alicloud_cs_managed_kubernetes fails with EmptyCIDR and InvalidPodVswitchIds when creating ACK cluster with Terway

[zodiac12k]

Hi Alibaba Cloud team,

I'm encountering an issue when trying to create an ACK (Alibaba Cloud Container Service for Kubernetes) cluster using the alicloud_cs_managed_kubernetes resource in Terraform. I believe this issue is related to the use of the Terway CNI plugin, as it happens when I provide pod_vswitch_ids.

The error message indicates that the pod or service CIDR is empty, even though I am explicitly setting service_cidr, and providing a valid VSwitch for pod_vswitch_ids.

Error Output

Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_cs_managed_kubernetes.go:1063: Resource alicloud_cs_managed_kubernetes CreateManagedKubernetesCluster Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDKError:
   StatusCode: 400
   Code: EmptyCIDR
   Message: code: 400, pod or service cidr is empty request id: 3AAE48EC-13A3-3D21-BC9B-1EB388B6F362
   Data: {
     "code": "EmptyCIDR",
     "data": [
       {"code": "EmptyCIDR", "message": "pod or service cidr is empty"},
       {"code": "InvalidPodVswitchIds", "message": "PodCidr conflict with PodVswitch"},
       {"code": "InvalidCIDR", "message": "Invalid pod CIDR: invalid CIDR address: "}
     ],
     "message": "pod or service cidr is empty",
     "requestId": "3AAE48EC-13A3-3D21-BC9B-1EB388B6F362",
     "status": 400,
     "statusCode": 400
   }

Terraform Configuration

main.tf (simplified):

provider "alicloud" {
  region = var.region
}

resource "alicloud_cs_managed_kubernetes" "managed_kubernetes" {
  name                  = "${var.shortname}-${var.environment}-${var.region}-${var.stack_name}"
  cluster_spec          = var.cluster_spec
  version               = var.k8s_version
  resource_group_id     = var.resource_group_id
  vswitch_ids           = [var.switch_id]
  pod_vswitch_ids       = [var.pod_switch_id]
  service_cidr          = var.service_cidr
  node_cidr_mask        = 25
  ip_stack              = "ipv4"
  timezone              = "Asia/Seoul"
  profile               = "Default"
  enable_rrsa           = true
  control_plane_log_ttl = 30

  control_plane_log_components = [
    "apiserver",
    "kcm",
    "scheduler",
    "ccm",
    "controlplane-events",
    "alb"
  ]

  maintenance_window {
    enable         = true
    maintenance_time = "Monday"
    duration       = "3h"
  }

  operation_policy {
    cluster_auto_upgrade {
      enabled = true
      channel = "stable"
    }
  }

  audit_log_config {
    enabled = true
  }

  tags = var.common_tags

  lifecycle {
    prevent_destroy = true
  }
}

output "managed_kubernetes_id" {
  value = alicloud_cs_managed_kubernetes.managed_kubernetes.id
}

variables.tf

variable "region" {
  description = "The region to deploy the resources."
  type        = string
  default     = "ap-northeast-2"
}

variable "shortname" {
  description = "A short name for the cluster."
  type        = string
  default     = "ack"
}

variable "environment" {
  description = "The deployment environment (e.g., dev, prod)."
  type        = string
}

variable "stack_name" {
  description = "The name of the current stack."
  type        = string
}

variable "cluster_spec" {
  description = "The specification of the ACK cluster."
  type        = string
  default     = "ack.standard"
}

variable "service_cidr" {
  description = "The service CIDR block for the Kubernetes cluster."
  type        = string
  default     = "192.168.0.0/16"
}

variable "k8s_version" {
  description = "The version of the Kubernetes cluster."
  type        = string
  default     = "1.33.1-aliyun.1"
}

variable "resource_group_id" {
  description = "The ID of the resource group."
  type        = string
}

variable "switch_id" {
  description = "The ID of the VSwitch for nodes."
  type        = string
}

variable "pod_switch_id" {
  description = "The ID of the VSwitch for pods."
  type        = string
}

variable "common_tags" {
  description = "Common tags to apply to the resources."
  type        = map(string)
  default     = {}
}

terraform.tfvars

environment     = "dev"
stack_name      = "example"

resource_group_id = "rg-***"
switch_id         = "vsw-***"
pod_switch_id     = "vsw-***"

cluster_spec = "ack.standard"
service_cidr = "192.168.0.0/16"
k8s_version      = "1.33.1-aliyun.1"

common_tags = {
  "Creator" = "Terraform"
  "Project" = "ContainerService"
}

What I Expect

Since I am providing both a valid service_cidr and pod_vswitch_ids, I expect the ACK cluster with Terway networking to be created successfully. The VSwitches are verified to be in the correct zone and subnet range.

What Actually Happens

Terraform returns a 400 EmptyCIDR and InvalidPodVswitchIds error. It appears that the provider is not resolving the pod CIDR correctly for Terway mode.

Notes

• I have reproduced the same behavior using both Pulumi and Terraform.
• This happens only when pod_vswitch_ids is set, i.e., when attempting to use Terway.
• My suspicion is that the Terraform provider is not setting or deriving the pod CIDR correctly based on the provided VSwitch.

Please let me know if there’s any workaround or if additional parameters need to be set. I’d be happy to provide more information if needed.

Thank you!

[afaytelson]

+1 seeing the same exact error message when trying to spin up an ACK cluster with terway instead of flannel for cluster CNI.
terraform provider alicloud version: v1.247.0.

[sanyangji]

Currently, if you want to create an ACK cluster with terway CNI, you need to specify addon terway-eniip explicitly as Document mentioned.

The example in the document provides an example.