In Kubernetes clusters, pod IP addresses are typically private. Terway and ack-extend-network-controller support associating an elastic IP address (EIP) directly with a pod so it has an independent public egress without sharing traffic with other pods.
Prerequisites
Use an ACK Managed cluster or an ACK Dedicated cluster with the Terway network plugin. To create a cluster, see Create an ACK Managed cluster and Create an ACK Dedicated cluster (Creation of new clusters is no longer supported). For Terway network mode, see Use the Terway network plugin.
As of November 2023, Terway no longer maintains the EIP feature; v1.7.0 removed it. Use ack-extend-network-controller to attach independent EIPs to pods. See Migrate the EIP feature from Terway to ack-extend-network-controller.
Limitations
Before using an EIP, review its limits. See Limits.
This feature is supported only on ECS nodes.
The add-on manages the lifecycle of controller-created EIPs. If you uninstall the component after assigning an EIP to a pod, the EIP stays allocated and is not automatically released.
Before you stop the component, delete pods that use EIPs. Check EIP allocation and release status by inspecting the
podeips.alibabacloud.comresource that matches the pod name. Confirm the EIP is no longer in use before disabling the EIP feature, or EIP billing continues.
Billing
Terway and ack-extend-network-controller are free to enable, but cloud resources they consume incur charges. See Billing for cloud resources for ACK billing details.
Background
In Terway network mode, pods typically access the public network through host SNAT or external SNAT via an EIP, with LoadBalancer Services routing ingress traffic. Some scenarios require an independent public IP address. For example:
A pod exposes services on random ports, common in UDP-based applications such as game servers and teleconferencing. For example, RTSP uses a different port for each client.
A pod needs dedicated public egress to avoid contention with other pods.
Step 1: Configure RAM permissions for EIPs
ack-extend-network-controller (Recommended)
Grant RAM permissions to an ACK managed cluster or an ACK dedicated cluster
Create a custom permission policy with the following content. See Step 1: Create a custom permission policy.
{ "Effect": "Allow", "Action": [ "vpc:DescribeVSwitches", "vpc:AllocateEipAddress", "vpc:AllocateEipAddressPro", "vpc:DescribeEipAddresses", "vpc:AssociateEipAddress", "vpc:UnassociateEipAddress", "vpc:ReleaseEipAddress", "vpc:AddCommonBandwidthPackageIp", "vpc:RemoveCommonBandwidthPackageIp", "vpc:TagResources", "ecs:DescribeNetworkInterfaces" ], "Resource": [ "*" ], "Condition": {} }Grant permissions to the cluster worker RAM role. See Step 2: Grant permissions to the worker RAM role of the cluster.
Terway
Terway requires EIP-related permissions and additional configuration to assign EIPs to pods.
Grant RAM permissions to an ACK managed cluster or an ACK basic managed cluster created in or after June 2020
Create a custom permission policy with the following content. See Step 1: Create a custom permission policy.
{ "Effect": "Allow", "Action": [ "vpc:DescribeVSwitches", "vpc:AllocateEipAddress", "vpc:DescribeEipAddresses", "vpc:AssociateEipAddress", "vpc:UnassociateEipAddress", "vpc:ReleaseEipAddress", "vpc:AddCommonBandwidthPackageIp", "vpc:RemoveCommonBandwidthPackageIp" ], "Resource": [ "*" ], "Condition": {} }Grant permissions to the cluster worker RAM role. See Step 2: Grant permissions to the worker RAM role of the cluster.
Grant RAM permissions to an ACK dedicated cluster or an ACK managed cluster created before June 2020
Create a custom permission policy with the following content. See Step 1: Create a custom permission policy.
