
Container Service for Kubernetes: Overview of the Raven cross-domain O&M communication component

Last Updated: Mar 26, 2026

In ACK Edge clusters, edge nodes span isolated network domains and may have conflicting IP addresses, which blocks cloud-side components such as the APIServer, MetricsServer, and Prometheus from reaching edge workloads. Raven solves this by building encrypted tunnels between cloud and edge gateway nodes, enabling cross-domain monitoring and operations without changing the existing network topology.

This topic describes Raven's architecture, how it works, and how to choose between its two communication modes.

Background

ACK Edge clusters use a cloud-edge collaboration architecture: control plane components run on the cloud, while workloads run at the edge in data centers or on edge devices. Edge nodes connect to the ACK control plane's public endpoint over the Internet.


Edge nodes are grouped into node pools, where each node pool represents a distinct network domain. Nodes in different node pools cannot communicate directly and may have overlapping IP addresses. This isolation is by design in edge computing, but it prevents cloud-side components from reaching edge workloads for monitoring and operations.

How it works

Raven works in two phases: establishing tunnels between gateway nodes, then forwarding cross-domain traffic through those tunnels.

Phase 1: Initialization

  • In each node pool, one node is elected as the edge gateway node. Nodes not belonging to a node pool act as their own gateway.

  • The raven-agent-ds DaemonSet runs on every node in the cluster using host network mode. On gateway nodes, it establishes encrypted tunnels to the cloud gateway node.

  • The ack-edge-yurt-manager control plane component divides nodes into network domains based on node pool membership and creates a gateway custom resource for each domain to record node and configuration information.

Phase 2: Request forwarding

  • Cross-domain requests from cloud-side components are routed through the cloud gateway node to the appropriate edge gateway node.

  • The edge gateway node forwards requests to the target host, container, or service within its network domain.


Choose a communication mode

Raven provides two communication modes.

Mode        | Traffic type              | Supports IP conflicts | Use when
Proxy mode  | Host-level (Layer 7)      | Yes                   | Node pools have IP conflicts, or you need kubectl logs/exec/attach/top
Tunnel mode | Container-level (Layer 3) | No                    | Node pools have inter-node connectivity and no IP conflicts

Proxy mode

Proxy mode creates an encrypted reverse channel between the elected edge gateway node and the cloud gateway node. The cloud gateway node forwards cross-domain requests to the edge gateway node at Layer 7, using a NodeName+Port combination to identify the target. A node that does not belong to any node pool acts as its own gateway node and creates a tunnel directly with the cloud gateway node.

Proxy mode supports:

  • Host network communication for the APIServer, MetricsServer, and Prometheus

  • kubectl logs, kubectl exec, kubectl attach, and kubectl top

  • Node pools with conflicting IP address ranges

In IP conflict scenarios, use proxy mode: tunnel mode cannot route host-level traffic when IP addresses overlap between network domains.

Tunnel mode

Tunnel mode creates IPSec-VPN tunnels between the elected edge gateway node and the cloud gateway node. Within each network domain, Raven creates a Virtual Extensible LAN (VXLAN) overlay network using Flannel VXLAN, and all cross-domain container traffic is forwarded through the VPN tunnel via the VXLAN.

Tunnel mode supports:

  • Container-to-container communication across network domains

  • Metrics collection from edge containers by Prometheus

Tunnel mode only supports node pools where nodes have direct inter-node connectivity.
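The mode-selection rules from the table above and the two mode sections, codified as an added example (not part of the Raven documentation or code). It assumes you already know each node pool's host address range and whether nodes in the pool can reach each other directly; the pools below are constructed sample input.

```python
"""Recommend a Raven communication mode from per-node-pool network facts."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations


@dataclass
class NodePool:
    name: str
    host_cidr: str                 # address range used by the pool's hosts
    inter_node_connectivity: bool  # nodes in the pool can reach each other directly


def conflicting_pools(pools):
    """Return name pairs of pools whose host ranges overlap (IP conflicts)."""
    conflicts = []
    for a, b in combinations(pools, 2):
        net_a = ip_network(a.host_cidr, strict=False)
        net_b = ip_network(b.host_cidr, strict=False)
        if net_a.overlaps(net_b):
            conflicts.append((a.name, b.name))
    return conflicts


def recommend_mode(pools, needs_kubectl_exec=False):
    """Return (mode, reasons) following the page's selection rules.

    Proxy mode is required when any two pools have conflicting IP ranges or
    when kubectl logs/exec/attach/top is needed. Tunnel mode additionally
    requires direct inter-node connectivity in every pool.
    """
    reasons = [f"IP conflict between {a} and {b}" for a, b in conflicting_pools(pools)]
    if needs_kubectl_exec:
        reasons.append("kubectl logs/exec/attach/top required")
    if reasons:
        return "proxy", reasons
    no_connectivity = [p.name for p in pools if not p.inter_node_connectivity]
    if no_connectivity:
        return "proxy", [f"no inter-node connectivity in {n}" for n in no_connectivity]
    return "tunnel", ["no IP conflicts and inter-node connectivity in every pool"]


# Constructed sample pools: two edge sites reusing the same private range.
CONFLICTING_POOLS = [NodePool("pool-a", "10.0.0.0/24", True),
                     NodePool("pool-b", "10.0.0.0/24", True)]
DISJOINT_POOLS = [NodePool("pool-a", "10.0.0.0/24", True),
                  NodePool("pool-b", "10.0.1.0/24", True)]

if __name__ == "__main__":
    for pools in (CONFLICTING_POOLS, DISJOINT_POOLS):
        mode, why = recommend_mode(pools)
        print(mode, "->", "; ".join(why))
```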

Important

Data loss may occur during cross-domain communication over the Internet. Do not use tunnel mode to transmit business-critical data. If you encounter issues or have suggestions, submit a ticket to contact the ACK technical team.

Component architecture

Raven consists of two components:

Component             | Type                   | Role
ack-edge-yurt-manager | Control plane          | Divides nodes into network domains based on node pools and creates gateway custom resources
raven-agent-ds        | Data plane (DaemonSet) | Runs on every node; configures routes or VPN tunnels between gateway nodes

Raven requires a gateway custom resource for each network domain to record that domain's node information and configuration.

Prerequisites

Before you begin, ensure that you have:

  • An ACK Edge cluster running Kubernetes 1.26.3 or later

  • At least one Elastic Compute Service (ECS) instance designated as the cloud gateway node (required when creating the ACK Edge cluster)

  • If edge hosts communicate with the ACK Edge control plane over the Internet: a Classic Load Balancer (CLB) instance, an elastic IP address (EIP), and configured network access control lists (ACLs). These resources are used to establish the encrypted tunnels between gateway nodes in different node pools.

What's next