You can use the edge-tunnel component to access edge nodes from the cloud. After you create a Container Service for Kubernetes (ACK) edge cluster, the edge-tunnel-server and edge-tunnel-agent components are automatically deployed in the cluster to establish tunnels between the cloud and edge nodes. This topic introduces the edge-tunnel component and describes the usage notes and release notes for edge-tunnel.
Introduction
edge-tunnel establishes reverse tunnels, which are commonly used to enable communication between networks that cannot reach each other directly. edge-tunnel uses a client-server architecture: edge-tunnel-server is deployed in the cloud and runs as the server, and edge-tunnel-agent is deployed on edge nodes and runs as the client. edge-tunnel provides the following features:
edge-tunnel establishes encrypted tunnels over the Internet. The system creates a Server Load Balancer (SLB) instance for the Service that is created by edge-tunnel-server. edge-tunnel-agent on each node establishes an encrypted tunnel to edge-tunnel-server through the SLB instance.
When components in the cloud, such as kube-apiserver and metrics-server, send requests to port 10250 and port 10255 on edge nodes, edge-tunnel automatically redirects the requests to edge-tunnel-server, which relays them over the tunnel to the target edge node. You do not need to modify the components in the cloud.
Release notes
June 2023
Version | Image address | Description | Release date | Impact
--- | --- | --- | --- | ---
v0.22.1 | edge-tunnel-server: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/edge-tunnel-server:v0.22.1; edge-tunnel-agent: registry-cn-hangzhou.ack.aliyuncs.com/acs/edge-tunnel-agent:v0.22.1 | Communication between edge-tunnel and the API server is optimized to resolve the issue that edge-tunnel restarts when the network is unstable. Forwarding of requests from the cloud to edge nodes is optimized to reduce the risk of URL leaks caused by unstable Internet connections. The iptables module is disabled, and CoreDNS is used to resolve domain names during cloud-edge request forwarding. | 2023-06-28 | No impact on workloads
December 2022
Version | Image address | Description | Release date | Impact
--- | --- | --- | --- | ---
v0.10.3 | edge-tunnel-server: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-server:v0.10.3; edge-tunnel-agent: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-agent:v0.10.3 | Multiple network modes are supported for cloud-edge communication: edge node pools can connect to the cloud over the Internet, over an Express Connect circuit, or by using a Cloud Connect Network (CCN) instance. Requests from the cloud are sent to each type of edge node pool according to its network mode: requests destined for edge node pools that connect over the Internet are sent to the cloud-edge tunnel, which serves as a forward proxy; requests destined for edge node pools that connect over an Express Connect circuit or by using a CCN instance are sent directly to the ports of the nodes in those pools (for example, requests from kube-apiserver are sent to port 10250 and port 10255 on the edge nodes). Changes to cluster resources: a label is automatically added to each edge node pool according to its network mode: alibabacloud.com/interconnection-mode=normal for pools that connect over the Internet, alibabacloud.com/interconnection-mode=private for pools that connect by using Express Connect circuits, and alibabacloud.com/interconnection-mode=improved for pools that connect by using CCN instances. DNS records are dynamically updated based on whether tunnel-agent is deployed on an edge node; tunnel-agent is deployed only on nodes in edge node pools that connect to the cloud over the Internet. Requests from components in the cloud, such as kube-apiserver and Prometheus, are sent to port 10263 of x-tunnel-server-internal-svc instead of port 10263 of x-tunnel-server-svc. | 2022-12-14 | No impact on workloads
January 2022
Version | Image address | Description | Release date | Impact
--- | --- | --- | --- | ---
v0.10.0 | edge-tunnel-server: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-server:v0.10.0; edge-tunnel-agent: registry.cn-hangzhou.aliyuncs.com/acs/edge-tunnel-agent:v0.10.0 | The first edge-tunnel version for ACK edge clusters that run 1.20.11-aliyunedge.1. Request forwarding is improved: requests destined for {nodeName:Port} can be forwarded from the cloud to edge nodes, and requests destined for localhost endpoints on edge nodes can be forwarded from the cloud to edge nodes; the latter requires you to configure the localhost-proxy-ports field in the edge-tunnel-server-cfg ConfigMap. Configuration of access to ports other than 10250 and 10255 is simplified: to expose such a port on an edge node, configure the http-proxy-ports field in the edge-tunnel-server-cfg ConfigMap if the port serves HTTP, or the https-proxy-ports field if the port serves HTTPS. The dnat-ports-pair field is retained, but we recommend that you do not use it. Certificate management is improved for edge-tunnel-server: when the IP address of the edge-tunnel-server-svc Service changes, for example because the Service is associated with a new SLB instance, the TLS server certificate of edge-tunnel-server is automatically updated. | 2022-01-27 | No impact on workloads
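The v0.10.0 notes above describe the http-proxy-ports, https-proxy-ports, localhost-proxy-ports and dnat-ports-pair fields of the edge-tunnel-server-cfg ConfigMap but not their value format. The following is an added example, not code from ACK or the edge-tunnel project, that builds such a ConfigMap and checks it before it is applied: every port listed in the ConfigMap becomes reachable from the cloud through the tunnel, so a pre-apply check that catches malformed or unintended entries is a cheap control. It assumes that the ConfigMap lives in the kube-system namespace, that the port fields hold comma-separated port numbers, and that dnat-ports-pair holds comma-separated srcPort=dstPort entries; the sample manifest is constructed for the example.

```python
"""Check an edge-tunnel-server-cfg ConfigMap before applying it.

Assumptions (not taken from the ACK documentation): the ConfigMap lives in
the kube-system namespace, the *-proxy-ports fields hold comma-separated port
numbers, and dnat-ports-pair holds comma-separated "srcPort=dstPort" entries.
"""
import json

# Ports that edge-tunnel forwards by default according to the documentation.
ALWAYS_PROXIED = {10250, 10255}

PORT_FIELDS = ("http-proxy-ports", "https-proxy-ports", "localhost-proxy-ports")

# Constructed sample manifest; deliberately contains several mistakes.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "edge-tunnel-server-cfg", "namespace": "kube-system"},
    "data": {
        "http-proxy-ports": "9100, 10255",          # 10255 is proxied anyway
        "https-proxy-ports": "10250, 9100, 70000",  # 9100 repeated, 70000 invalid
        "localhost-proxy-ports": "10266",
        "dnat-ports-pair": "9101=10264",            # retained but discouraged
    },
}


def parse_ports(value):
    """Split a comma-separated port list; returns (valid_ports, errors)."""
    ports, errors = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            errors.append(f"invalid port {item!r}")
            continue
        ports.append(int(item))
    return ports, errors


def validate(configmap):
    """Return a list of findings; an empty list means the manifest is clean."""
    findings = []
    data = configmap.get("data", {})
    port_sets = {}
    for key in PORT_FIELDS:
        ports, errors = parse_ports(data.get(key, ""))
        findings.extend(f"{key}: {err}" for err in errors)
        if len(ports) != len(set(ports)):
            findings.append(f"{key}: duplicate ports")
        for port in ports:
            if port in ALWAYS_PROXIED:
                findings.append(f"{key}: port {port} is already forwarded by default")
        port_sets[key] = set(ports)
    # A port cannot be both a plain-HTTP and an HTTPS endpoint on the node.
    overlap = port_sets["http-proxy-ports"] & port_sets["https-proxy-ports"]
    if overlap:
        findings.append(f"ports listed as both HTTP and HTTPS: {sorted(overlap)}")
    if data.get("dnat-ports-pair", "").strip():
        findings.append(
            "dnat-ports-pair is set; the release notes recommend "
            "http-proxy-ports or https-proxy-ports instead"
        )
    return findings


def render_manifest(configmap):
    """JSON is valid YAML, so the output can be piped to `kubectl apply -f -`."""
    return json.dumps(configmap, indent=2)


if __name__ == "__main__":
    problems = validate(SAMPLE_CONFIGMAP)
    if problems:
        print("refusing to apply; findings:")
        for problem in problems:
            print(" -", problem)
    else:
        print(render_manifest(SAMPLE_CONFIGMAP))
```

Run as a script, the sample manifest is rejected with five findings; fix the data section (drop the default ports, remove the duplicate and the out-of-range port, and move the dnat-ports-pair entry to the matching proxy-ports field) and the script prints a manifest that kubectl accepts.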