
Container Service for Kubernetes:Configure NodePort listening based on node pools

Last Updated: May 13, 2024

Service isolation is required in edge computing scenarios. For example, when you use a NodePort Service, you can listen on the ports exposed by the NodePort Service on nodes only in the specified node pool. This helps avoid port conflicts. This topic describes how to configure NodePort listening based on node pools.

Architecture design

The edge-hub component uses a built-in programmable data filtering framework to convert the responses that kube-apiserver in the cloud returns to requests from edge nodes. The conversion is transparent to the requester and is applied only where needed, so that the responses meet the requirements of cloud-edge collaboration scenarios. The following figure shows the architecture design of the edge-hub component.

[Figure: edge-hub architecture diagram]

A filter named nodeportisolation is introduced to the edge-hub component. This filter can be used with the nodeport.openyurt.io/listen annotation of NodePort Services to listen on the ports exposed by a NodePort Service on nodes in the specified node pool.

Usage notes

  • Make sure that the version of the edge-hub component is 0.11.0 or later.

  • When you create a Service, you need to decide whether to add the nodeport.openyurt.io/listen annotation. If you add this annotation after the Service is created, you need to restart all Kubernetes network proxies (kube-proxy) for this feature to take effect.

  • After you add a node pool, you need to specify the newly created node pool in the annotation of the NodePort Service before you add nodes to the node pool. This way, NodePort listening takes effect on all nodes added to the node pool.

  • The node pool name is customizable. Therefore, we recommend that you specify the node pool by its ID. You can view the node pool ID in the Container Service for Kubernetes (ACK) console. The node pool ID is in the npxxxx format.

Procedure

You can add the nodeport.openyurt.io/listen annotation to NodePort and LoadBalancer Services.

  • Key of the annotation: nodeport.openyurt.io/listen.

  • Value of the annotation: node pool names separated by commas (,).

    • foo: listens on ports exposed by the NodePort Service on nodes in the node pool named foo.

    • -foo: does not listen on ports exposed by the NodePort Service on nodes in the node pool named foo.

    • *: listens on ports exposed by the NodePort Service on nodes in all node pools.

Important
  • If the same node pool name appears more than once in the annotation value, only its first occurrence takes effect.

  • NodePort listening is disabled for nodes in node pools that you have not specified.

  • By default, the system listens on ports exposed by the NodePort Service on orphaned nodes (nodes that do not belong to any node pool) in the same way as open source Kubernetes.

Annotation examples

  • nodeport.openyurt.io/listen=foo,bar: listens on ports exposed by the NodePort Service on nodes in the node pools named foo and bar.

  • nodeport.openyurt.io/listen=foo,*: listens on ports exposed by the NodePort Service on nodes in all node pools.

  • nodeport.openyurt.io/listen=-foo,-bar: does not listen on ports exposed by the NodePort Service on nodes in any node pool.

  • nodeport.openyurt.io/listen=-foo,*: does not listen on ports exposed by the NodePort Service on nodes in the node pool named foo.

  • nodeport.openyurt.io/listen=foo,-foo: listens on ports exposed by the NodePort Service on nodes in the node pool named foo.

  • nodeport.openyurt.io/listen=-foo: does not listen on ports exposed by the NodePort Service on nodes in any node pool, including the node pool named foo.
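The annotation semantics described in the Procedure section and illustrated in the examples above, written out as a small model that decides, per node, whether kube-proxy should listen on a Service's NodePorts. This is an added example, not code from the ACK documentation or from the OpenYurt project; the function names, the sample Service manifest and the node inventory are constructed for this example, and the rule that an explicit entry wins over "*" regardless of order is an assumption taken from the "-foo,*" example above.

```python
# Added example (not from the ACK documentation or the OpenYurt project): a
# model of how the nodeport.openyurt.io/listen annotation value is resolved for
# a given node, following the rules stated on the page. Function names, the
# sample Service and the node inventory are constructed for this example.
from typing import Dict, Optional, Set, Tuple

LISTEN_ANNOTATION = "nodeport.openyurt.io/listen"


def parse_listen_value(value: str) -> Tuple[Dict[str, bool], bool]:
    """Parse the comma-separated annotation value.

    Returns (decisions, wildcard): decisions maps a node pool name (or a node
    pool ID such as npxxxx) to True (listen) or False ("-" prefix: do not
    listen); wildcard is True if "*" appears. If a pool appears more than once,
    the first entry takes effect.
    """
    decisions: Dict[str, bool] = {}
    wildcard = False
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry == "*":
            wildcard = True
            continue
        listen = not entry.startswith("-")
        pool = entry if listen else entry[1:]
        if pool and pool not in decisions:  # first occurrence wins
            decisions[pool] = listen
    return decisions, wildcard


def should_listen(value: Optional[str], node_pool: Optional[str]) -> bool:
    """Decide whether a node in `node_pool` listens on the Service's NodePorts.

    node_pool=None models an orphaned node (no node pool) and value=None models a
    Service without the annotation; both behave like open source Kubernetes.
    """
    if value is None or node_pool is None:
        return True
    decisions, wildcard = parse_listen_value(value)
    if node_pool in decisions:
        # Assumption from the "-foo,*" example: an explicit entry wins over "*".
        return decisions[node_pool]
    # Pools not named in the annotation are enabled only by "*".
    return wildcard


def nodes_listening(service: dict, node_pools: Dict[str, Optional[str]]) -> Set[str]:
    """Return the names of the nodes that listen on the Service's NodePorts.

    node_pools maps node name -> node pool name or ID, or None for orphaned nodes.
    """
    annotations = service.get("metadata", {}).get("annotations") or {}
    value = annotations.get(LISTEN_ANNOTATION)
    return {node for node, pool in node_pools.items() if should_listen(value, pool)}


# Constructed sample Service: listen everywhere except in node pool "foo".
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "edge-web",
        "annotations": {LISTEN_ANNOTATION: "-foo,*"},
    },
    "spec": {
        "type": "NodePort",
        "selector": {"app": "edge-web"},
        "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30080}],
    },
}

# Constructed node inventory: node name -> node pool (None = orphaned node).
SAMPLE_NODES = {
    "edge-node-1": "foo",   # explicitly excluded by "-foo"
    "edge-node-2": "bar",   # not named, but covered by "*"
    "edge-node-3": None,    # orphaned: behaves like open source Kubernetes
}

if __name__ == "__main__":
    listening = nodes_listening(SAMPLE_SERVICE, SAMPLE_NODES)
    for node in sorted(SAMPLE_NODES):
        state = "listens" if node in listening else "does not listen"
        pool = SAMPLE_NODES[node] or "no node pool"
        print(f"{node} ({pool}): {state} on nodePort 30080")
```

Running the block prints the decision for each of the three constructed nodes. The model is useful when auditing which edge nodes actually expose a port: anything not named in the annotation stays closed unless "*" is present, so a Service annotated with only negative entries (for example "-foo") listens on no node pool at all, while orphaned nodes always listen.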