Attach an independent EIP to a pod

更新时间:
复制 MD 格式

In Kubernetes clusters, pod IP addresses are typically private. Terway and ack-extend-network-controller support associating an elastic IP address (EIP) directly with a pod so it has an independent public egress without sharing traffic with other pods.

Prerequisites

Use an ACK Managed cluster or an ACK Dedicated cluster with the Terway network plugin. To create a cluster, see Create an ACK Managed cluster and Create an ACK Dedicated cluster (Creation of new clusters is no longer supported). For Terway network mode, see Use the Terway network plugin.

Important

As of November 2023, Terway no longer maintains the EIP feature; v1.7.0 removed it. Use ack-extend-network-controller to attach independent EIPs to pods. See Migrate the EIP feature from Terway to ack-extend-network-controller.

Limitations

  • Before using an EIP, review its limits. See Limits.

  • This feature is supported only on ECS nodes.

  • The add-on manages the lifecycle of controller-created EIPs. If you uninstall the component after assigning an EIP to a pod, the EIP stays allocated and is not automatically released.

    Before you stop the component, delete pods that use EIPs. Check EIP allocation and release status by inspecting the podeips.alibabacloud.com resource that matches the pod name. Confirm the EIP is no longer in use before disabling the EIP feature, or EIP billing continues.

Billing

Terway and ack-extend-network-controller are free to enable, but cloud resources they consume incur charges. See Billing for cloud resources for ACK billing details.

Background

In Terway network mode, pods typically access the public network through host SNAT or external SNAT via an EIP, with LoadBalancer Services routing ingress traffic. Some scenarios require an independent public IP address. For example:

  • A pod exposes services on random ports, common in UDP-based applications such as game servers and teleconferencing. For example, RTSP uses a different port for each client.

  • A pod needs dedicated public egress to avoid contention with other pods.

Step 1: Configure RAM permissions for EIPs

ack-extend-network-controller (Recommended)

  • Grant RAM permissions to an ACK managed cluster or an ACK dedicated cluster

    1. Create a custom permission policy with the following content. See Step 1: Create a custom permission policy.

          {
            "Effect": "Allow",
            "Action": [
              "vpc:DescribeVSwitches",
              "vpc:AllocateEipAddress",
              "vpc:AllocateEipAddressPro",
              "vpc:DescribeEipAddresses",
              "vpc:AssociateEipAddress",
              "vpc:UnassociateEipAddress",
              "vpc:ReleaseEipAddress",
              "vpc:AddCommonBandwidthPackageIp",
              "vpc:RemoveCommonBandwidthPackageIp",
              "vpc:TagResources",
              "ecs:DescribeNetworkInterfaces"
            ],
            "Resource": [
              "*"
            ],
            "Condition": {}
          }
    2. Grant permissions to the cluster worker RAM role. See Step 2: Grant permissions to the worker RAM role of the cluster.

Terway

Terway requires EIP-related permissions and additional configuration to assign EIPs to pods.

  • Grant RAM permissions to an ACK managed cluster or an ACK basic managed cluster created in or after June 2020

    1. Create a custom permission policy with the following content. See Step 1: Create a custom permission policy.

          {
            "Effect": "Allow",
            "Action": [
              "vpc:DescribeVSwitches",
              "vpc:AllocateEipAddress",
              "vpc:DescribeEipAddresses",
              "vpc:AssociateEipAddress",
              "vpc:UnassociateEipAddress",
              "vpc:ReleaseEipAddress",
              "vpc:AddCommonBandwidthPackageIp",
              "vpc:RemoveCommonBandwidthPackageIp"
            ],
            "Resource": [
              "*"
            ],
            "Condition": {}
          }
    2. Grant permissions to the cluster worker RAM role. See Step 2: Grant permissions to the worker RAM role of the cluster.

  • Grant RAM permissions to an ACK dedicated cluster or an ACK managed cluster created before June 2020

    1. Create a custom permission policy with the following content. See Step 1: Create a custom permission policy.

          {
            "Effect": "Allow",
            "Action": [
              "vpc:DescribeVSwitches",
              "vpc:AllocateEipAddress",
              "vpc:DescribeEipAddresses",
              "vpc:AssociateEipAddress",
              "vpc:UnassociateEipAddress",
              "vpc:ReleaseEipAddress",
              "vpc:AddCommonBandwidthPackageIp",
              "vpc:RemoveCommonBandwidthPackageIp"
            ],
            "Resource": [
              "*"
            ],
            "Condition": {}
          }
    2. On the Policies tab of the AliyunCSManagedNetworkRole RAM role page, click Grant Permission. Then, click Custom Policy, select the custom permission policy you created, and click OK.

