In a native Kubernetes Service, backend endpoints are distributed across all nodes in the cluster. This distribution can cause access issues or poor performance for traffic that crosses node pools. Service traffic topology ensures that applications on edge nodes are accessible only from nodes in the same node pool or from the local node. This topic describes the Service traffic topology management feature and how to configure it.
Background information
In edge computing scenarios, edge nodes are often grouped by location, region, or other logical attributes, such as CPU architecture or Internet Service Provider (ISP). These node groups are typically isolated and may have separate networks, resources, or applications.
Service traffic topology management implementation
To address these challenges, ACK Edge extends the native Service with an endpoint topology management feature. You can use a simple configuration to restrict the access scope of a Service’s backend endpoints. For example, you can ensure that applications on edge nodes are accessible only from nodes in the same node pool or from the local node. The following figure illustrates this behavior.
-
Service 1 is associated with two backend instances: Pod 2 and Pod 3. The annotation
"openyurt.io/topologyKeys: kubernetes.io/zone"on Service 1 defines its node pool topology scope. -
Node 2, which hosts Pod 2, and Node 4, which hosts Pod 3, belong to different node pools: A and B.
-
Pod 1 and Pod 3 are not in the same node pool. When Pod 1 accesses Service 1, traffic is forwarded only to Pod 2. Traffic to Pod 3 is blocked.
Notes
-
For versions earlier than v1.26.3-aliyun.1: To enable the traffic topology feature, you must add the topology annotation when you create the Service. If you add the annotation after the Service is created, the feature does not take effect. You must delete and recreate the Service.
-
For v1.26.3-aliyun.1 and later: You can add or modify the topology annotation after the Service is created. The change takes effect immediately.
Annotation description
Add an annotation to a native Service to configure traffic topology. The following table describes the parameters.
|
Annotation Key |
Annotation Value |
Description |
|
openyurt.io/topologyKeys |
kubernetes.io/hostname |
Restricts Service access to the local node only. |
|
openyurt.io/topologyKeys |
kubernetes.io/zone or openyurt.io/nodepool |
You can restrict access to the Service to only nodes in the current node pool. For ACK Edge cluster versions 1.18 or later, we recommend that you use openyurt.io/nodepool. |
|
- |
- |
The Service has no topology restrictions. |
Configure Service traffic topology
You can configure Service traffic topology using the console or the command line.
Method 1: Configure Service traffic topology using the console
To create a Service that is accessible only from within its node pool, add an annotation to the Service. For example, set Name to openyurt.io/topologyKeys and Value to kubernetes.io/zone. For more information about how to create a Service, see Service management.
Method 2: Configure Service traffic topology using the command line
The following YAML template shows how to create a Service that uses the node pool topology domain.
apiVersion: v1
kind: Service
metadata:
annotations:
openyurt.io/topologyKeys: kubernetes.io/zone
name: my-service-nodepool
namespace: default
spec:
ports:
- port: 80
protocol: TCP
targetPort: 8080
selector:
app: nginx
sessionAffinity: None
type: ClusterIP