Tencent Kubernetes Engine

ip-masq-agent NonMasqueradeCIDRs Missing Configuration Cluster Container Ip Range

Last updated: 2025-08-27 11:19:20

Issue Background

In clusters created between July and August 2025 with Global Router network mode, the ip-masq-agent configuration may be missing the cluster container CIDR. Pod-to-Pod traffic is then masqueraded (SNATed) to the node IP, which in some scenarios carries the following risks:
1. When Pods access one another at high concurrency, every connection is SNATed; under heavy load, conntrack entry insertion can fail, and the affected connections time out.
2. Workloads that rely on bidirectional connections may see connections refused. Assume two Pods, A and B: A establishes a connection to B, and B then opens a new connection back to the source address it observed. Because the source address B sees is the SNAT-translated node address rather than the address A is actually listening on, that connection is refused.
3. If a network policy (such as a NetworkPolicy) allows only specific Pods (for example, those in a given namespace or with given labels) to reach a target Pod, the policy may fail: the source IP seen on the target Pod's node is the SNAT-translated node IP, so it cannot be associated with the real source Pod.
4. If a workload needs to obtain the real Pod source IP, it may misbehave, because the IP it obtains is the SNAT-translated node IP.

Handling Suggestion

Modify the ConfigMap named ip-masq-agent-config in the kube-system namespace and add the cluster container IP range to the NonMasqueradeCIDRs configuration.

FAQs

How to Check the Current Cluster IP Range

In the TKE cluster list, click the cluster ID to open the Basic Information page. Under the Basic Information tab, find the Container Network entry in the Node and Network Information section; its CIDR list is the cluster container IP range.


How to Modify ip-masq-agent-config

The following two methods, using kubectl or the TKE console, achieve the same result. Choose either one.

Using Kubectl

1. Make sure your kubeconfig points at the cluster, then run the following command to edit the ip-masq-agent-config ConfigMap:
kubectl -n kube-system edit configmap ip-masq-agent-config
2. Add the missing cluster container IP range to the NonMasqueradeCIDRs array and save.
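Before and after editing, it helps to verify that every container CIDR is actually covered by the exemption list, since a typo or a CIDR that only partially overlaps leaves Pod-to-Pod traffic SNATed. The script below is an added example, not Tencent Cloud's own tooling. It assumes the ConfigMap stores the agent configuration under the data key "config" in the upstream ip-masq-agent layout (a flat YAML document whose list key is spelled nonMasqueradeCIDRs); the sample ConfigMap JSON and the container CIDR 172.16.0.0/16 are constructed values, so take the real key name from your cluster and the real CIDR from the console's Container Network section.

```python
"""Check whether an ip-masq-agent ConfigMap exempts the cluster container CIDR,
and produce the corrected config text to paste into `kubectl edit`.

Added example, not Tencent Cloud's tooling. Assumes the upstream ip-masq-agent
layout: data key "config" holding flat YAML with a "nonMasqueradeCIDRs" list.
"""
import ipaddress
import json
import re

# Constructed sample of `kubectl -n kube-system get configmap ip-masq-agent-config -o json`
# for an affected cluster: only a VPC range is exempted, the container CIDR is missing.
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "ip-masq-agent-config", "namespace": "kube-system"},
    "data": {
        "config": (
            "nonMasqueradeCIDRs:\n"
            "  - 10.0.0.0/16\n"
            "masqLinkLocal: false\n"
            "resyncInterval: 60s\n"
        )
    },
})

# Constructed example; use the CIDR list shown under Container Network in the console.
SAMPLE_CONTAINER_CIDRS = ["172.16.0.0/16"]

_HEADER_RE = re.compile(r"^nonMasqueradeCIDRs:\s*$")
_ITEM_RE = re.compile(r"^\s+-\s*(\S+)\s*$")


def parse_non_masquerade_cidrs(config_text):
    """Extract the nonMasqueradeCIDRs list from the flat agent YAML.
    A minimal line-based parser keeps the script free of third-party dependencies."""
    cidrs = []
    in_list = False
    for line in config_text.splitlines():
        if _HEADER_RE.match(line):
            in_list = True
            continue
        if in_list:
            m = _ITEM_RE.match(line)
            if m:
                cidrs.append(ipaddress.ip_network(m.group(1), strict=False))
                continue
            in_list = False  # the list ends at the next top-level key
    return cidrs


def missing_container_cidrs(configmap_json, container_cidrs):
    """Return the container CIDRs not fully contained in any exempted range.
    Traffic to these ranges is still SNATed to the node IP."""
    cm = json.loads(configmap_json)
    exempt = parse_non_masquerade_cidrs(cm["data"]["config"])
    missing = []
    for cidr in container_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        covered = any(net.version == e.version and net.subnet_of(e) for e in exempt)
        if not covered:
            missing.append(str(net))
    return missing


def patched_config(configmap_json, container_cidrs):
    """Return the config text with the missing CIDRs appended to nonMasqueradeCIDRs."""
    cm = json.loads(configmap_json)
    text = cm["data"]["config"]
    missing = missing_container_cidrs(configmap_json, container_cidrs)
    if not missing:
        return text
    lines = text.splitlines()
    header = next((i for i, l in enumerate(lines) if _HEADER_RE.match(l)), None)
    if header is None:  # key absent entirely: create the list at the top
        lines.insert(0, "nonMasqueradeCIDRs:")
        header = 0
    end = header + 1
    while end < len(lines) and _ITEM_RE.match(lines[end]):
        end += 1  # skip existing entries so new ones go at the end of the list
    lines[end:end] = [f"  - {c}" for c in missing]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    missing = missing_container_cidrs(SAMPLE_CONFIGMAP_JSON, SAMPLE_CONTAINER_CIDRS)
    print("container CIDRs still SNATed:", missing or "none")
    print("corrected config:\n" + patched_config(SAMPLE_CONFIGMAP_JSON, SAMPLE_CONTAINER_CIDRS))
```

Run it once before the change to confirm the gap exists, and again after `kubectl edit` (feeding it the live ConfigMap JSON) to confirm the list now contains every container CIDR; an empty result from missing_container_cidrs is the success condition.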


Via the TKE Console

1. In the TKE cluster list, click the cluster ID to enter the cluster details page.
2. Select Configuration Management in the left sidebar, then choose the kube-system namespace on the ConfigMap tab.
3. In the ip-masq-agent-config row, click Edit YAML on the right.
4. Add the missing cluster container IP range to the NonMasqueradeCIDRs array.

5. Click Done.

