Container Service for Kubernetes:FAQ about network management

FAQ about container networks

FAQ about Terway

• Can I switch the network plug-in for an existing ACK cluster?

• What do I do if a cluster installed with Terway cannot access the Internet after I create a vSwitch for the cluster?

• How do I resolve network errors that occur when the Terway network plug-in is used in exclusive ENI mode?

• What do I do if the idle vSwitch IP addresses of an ACK cluster installed with Terway are insufficient?

• What do I do if the IP address of a newly created pod does not fall within the vSwitch CIDR block in Terway mode?

• What do I do if the IP address of a newly created pod does not fall within the vSwitch CIDR block after I add a vSwitch in Terway mode?

• How do I choose between Terway and Flannel for an ACK cluster?

• How do I enable load balancing for a cluster in Terway IPVLAN mode?

• How do I add the pod CIDR block to a whitelist if my cluster uses Terway?

• What is the number of pods that can be created on a node in Terway mode?

• How do I view the lifecycle of a pod in Terway mode?

• What is Terway DataPath V2?

• Troubleshoot Terway update failures

• What do I do if MAC address cannot be found during pod creation in Terway mode?

FAQ about Flannel

• What do I do if Flannel becomes incompatible with clusters of Kubernetes 1.16 or later after I manually update Flannel?

• How do I choose between Terway and Flannel for an ACK cluster?

• What do I do if I fail to ping ECS nodes from a pod?

• What do I do if a node has the NodeNetworkUnavailable taint?

• Configure multiple route tables for a VPC

• What do I do if a pod fails to be started and the "no IP addresses available in range" error message appears?

• How do I modify the number of node IP addresses, the pod CIDR block, and the Service IP block?

FAQ about kube-proxy

• How do I modify the kube-proxy configuration?

• How do I modify the IPVS load balancing algorithm in the kube-proxy configuration?

• How do I modify the timeout period for IPVS UDP sessions in the kube-proxy configuration?

FAQ about IPv6

How do I fix common issues related to IPv4/IPv6 dual stack?

Other issues

• What do I do if a pod is not immediately ready for communication after it is started?

• How do I enable a pod to access a Service that is used to expose the pod?

• How do I resolve network errors of pods in a cluster?

• How do I plan the network of a cluster?

• Can I use the hostPort feature to create port mappings in an ACK cluster?

• How do I check the network type and vSwitches of a cluster?

• How do I check the cloud resources used in an ACK cluster?

• How do I obtain the public IP address of an application in a cluster?

• What do I do if a cluster cannot connect to the public IP address of the SLB instance that is associated with a LoadBalancer Service?

• How do I increase the maximum number of tracked connections in the conntrack table of the Linux kernel?

• Can I install and configure third-party network plug-ins for a cluster?

• What do I do if the "no IP addresses available in range set" error message appears?

Service FAQ

FAQ about Server Load Balancer (SLB)

• How can I use SLB instances in an ACK cluster?

• Which external traffic policy should I use when I create a Service, Local or Cluster?

• Why are no events collected during the synchronization between a Service and an SLB instance?

• How do I handle an SLB instance that remains in the Pending state?

• What do I do if the vServer groups of an SLB instance are not updated?

• What do I do if the annotations of a Service do not take effect?

• Why are the configurations of an SLB instance modified?

• Why does the cluster fail to access the IP address of an SLB instance?

• When is an SLB instance automatically deleted?

• What do I do if I accidentally delete an SLB instance?

• If I delete a Service, is the SLB instance associated with the Service automatically deleted?

• How do I rename an SLB instance if the CCM version is V1.9.3.10 or earlier?

• How does the CCM calculate node weights in Local mode?

• How do I query the IP addresses, names, and address types of all SLB instances in a cluster?

• How do I ensure that the LoadBalancer gracefully disconnects existing connections when I change the backend of the LoadBalancer Service?

FAQ about updates of the CCM

• How do I troubleshoot failures to update the CCM?