{ "Effect": "Allow", "Action": [ "vpc:DescribeVSwitches", "vpc:AllocateEipAddress", "vpc:DescribeEipAddresses", "vpc:AssociateEipAddress", "vpc:UnassociateEipAddress", "vpc:ReleaseEipAddress", "vpc:AddCommonBandwidthPackageIp", "vpc:RemoveCommonBandwidthPackageIp" ], "Resource": [ "*" ], "Condition": {} }On the Policies tab of the AliyunCSManagedNetworkRole RAM role page, click Grant Permission. Then, click Custom Policy, select the custom permission policy you created, and click OK.
Step 2: Install or upgrade a cluster plugin
Do not enable the EIP feature in both ack-extend-network-controller and Terway. This can cause duplicate EIP allocations and binding failures. Use ack-extend-network-controller.
Plugin comparison
Item | ack-extend-network-controller | Terway |
Supported cluster types |
|
|
Static EIP | Supported | Not supported |
Configuration phase | After a pod IP is assigned, the controller assigns and binds an EIP. | Assigns and binds an EIP during CNI execution. |
Supported versions | Plugin version v0.2.0 or later. | Terway plugin version v1.0.10.280-gdc2cb6c-aliyun or later, but earlier than v1.7.0. |
Install or upgrade a plugin
For ack-extend-network-controller, install it from the Marketplace and enable the EIP controller. For Terway, upgrade to v1.0.10.280-gdc2cb6c-aliyun or later.
ack-extend-network-controller (recommended)
Log on to the ACK console. In the left navigation pane, click .
On the Marketplace page, search for
ack-extend-network-controllerand click the target application.On the application details page, click Deploy in the upper-right corner.
In the Create panel, select a cluster and namespace, and then click Next.
On the OK page, select a version, configure the parameters, and then click OK.
This table describes the parameters.
Parameter
Type
Required
Description
clusterID
string
Yes
The cluster ID.
regionID
string
Yes
The cluster region.
enableControllers
[]string
Yes
Set to
eipto enable the EIP feature.networkController.vpcID
string
Yes
The cluster VPC ID.
networkController.eipController.maxConcurrentReconciles
int
No
The number of concurrent reconciles for the EIP controller.
networkController.eipController.garbageCollectionPeriodInMinutes
int
No
The interval, in minutes, for static EIP garbage collection.
networkController.customStatefulWorkloadKinds
[]string
No
The kinds of custom stateful controllers.
enableVirtualNode
bool
No
Enables ECI virtual node support.
ImportantIf you enable this feature, the controller assigns EIPs to pods on ECI instances. The configured pod annotation cannot be the same as the one used for the EIP feature supported by ECI. Use this feature with caution.
enableRRSA
bool
No
Enables RRSA for authentication.
NoteSupported by ack-extend-network-controller plugin v0.10.0 and later.
For configuration details, see Use RRSA to configure RAM permissions for a ServiceAccount to isolate pod permissions.
rrsaRoleName
string
No
The role name.
NoteSupported by ack-extend-network-controller plugin v0.10.0 and later.
credential.accessKey
string
No
The AccessKey ID of the account with permissions to attach EIPs.
This parameter is not required if you completed the setup in Step 1: Configure the RAM permissions required to attach an EIP.
ImportantNot recommended, as this method stores sensitive information in a Kubernetes Secret.
credential.accessSecret
string
No
The AccessKey Secret of the account with permissions to attach EIPs.
This parameter is not required if you completed the setup in Step 1: Configure the RAM permissions required to attach an EIP.
ImportantNot recommended, as this method stores sensitive information in a Kubernetes Secret.
kubeClientQPS
float32
No
QPS limit when the component accesses the cluster API server.
NoteSupported by ack-extend-network-controller plugin v0.12.2 and later.
kubeClientBurst
int
No
Maximum burst requests to the cluster API server.
NoteSupported by ack-extend-network-controller plugin v0.12.2 and later.
