Why Pods Suddenly Fail with “Address not available” and How to Fix It

Problem description

A pod that had been running normally stopped being able to create new outbound TCP connections. Tools such as wget reported Address not available, which corresponds to the POSIX error EADDRNOTAVAIL. netstat -an showed that the number of established connections had reached the limit of the kernel’s random‑port range.

Root cause – kernel random port exhaustion

Linux chooses the source port for each TCP connection from the range defined by net.ipv4.ip_local_port_range. The default range is 32768‑60999. When a pod repeatedly connects to a fixed destination IP and port, only the source port varies. If the pod creates many long‑lived connections, the range can be exhausted, causing the kernel to return EADDRNOTAVAIL (or EADDRINUSE) for subsequent connect() calls.

Different tools emit different messages

curl: (7) Couldn't connect to server nc: bind: Address in use wget: cannot connect to remote host: Address not available Each utility maps the same underlying POSIX error to its own error‑string. BusyBox‑based images (e.g., Alpine) use BusyBox implementations of these tools, which may produce slightly different messages.

Mitigation – enlarge the source‑port range

Adjust the kernel port range inside the pod’s network namespace using a securityContext sysctl or an init container with privileged mode.

securityContext:
  sysctls:
    - name: net.ipv4.ip_local_port_range
      value: "1024 65535"

Or with an init container:

initContainers:
  - name: set-port-range
    command: ["/bin/sh", "-c", "sysctl -w net.ipv4.ip_local_port_range=\"1024 65535\""]
    securityContext:
      privileged: true

HostNetwork considerations

From Kubernetes 1.22 onward, changing net.ipv4.ip_local_port_range on nodes can conflict with the Service NodePort range ( --service-node-port-range, default 30000‑32767). Overlap may cause occasional TCP connection failures and health‑check errors. When a pod uses hostNetwork, add a guard so the sysctl is applied only if the pod IP differs from the host IP.

initContainers:
  - name: safe-set-port-range
    command: ["/bin/sh", "-c", "if [ \"$POD_IP\" != \"$HOST_IP\" ]; then sysctl -w net.ipv4.ip_local_port_range=\"1024 65535\"; fi"]
    env:
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: HOST_IP
        valueFrom:
          fieldRef:
            fieldPath: status.hostIP
    securityContext:
      privileged: true

NodePort range alignment

The API server flag --service-node-port-range (default 30000‑32767) must not overlap with net.ipv4.ip_local_port_range. Overlap can cause services to capture random source ports, leading to dropped connections and health‑check failures. Ensure the two ranges are disjoint, or adjust one of them and update any existing services that fall within the conflicting range.

Key references

POSIX error definitions: https://man7.org/linux/man-pages/man3/errno.3.html

Linux networking sysctl documentation: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

BusyBox command help (used in Alpine images): https://www.busybox.net/downloads/BusyBox.html

Kubernetes sysctl configuration guide: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Kubernetes PR removing NodePort listening logic (relevant for 1.22+): https://github.com/kubernetes/kubernetes/pull/108888

Source code showing port‑opener removal: https://github.com/kubernetes/kubernetes/blob/f98f27bc2f318add77118906f7595abab7ab5200/pkg/proxy/iptables/proxier.go#L1304

ACK Pro control‑plane parameter customization (NodePort range): https://help.aliyun.com/zh/ack/ack-managed-and-ack-dedicated/user-guide/customize-ack-pro-control-plane-component-parameters