In gaming and P2P scenarios, you may need to directly expose application pods to clients instead of assigning elastic IP addresses (EIPs) to the pods. In traditional mode, you can use EIPs to expose pods. However, the number of EIPs that you can assign to pods is limited and security management is required. In this case, you can configure DNAT rules for an Internet NAT gateway and use the Internet NAT gateway to expose a pod. This way, you need only to associate an EIP with the Internet NAT gateway, which reduces the number of EIPs to be used.
Prerequisites
A ACK managed cluster or an ACK dedicated cluster is created and Terway is installed. For more information, see Create a managed ACK cluster and Create a dedicated ACK cluster.
An Internet NAT gateway is created in the virtual private cloud (VPC) in which the cluster is deployed. The natgw controller is enabled after you create the Internet NAT gateway. For more information about how to create an Internet NAT gateway, see Create and manage an Internet NAT gateway.
A DNAT rule that specifies the mapping between a public IP address and a private IP address, and the mappings between public ports and private ports is created. For more information about DNAT, see Configure DNAT on an Internet NAT gateway for an ECS instance.
Set the public IP address to the EIP that is associated with the Internet NAT gateway.
Public ports: The natgw controller automatically allocates public ports from the port range that is specified by the
portRangeStart
andportRangeEnd
parameters in the configuration file of natgw. The allocated ports are recorded in thepoddnats.alibabacloud.com
field of a custom resource object that is named after the pod.Set the private ports to the ports on which the pod listens.
Set the private IP address to the IP address of the pod.
Limits
You can allocate IPv6 Internet bandwidth only to pods that run on ECS instances but not to pods that run on elastic container instances (ECIs).
The number of DNAT rules supported by an Internet NAT gateway varies based on the gateway type. For more information, see FAQ about DNAT.
Pod configurations
The following table describes the pod configurations.
Pod Annotations | Value |
k8s.aliyun.com/pod-dnat | Enables DNAT for the pod. This parameter is left empty. |
k8s.aliyun.com/pod-dnat-expose-port | The ports on which the pod listens. Separate multiple ports with commas (,). Example: '80,443'. |
k8s.aliyun.com/pod-dnat-expose-protocol | The protocol that you want to use. Valid values: |
k8s.aliyun.com/pod-dnat-fixed | After this annotation is added, the DNAT configurations remain unchanged for the pod if the pod is created for a stateful application. |
You must configure security group rules for the pod to allow inbound traffic to the ports that are exposed on the pod.
Enable DNAT for ack-extend-network-controller
ack-extend-network-controller needs to access OpenAPI Explorer to create resources. You need to grant Resource Access Management (RAM) permissions to ack-extend-network-controller, install ack-extend-network-controller from the marketplace in the ACK console, and create DNAT rules and associate them with specific pods by adding annotations.
Step 1: Grant RAM permissions on DNAT
For ACK clusters:
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab, and then click the hyperlink next to Worker RAM Role.
Create a custom policy and add the following content to the policy. For more information, see the Step 1: Create a custom policy section of the "[Product Changes] Permissions of the worker RAM role of ACK managed clusters are revoked" topic.
{ "Effect": "Allow", "Action": [ "ecs:DescribeNetworkInterfaces", "vpc:DescribeNatGateways", "vpc:DescribeForwardTableEntries", "vpc:CreateForwardEntry", "vpc:DescribeEipAddresses", "vpc:DeleteForwardEntry", "vpc:DescribeRouteTableList", "vpc:DescribeRouteEntryList" ], "Resource": [ "*" ], "Condition": {} }
Attach the custom policy to the worker RAM role of the cluster. For more information, see the Attach the custom policy to the worker RAM role section of the "[Product Changes] Permissions of the worker RAM role of ACK managed clusters are revoked" topic.
For ACK Serverless clusters:
Generate an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create custom policies.
Step 2: Enable the natgw controller for ack-extend-network-controller
Install ack-extend-network-controller and enable the natgw controller. For more information about how to install ack-extend-network-controller, see App Marketplace.
Specify the following parameters for the natgw controller:
clusterID: "c11ba338192xxxxxxx" # Specify the actual value.
regionID: "cn-hangzhou" # Specify the actual value.
vpcID: "vpc-bp1rkq0zxxxxxx" # Specify the actual value.
enableControllers:
- natgw # Enable DNAT.
networkController:
natGwPool:
- natgwId: "< nat gateway id. >" # The ID of the Internet NAT gateway.
zoneId: "< nat gateway zone id. cn-hangzhou-j >" # The zone ID of the Internet NAT gateway.
portRangeStart: 512 # The first port.
portRangeEnd: 1024 # The last port.
eips:
- "<auto config all nat gateway eips if not config. 0.0.0.0 >" # Specify an EIP that is associated with the Internet NAT gateway. If you leave this parameter empty, all EIPs associated with the Internet NAT gateway are used.
credential: # Specify an AccessKey pair. For ACK clusters, we recommend that you use the RamRole mode. You do not need to configure this parameter if you granted permissions to the worker RAM role of the cluster in step 1.
accessKey: ""
accessSecret: ""
Use a custom resource object to track the DNAT configurations of the pod
After you create a pod, the natgw controller automatically creates a PodDNAT object that is named after the pod. Use the following YAML template to create a Deployment. In this example, DNAT configurations are added to expose port 80 of the pod to the Internet.
apiVersion: apps/v1
kind: Deployment
metadata:
name: example
labels:
app: example
spec:
replicas: 1
selector:
matchLabels:
app: example
template:
metadata:
labels:
app: example
annotations:
k8s.aliyun.com/pod-dnat: ""
k8s.aliyun.com/pod-dnat-expose-port: "80"
spec:
containers:
- name: example
image: nginx
Run the following command to access poddnats.alibabacloud.com
to obtain the public IP address and public port of the pod:
kubectl get poddnats -oyaml
Expected results:
apiVersion: alibabacloud.com/v1
kind: PodDNAT
metadata:
creationTimestamp: "2022-09-20T03:26:44Z"
finalizers:
- natgw-controller
generation: 2
name: example-6cd498d7b-9****
namespace: default
ownerReferences:
- apiVersion: v1
blockOwnerDeletion: true
kind: Pod
name: example-6cd498d7b-9****
uid: 7af54e1c-eeb7-4fd0-b070-ff99ddbd****
resourceVersion: "357150"
uid: 2fad9bb7-cc84-46b4-b6eb-5d15f06c****
spec:
eni: eni-xxx
externalIP: 114.55.**.**
internalIP: 172.16.**.**
portMapping:
- externalPort: "512"
internalPort: "80"
protocol: tcp
tableId: ngw-xxx
vswitch: vsw-xxx
zoneID: cn-hangzhou-k
status:
entries:
- externalIP: 114.55.**.**
externalPort: "512"
forwardEntryId: fwd-xxx
internalIP: 172.16.**.**
internalPort: "80"
ipProtocol: tcp
Parameters:
externalPort
: the public port that is mapped to the private port of the pod. The port is allocated by the natgw controller from the specified port range.externalIP
: the EIP of the NAT gateway for external access.