Container Service for Kubernetes:Configure NodePort listening based on node pools

Last Updated:Nov 07, 2023

Edge computing scenarios require Service isolation. For example, you can make a NodePort Service listen on the ports it exposes only on the nodes in a specified node pool, which avoids port conflicts on other nodes. This topic describes how to configure NodePort listening based on node pools.

Architecture design

The edge-hub component has a built-in programmable data filtering framework that transforms the responses that kube-apiserver in the cloud returns to requests from edge nodes. The transformation is transparent to the client and applied on demand, to meet the requirements of cloud-edge collaboration scenarios. The following figure shows the architecture design of the edge-hub component.

[Figure: architecture of the edge-hub component]

A filter named nodeportisolation is introduced to the edge-hub component. This filter can be used with the nodeport.openyurt.io/listen annotation of NodePort Services to listen on the ports exposed by a NodePort Service on nodes in the specified node pool.

Limits

The edge-hub component must be version 0.11.0 or later.

Procedure

You can add the nodeport.openyurt.io/listen annotation to NodePort and LoadBalancer Services.

  • Key of the annotation: nodeport.openyurt.io/listen.

  • Value of the annotation: node pool names separated by commas (,).

    • foo: listens on ports exposed by the NodePort Service on nodes in the node pool named foo.

    • -foo: does not listen on ports exposed by the NodePort Service on nodes in the node pool named foo.

    • *: listens on ports exposed by the NodePort Service on nodes in all node pools.

Important
  • If a node pool name appears multiple times in the annotation value, only its first occurrence takes effect.

  • NodePort listening is disabled for nodes in node pools that you have not specified.

  • By default, the system listens on ports exposed by the NodePort Service on orphaned nodes (nodes that do not belong to any node pool) in the same way as open source Kubernetes.

Annotation examples

  • nodeport.openyurt.io/listen=foo,bar: listens on ports exposed by the NodePort Service on nodes in the node pools named foo and bar.

  • nodeport.openyurt.io/listen=foo,*: listens on ports exposed by the NodePort Service on nodes in all node pools.

  • nodeport.openyurt.io/listen=-foo,-bar: does not listen on ports exposed by the NodePort Service on nodes in any node pool.

  • nodeport.openyurt.io/listen=-foo,*: does not listen on ports exposed by the NodePort Service on nodes in the node pool named foo; nodes in all other node pools listen.

  • nodeport.openyurt.io/listen=foo,-foo: listens on ports exposed by the NodePort Service on nodes in the node pool named foo (the first occurrence of foo takes effect).

  • nodeport.openyurt.io/listen=-foo: does not listen on ports exposed by the NodePort Service on nodes in any node pool, including the node pool named foo.
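The resolution rules described in the procedure and illustrated by the table above (comma-separated values, a leading "-" to deny a pool, "*" for all pools, first occurrence wins, unspecified pools disabled, orphaned nodes unchanged) as an added Go example. This is not the edge-hub component's own code; foo and bar are hypothetical node pool names.

```go
package main

import (
	"fmt"
	"strings"
)

// listenPolicy is the parsed nodeport.openyurt.io/listen value: per-pool decisions plus whether "*" appeared.
type listenPolicy struct {
	pools    map[string]bool // node pool name -> true (listen) / false (do not listen)
	wildcard bool            // "*" present: pools without an explicit entry listen
}

// parseListenAnnotation splits the value on commas; a leading "-" denies the
// pool, "*" enables every pool, and a repeated pool name keeps its first entry.
func parseListenAnnotation(value string) listenPolicy {
	p := listenPolicy{pools: map[string]bool{}}
	for _, item := range strings.Split(value, ",") {
		item = strings.TrimSpace(item)
		if item == "*" {
			p.wildcard = true
			continue
		}
		name := strings.TrimPrefix(item, "-")
		if _, seen := p.pools[name]; name != "" && !seen { // first occurrence takes effect
			p.pools[name] = !strings.HasPrefix(item, "-")
		}
	}
	return p
}

// shouldListen reports whether a node in poolName listens on the NodePort.
// An empty poolName is an orphaned node, which listens as in open source Kubernetes.
func (p listenPolicy) shouldListen(poolName string) bool {
	if poolName == "" {
		return true
	}
	if listen, ok := p.pools[poolName]; ok {
		return listen // an explicit entry beats the wildcard
	}
	return p.wildcard // unspecified pools are disabled unless "*" was given
}

func main() {
	// Constructed annotation value taken from the table; foo and bar are hypothetical pool names.
	p := parseListenAnnotation("-foo,*")
	for _, pool := range []string{"foo", "bar", ""} {
		fmt.Printf("pool %q listens: %v\n", pool, p.shouldListen(pool))
	}
}
```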