
Container Service for Kubernetes: Configure NodePort listening based on node pools

Last Updated: Mar 26, 2026

In edge computing scenarios, NodePort Services may conflict if multiple node pools expose the same port. NodePort service isolation lets you restrict which node pools listen on a NodePort Service's ports, preventing port conflicts across node pools.

How it works

The edge-hub component includes a built-in programmable data filtering framework that intercepts and transforms responses from kube-apiserver before delivering them to edge nodes. A filter named nodeportisolation works with the nodeport.openyurt.io/listen annotation to control which node pools listen on a NodePort Service's ports.

Architecture diagram

Prerequisites

Before you begin, ensure that you have:

  • edge-hub component version 0.11.0 or later

  • A NodePort or LoadBalancer Service to configure

Configure NodePort listening by node pool

Add the nodeport.openyurt.io/listen annotation to your NodePort or LoadBalancer Service.

Annotation key: nodeport.openyurt.io/listen

Annotation value: A comma-separated list of node pool names, using the following syntax:

  • foo — Enable listening on nodes in the node pool named foo.

  • -foo — Disable listening on nodes in the node pool named foo.

  • * — Enable listening on nodes in all node pools.

Behavioral rules:

  • If a node pool name appears in more than one entry of the annotation value, only the first entry takes effect.

  • Node pools not listed in the annotation have NodePort listening disabled.

  • Orphaned nodes (nodes not belonging to any node pool) behave the same as in standard Kubernetes—NodePort listening is enabled.

Annotation examples

nodeport.openyurt.io/listen=foo,bar       # Listen on nodes in foo and bar
nodeport.openyurt.io/listen=foo,*         # Listen on nodes in all node pools
nodeport.openyurt.io/listen=-foo,-bar     # Disable listening on nodes in all node pools
nodeport.openyurt.io/listen=-foo,*        # Disable listening only on nodes in foo
nodeport.openyurt.io/listen=foo,-foo      # Listen on nodes in foo
nodeport.openyurt.io/listen=-foo          # Disable listening on nodes in all node pools (including foo)

Note

nodeport.openyurt.io/listen=foo,* and nodeport.openyurt.io/listen=foo,-foo both enable listening on foo because foo appears before the conflicting entry and takes precedence.
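
The following Go program is an added example (not code from edge-hub or OpenYurt) that evaluates an annotation value against the rules above and lists which node pools would open the port, so the exposure can be reviewed before the Service is applied. The function names, the empty pool name for orphaned nodes, the foo/bar/baz inventory, and the choice that an entry naming a pool outranks * wherever * appears are assumptions of the example; it covers only Services that carry the annotation.

```go
package main

import (
	"fmt"
	"strings"
)

// ListensOn reports whether nodes in pool would listen on the NodePort of a
// Service whose nodeport.openyurt.io/listen annotation has the given value.
// pool == "" stands for an orphaned node (convention of this example).
func ListensOn(value, pool string) bool {
	if pool == "" {
		return true // orphaned nodes behave as in standard Kubernetes
	}
	wildcard := false
	for _, entry := range strings.Split(value, ",") {
		switch strings.TrimSpace(entry) {
		case pool:
			return true // first entry naming the pool wins
		case "-" + pool:
			return false
		case "*":
			wildcard = true
		}
	}
	// Assumption: an entry naming the pool outranks "*" wherever "*" appears.
	return wildcard // pools not listed listen only when "*" is present
}

// ExposedPools returns the pools (from a caller-supplied inventory) that
// would open the NodePort, so the exposure can be reviewed before applying.
func ExposedPools(value string, pools []string) []string {
	exposed := []string{}
	for _, p := range pools {
		if ListensOn(value, p) {
			exposed = append(exposed, p)
		}
	}
	return exposed
}

func main() {
	pools := []string{"foo", "bar", "baz"} // constructed inventory
	// Annotation values taken from the examples on this page.
	for _, v := range []string{"foo,bar", "foo,*", "-foo,-bar", "-foo,*", "foo,-foo", "-foo"} {
		fmt.Printf("%-10s -> %v\n", v, ExposedPools(v, pools))
	}
}
```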

Usage notes

  • Add the nodeport.openyurt.io/listen annotation when creating the Service. If you add it after the Service is created, restart all kube-proxy instances for the change to take effect.

  • When adding a new node pool, update the annotation to include the new node pool before adding nodes to it. This ensures NodePort listening is active on all nodes as they join the pool.

  • Use the node pool ID (format: npxxxx) instead of the node pool name, because node pool names are customizable and can change. Find the node pool ID in the ACK console.