
Container Service for Kubernetes:Configure Raven for cross-domain communication

Last Updated: Mar 26, 2026

The Raven component provides cross-domain networking between the cloud and edge nodes in an ACK Edge cluster. It supports two communication modes—proxy mode and tunnel mode—and lets you control which edge gateway nodes can establish tunnels with the cloud.

Note

If your cluster uses an Express Connect circuit for cloud-edge communication, you can uninstall the Raven component.

Prerequisites

Before you begin, ensure that you have:

  • An ACK Edge cluster running version v1.26.3 or later. See Create an ACK Edge cluster.

  • Proxy mode: Inbound TCP traffic on ports 10280–10284 allowed by security policies on your edge nodes.

  • Tunnel mode: UDP port 4500 allowed by security policies on your edge nodes, and inbound UDP port 8472 allowed by the cloud security group.

  • Edge node security policies that do not block traffic from the elastic IP address (EIP) associated with the Raven component. Edge nodes use this EIP to establish a reverse tunnel to the cloud. To find this EIP, see the Usage notes section.

Usage notes

  • Cross-domain communication depends on cloud resources: elastic IP addresses (EIPs), Classic Load Balancer (CLB) instances, and access control lists (ACLs).

  • The Edge-Controller-Manager (ECM) managed component automatically provisions these resources when you enable Raven's cross-domain communication and releases them when you disable or uninstall it. You can resize these resources based on your requirements. Cloud resources follow this naming format: k8s/raven-agent-ds/kube-system/{CLUSTER_ID}. Do not rename these resources—if you do, ECM may fail to recognize them, which can cause resource leaks. Do not manually delete them, as this disrupts Raven's functionality.

  • The kube-system/raven-cfg ConfigMap stores information about the provisioned cloud resources. Do not manually delete this ConfigMap. The ConfigMap contains the following fields:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: raven-cfg
      namespace: kube-system
    data:
      acl-id: acl-xxx
      acl-entry: ""
      eip-id: eip-xxx
      eip-ip: 47.XX.XX.47
      enable-l3-tunnel: "false"
      enable-l7-proxy: "true"
      loadbalancer-id: lb-xxx
      loadbalancer-ip: 192.XX.XX.1
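The fields above are the only place the provisioned EIP appears, and the Prerequisites section expects you to turn them into security-policy rules on the edge nodes. The Python script below is an added example, not code from the ACK Edge documentation or the Raven project: it reads a raven-cfg manifest (the constructed sample stands in for the output of `kubectl -n kube-system get configmap raven-cfg -o yaml`, with placeholder IDs), validates eip-ip, and lists the inbound rules this page requires for whichever mode is enabled. Scoping the edge-node port rules to the EIP as the source is this example's choice; the page states the port and EIP requirements separately. The parser only handles the flat `data:` section shown above, not general YAML.

```python
"""Derive the security-policy rules implied by the kube-system/raven-cfg ConfigMap.

Added example, not part of the ACK Edge documentation or the Raven project.
The port numbers are the ones listed under Prerequisites on this page; the
ConfigMap text is a constructed sample with placeholder identifiers.
"""
import ipaddress

# Constructed sample of `kubectl -n kube-system get configmap raven-cfg -o yaml`.
SAMPLE_RAVEN_CFG = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: raven-cfg
  namespace: kube-system
data:
  acl-id: acl-xxx
  acl-entry: ""
  eip-id: eip-xxx
  eip-ip: 47.0.0.47
  enable-l3-tunnel: "false"
  enable-l7-proxy: "true"
  loadbalancer-id: lb-xxx
  loadbalancer-ip: 192.168.0.1
"""


def parse_configmap_data(text):
    """Minimal parser for the flat `data:` block of this ConfigMap.

    Not a general YAML parser: it only understands one-line `key: value`
    pairs indented directly under `data:` and strips surrounding double
    quotes, which is all raven-cfg contains."""
    data = {}
    in_data = False
    for raw in text.splitlines():
        if raw.strip() == "data:":
            in_data = True
            continue
        if not in_data:
            continue
        if not raw.startswith("  ") or not raw.strip():
            break  # left the data block
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"unexpected line in data block: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        data[key.strip()] = value
    return data


def _flag(cfg, key):
    """Read an enable-* field; ECM writes the strings "true"/"false"."""
    value = cfg.get(key, "false").lower()
    if value not in ("true", "false"):
        raise ValueError(f'{key} must be "true" or "false", got {value!r}')
    return value == "true"


def required_rules(cfg):
    """Map the ConfigMap to the inbound rules listed under Prerequisites.

    Returns {"edge": [...], "cloud": [...]} of (proto, port, source) tuples.
    Edge-node rules use the Raven EIP as the source (this example's choice).
    The cloud security-group rule has no source recorded in the ConfigMap,
    so its source is None, meaning "your edge nodes' public addresses"."""
    eip = cfg.get("eip-ip", "")
    if not eip:
        raise ValueError("raven-cfg has no eip-ip; cloud resources are not provisioned")
    ipaddress.IPv4Address(eip)  # rejects masked placeholders such as 47.XX.XX.47
    rules = {"edge": [], "cloud": []}
    if _flag(cfg, "enable-l7-proxy"):
        rules["edge"].append(("tcp", "10280-10284", eip))
    if _flag(cfg, "enable-l3-tunnel"):
        rules["edge"].append(("udp", "4500", eip))
        rules["cloud"].append(("udp", "8472", None))
    if not rules["edge"]:
        raise ValueError("neither proxy mode nor tunnel mode is enabled")
    return rules


def rules_from_manifest(text):
    """Convenience wrapper: manifest text in, rule table out."""
    return required_rules(parse_configmap_data(text))


if __name__ == "__main__":
    for where, entries in rules_from_manifest(SAMPLE_RAVEN_CFG).items():
        for proto, port, src in entries:
            print(f"{where}: allow inbound {proto}/{port} from {src or 'edge nodes'}")
```

Run it against the live ConfigMap rather than the masked text on this page: a masked eip-ip such as 47.XX.XX.47 is rejected as an invalid address, which is the intended behaviour for a placeholder.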

Choose a communication mode

The raven-agent-ds component supports two communication modes. Proxy mode is enabled by default when you create an ACK Edge cluster.

Proxy mode (recommended)

  • Network layer: Host network

  • Mechanism: Reverse proxy tunnel

  • Use when: You need cross-domain communication at the host network level.

Tunnel mode

  • Network layer: Container network

  • Mechanism: VPN tunnel

  • Use when: Nodes in a node pool can communicate directly; primarily used to monitor metrics of cloud-edge containers.

  • Data loss risk: Higher. Traffic goes over the public network, so do not use tunnel mode for important business data.

For a detailed explanation of both modes, see The Raven cross-domain O&M communication component.

Configure raven-agent-ds

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Add-ons.

  3. Find the raven-agent-ds component and click Configuration on its card.

  4. Configure the following parameters:

    controller

    Select the communication mode:

    • Enable Proxy Mode (Recommended): Establishes a reverse proxy tunnel for cross-domain communication at the host network level.

    • Enable Tunnel Mode: Creates a VPN tunnel for cross-domain communication at the container network level. Choose this mode for node pools where nodes can communicate directly. Primarily used to monitor metrics of cloud-edge containers.

      Important

      Cross-domain communication in tunnel mode travels over the public network, which carries a risk of data loss. Do not use tunnel mode for important business data. If you encounter issues, submit a ticket to contact the container service team.

    accessControlListEntry

    Specifies the access control whitelist for edge gateway nodes. Only nodes on this list can establish tunnels with the cloud.

    • Format: CIDR block. For a single IP address, use a /32 subnet mask.

    • Separate multiple entries with a comma (,).

    • If left blank, the load balancer accepts connections from all source addresses, so any host that can reach the CLB can attempt to establish a tunnel.

    • If you add any entries, also include the CIDR block 100.64.0.0/10, which CLB uses for health checks.
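Because a blank list accepts every source address and a non-empty list that omits 100.64.0.0/10 blocks the CLB health checks, it is worth checking the value before saving it in the console. The Python function below is an added example, not part of the ACK Edge documentation or the Raven component: it applies the four rules above (CIDR format, /32 for single addresses, comma separation, the health-check range) to a candidate accessControlListEntry value and either returns the normalized entries or explains what would be wrong. The sample addresses are constructed from documentation ranges.

```python
"""Pre-flight check for the raven-agent-ds accessControlListEntry value.

Added example, not part of the ACK Edge documentation or the Raven project.
The rules applied are the ones stated on this page; the sample values are
constructed documentation addresses.
"""
import ipaddress

# CLB health-check source range named on this page; any non-empty list must cover it.
HEALTH_CHECK_CIDR = ipaddress.ip_network("100.64.0.0/10")


def normalize_acl_entry(value):
    """Validate a candidate accessControlListEntry string.

    Returns the list of normalized CIDR strings (single addresses get /32,
    duplicates dropped, order preserved). A blank value returns [], which
    the page documents as "allow every source address", so treat an empty
    result as something to fix rather than as a passing check.
    Raises ValueError with a reason for anything that is not a valid CIDR
    block or that would leave the CLB unable to health-check the gateway."""
    value = value.strip()
    if not value:
        return []
    networks = []
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty entry (a doubled or trailing comma)")
        if "/" not in token:
            token += "/32"  # single IP address -> /32 mask, as the page requires
        try:
            # strict=True rejects "203.0.113.10/24" (host bits set): the author
            # probably meant either 203.0.113.10/32 or 203.0.113.0/24.
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            raise ValueError(f"{token!r}: {exc}") from None
        if net.version != 4:
            raise ValueError(f"{token!r}: entries are expected to be IPv4 CIDR blocks")
        if net not in networks:
            networks.append(net)
    # The health-check range must be allowed, either literally or by a wider block.
    if not any(HEALTH_CHECK_CIDR.subnet_of(n) for n in networks):
        raise ValueError(
            f"{HEALTH_CHECK_CIDR} (CLB health checks) is not covered; add it to the list"
        )
    return [str(n) for n in networks]


def acl_entry_value(value):
    """Return the comma-separated string to paste into the console."""
    return ",".join(normalize_acl_entry(value))


if __name__ == "__main__":
    # Constructed candidate: two edge gateway sources plus the health-check range.
    candidate = "203.0.113.10, 198.51.100.0/24, 100.64.0.0/10"
    print(acl_entry_value(candidate))  # 203.0.113.10/32,198.51.100.0/24,100.64.0.0/10
    for bad in ("203.0.113.10", "203.0.113.10/24,100.64.0.0/10"):
        try:
            normalize_acl_entry(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

A wider block such as 0.0.0.0/0 also satisfies the health-check rule, but it makes the list equivalent to leaving the field blank; the check accepts it as syntactically valid, so review the returned entries rather than relying on the absence of an exception.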

Pin gateway nodes

Raven builds cross-domain tunnels between gateway nodes. By default, it randomly selects gateway nodes from a node pool. To ensure a stable operations and maintenance (O&M) channel, designate specific nodes as dedicated gateway nodes:

kubectl label node node-xxx raven.openyurt.io/gateway-node=true

What's next