Step 2: Install or upgrade a cluster plugin

Warning

Do not enable the EIP feature in both ack-extend-network-controller and Terway. This can cause duplicate EIP allocations and binding failures. Use ack-extend-network-controller.

Plugin comparison

Item

ack-extend-network-controller

Terway

Supported cluster types

  • ACK Managed Cluster

  • ACK Dedicated Cluster

  • ACK Serverless Cluster

  • ACK Managed Cluster

  • ACK Dedicated Cluster

Static EIP

Supported

Not supported

Configuration phase

After a pod IP is assigned, the controller assigns and binds an EIP.

Assigns and binds an EIP during CNI execution.

Supported versions

Plugin version v0.2.0 or later.

Terway plugin version v1.0.10.280-gdc2cb6c-aliyun or later, but earlier than v1.7.0.

Install or upgrade a plugin

For ack-extend-network-controller, install it from the Marketplace and enable the EIP controller. For Terway, upgrade to v1.0.10.280-gdc2cb6c-aliyun or later.

ack-extend-network-controller (recommended)

  1. Log on to the ACK console. In the left navigation pane, click Marketplace > Marketplace.

  2. On the Marketplace page, search for ack-extend-network-controller and click the target application.

  3. On the application details page, click Deploy in the upper-right corner.

  4. In the Create panel, select a cluster and namespace, and then click Next.

    1. On the OK page, select a version, configure the parameters, and then click OK.

      This table describes the parameters.

      Parameter

      Type

      Required

      Description

      clusterID

      string

      Yes

      The cluster ID.

      regionID

      string

      Yes

      The cluster region.

      enableControllers

      []string

      Yes

      Set to eip to enable the EIP feature.

      networkController.vpcID

      string

      Yes

      The cluster VPC ID.

      networkController.eipController.maxConcurrentReconciles

      int

      No

      The number of concurrent reconciles for the EIP controller.

      networkController.eipController.garbageCollectionPeriodInMinutes

      int

      No

      The interval, in minutes, for static EIP garbage collection.

      networkController.customStatefulWorkloadKinds

      []string

      No

      The kinds of custom stateful controllers.

      enableVirtualNode

      bool

      No

      Enables ECI virtual node support.

      Important

      If you enable this feature, the controller assigns EIPs to pods on ECI instances. The configured pod annotation cannot be the same as the one used for the EIP feature supported by ECI. Use this feature with caution.

      enableRRSA

      bool

      No

      Enables RRSA for authentication.

      Note

      Supported by ack-extend-network-controller plugin v0.10.0 and later.

      For configuration details, see Use RRSA to configure RAM permissions for a ServiceAccount to isolate pod permissions.

      rrsaRoleName

      string

      No

      The role name.

      Note

      Supported by ack-extend-network-controller plugin v0.10.0 and later.

      credential.accessKey

      string

      No

      The AccessKey ID of the account with permissions to attach EIPs.

      This parameter is not required if you completed the setup in Step 1: Configure the RAM permissions required to attach an EIP.

      Important

      Not recommended, as this method stores sensitive information in a Kubernetes Secret.

      credential.accessSecret

      string

      No

      The AccessKey Secret of the account with permissions to attach EIPs.

      This parameter is not required if you completed the setup in Step 1: Configure the RAM permissions required to attach an EIP.

      Important

      Not recommended, as this method stores sensitive information in a Kubernetes Secret.

      kubeClientQPS

      float32

      No

      QPS limit when the component accesses the cluster API server.

      Note

      Supported by ack-extend-network-controller plugin v0.12.2 and later.

      kubeClientBurst

      int

      No

      Maximum burst requests to the cluster API server.

      Note

      Supported by ack-extend-network-controller plugin v0.12.2 and later.

      Sample configuration:

      clusterID: "c11ba338192xxxxxxx"  
      regionID: "cn-hangzhou"      
      vpcID: "vpc-bp1rkq0zxxxxxx" 
      enableControllers:
        - eip              
      networkController:
        eipController:
          maxConcurrentReconciles: 1   
          garbageCollectionPeriodInMinutes: 1  
        customStatefulWorkloadKinds:           
        - foo
      credential:                             
        accessKey: ""
        accessSecret: ""

To update ack-extend-network-controller version and parameters, see Modify a Helm chart.

