When a VPC runs out of idle IP addresses, you can add a secondary CIDR block to the VPC and create a new vSwitch in that block.
After adding a secondary CIDR block, submit a ticket to have technical support configure the control planes for the new CIDR block. Without this configuration, the control planes cannot reach pods in the secondary CIDR block, which causes:
kubectl execorkubectl logsfailuresWebhook or APIService call failures
Failures to create pods or other resources
Prerequisites
Before you begin, confirm the CIDR block you want to add.
Check all CIDR blocks already in use. These include, but are not limited to:
CIDR block Where to find it VPC and vSwitch CIDR blocks of the cluster On the Cluster Information page, click the Cluster Resources tab. Click any ID to view details in the VPC console. Service CIDR block of the cluster On the Cluster Information page, click the Basic Information tab. CIDR blocks of Express Connect circuits, VPN gateways, and Cloud Enterprise Network (CEN) instances connected to the VPC Log on to each corresponding console to view details. In the VPC console, click the VPC ID, then go to the Resource Management tab. Under Communication between Networks, click any number to open the relevant console. Select a secondary CIDR block that does not overlap with any of the CIDR blocks listed above.
Step 1: Add a secondary CIDR block and create a vSwitch
Log on to the VPC console.
Add a secondary CIDR block.
On the VPC page, find your VPC and click its ID.
NoteAlternatively, go to the Cluster Information page of the ACS cluster, click the Cluster Resources tab, and click the VPC ID to go directly to the VPC details page.
Click the CIDR Block Management tab, then click Add Secondary IPv4 CIDR Block.
In the dialog box, enter your CIDR block in the Custom CIDR Block field and click OK.
Create a vSwitch in the secondary CIDR block.
Go to the vSwitch page and click Create vSwitch.
On the Create vSwitch page, select the VPC and the secondary CIDR block, specify the zone and vSwitch CIDR block, then click OK.
Step 2: Add security group rules for the secondary CIDR block
Log on to the ECS console.
On the Security Groups page, find your security group and click its ID.
NoteAlternatively, go to the Cluster Information page of the ACS cluster, click the Cluster Resources tab, and click the security group ID.
Add inbound and outbound rules for the secondary CIDR block based on your requirements. For details, see Add a security group rule.
Step 3: Add the vSwitch to the cluster
Update the acs-profile ConfigMap to add the new vSwitch to the ACS cluster. The change takes effect immediately.
The following steps use the console. You can also run kubectl edit configmap acs-profile -n kube-system directly in the cluster to make the same change.
Log on to the ACS console. In the left-side navigation pane, click Clusters.
Click the ID of the ACS cluster to go to the cluster management page.
In the left-side navigation pane, choose .
On the ConfigMaps page, select the kube-system namespace, find acs-profile, and click Edit YAML.
In the
vSwitchIdssection, add the ID of the new vSwitch and click OK.NoteSeparate multiple vSwitch IDs with commas (,).
(Optional) Step 4: Add a SNAT entry for the new vSwitch
If the ACS cluster accesses the Internet through SNAT and your SNAT entries are scoped to individual vSwitches, add a SNAT entry for the new vSwitch. Without it, pods in the zone of the new vSwitch cannot access the Internet.
Log on to the NAT Gateway console.
On the Internet NAT Gateway page, click the ID of the NAT gateway.
Click the SNAT Management tab, then click Create SNAT Entry.
Configure the SNAT entry for the new vSwitch and click OK.
Verify the result
Create a pod in the zone of the new vSwitch. If the pod is created and assigned an IP address from the vSwitch CIDR block, the secondary CIDR block is working correctly.
For information about how to specify a vSwitch, see Specify a vSwitch.