Sample configuration:
clusterID: "c11ba338192xxxxxxx" regionID: "cn-hangzhou" vpcID: "vpc-bp1rkq0zxxxxxx" enableControllers: - eip networkController: eipController: maxConcurrentReconciles: 1 garbageCollectionPeriodInMinutes: 1 customStatefulWorkloadKinds: - foo credential: accessKey: "" accessSecret: ""
To update ack-extend-network-controller version and parameters, see Modify a Helm chart.
Terway
If your cluster uses Terway, upgrade terway-eni or terway-eniip to a version that supports EIPs. See Manage components.
The Terway plugin version must be v1.0.10.280-gdc2cb6c-aliyun or later, but earlier than v1.7.0. See Terway for version details.
Step 3: Enable the EIP feature
EIP annotations
Use pod annotations to enable EIPs: automatically assign one to a pod or associate an existing EIP.
Automatically assign an EIP
Automatic EIP assignment may repeatedly create and release EIPs during pod recreation or CNI failures. Specify an existing EIP instead.
Pod annotations | Value |
network.alibabacloud.com/pod-with-eip k8s.aliyun.com/pod-with-eip | Specifies whether to automatically create and associate an EIP. Valid values:
|
k8s.aliyun.com/eci-with-eip (Compatible) | |
network.alibabacloud.com/eip-bandwidth k8s.aliyun.com/eip-bandwidth | This annotation applies only when creating an EIP. Specifies the peak bandwidth of the EIP in Mbps. See Request an EIP. |
network.alibabacloud.com/eip-internet-charge-type k8s.aliyun.com/eip-internet-charge-type | This annotation applies only when creating an EIP. Specifies the metering method of the EIP. Valid values:
See Request an EIP. |
k8s.aliyun.com/eip-charge-type (Compatible) | |
network.alibabacloud.com/eip-instance-charge-type k8s.aliyun.com/eip-instance-charge-type | This annotation applies only when creating an EIP. Specifies the billing method of the EIP. Valid values:
See Request an EIP. Note This annotation is supported only by ack-extend-network-controller. The PrePaid (subscription) option is not supported. |
network.alibabacloud.com/eip-common-bandwidth-package-id k8s.aliyun.com/eip-common-bandwidth-package-id | ID of the EIP Bandwidth Plan to associate. Note This feature requires Terway v1.2.3 or later. No version restrictions apply to the ack-extend-network-controller component. |
network.alibabacloud.com/eip-isp k8s.aliyun.com/eip-isp | This annotation applies only when creating an EIP. Specifies the line type of the EIP. Valid values:
See Request an EIP. Note This feature requires Terway v1.2.3 or later. No version restrictions apply to the ack-extend-network-controller component. |
network.alibabacloud.com/eip-public-ip-address-pool-id k8s.aliyun.com/eip-public-ip-address-pool-id | This annotation applies only when creating an EIP. Specifies the IP address pool ID. See IP address pools for limits and procedures. Note This is supported only by ack-extend-network-controller. |
network.alibabacloud.com/eip-resource-group-id k8s.aliyun.com/eip-resource-group-id | This annotation applies only when creating an EIP. Specifies the resource group ID for the EIP. See Request an EIP. Note This is supported by ack-extend-network-controller v0.4.0 and later. |
network.alibabacloud.com/eip-name k8s.aliyun.com/eip-name | This annotation applies only when creating an EIP. Specifies the EIP name. See Request an EIP. Note This is supported by ack-extend-network-controller v0.6.0 and later. |
network.alibabacloud.com/eip-description k8s.aliyun.com/eip-description | This annotation applies only when creating an EIP. Specifies the EIP description. See Request an EIP. Note This is supported by ack-extend-network-controller v0.6.0 and later. |
network.alibabacloud.com/eip-security-protection-types k8s.aliyun.com/eip-security-protection-types | This annotation applies only when creating an EIP. Specifies the security protection level for the EIP. Anti-DDoS enabled EIPs are supported.
