
Container Compute Service: Expand the address space of a cluster by adding a secondary CIDR block to a VPC

Last Updated: Dec 25, 2024

The CIDR blocks and IP addresses that an ACS cluster can use are limited by the VPC of the ACS cluster. If the VPC does not have sufficient idle IP addresses, you can add a secondary CIDR block to the VPC.

Important

After you add a secondary CIDR block to the VPC, submit a ticket to contact technical support so that the control planes are configured accordingly. Otherwise, the control planes cannot reach pods that reside in the secondary CIDR block. This may cause issues including but not limited to:

  • Failures to execute kubectl exec or kubectl logs.

  • Webhook or APIService call failures.

  • Failures to create pods or other resources.

Before you begin

Confirm the CIDR block that you want to add.

  1. Check the CIDR blocks that are in use.

    The CIDR blocks include but are not limited to those described in the following table.

    CIDR block: The VPC and vSwitch CIDR blocks of the cluster.
    Description: On the Cluster Information page of the ACS cluster, click the Cluster Resources tab. You can view the VPC and vSwitches of the cluster. You can click an ID to log on to the VPC console and view details.

    CIDR block: The Service CIDR block of the cluster.
    Description: On the Cluster Information page of the ACS cluster, click the Basic Information tab. You can view the Service CIDR block of the cluster.

    CIDR block: The CIDR blocks of connections over Express Connect circuits, VPN gateways, and Cloud Enterprise Network (CEN) instances that are connected to the VPC of the cluster.
    Description: Log on to the corresponding console and view the details. In the VPC console, click the ID of the desired VPC to go to the details page. On the Resource Management tab, you can view the Express Connect, VPN, and CEN information in the Communication between Networks section. Click a number to log on to the corresponding console and view details.

  2. Select a CIDR block that does not overlap with the preceding CIDR blocks, and use this CIDR block as the secondary CIDR block of the VPC.
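The overlap check in the preceding steps is easy to get wrong by eye, especially when peered networks (Express Connect, VPN, CEN) bring in large prefixes. The following script is an added example, not part of the original page or of ACS itself; it uses Python's standard ipaddress module to test a candidate secondary CIDR block against an inventory of in-use blocks. The inventory values are constructed placeholders that you would replace with the blocks read from the consoles above.

```python
import ipaddress

# Constructed sample inventory of CIDR blocks already in use by the cluster's VPC.
# These are placeholder values, not taken from any real environment; fill them in
# from the VPC, Cluster Information and peering consoles described above.
IN_USE_CIDRS = {
    "VPC primary CIDR": "192.168.0.0/16",
    "vSwitch (zone A)": "192.168.1.0/24",
    "Service CIDR": "172.16.0.0/16",
    "Express Connect peer": "10.0.0.0/8",
}


def find_overlaps(candidate, in_use):
    """Return the names of every in-use block that overlaps the candidate CIDR.

    strict=True rejects a candidate with host bits set (e.g. 10.1.2.3/16), which
    is the usual typo when copying a CIDR block by hand.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [
        name
        for name, cidr in in_use.items()
        if cand.overlaps(ipaddress.ip_network(cidr, strict=True))
    ]


def is_usable_secondary_cidr(candidate, in_use=IN_USE_CIDRS):
    """True only if the candidate overlaps none of the in-use CIDR blocks."""
    return not find_overlaps(candidate, in_use)


if __name__ == "__main__":
    for cidr in ("192.168.2.0/24", "10.1.0.0/16", "172.20.0.0/16"):
        hits = find_overlaps(cidr, IN_USE_CIDRS)
        verdict = "usable" if not hits else "overlaps " + ", ".join(hits)
        print(f"{cidr}: {verdict}")
```

Run it once with every block from the table filled in; a candidate is safe to use as the secondary CIDR block only when the script reports no overlaps.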

Procedure

Step 1: Add a secondary CIDR block and create a vSwitch

  1. Log on to the VPC console.

  2. Add a secondary CIDR block.

    1. On the VPC page, find your VPC and click its ID.

      Note

      You can also go to the Cluster Information page of the ACS cluster and click the Cluster Resources tab. Then, click the VPC ID to go to the VPC details page.

    2. Click the CIDR Block Management tab and click Add Secondary IPv4 CIDR Block.

    3. In the dialog box that appears, enter the desired CIDR block in the Custom CIDR Block field, and click OK.

  3. Create a vSwitch in the secondary CIDR block.

    1. Go to the vSwitch page and click Create vSwitch.

    2. On the Create vSwitch page, select the VPC and secondary CIDR block, specify the zone and CIDR block of the vSwitch, and click OK.

Step 2: Add a security group rule to allow the secondary CIDR block

  1. Log on to the ECS console.

  2. On the Security Groups page, find your security group and click its ID.

    Note

    You can also go to the Cluster Information page of the ACS cluster, click the Cluster Resources tab, and click the security group ID to go to the details page.

  3. Add inbound and outbound rules for the secondary CIDR block based on your business requirement.

    For more information, see Add a security group rule.

Step 3: Add the vSwitch to the cluster

You can update acs-profile to add vSwitches to the ACS cluster. The update takes effect in real time.

Note

The following steps are performed in the console. You can also connect to the cluster and run the kubectl edit configmap acs-profile -n kube-system command to update acs-profile.

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. Click the ID of the ACS cluster to go to the cluster management page.

  3. In the left-side navigation pane, choose Configurations > ConfigMaps.

  4. On the ConfigMaps page, select the kube-system namespace, find acs-profile, and click Edit YAML.

  5. In the vSwitchIds section, enter the ID of the new vSwitch and click OK.

    Note

    Separate vSwitch IDs with commas (,).
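When you update acs-profile from the command line instead of the console, the easy mistake is to overwrite the existing vSwitch IDs or to introduce stray spaces around the commas. The following helper is an added example, not code from the original page or from ACS; it assumes that the ConfigMap stores the IDs as a comma-separated string under a data key named vSwitchIds (the page names the section vSwitchIds, but the exact key is an assumption you should confirm with kubectl get configmap acs-profile -n kube-system -o yaml). The vSwitch IDs used below are constructed placeholders.

```python
import json
import shlex

# Assumed data key of the acs-profile ConfigMap; confirm it against the live object.
VSWITCH_KEY = "vSwitchIds"


def add_vswitch_id(current_ids, new_id):
    """Return the vSwitchIds value with new_id appended.

    Existing IDs are kept in order, surrounding whitespace is stripped, empty
    entries are dropped, and the new ID is not duplicated if already present.
    """
    ids = [item.strip() for item in current_ids.split(",") if item.strip()]
    new_id = new_id.strip()
    if not new_id:
        raise ValueError("new vSwitch ID must not be empty")
    if new_id not in ids:
        ids.append(new_id)
    return ",".join(ids)


def build_patch_command(current_ids, new_id, key=VSWITCH_KEY):
    """Build a kubectl merge-patch command that updates only the vSwitch list.

    A merge patch touches just the given data key, so other acs-profile
    settings are left untouched.
    """
    patch = {"data": {key: add_vswitch_id(current_ids, new_id)}}
    return (
        "kubectl -n kube-system patch configmap acs-profile --type merge -p "
        + shlex.quote(json.dumps(patch))
    )


if __name__ == "__main__":
    # Constructed placeholder IDs; the current value comes from the live ConfigMap.
    current = "vsw-placeholder-a, vsw-placeholder-b"
    print(build_patch_command(current, "vsw-placeholder-c"))
```

Paste the printed command into a shell that has access to the cluster; the update takes effect as soon as the ConfigMap is changed, as noted above, so review the generated value before applying it.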

(Optional) Step 4: Add an SNAT entry

If your ACS cluster accesses the Internet through SNAT, check the SNAT configuration after you add the vSwitch.

For example, if the SNAT entries are scoped to vSwitches, you need to add an SNAT entry for the new vSwitch. Otherwise, the pods in the zone of the new vSwitch cannot access the Internet.

  1. Log on to the NAT Gateway console.

  2. On the Internet NAT Gateway page, click the ID of the NAT gateway that you want to manage.

  3. On the SNAT Management tab, click Create SNAT Entry.

  4. Add an SNAT entry for the new vSwitch and click OK.

Verify the result

Create a pod in the zone of the new vSwitch. If the pod is created and assigned an IP address from the vSwitch, the secondary CIDR block takes effect. For information about how to specify a vSwitch, see Specify a vSwitch.