniResult.Interfaces.eth0.IPConfigs[0].IP' | sort > /tmp/flannel_ip_gc_all_pods_ips

# export flannel's all allocated pod ip
ls -alh /var/lib/cni/networks/cb0/1* | cut -f7 -d"/" | sort > /tmp/flannel_ip_gc_all_allocated_pod_ips

# print leaked pod ip
comm -13 /tmp/flannel_ip_gc_all_pods_ips /tmp/flannel_ip_gc_all_allocated_pod_ips > /tmp/flannel_ip_gc_leaked_pod_ip

# clean leaked pod ip
echo "Found $(cat /tmp/flannel_ip_gc_leaked_pod_ip | wc -l) leaked Pod IP, press <Enter> to clean."
read sure

# delete leaked pod ip
for pod_ip in $(cat /tmp/flannel_ip_gc_leaked_pod_ip); do
    rm /var/lib/cni/networks/cb0/${pod_ip}
done

echo "Leaked Pod IP cleaned, removing temp file."
rm /tmp/flannel_ip_gc_all_pods_ips /tmp/flannel_ip_gc_all_pods /tmp/flannel_ip_gc_leaked_pod_ip /tmp/flannel_ip_gc_all_allocated_pod_ips
    3. Set the node as Schedulable. For more information, see Set node schedulability.

How do I modify the number of node IP addresses, the pod CIDR block, and the Service IP block?

The number of node IP addresses, the pod CIDR block, and the Service IP block cannot be modified after you create a cluster. We recommend that you set these items to proper values when you create a cluster.