To specify multiple protection levels, separate them with a comma ( Note This is supported by ack-extend-network-controller v0.9.0 and later. |
network.alibabacloud.com/eip-tags k8s.aliyun.com/eip-tags | This annotation applies only when creating an EIP. Specifies tags to add to the EIP. The value must be a valid JSON string. See Manage tags. Example: Note This is supported by ack-extend-network-controller v0.11.0 and later. |
Specify an EIP instance
Specify the EIP instance ID in a pod annotation to associate an existing EIP. The annotation only binds the EIP; it does not change EIP configuration.
This feature does not suit multi-replica controllers such as Deployments. Only one pod can reference each EIP instance. Use it with stateful workloads such as StatefulSets.
Pod annotations | Value |
network.alibabacloud.com/pod-eip-instanceid k8s.aliyun.com/pod-eip-instanceid | The ID of the EIP instance to associate, for example, eip-bp14qxxxxxxx. Important Do not assign the same EIP instance to pods with different names. After a pod is deleted, the EIP controller disassociates the EIP. During this period, you cannot use the same EIP instance for a new pod. To check whether the disassociation is complete, verify that the PodEIP resource that has the same name as the pod no longer exists. |
k8s.aliyun.com/eci-eip-instanceid (Compatible) |
EIP release strategy annotations
This release strategy retains a pod's EIP after recreation. Combine it with automatic assignment for persistent EIPs on stateful workloads.
This feature is supported only by ack-extend-network-controller and applies only to stateful replica controllers. It cannot be used for stateless controllers.
If you specify an EIP instance ID, the EIP instance is not released when the pod is deleted.
Pod annotation | Value |
network.alibabacloud.com/pod-eip-release-strategy k8s.aliyun.com/pod-eip-release-strategy | The release strategy for the pod's EIP. Valid values:
You can also specify a retention period. Go-style duration expressions are supported. For example, |
Enable EIP in ack-extend-network-controller or Terway
Enable in ack-extend-network-controller
ack-extend-network-controller calls Alibaba Cloud APIs to create resources. Configure RAM permissions, install the component from the Marketplace, and use annotations to create and associate EIPs with pods.
Create and associate EIPs with annotations
Use pod manifest annotations to create an EIP and associate it with the pod. See FAQ for annotation details.
Create an application and use annotations to create and associate an EIP with a pod.
Deployment
This manifest creates a Deployment where ACK automatically assigns an EIP instance with a peak bandwidth of 5 Mbps to each pod.
apiVersion: apps/v1 kind: Deployment metadata: name: example labels: app: example spec: replicas: 1 selector: matchLabels: app: example template: metadata: labels: app: example annotations: k8s.aliyun.com/pod-with-eip: "true" k8s.aliyun.com/eip-bandwidth: "5" spec: readinessGates: - conditionType: "k8s.aliyun.com/eip" containers: - name: example image: nginxAfter the pod is created, query the
podeips.alibabacloud.comresource that has the same name as the pod to view details of the assigned EIP.kubectl get podeip -n <namespace> <podname> -o yamlExpected output:
apiVersion: alibabacloud.com/v1beta1 kind: PodEIP metadata: creationTimestamp: "2023-12-15T04:25:37Z" finalizers: - podeip-controller.alibabacloud.com/finalizer generation: 1 name: example-xxx namespace: default resourceVersion: "222800" uid: 43xxx-f1xx-4xxx-b3xx-969faxxx spec: allocationID: eip-2ze2qe8zsxxx allocationType: releaseStrategy: Follow type: Auto status: eipAddress: 39.102.XX.XX internetChargeType: PayByTraffic isp: BGP networkInterfaceID: eni-2zeagv8f3xxxx podLastSeen: "2023-12-15T05:18:47Z" privateIPAddress: 192.168.XX.XX resourceGroupID: rg-acfmwxxxxxsq status: InUseStatefulSet
Use the following manifest to create a StatefulSet with two pods. An EIP is automatically assigned to each pod, and the release strategy is set to delete the PodEIP resource 10 minutes after the corresponding pod is deleted.
