
Container Service for Kubernetes: edge-tunnel

Last Updated:Jul 18, 2023

You can use the edge-tunnel component to access edge nodes from the cloud. After you create a Container Service for Kubernetes (ACK) edge cluster, the edge-tunnel-server and edge-tunnel-agent components are automatically deployed in the cluster to establish tunnels between the cloud and edge nodes. This topic introduces the edge-tunnel component and describes the usage notes and release notes for edge-tunnel.

Introduction

edge-tunnel establishes reverse tunnels, which are commonly used to connect networks that cannot reach each other directly: the edge side opens an outbound connection to the cloud, so edge nodes that sit behind NAT or a firewall and accept no inbound connections can still be reached from the cloud. edge-tunnel is deployed in a client-server architecture. edge-tunnel-server is deployed in the cloud and runs as the server. edge-tunnel-agent is deployed on edge nodes and runs as the client. edge-tunnel provides the following features:

  • edge-tunnel establishes encrypted tunnels over the Internet. The system creates a Server Load Balancer (SLB) instance for the Service that is created by edge-tunnel-server. edge-tunnel-agent on each edge node initiates an encrypted tunnel to edge-tunnel-server through the SLB instance. Only the SLB address of edge-tunnel-server is exposed; edge nodes do not need to open any inbound port for the cloud.

  • When components in the cloud, such as kube-apiserver and metrics-server, send requests to port 10250 (the kubelet API) and port 10255 (the kubelet read-only port) on edge nodes, edge-tunnel transparently redirects the requests to edge-tunnel-server, which relays them through the tunnel to edge-tunnel-agent on the target node. The components in the cloud require no modification.
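The forwarding path described above, as an added example that is not edge-tunnel's own code: an agent that dials out to the server, a server that relays a cloud-side request addressed to <node>:<port> over that connection, and an allow-list of node ports so the server cannot be used as a generic proxy into the edge network. Assumptions, all constructed for the demo: net.Pipe stands in for the TLS link through the SLB, a plain-HTTP httptest server stands in for the kubelet on the node, the node names node-a and node-b and the allow-list of 10250 and 10255 are made up, and the agent authentication, TLS and stream multiplexing of the real component are not reproduced.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// agentLink is what the server keeps per connected edge-tunnel-agent.
type agentLink struct {
	conn net.Conn
	br   *bufio.Reader // persists across requests so no response bytes are lost
}

// TunnelServer plays the role of edge-tunnel-server (one relay at a time here).
type TunnelServer struct {
	agents  map[string]*agentLink // filled before serving
	allowed map[string]bool       // node ports reachable through the tunnel
}

func (s *TunnelServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	node, port, err := net.SplitHostPort(r.Host) // DNAT/DNS redirection leaves node:port in Host
	if err != nil || !s.allowed[port] { // never a generic proxy into the edge network
		http.Error(w, "port not exposed through the tunnel", http.StatusForbidden)
		return
	}
	link, ok := s.agents[node]
	if !ok {
		http.Error(w, "no tunnel from "+node, http.StatusBadGateway)
		return
	}
	var resp *http.Response
	if err = r.Write(link.conn); err == nil { // the Host header tells the agent node:port
		resp, err = http.ReadResponse(link.br, r)
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.Header().Set("Content-Type", resp.Header.Get("Content-Type")) // a real relay copies every header
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

// RunAgent plays the role of edge-tunnel-agent: each request read from the tunnel is
// replayed against localBase (https://127.0.0.1:<port> on a real node) and answered back.
func RunAgent(conn net.Conn, localBase string) {
	defer conn.Close() // dropping the link fails closed: the server then answers 502
	br := bufio.NewReader(conn)
	for {
		req, err := http.ReadRequest(br)
		if err != nil {
			return
		}
		out, _ := http.NewRequest(req.Method, localBase+req.URL.RequestURI(), req.Body)
		out.Header = req.Header.Clone() // cloud-side credentials travel with the request
		resp, err := http.DefaultClient.Do(out)
		if err != nil {
			return
		}
		resp.Write(conn) // also closes resp.Body
	}
}

// Demo connects "node-a" and probes it like a cloud component would; values are "<status> <body>".
func Demo() map[string]string {
	kubelet := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })) // assumed stand-in for the kubelet
	defer kubelet.Close()
	agentEnd, serverEnd := net.Pipe() // assumed stand-in for the TLS link via the SLB: the agent dials out, nothing at the edge listens
	defer serverEnd.Close()
	go RunAgent(agentEnd, kubelet.URL)
	srv := &TunnelServer{agents: map[string]*agentLink{"node-a": {conn: serverEnd, br: bufio.NewReader(serverEnd)}}, allowed: map[string]bool{"10250": true, "10255": true}}
	cloud := httptest.NewServer(srv) // stands in for the server's in-cluster Service
	defer cloud.Close()
	probe := func(host, path string) string {
		req, _ := http.NewRequest(http.MethodGet, cloud.URL+path, nil)
		req.Host = host // what the redirected request still carries
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return err.Error()
		}
		defer resp.Body.Close()
		b, _ := io.ReadAll(resp.Body)
		return fmt.Sprintf("%d %s", resp.StatusCode, b)
	}
	return map[string]string{
		"healthz":      probe("node-a:10250", "/healthz"),
		"no-agent":     probe("node-b:10250", "/healthz"), // node-b never connected
		"blocked-port": probe("node-a:22", "/"),           // port not in the allow-list
	}
}

func main() {
	fmt.Println(Demo())
}
```

The healthz probe returns the kubelet's answer even though nothing at the edge accepts inbound connections; the node-b probe fails with 502 because no agent has established a tunnel, and the port-22 probe is refused with 403 before anything is relayed. That last check is the one to look for in any tunnel server: without it, every cloud component that can reach the tunnel can reach every port on every edge node.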


Usage notes

For more information about how to use edge-tunnel, see Cloud-edge tunneling.

Release notes

June 2023

Version: v0.22.1

Image address:
  edge-tunnel-server: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/edge-tunnel-server:v0.22.1
  edge-tunnel-agent: registry-cn-hangzhou.ack.aliyuncs.com/acs/edge-tunnel-agent:v0.22.1

Description:
  • Communication between edge-tunnel and the API server is optimized to resolve an issue where edge-tunnel restarted when the network was unstable.
  • Forwarding of requests from the cloud to edge nodes is optimized to reduce the risk of URL leaks caused by unstable Internet connections.
  • The iptables module is disabled. During cloud-edge request forwarding, edge node names are now resolved by CoreDNS rather than redirected by the iptables (DNAT) module.

Release date: 2023-06-28

Impact: No impact on workloads

December 2022

Version: v0.10.3

Image address:
  edge-tunnel-server: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-server:v0.10.3
  edge-tunnel-agent: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-agent:v0.10.3

Description:
  • Multiple network modes are supported for cloud-edge communication:
    • Edge node pools can connect to the cloud over the Internet, over an Express Connect circuit, or through a Cloud Connect Network (CCN) instance. Requests from the cloud reach each type of edge node pool in a different way.
    • Requests destined for edge node pools that connect to the cloud over the Internet are sent to the cloud-edge tunnel, which acts as a proxy for the cloud-side client.
    • Requests destined for edge node pools that connect to the cloud over an Express Connect circuit or through a CCN instance are sent directly to the ports of the nodes in those pools, without passing through the tunnel. For example, requests from kube-apiserver are sent directly to port 10250 and port 10255 on the edge nodes.
  • Changes to cluster resources:
    • A label is automatically added to each edge node pool to record its network mode:
      • alibabacloud.com/interconnection-mode=normal for edge node pools that connect to the cloud over the Internet.
      • alibabacloud.com/interconnection-mode=private for edge node pools that connect to the cloud over Express Connect circuits.
      • alibabacloud.com/interconnection-mode=improved for edge node pools that connect to the cloud through CCN instances.
    • DNS records are updated dynamically based on whether edge-tunnel-agent is deployed on an edge node. edge-tunnel-agent is deployed only on nodes in edge node pools that connect to the cloud over the Internet.
  • Requests from components in the cloud, such as kube-apiserver and Prometheus, are sent to port 10263 of the x-tunnel-server-internal-svc Service instead of port 10263 of the x-tunnel-server-svc Service, so that cloud-side traffic to the tunnel server uses the internal Service.

Release date: 2022-12-14

Impact: No impact on workloads

January 2022

Version: v0.10.0

Image address:
  edge-tunnel-server: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-server:v0.10.0
  edge-tunnel-agent: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-agent:v0.10.0

Description:
  The first edge-tunnel version for ACK edge clusters of version 1.20.11-aliyunedge.1.
  • Request forwarding is improved:
    • Requests destined for {nodeName:Port} can be forwarded from the cloud to edge nodes.
    • Requests destined for localhost endpoints on edge nodes (endpoints that listen only on 127.0.0.1 of the node) can be forwarded from the cloud to edge nodes. This requires you to configure the localhost-proxy-ports field in the edge-tunnel-server-cfg ConfigMap.
  • The configuration for access to ports other than 10250 and 10255 is optimized:
    • To allow access to a port other than 10250 or 10255 on an edge node, add the port to the http-proxy-ports field of the edge-tunnel-server-cfg ConfigMap if the endpoint serves plain HTTP, or to the https-proxy-ports field if it serves HTTPS. The dnat-ports-pair field is retained for compatibility, but we recommend that you do not use it. Ports that are not listed are not reachable through the tunnel, so list only the endpoints that cloud components actually need.
  • Certificate management is improved for edge-tunnel-server. When the IP address of the edge-tunnel-server-svc Service changes, for example because the Service is associated with a new SLB instance, the TLS server certificate of edge-tunnel-server is automatically regenerated so that the address agents connect to remains covered by the certificate and agents can still verify the server.

Release date: 2022-01-27

Impact: No impact on workloads
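The edge-tunnel-server-cfg fields named in the v0.10.0 notes, shown together as an added illustration that is not taken from this page or from edge-tunnel's own manifests. Assumptions: the ConfigMap lives in the kube-system namespace, each value is a comma-separated list of port numbers, and the port numbers themselves are placeholders; confirm the value syntax against the ConfigMap that is actually deployed in your cluster before relying on it.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: edge-tunnel-server-cfg
  namespace: kube-system   # assumed; check where the component was deployed
data:
  # Plain-HTTP endpoints on edge nodes that cloud components may reach through
  # the tunnel, in addition to the built-in 10250 and 10255 (placeholder ports).
  http-proxy-ports: "9100,9200"
  # HTTPS endpoints on edge nodes reachable through the tunnel (placeholder port).
  https-proxy-ports: "9443"
  # Endpoints that listen only on 127.0.0.1 of the edge node (placeholder port).
  localhost-proxy-ports: "10249"
  # dnat-ports-pair is retained for compatibility but not recommended: leave it
  # unset and use the three fields above instead.
```

Treat these three fields as an allow-list: every port added becomes reachable from the cloud network by any component that can address the node through the tunnel, so add only what cloud-side components need and review the list when an edge workload that listened on one of these ports is removed.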