Terway

If your cluster uses Terway, upgrade terway-eni or terway-eniip to a version that supports EIPs. See Manage components.

Note

The Terway plugin version must be v1.0.10.280-gdc2cb6c-aliyun or later, but earlier than v1.7.0. See Terway for version details.

Step 3: Enable the EIP feature

EIP annotations

Use pod annotations to enable EIPs: automatically assign one to a pod or associate an existing EIP.

Automatically assign an EIP

Important

Automatic EIP assignment may repeatedly create and release EIPs during pod recreation or CNI failures. Specify an existing EIP instead.

Pod annotations

Value

network.alibabacloud.com/pod-with-eip

k8s.aliyun.com/pod-with-eip

Specifies whether to automatically create and associate an EIP. Valid values:

  • true: Automatically create and associate an EIP.

  • false: Do not automatically create and associate an EIP.

k8s.aliyun.com/eci-with-eip (Compatible)

network.alibabacloud.com/eip-bandwidth

k8s.aliyun.com/eip-bandwidth

This annotation applies only when creating an EIP.

Specifies the peak bandwidth of the EIP in Mbps. See Request an EIP.

network.alibabacloud.com/eip-internet-charge-type

k8s.aliyun.com/eip-internet-charge-type

This annotation applies only when creating an EIP.

Specifies the metering method of the EIP. Valid values:

  • PayByTraffic (default): pay-by-traffic.

  • PayByBandwidth: pay-by-bandwidth.

See Request an EIP.

k8s.aliyun.com/eip-charge-type (Compatible)

network.alibabacloud.com/eip-instance-charge-type

k8s.aliyun.com/eip-instance-charge-type

This annotation applies only when creating an EIP.

Specifies the billing method of the EIP. Valid values:

  • PostPaid: pay-as-you-go.

See Request an EIP.

Note

This annotation is supported only by ack-extend-network-controller.

The PrePaid (subscription) option is not supported.

network.alibabacloud.com/eip-common-bandwidth-package-id

k8s.aliyun.com/eip-common-bandwidth-package-id

ID of the EIP Bandwidth Plan to associate.

Note

This feature requires Terway v1.2.3 or later. No version restrictions apply to the ack-extend-network-controller component.

network.alibabacloud.com/eip-isp

k8s.aliyun.com/eip-isp

This annotation applies only when creating an EIP.

Specifies the line type of the EIP. Valid values:

  • BGP: BGP (Multi-ISP) line.

  • BGP_PRO: BGP (Multi-ISP) Pro line.

  • If you are allowlisted for single-ISP bandwidth, you can also select one of the following types:

    • ChinaTelecom: China Telecom

    • ChinaUnicom: China Unicom

    • ChinaMobile: China Mobile

    • ChinaTelecom_L2: China Telecom L2

    • ChinaUnicom_L2: China Unicom L2

    • ChinaMobile_L2: China Mobile L2

  • If you use the China (Hangzhou Finance) region, set the value to BGP_FinanceCloud.

See Request an EIP.

Note

This feature requires Terway v1.2.3 or later. No version restrictions apply to the ack-extend-network-controller component.

network.alibabacloud.com/eip-public-ip-address-pool-id

k8s.aliyun.com/eip-public-ip-address-pool-id

This annotation applies only when creating an EIP.

Specifies the IP address pool ID. See IP address pools for limits and procedures.

Note

This is supported only by ack-extend-network-controller.

network.alibabacloud.com/eip-resource-group-id

k8s.aliyun.com/eip-resource-group-id

This annotation applies only when creating an EIP.

Specifies the resource group ID for the EIP. See Request an EIP.

Note

This is supported by ack-extend-network-controller v0.4.0 and later.

network.alibabacloud.com/eip-name

k8s.aliyun.com/eip-name

This annotation applies only when creating an EIP.

Specifies the EIP name. See Request an EIP.

Note

This is supported by ack-extend-network-controller v0.6.0 and later.

network.alibabacloud.com/eip-description

k8s.aliyun.com/eip-description

This annotation applies only when creating an EIP.

Specifies the EIP description. See Request an EIP.