apiVersion: apps/v1 kind: StatefulSet metadata: name: example labels: app: example spec: serviceName: "example" replicas: 2 selector: matchLabels: app: example template: metadata: labels: app: example annotations: k8s.aliyun.com/pod-with-eip: "true" k8s.aliyun.com/pod-eip-release-strategy: "10m" spec: containers: - name: example image: nginxAfter the pods are created, query the
podeips.alibabacloud.comresources to track information about the assigned EIPs.kubectl get podeip -n <namespace> -o yamlExpected output:
apiVersion: v1 items: - apiVersion: alibabacloud.com/v1beta1 kind: PodEIP metadata: creationTimestamp: "2023-12-15T03:28:01Z" finalizers: - podeip-controller.alibabacloud.com/finalizer generation: 1 name: example-0 namespace: default resourceVersion: "227221" uid: 79954xx-17xx-4dxx-b7xx-15b84xxx spec: allocationID: eip-2ze08metxxx allocationType: releaseAfter: 10m releaseStrategy: TTL type: Auto status: eipAddress: 39.105.XX.XX internetChargeType: PayByTraffic isp: BGP networkInterfaceID: eni-2ze4tkg4xxx podLastSeen: "2023-12-15T05:31:34Z" privateIPAddress: 192.168.XX.XX resourceGroupID: rg-acfmwxxx status: InUse - apiVersion: alibabacloud.com/v1beta1 kind: PodEIP metadata: creationTimestamp: "2023-12-15T03:28:03Z" finalizers: - podeip-controller.alibabacloud.com/finalizer generation: 1 name: example-1 namespace: default resourceVersion: "227222" uid: 1339xxxe7-97xx-46xx-9bxx-537690xxx spec: allocationID: eip-2zetwhffqxxx allocationType: releaseAfter: 10m releaseStrategy: TTL type: Auto status: eipAddress: 39.105.XX.XX internetChargeType: PayByTraffic isp: BGP networkInterfaceID: eni-2zeagv8f3wxxx podLastSeen: "2023-12-15T05:31:34Z" privateIPAddress: 192.168.XX.XX resourceGroupID: rg-acfmwqnwxxx status: InUse - apiVersion: alibabacloud.com/v1beta1 kind: PodEIP metadata: creationTimestamp: "2023-12-15T04:25:37Z" finalizers: - podeip-controller.alibabacloud.com/finalizer generation: 1 name: example-5bxxx-9xx namespace: default resourceVersion: "227220" uid: 43cdfxxx-f1xx-42xx-b3xx-969fxxx spec: allocationID: eip-2ze2qe8zsmnxxx allocationType: releaseStrategy: Follow type: Auto status: eipAddress: 39.102.XX.XX internetChargeType: PayByTraffic isp: BGP networkInterfaceID: eni-2zeagv8f3wxxx podLastSeen: "2023-12-15T05:31:34Z" privateIPAddress: 192.168.XX.XX publicIpAddressPoolID: pippool-2ze498cxxx resourceGroupID: rg-acfmwqnxxx status: InUse kind: List metadata: resourceVersion: ""After a pod in this stateful application is deleted, its PodEIP custom resource (CR) is retained for 10 minutes before being deleted. If a pod with the same name is created during this period, it reuses the corresponding EIP.
Verify the configuration.
After the pod enters the Running state, check the k8s.aliyun.com/allocated-eipAddress annotation to view its assigned EIP address and access the pod.
Enable in Terway
Deploy the Terway configuration to support the EIP feature.
Edit the Terway ConfigMap.
kubectl edit cm eni-config -n kube-systemIn eni_conf, add the following line.
"enable_eip_pool": "true"NoteTo forcibly disassociate an EIP from its current instance when you associate it with a new one, add the "allow_eip_rob": "true" parameter to eni_conf.
