Service isolation is required in edge computing scenarios. For example, when you use a NodePort Service, you can make the ports exposed by the NodePort Service listen only on nodes in the specified node pool. This helps avoid port conflicts. This topic describes how to configure NodePort listening based on node pools.
Architecture design
The edge-hub component uses a built-in programmable data filtering framework to convert responses returned by kube-apiserver in the cloud after receiving requests from the edge. These responses are converted transparently and on demand to meet the requirements in cloud-edge collaboration scenarios. The following figure shows the architecture design of the edge-hub component.
A filter named nodeportisolation is introduced to the edge-hub component. This filter can be used with the nodeport.openyurt.io/listen annotation of NodePort Services to listen on the ports exposed by a NodePort Service on nodes in the specified node pool.
Usage notes
Make sure that the version of the edge-hub component is 0.11.0 or later.
When you create a Service, you need to decide whether to add the nodeport.openyurt.io/listen annotation. If you add this annotation after the Service is created, you need to restart all Kubernetes network proxies (kube-proxy) for this feature to take effect.
After you add a node pool, you need to specify the newly created node pool in the annotation of the NodePort Service before you add nodes to the node pool. This way, NodePort listening takes effect on all nodes added to the node pool.
The node pool name is customizable. Therefore, we recommend that you specify the node pool by its ID. You can view the node pool ID in the Container Service for Kubernetes (ACK) console. The node pool ID is in the npxxxx format.
Procedure
You can add the nodeport.openyurt.io/listen annotation to NodePort and LoadBalancer Services.
Key of the annotation: nodeport.openyurt.io/listen
Value of the annotation: node pool names separated by commas (,). Each entry takes one of the following forms:
foo: listens on ports exposed by the NodePort Service on nodes in the node pool named foo.
-foo: does not listen on ports exposed by the NodePort Service on nodes in the node pool named foo.
*: listens on ports exposed by the NodePort Service on nodes in all node pools.
If a node pool name appears in multiple entries of the annotation value, only the first entry that names it takes effect.
NodePort listening is disabled for nodes in node pools that you have not specified.
By default, the system listens on ports exposed by the NodePort Service on orphaned nodes (nodes that do not belong to any node pool) in the same way as open source Kubernetes.
Annotation examples
| Annotation | Description |
| --- | --- |
| nodeport.openyurt.io/listen=foo,bar | Listens on ports exposed by the NodePort Service on nodes in the node pools named foo and bar. |
| nodeport.openyurt.io/listen=foo,* | Listens on ports exposed by the NodePort Service on nodes in all node pools. |
| nodeport.openyurt.io/listen=-foo,-bar | Does not listen on ports exposed by the NodePort Service on nodes in any node pool. |
| nodeport.openyurt.io/listen=-foo,* | Does not listen on ports exposed by the NodePort Service on nodes in the node pool named foo. |
| nodeport.openyurt.io/listen=foo,-foo | Listens on ports exposed by the NodePort Service on nodes in the node pool named foo. |
| nodeport.openyurt.io/listen=-foo | Does not listen on ports exposed by the NodePort Service on nodes in any node pool, including the node pool named foo. |
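The following is an added example that models the matching rules listed under Procedure and reproduces the annotation examples above as a small decision function. It is not the edge-hub or nodeportisolation code; it assumes that annotation entries are compared verbatim against the node's node pool identifier (name or ID, whichever the entry uses) and that a node without a node pool is treated as an orphaned node.

```python
# Added example: a model of the documented nodeport.openyurt.io/listen rules.
# This is not edge-hub's implementation; it encodes the page's rules so that a
# platform team can sanity-check an annotation value before applying it.

LISTEN_ANNOTATION = "nodeport.openyurt.io/listen"


def parse_listen_annotation(value):
    """Split the comma-separated annotation value into ordered, trimmed entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def should_listen(annotations, node_pool):
    """Return True if a node in `node_pool` should listen on the Service's NodePort.

    annotations: the Service's metadata.annotations (a dict).
    node_pool:   the node's node pool name or ID, or None for an orphaned node
                 (assumption: entries are compared verbatim against this string).
    """
    value = annotations.get(LISTEN_ANNOTATION)
    if value is None:
        # No annotation: plain Kubernetes behaviour, every node listens.
        return True
    if node_pool is None:
        # Orphaned nodes listen in the same way as open source Kubernetes.
        return True
    for entry in parse_listen_annotation(value):
        if entry == "*" or entry == node_pool:
            # "foo" or "*" enables the pool; first matching entry wins.
            return True
        if entry == "-" + node_pool:
            # "-foo" disables the pool; first matching entry wins.
            return False
    # Node pools that are never named are disabled.
    return False


def listen_matrix(value, pools):
    """Evaluate one annotation value against several constructed node pools."""
    annotations = {LISTEN_ANNOTATION: value}
    return {pool: should_listen(annotations, pool) for pool in pools}


if __name__ == "__main__":
    # Constructed node pools: foo, bar, and a third pool the annotation never names.
    for value in ("foo,bar", "foo,*", "-foo,-bar", "-foo,*", "foo,-foo", "-foo"):
        print(f"{LISTEN_ANNOTATION}={value!s:12} -> {listen_matrix(value, ['foo', 'bar', 'np-other'])}")
```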