Expand the available CIDR block of a cluster by adding a secondary CIDR block to a VPC

Updated at: 2025-03-28 02:00

The CIDR block used by a Container Service for Kubernetes (ACK) cluster is limited by the virtual private cloud (VPC) of the cluster. If the current CIDR block of the VPC does not have sufficient IP addresses, you can add a secondary CIDR block to the VPC. This way, you can expand the cluster based on your business requirements.

Prerequisites

An ACK dedicated cluster, or an ACK managed cluster created in February 2021 or later, is available. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster (discontinued).

Important

You can update ACK managed clusters created earlier than February 2021 to ACK Pro clusters and then expand the available CIDR block of the cluster by adding a secondary CIDR block to the VPC of the cluster. For more information, see Hot migration from ACK managed Basic clusters to ACK managed Pro clusters.

Step 1: Select a secondary CIDR block

  1. Check the CIDR blocks that are in use.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.

    3. On the Cluster Information page, click the Basic Information tab and click the link next to VPC.

    4. On the VPC Details page, click the CIDR Block Management tab to view the CIDR blocks that are in use.

    The CIDR blocks include but are not limited to:

    • The current CIDR block of the VPC.

      For more information about how to check the current CIDR block of a VPC, see View a VPC.

    • The CIDR blocks of the pods and Services that are deployed in the VPC.

      For more information about how to check the CIDR blocks of pods and Services, see View cluster information.

      Note
      • If the cluster uses the Terway network plug-in, check the CIDR block of Services.

      • If the cluster uses the Flannel network plug-in, check the CIDR blocks of pods and Services.

    • The CIDR blocks of connections over Express Connect circuits, VPN gateways, and Cloud Enterprise Network (CEN) instances that are connected to the VPC.

  2. Select a CIDR block that does not overlap with the preceding CIDR blocks, and use this CIDR block as the secondary CIDR block of the VPC.

    For example, a cluster that uses the Flannel network plug-in may use the following CIDR blocks. In this case, you can use 10.0.0.0/8 as a secondary CIDR block.

    • VPC CIDR block: 192.168.0.0/16

    • Pod CIDR block: 172.20.0.0/16

    • Service CIDR block: 172.21.0.0/16

    • No connections over Express Connect circuits, VPN gateways, or CEN instances are attached to the VPC.
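The overlap check in Step 1 can be done mechanically. The following Python script is an added example and is not code from this page or from ACK; it uses the standard-library ipaddress module and the CIDR blocks from the Flannel example above (the dictionary keys and function names are the author's own). It goes slightly beyond the page by testing several candidates at once and reporting which in-use block each one collides with, which is the information you need when a first choice is rejected.

```python
import ipaddress

# Constructed from the page's Flannel example: the CIDR blocks that are
# already in use by the VPC and the cluster. For a Terway cluster the pod
# CIDR block would be omitted, because Terway pods use VPC addresses.
IN_USE = {
    "VPC CIDR block": "192.168.0.0/16",
    "Pod CIDR block": "172.20.0.0/16",
    "Service CIDR block": "172.21.0.0/16",
    # No Express Connect, VPN gateway, or CEN peer CIDR blocks in this example;
    # if the VPC had any, they would be listed here as well.
}


def find_overlaps(candidate, in_use=IN_USE):
    """Return the names of the in-use CIDR blocks that overlap `candidate`.

    An empty list means `candidate` is usable as a secondary CIDR block, as
    far as the blocks listed in `in_use` are concerned. strict=True rejects
    a malformed block whose host bits are set (for example 10.0.0.1/8).
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [
        name
        for name, cidr in in_use.items()
        if cand.overlaps(ipaddress.ip_network(cidr, strict=True))
    ]


def is_usable_secondary_cidr(candidate, in_use=IN_USE):
    """True if `candidate` overlaps none of the in-use CIDR blocks."""
    return not find_overlaps(candidate, in_use)


def pick_secondary_cidr(candidates, in_use=IN_USE):
    """Return the first candidate that overlaps nothing in `in_use`, else None."""
    for candidate in candidates:
        if is_usable_secondary_cidr(candidate, in_use):
            return candidate
    return None


if __name__ == "__main__":
    # Three constructed candidates: the page's choice, and two that collide.
    for candidate in ("10.0.0.0/8", "172.16.0.0/12", "192.168.100.0/24"):
        clashes = find_overlaps(candidate)
        verdict = "usable" if not clashes else "overlaps: " + ", ".join(clashes)
        print(f"{candidate:>18}  {verdict}")
```

Running the script shows 10.0.0.0/8 as usable, 172.16.0.0/12 colliding with both the pod and Service blocks (it contains 172.16.0.0 through 172.31.255.255), and 192.168.100.0/24 colliding with the VPC block. The check is only as good as the IN_USE list: a peer CIDR block reachable over Express Connect, a VPN gateway, or CEN that is left out of the list will not be detected.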

Step 2: Add a secondary CIDR block and vSwitch

  1. Log on to the VPC console.

  2. In the top navigation bar, select the region where the VPC is deployed.

  3. On the VPCs page, find the VPC that you want to manage and click its ID.

  4. On the VPC Details page, click the CIDR Block Management tab. Click Add Secondary IPv4 CIDR Block and add the IPv4 CIDR block that you selected in the preceding step.

  5. You can create a vSwitch in the secondary CIDR block based on your business requirements.

    For more information about how to create a vSwitch, see Create a vSwitch.

Step 3: Add permit rules for the secondary CIDR block in the security group

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.

  3. On the Basic Information tab, click the ID of the cluster security group next to Control Plane Security Group.

  4. Add inbound and outbound rules to the security group to permit access from and to the secondary CIDR block.
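Before adding rules in Step 3, it is worth confirming which direction is actually missing, since the default rules of a cluster security group usually permit the primary VPC CIDR block but not a block added later. The following Python script is an added example and is not code from this page or from ACK; the rule dictionaries, their field names, and the sample rules are constructed for illustration and do not reproduce any security group API schema. It reports the rules still needed for the secondary CIDR block, scoped to that block rather than to 0.0.0.0/0.

```python
import ipaddress

SECONDARY_CIDR = "10.0.0.0/8"  # the secondary CIDR block selected in Step 1

# Constructed sample of the rules already present in the cluster security
# group. The field names are illustrative only.
EXISTING_RULES = [
    {"direction": "ingress", "policy": "accept", "protocol": "all",
     "ports": "-1/-1", "cidr": "192.168.0.0/16"},   # primary VPC block only
    {"direction": "egress", "policy": "accept", "protocol": "all",
     "ports": "-1/-1", "cidr": "0.0.0.0/0"},        # all outbound traffic
    {"direction": "ingress", "policy": "accept", "protocol": "tcp",
     "ports": "22/22", "cidr": "10.10.0.0/16"},     # SSH from one subnet
]


def covers(rule, cidr, direction):
    """True if `rule` is an accept rule in `direction` that permits all
    traffic for the whole of `cidr`: its CIDR must contain the block
    entirely and it must not be limited to one protocol or port range."""
    if rule["direction"] != direction or rule["policy"] != "accept":
        return False
    if rule["protocol"] != "all":
        return False
    target = ipaddress.ip_network(cidr, strict=True)
    rule_net = ipaddress.ip_network(rule["cidr"], strict=True)
    return target.subnet_of(rule_net)


def missing_rules(secondary_cidr=SECONDARY_CIDR, rules=EXISTING_RULES):
    """Return the rules that still have to be added so that traffic from and
    to the secondary CIDR block is permitted. Each proposed rule is scoped to
    the secondary block itself, not to 0.0.0.0/0."""
    needed = []
    for direction in ("ingress", "egress"):
        if not any(covers(r, secondary_cidr, direction) for r in rules):
            needed.append({"direction": direction, "policy": "accept",
                           "protocol": "all", "ports": "-1/-1",
                           "cidr": secondary_cidr})
    return needed


if __name__ == "__main__":
    for rule in missing_rules():
        print(f"add {rule['direction']} rule: {rule['protocol']} "
              f"{rule['ports']} {rule['cidr']}")
```

With the constructed rules, only an inbound rule for 10.0.0.0/8 is reported as missing: the existing inbound rule covers 192.168.0.0/16 only, the SSH rule for 10.10.0.0/16 is too narrow in both address range and protocol, and the outbound rule already permits everything. After the proposed rule is appended to the list, missing_rules returns nothing.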

Step 4: Modify the node pool information

Add the vSwitch of the secondary CIDR block to the available vSwitch list of the node pool. After the node pool is scaled out, the new nodes can use IP addresses from the secondary CIDR block.

  1. Log on to the ACK console.

  2. On the Clusters page, find the cluster that you want to manage and click the name of the cluster to go to the details page of the cluster. In the left-side navigation pane, choose Nodes > Node Pools.

  3. Click Edit in the Actions column of the node pool that you want to modify, select the vSwitch of the secondary CIDR block, and click Confirm.

  4. Click More in the Actions column of the node pool that you want to manage, and select Scale from the drop-down list to scale out the node pool.

    Important

    For ACK managed clusters that were created before February 15, 2023, you need to submit a ticket to contact technical support to configure the control planes. Otherwise, the control planes cannot access the newly created nodes or the pods on these nodes, and the following issues may occur:

    • Failures to execute kubectl exec or kubectl logs.

    • Webhook or APIService call failures.

    • Failures to create pods or other resources.

(Optional) Step 5: Increase the number of pod vSwitches in a cluster that uses the Terway plug-in

In an ACK cluster that uses the Terway plug-in, you must manually modify the vSwitch configuration of the Terway plug-in so that pods can use the IP addresses of the secondary CIDR block. For more information, see Modify the pod vSwitches.

Note

If the Terway network mode of the cluster is not DataPathV2 and a Terway pod uses an IP address from the secondary CIDR block to access a ClusterIP, the source IP address is replaced with the IP address of the host by source network address translation (SNAT). If the node is in a security group or is subject to a whitelist, you must add a security group rule that allows access from the IP address or CIDR block of the node.