Note

This is supported by ack-extend-network-controller v0.6.0 and later.

network.alibabacloud.com/eip-security-protection-types

k8s.aliyun.com/eip-security-protection-types

This annotation applies only when creating an EIP.

Specifies the security protection level for the EIP. Anti-DDoS enabled EIPs are supported.

  • If left empty, this parameter defaults to Anti-DDoS Origin Basic.

  • Set the value to AntiDDoS_Enhanced to use Anti-DDoS Origin Pro.

To specify multiple protection levels, separate them with a comma (,). See Request an EIP.

Note

This is supported by ack-extend-network-controller v0.9.0 and later.

network.alibabacloud.com/eip-tags

k8s.aliyun.com/eip-tags

This annotation applies only when creating an EIP.

Specifies tags to add to the EIP. The value must be a valid JSON string. See Manage tags.

Example: k8s.aliyun.com/eip-tags: "{\"foo\":\"bar\"}".

Note

This is supported by ack-extend-network-controller v0.11.0 and later.

Specify an EIP instance

Specify the EIP instance ID in a pod annotation to associate an existing EIP. The annotation only binds the EIP; it does not change EIP configuration.

Important

This feature does not suit multi-replica controllers such as Deployments. Only one pod can reference each EIP instance. Use it with stateful workloads such as StatefulSets.

Pod annotations

Value

network.alibabacloud.com/pod-eip-instanceid

k8s.aliyun.com/pod-eip-instanceid

The ID of the EIP instance to associate, for example, eip-bp14qxxxxxxx.

Important

Do not assign the same EIP instance to pods with different names. After a pod is deleted, the EIP controller disassociates the EIP. During this period, you cannot use the same EIP instance for a new pod. To check whether the disassociation is complete, verify that the PodEIP resource that has the same name as the pod no longer exists.

k8s.aliyun.com/eci-eip-instanceid (Compatible)

EIP release strategy annotations

This release strategy retains a pod's EIP after recreation. Combine it with automatic assignment for persistent EIPs on stateful workloads.

Important
  • This feature is supported only by ack-extend-network-controller and applies only to stateful replica controllers. It cannot be used for stateless controllers.

  • If you specify an EIP instance ID, the EIP instance is not released when the pod is deleted.

Pod annotation

Value

network.alibabacloud.com/pod-eip-release-strategy

k8s.aliyun.com/pod-eip-release-strategy

The release strategy for the pod's EIP. Valid values:

  • Follow (default): The EIP is released when the pod is deleted.

  • Never: The EIP is not deleted when the pod is deleted. Manually delete the PodEIP resource when it is no longer needed.

You can also specify a retention period. Go-style duration expressions are supported. For example, 5m30s specifies that the EIP is released 5.5 minutes after the pod is deleted.

Enable EIP in ack-extend-network-controller or Terway

Enable in ack-extend-network-controller

Note

ack-extend-network-controller calls Alibaba Cloud APIs to create resources. Configure RAM permissions, install the component from the Marketplace, and use annotations to create and associate EIPs with pods.

Create and associate EIPs with annotations

Use pod manifest annotations to create an EIP and associate it with the pod. See FAQ for annotation details.

  1. Create an application and use annotations to create and associate an EIP with a pod.

    Deployment

    This manifest creates a Deployment where ACK automatically assigns an EIP instance with a peak bandwidth of 5 Mbps to each pod.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
      labels:
        app: example
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
          annotations:
            k8s.aliyun.com/pod-with-eip: "true"
            k8s.aliyun.com/eip-bandwidth: "5"
        spec:
          readinessGates:
          - conditionType: "k8s.aliyun.com/eip"
          containers:
          - name: example
            image: nginx

    After the pod is created, query the podeips.alibabacloud.com resource that has the same name as the pod to view details of the assigned EIP.

    kubectl get podeip -n <namespace> <podname>  -o yaml

    Expected output:

    apiVersion: alibabacloud.com/v1beta1
    kind: PodEIP
    metadata:
      creationTimestamp: "2023-12-15T04:25:37Z"
      finalizers:
      - podeip-controller.alibabacloud.com/finalizer
      generation: 1
      name: example-xxx
      namespace: default
      resourceVersion: "222800"
      uid: 43xxx-f1xx-4xxx-b3xx-969faxxx
    spec:
      allocationID: eip-2ze2qe8zsxxx
      allocationType:
        releaseStrategy: Follow
        type: Auto
    status:
      eipAddress: 39.102.XX.XX
      internetChargeType: PayByTraffic
      isp: BGP
      networkInterfaceID: eni-2zeagv8f3xxxx
      podLastSeen: "2023-12-15T05:18:47Z"
      privateIPAddress: 192.168.XX.XX
      resourceGroupID: rg-acfmwxxxxxsq
      status: InUse

