
Container Service for Kubernetes:Access pods directly using NAT gateway DNAT rules

Last Updated:Mar 07, 2026

In scenarios such as games and peer-to-peer (P2P) applications, clients often need to access pods directly. Traditionally, you can assign elastic IP addresses (EIPs) to pods to enable access. However, this method has issues, such as limits on the number of EIPs and security management challenges. You can configure EIPs on a NAT Gateway and use its Destination Network Address Translation (DNAT) feature to expose the access endpoint for a pod. This helps reduce the number of EIPs that you use.

Prerequisites

  • An ACK managed cluster or an ACK dedicated cluster is created. The cluster must use Terway as the network plug-in. For more information, see Create an ACK managed cluster and Create an ACK dedicated cluster (new creation stopped).

  • A NAT Gateway is created in a VPC, and the natgw controller is used. For more information about how to create a NAT Gateway, see Internet NAT Gateway.

  • A DNAT rule is created to map a public IP address, a public port, a private port, and a private IP address. For more information about how DNAT works, see Use the DNAT feature of an Internet NAT gateway to allow an ECS instance to provide services over the internet.

    • Public IP address: An EIP that is configured on the Internet NAT gateway.

    • Public port: A port within the range specified by the portRangeStart and portRangeEnd parameters in the configuration file of the natgw controller. The port is automatically allocated by the natgw controller. After the port is allocated, the information is recorded in the poddnats.alibabacloud.com Custom Resource (CR). The CR has the same name as the pod.

    • Private port: The listening port of the pod that is configured in the pod's annotations.

    • Private IP address: The IP address of the pod.

Limits

  • This feature supports regular ECS nodes but not ECI instances.

  • The number of configurable entries is limited by the NAT Gateway. For more information about the limits, see DNAT feature FAQ.

Pod annotations

You can use the following pod annotations:

  • k8s.aliyun.com/pod-dnat: Enables the DNAT feature for the pod. Set the value to true or leave it empty ("") to enable the feature. To disable the DNAT feature, remove all DNAT-related annotations.

  • k8s.aliyun.com/pod-dnat-expose-port: The listening port of the pod. To specify multiple ports, separate them with commas. Example: "80,443".

  • k8s.aliyun.com/pod-dnat-expose-protocol: The protocol type. Valid values are tcp and udp. The default value is tcp.

  • k8s.aliyun.com/pod-dnat-fixed: Enables configuration persistence for a stateful container.

Important

Security group configuration: Add an inbound rule to the security group of the pod to allow traffic on the exposed port.

Enable the DNAT feature in ack-extend-network-controller

The ack-extend-network-controller component needs to access Alibaba Cloud OpenAPI to create resources. To do this, you must configure the required permissions in RAM and install the ack-extend-network-controller component from the marketplace. Then, you can use an annotation to create and associate a DNAT rule for a specific pod.

Step 1: Configure the required RAM permissions for DNAT

ACK cluster

  1. Log on to the Container Service Management Console. In the navigation pane on the left, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the navigation pane on the left, click Cluster Information.

  3. On the Basic Information tab of the Cluster Information page, click the link to the right of Worker RAM Role.

  4. Create a custom policy that contains the following content. For more information, see Step 1: Create a custom policy.

    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeNetworkInterfaces",
        "vpc:DescribeNatGateways",
        "vpc:DescribeForwardTableEntries",
        "vpc:CreateForwardEntry",
        "vpc:DescribeEipAddresses",
        "vpc:DeleteForwardEntry",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteEntryList"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {}
    }
  5. Grant permissions to the worker RAM role of the cluster. For more information, see Step 2: Grant permissions to the worker RAM role of the cluster.

ACK serverless cluster

Create an AccessKey pair for a RAM user. For more information, see Create a RAM user and Create a custom policy.

Step 2: Enable the natgw controller for the ack-extend-network-controller component

Install the ack-extend-network-controller component and enable the natgw controller. For more information about how to install the ack-extend-network-controller component, see Marketplace.

The configuration parameters for the natgw controller are as follows.

clusterID: "c11ba338192xxxxxxx"          # Enter the actual value.
regionID: "cn-hangzhou"                  # Enter the actual value.
vpcID: "vpc-bp1rkq0zxxxxxx"              # Enter the actual value.
enableControllers:
  - natgw                                  # Enable DNAT.

networkController:
  natGwPool:
    - natgwId: "< nat gateway id. >"                   # The ID of the Internet NAT gateway.
      zoneId: "< nat gateway zone id. cn-hangzhou-j >" # The zone ID of the Internet NAT gateway.
      portRangeStart: 512                              # The start port.
      portRangeEnd: 1024                               # The end port.
      eips:
        - "<auto config all nat gateway eips if not config. 0.0.0.0 >"  # The EIPs of the Internet NAT gateway. If you do not set this parameter, all EIPs that are configured on the gateway are used.

credential:                               # Use an AccessKey pair. For ACK clusters, use the RAM role mode for configuration. If you granted permissions to the worker RAM role of the cluster in Step 1, you do not need to configure this section.
  accessKey: ""
  accessSecret: ""

Track configurations using a Custom Resource (CR)

  1. After you create a pod, the controller creates a CR with the same name as the pod. The following example shows how to configure a DNAT rule for a pod to expose port 80 of the pod to the public network.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: example
      labels:
        app: example
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: example
      template:
        metadata:
          labels:
            app: example
          annotations:
            k8s.aliyun.com/pod-dnat: ""
            k8s.aliyun.com/pod-dnat-expose-port: "80"
        spec:
          containers:
          - name: example
            image: nginx
  2. Run the following command to read the allocation information from poddnats.alibabacloud.com and obtain the external address and port of the pod.

    kubectl get poddnats -o yaml

    Expected output:

    apiVersion: alibabacloud.com/v1
    kind: PodDNAT
    metadata:
      creationTimestamp: "20**-09-20T03:26:44Z"
      finalizers:
      - natgw-controller
      generation: 2
      name: example-6cd498d7b-9****
      namespace: default
      ownerReferences:
      - apiVersion: v1
        blockOwnerDeletion: true
        kind: Pod
        name: example-6cd498d7b-9****
        uid: 7af54e1c-eeb7-4fd0-b070-ff99ddbd****
      resourceVersion: "357150"
      uid: 2fad9bb7-cc84-46b4-b6eb-5d15f06c****
    spec:
      eni: eni-xxx
      externalIP: 114.55.**.**
      internalIP: 172.16.**.**
      portMapping:
      - externalPort: "512"
        internalPort: "80"
      protocol: tcp
      tableId: ngw-xxx
      vswitch: vsw-xxx
      zoneID: cn-hangzhou-k
    status:
      entries:
      - externalIP: 114.55.**.**
        externalPort: "512"
        forwardEntryId: fwd-xxx
        internalIP: 172.16.**.**
        internalPort: "80"
        ipProtocol: tcp

    The external address and port of the pod are described as follows:

    • externalIP: The public IP address of the NAT Gateway. This is the address for external access. In this example, the value is 114.55.**.**.

    • externalPort: The public port. The controller allocates this port from the specified port range. In this example, the value is "512".
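The following is an added example and is not part of this document or of the ack-extend-network-controller project. It is a small Python audit script that interprets the pod annotations listed under "Pod annotations", cross-checks a PodDNAT CR's spec against its status, flags public ports that fall outside the controller's portRangeStart/portRangeEnd, lists every public endpoint that reaches a pod, and derives the inbound security-group rules the Important note calls for. All function names are assumptions; the sample CR is constructed in the JSON form that kubectl get poddnats -o json prints, using documentation IP addresses rather than values from this page.

```python
"""Audit helper for PodDNAT custom resources (poddnats.alibabacloud.com).
Added example; not code from the Alibaba Cloud documentation or the
ack-extend-network-controller project. Function names and the sample CR are constructed."""
import json

ANN_DNAT = "k8s.aliyun.com/pod-dnat"
ANN_PORT = "k8s.aliyun.com/pod-dnat-expose-port"
ANN_PROTO = "k8s.aliyun.com/pod-dnat-expose-protocol"

# Constructed sample: the JSON form of the CR shown in the page's `kubectl get poddnats`
# output, as `kubectl get poddnats <name> -o json` would print it (documentation IPs).
SAMPLE_PODDNAT_JSON = json.dumps({
    "apiVersion": "alibabacloud.com/v1", "kind": "PodDNAT",
    "metadata": {"name": "example-6cd498d7b-abcde", "namespace": "default"},
    "spec": {"externalIP": "203.0.113.10", "internalIP": "172.16.0.10",
             "portMapping": [{"externalPort": "512", "internalPort": "80"}],
             "protocol": "tcp"},
    "status": {"entries": [{"externalIP": "203.0.113.10", "externalPort": "512",
                            "forwardEntryId": "fwd-placeholder",
                            "internalIP": "172.16.0.10", "internalPort": "80",
                            "ipProtocol": "tcp"}]},
})

def load_poddnats(text):
    """Parse `kubectl get poddnats -o json` output: a single object or a List of items."""
    doc = json.loads(text)
    return doc["items"] if doc.get("kind") == "List" else [doc]

def parse_dnat_annotations(annotations):
    """Interpret the DNAT pod annotations. Returns (enabled, ports, protocol) and raises
    ValueError on values the controller would not accept, so a manifest check fails early."""
    if ANN_DNAT not in annotations:
        return False, [], "tcp"
    if annotations[ANN_DNAT] not in ("", "true"):
        raise ValueError(f"{ANN_DNAT} must be 'true' or empty")
    ports = []
    for part in annotations.get(ANN_PORT, "").split(","):   # "80,443" -> [80, 443]
        part = part.strip()
        if not part:
            continue
        port = int(part)  # a non-numeric entry raises ValueError here
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    if not ports:
        raise ValueError(f"{ANN_PORT} must list at least one port")
    protocol = annotations.get(ANN_PROTO, "tcp")
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {protocol}")
    return True, ports, protocol

def audit_poddnat(cr, port_range_start, port_range_end):
    """Cross-check spec against status. Returns a list of findings; empty means consistent."""
    findings = []
    spec = cr["spec"]
    entries = cr.get("status", {}).get("entries", [])
    wanted = {(m["externalPort"], m["internalPort"]) for m in spec.get("portMapping", [])}
    programmed = {(e["externalPort"], e["internalPort"]) for e in entries}
    for ext, _ in sorted(wanted):   # public port must come from the controller's range
        if not port_range_start <= int(ext) <= port_range_end:
            findings.append(f"externalPort {ext} outside controller range "
                            f"{port_range_start}-{port_range_end}")
    for ext, internal in sorted(wanted - programmed):
        findings.append(f"mapping {ext}->{internal} in spec but no forward entry in status")
    for ext, internal in sorted(programmed - wanted):
        findings.append(f"forward entry {ext}->{internal} in status has no spec mapping")
    for e in entries:
        if e["externalIP"] != spec["externalIP"] or e["internalIP"] != spec["internalIP"]:
            findings.append(f"forward entry {e.get('forwardEntryId')} IPs do not match spec")
        if e["ipProtocol"] != spec["protocol"]:
            findings.append(f"forward entry {e.get('forwardEntryId')} protocol mismatch")
    return findings

def exposure_report(crs, port_range_start, port_range_end):
    """One row per programmed forward entry: public endpoint, the pod it reaches, findings."""
    rows = []
    for cr in crs:
        md = cr["metadata"]
        findings = audit_poddnat(cr, port_range_start, port_range_end)
        for e in cr.get("status", {}).get("entries", []):
            rows.append({"pod": f"{md['namespace']}/{md['name']}",
                         "public": f"{e['externalIP']}:{e['externalPort']}/{e['ipProtocol']}",
                         "pod_port": f"{e['internalIP']}:{e['internalPort']}",
                         "findings": findings})
    return rows

def security_group_inbound_rules(crs):
    """(protocol, pod port) pairs the pod's security group must allow inbound. DNAT rewrites
    the destination to internalPort before the packet reaches the pod, so the rule is
    written against the private port, not the public one."""
    return sorted({(e["ipProtocol"], int(e["internalPort"]))
                   for cr in crs for e in cr.get("status", {}).get("entries", [])})

if __name__ == "__main__":
    crs = load_poddnats(SAMPLE_PODDNAT_JSON)
    for row in exposure_report(crs, 512, 1024):
        print(row)
    print("inbound rules needed:", security_group_inbound_rules(crs))
```

Run as-is to see the report for the built-in sample, or pass the output of kubectl get poddnats -A -o json to load_poddnats to audit a live cluster; exposure_report is the inventory of every public endpoint the NAT Gateway forwards to a pod, and security_group_inbound_rules is the list of openings to reconcile against the pod security group.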