FAQ about using existing SLB instances

• Why does the system fail to use an existing SLB instance for more than one Service?

• Why is no listener created when I reuse an existing SLB instance?

Other issues

• What do I do if errors occur in Services?

• How do I troubleshoot CCM update failures?

• How is session persistence implemented in Kubernetes Services?

• How do I configure listeners for a NodePort Service?

• How do I access a NodePort Service?

• How do I configure a proper node port range?

Ingress FAQ

FAQ about Ingress configurations

• Which SSL or TLS protocol versions are supported by Ingresses?

• Do Ingresses pass Layer 7 request headers to backend servers by default?

• Can ingress-nginx forward requests to backend HTTPS servers?

• Do Ingresses pass client IP addresses at Layer 7?

• Does the NGINX Ingress controller support HSTS?

• Which rewrite rules are supported by ingress-nginx?

• Configure an Internet-facing or internal-facing NGINX Ingress controller

• What gets updated in the system after I update the NGINX Ingress controller on the Add-ons page of the ACK console?

• How do I specify an existing SLB instance for ack-ingress-nginx deployed from the Marketplace page?

• How do I change Layer 4 listeners to Layer 7 HTTP or HTTPS listeners for ingress-nginx?

• Nginx Ingress FAQ

FAQ about connectivity

• Why am I unable to access the IP address of the LoadBalancer Service within the Kubernetes cluster?

• Why does the Ingress controller pod fail to access the Ingress controller?

• Why is the default TLS certificate or previous TLS certificate used after I add a TLS certificate to the cluster or change the TLS certificate?

• NGINX Ingress controller troubleshooting

• Why am I unable to access gRPC Services that are exposed by an Ingress?

• Why am I unable to access backend HTTPS services?

• Why does the Ingress controller pod fail to preserve client IP addresses?

FAQ about canary releases

• Why do canary release rules fail to take effect?

• What do I do if traffic is not distributed based on canary release rules or traffic from other Ingresses is routed to the canary Service?

FAQ about errors

• What do I do if an error "failed calling webhook" occurs when I create an Ingress?

• What do I do if an error "SSL_ERROR_RX_RECORD_TOO_LONG" is returned for HTTPS requests?

• What do I do if a common HTTP status code is returned?

• What do I do if an error "net::ERR_HTTP2_SERVER_REFUSED_STREAM" occurs?

• What do Id do if an error "The param of ServerGroupName is illegal" occurs?

• What do I do if an error "certificate signed by unknown authority" occurs when I create an Ingress?

FAQ about other issues

• Why does the Ingress controller pod restart after it fails the health check?

• How do I add Services that use TCP or UDP?

• Why do Ingress rules fail to take effect?

• Why does the system fail to load some web page resources or return a blank white screen when requests are redirected to the root directory?

• How do I fix the issue that Simple Log Service cannot parse logs as expected after ingress-nginx-controller is updated?

DNS FAQ

What do I do if I cannot access a CoreDNS pod by running the exec command?

Why does CoreDNS use deprecated APIs?

What do I do if the error message dns: buffer size too small appears in CoreDNS logs?

FAQ about network configurations

How do I access cluster workloads over the Internet?

How do I configure the pods to obtain the real IP addresses of clients?

• If Web Application Firewall (WAF) is used and your cluster uses SLB instances to provide external services, set externaltrafficpolicy to Local for the Services that are used to expose the pods. This way, you can obtain the real IP addresses of clients. If your cluster uses Ingresses to provide external services, set externaltrafficpolicy to Local for the nginx-ingress-lb Service.

• For more information about WAF, see Use WAF or transparent WAF.

How do I throttle traffic for an ACK cluster?

You can use Service Mesh (ASM) to throttle traffic for an ACK cluster. ASM helps you cope with issues such as traffic spikes, service overloading, resource exhaustion, and attacks. This ensures the stability of backend services, reduces costs, and improves user experience. For more information, see Throttling.