After you finish editing, press the Esc key, enter :wq!, and press the Enter key to save your changes and exit edit mode.
Recreate the Terway pods to apply the changes.
kubectl delete pod -n kube-system -l app=terway-eniip # If you installed the terway-eni component, replace terway-eniip with terway-eni.
Create and associate an EIP with a pod by using annotations.
Use pod manifest annotations to create an EIP and associate it with the pod. See EIP-related limits.
Automatically assign an EIP
Add these annotations to automatically assign an EIP and specify bandwidth:
k8s.aliyun.com/pod-with-eip: "true": Assign a dedicated public EIP to the pod.k8s.aliyun.com/eip-bandwidth: "5": Specify EIP bandwidth. The default is 5 Mbps.
Sample manifest:
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment-basic labels: app: nginx spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: annotations: network.alibabacloud.com/pod-with-eip: "true" # Automatically assign a public EIP to the Nginx container. network.alibabacloud.com/eip-bandwidth: "5" # Specify the bandwidth of the EIP. The default is 5 Mbps, which is consistent with the EIP default value. labels: app: nginx spec: containers: - name: nginx image: nginxSpecify an EIP
ImportantBecause a single EIP cannot be associated with multiple pods, this method is not suitable for workloads such as Deployments and StatefulSets that have more than one replica.
By default, if the specified EIP is already associated with an instance, the association fails. To force the disassociation of the EIP from the previous instance and associate it with the new one, you must set "allow_eip_rob": "true" in the ConfigMap as described earlier.
You can specify an EIP instance ID only for single-replica workloads. For example, a Deployment cannot have more than one replica.
Add the following annotation to specify an EIP instance ID for a pod:
k8s.aliyun.com/pod-eip-instanceid: "<your-eip-instance-id>"Verify the configuration.
After the pod enters the Running state, check the network.alibabacloud.com/allocated-eipAddress annotation to view its assigned EIP address and access the pod.
FAQ
Pod ready before EIP is bound
The controller assigns an EIP only after a pod IP is allocated, so the pod may become Ready before the EIP binds. Use the following methods to control timing.
Readiness gates
Configuring readiness gates requires the ack-extend-network-controller.
With readinessGates, the controller updates pod conditions only after the EIP binds, preventing Ready status until binding completes.
kind: Pod
...
spec:
readinessGates:
- conditionType: "k8s.aliyun.com/eip"
status:
conditions:
- lastProbeTime: "2022-12-12T03:45:48Z"
lastTransitionTime: "2022-12-12T03:45:48Z"
reason: Associate eip succeed
status: "True"
type: k8s.aliyun.com/eip
...Init container
Configure an init container to verify EIP assignment.
apiVersion: v1
kind: Pod
metadata:
name: example
annotations:
network.alibabacloud.com/pod-with-eip: "true"
spec:
containers:
- name: example
image: busybox:1.28
command: ['sh', '-c', 'echo The app is running! && sleep 3600']
initContainers:
- name: init
image: busybox:1.28
command: ['timeout', '-t' ,'60', 'sh','-c', "until grep -E '^k8s.aliyun.com\\/allocated-eipAddress=\\S?[0-9]+\\S?' /etc/podinfo/annotations; do echo waiting for annotations; sleep 2; done"]
volumeMounts:
- name: podinfo
mountPath: /etc/podinfo
volumes:
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "annotations"
fieldRef:
fieldPath: metadata.annotationsPod inaccessible via EIP
Restrictive ACL policies often cause this. Check these access controls:
Cloud Firewall: EIP traffic is subject to Cloud Firewall access control rules. Allow inbound and outbound traffic for the pod's EIP and service ports. See Configure access control policies for an internet firewall.
Node security group: After an EIP attaches to a pod, the node's security group still governs traffic. Allow inbound traffic from the client IP to the pod's service ports and any required outbound traffic. See Configure cluster security groups.