    StatefulSet

    Use the following manifest to create a StatefulSet with two pods. An EIP is automatically assigned to each pod, and the release strategy is set to delete the PodEIP resource 10 minutes after the corresponding pod is deleted.

    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: example
      labels:
        app: example
    spec:
      serviceName: "example"
      replicas: 2
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
          annotations:
            k8s.aliyun.com/pod-with-eip: "true"
            k8s.aliyun.com/pod-eip-release-strategy: "10m"
        spec:
          containers:
          - name: example
            image: nginx

    After the pods are created, query the podeips.alibabacloud.com resources to track information about the assigned EIPs.

    kubectl get podeip -n <namespace> -o yaml

    Expected output:

    apiVersion: v1
    items:
    - apiVersion: alibabacloud.com/v1beta1
      kind: PodEIP
      metadata:
        creationTimestamp: "2023-12-15T03:28:01Z"
        finalizers:
        - podeip-controller.alibabacloud.com/finalizer
        generation: 1
        name: example-0
        namespace: default
        resourceVersion: "227221"
        uid: 79954xx-17xx-4dxx-b7xx-15b84xxx
      spec:
        allocationID: eip-2ze08metxxx
        allocationType:
          releaseAfter: 10m
          releaseStrategy: TTL
          type: Auto
      status:
        eipAddress: 39.105.XX.XX
        internetChargeType: PayByTraffic
        isp: BGP
        networkInterfaceID: eni-2ze4tkg4xxx
        podLastSeen: "2023-12-15T05:31:34Z"
        privateIPAddress: 192.168.XX.XX
        resourceGroupID: rg-acfmwxxx
        status: InUse
    - apiVersion: alibabacloud.com/v1beta1
      kind: PodEIP
      metadata:
        creationTimestamp: "2023-12-15T03:28:03Z"
        finalizers:
        - podeip-controller.alibabacloud.com/finalizer
        generation: 1
        name: example-1
        namespace: default
        resourceVersion: "227222"
        uid: 1339xxxe7-97xx-46xx-9bxx-537690xxx
      spec:
        allocationID: eip-2zetwhffqxxx
        allocationType:
          releaseAfter: 10m
          releaseStrategy: TTL
          type: Auto
      status:
        eipAddress: 39.105.XX.XX
        internetChargeType: PayByTraffic
        isp: BGP
        networkInterfaceID: eni-2zeagv8f3wxxx
        podLastSeen: "2023-12-15T05:31:34Z"
        privateIPAddress: 192.168.XX.XX
        resourceGroupID: rg-acfmwqnwxxx
        status: InUse
    - apiVersion: alibabacloud.com/v1beta1
      kind: PodEIP
      metadata:
        creationTimestamp: "2023-12-15T04:25:37Z"
        finalizers:
        - podeip-controller.alibabacloud.com/finalizer
        generation: 1
        name: example-5bxxx-9xx
        namespace: default
        resourceVersion: "227220"
        uid: 43cdfxxx-f1xx-42xx-b3xx-969fxxx
      spec:
        allocationID: eip-2ze2qe8zsmnxxx
        allocationType:
          releaseStrategy: Follow
          type: Auto
      status:
        eipAddress: 39.102.XX.XX
        internetChargeType: PayByTraffic
        isp: BGP
        networkInterfaceID: eni-2zeagv8f3wxxx
        podLastSeen: "2023-12-15T05:31:34Z"
        privateIPAddress: 192.168.XX.XX
        publicIpAddressPoolID: pippool-2ze498cxxx
        resourceGroupID: rg-acfmwqnxxx
        status: InUse
    kind: List
    metadata:
      resourceVersion: ""

    After a pod in this stateful application is deleted, its PodEIP custom resource (CR) is retained for 10 minutes before being deleted. If a pod with the same name is created during this period, it reuses the corresponding EIP.

  2. Verify the configuration.

    After the pod enters the Running state, check the k8s.aliyun.com/allocated-eipAddress annotation to view its assigned EIP address and access the pod.

Enable in Terway

  1. Deploy the Terway configuration to support the EIP feature.

    1. Edit the Terway ConfigMap.

      kubectl edit cm eni-config -n kube-system
    2. In eni_conf, add the following line.

      "enable_eip_pool": "true"
      Note

      To forcibly disassociate an EIP from its current instance when you associate it with a new one, add the "allow_eip_rob": "true" parameter to eni_conf.

    3. After you finish editing, press the Esc key, enter :wq!, and press the Enter key to save your changes and exit edit mode.

    4. Recreate the Terway pods to apply the changes.

      kubectl delete pod -n kube-system -l app=terway-eniip # If you installed the terway-eni component, replace terway-eniip with terway-eni.
  2. Create and associate an EIP with a pod by using annotations.

    Use pod manifest annotations to create an EIP and associate it with the pod. See EIP-related limits.

    Automatically assign an EIP

    Add these annotations to automatically assign an EIP and specify bandwidth:

    • k8s.aliyun.com/pod-with-eip: "true": Assign a dedicated public EIP to the pod.

    • k8s.aliyun.com/eip-bandwidth: "5": Specify EIP bandwidth. The default is 5 Mbps.

    Sample manifest:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment-basic
      labels:
        app: nginx
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          annotations:
            network.alibabacloud.com/pod-with-eip: "true" # Automatically assign a public EIP to the Nginx container.
            network.alibabacloud.com/eip-bandwidth: "5"   # Specify the bandwidth of the EIP. The default is 5 Mbps, which is consistent with the EIP default value.
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx

    Specify an EIP

    Important
    • Because a single EIP cannot be associated with multiple pods, this method is not suitable for workloads such as Deployments and StatefulSets that have more than one replica.

    • By default, if the specified EIP is already associated with an instance, the association fails. To force the disassociation of the EIP from the previous instance and associate it with the new one, you must set "allow_eip_rob": "true" in the ConfigMap as described earlier.

    • You can specify an EIP instance ID only for single-replica workloads. For example, a Deployment cannot have more than one replica.

    Add the following annotation to specify an EIP instance ID for a pod:

    k8s.aliyun.com/pod-eip-instanceid: "<your-eip-instance-id>"
  3. Verify the configuration.

    After the pod enters the Running state, check the network.alibabacloud.com/allocated-eipAddress annotation to view its assigned EIP address and access the pod.

FAQ

Pod ready before EIP is bound

The controller assigns an EIP only after a pod IP is allocated, so the pod may become Ready before the EIP binds. Use the following methods to control timing.

Readiness gates

Note

Configuring readiness gates requires the ack-extend-network-controller.

With readinessGates, the controller updates pod conditions only after the EIP binds, preventing Ready status until binding completes.

kind: Pod
...
spec:
  readinessGates:
  - conditionType: "k8s.aliyun.com/eip"
status:
  conditions:
  - lastProbeTime: "2022-12-12T03:45:48Z"
    lastTransitionTime: "2022-12-12T03:45:48Z"
    reason: Associate eip succeed
    status: "True"
    type: k8s.aliyun.com/eip
...

Init container

Configure an init container to verify EIP assignment.

apiVersion: v1
kind: Pod
metadata:
  name: example
  annotations:
    network.alibabacloud.com/pod-with-eip: "true"
spec:
  containers:
  - name: example
    image: busybox:1.28
    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  initContainers:
  - name: init
    image: busybox:1.28
    command: ['timeout', '-t' ,'60', 'sh','-c', "until grep -E '^k8s.aliyun.com\\/allocated-eipAddress=\\S?[0-9]+\\S?' /etc/podinfo/annotations; do echo waiting for annotations; sleep 2; done"]
    volumeMounts:
      - name: podinfo
        mountPath: /etc/podinfo
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations

Pod inaccessible via EIP

Restrictive ACL policies often cause this. Check these access controls:

  • Cloud Firewall: EIP traffic is subject to Cloud Firewall access control rules. Allow inbound and outbound traffic for the pod's EIP and service ports. See Configure access control policies for an internet firewall.

  • Node security group: After an EIP attaches to a pod, the node's security group still governs traffic. Allow inbound traffic from the client IP to the pod's service ports and any required outbound traffic. See Configure cluster security groups.