Container Service for Kubernetes:Configure DNAT to expose a pod

Last Updated: Aug 28, 2023

In gaming and P2P scenarios, you may need to expose application pods directly to clients instead of assigning elastic IP addresses (EIPs) to the pods. However, the number of EIPs that you can assign to pods is limited, and every EIP that is assigned to a pod must be managed securely. This topic describes how to configure DNAT rules on an Internet NAT gateway and use the Internet NAT gateway to expose a pod. With this method, you only need to associate an EIP with the Internet NAT gateway rather than with each pod.

Prerequisites

  • A Container Service for Kubernetes (ACK) managed cluster or ACK Pro cluster is created and Terway is installed as the network plug-in. For more information, see Create an ACK managed cluster or Create an ACK dedicated cluster.

  • An Internet NAT gateway is created in the virtual private cloud (VPC) where the cluster is deployed. Enable the natgw controller after you create the Internet NAT gateway. For more information about how to create an Internet NAT gateway, see Create and manage Internet NAT gateways.

  • A DNAT rule specifies the mapping between a public IP address and a private IP address, and the mapping between public ports and private ports. For more information about DNAT, see Configure DNAT on an Internet NAT gateway for an ECS instance.

    • Set the public IP address to the EIP that is associated with the Internet NAT gateway.

    • The natgw controller automatically allocates public ports from the port range that is specified by the portRangeStart and portRangeEnd parameters in the natgw configuration file. The allocated ports are recorded in the PodDNAT object (resource poddnats.alibabacloud.com) that is named after the pod.

    • Set the private ports to the ports on which the pod listens.

    • Set the private IP address to the IP address of the pod.

Limits

  • You cannot configure DNAT to expose pods in ACK Serverless clusters, ACK edge clusters, or ASI clusters.

  • The number of DNAT entries supported by an Internet NAT gateway varies based on gateway specifications. For more information, see FAQ about DNAT.

Pod configurations

The following annotations configure DNAT for a pod:

  • k8s.aliyun.com/pod-dnat: Configure DNAT rules for the pod.

  • k8s.aliyun.com/pod-dnat-expose-port: The ports on which the pod listens. Separate multiple ports with commas (,). Example: '80,443'.

  • k8s.aliyun.com/pod-dnat-expose-protocol: The protocol that you want to use. Valid values: tcp and udp. Default value: tcp.

  • k8s.aliyun.com/pod-dnat-fixed: Keeps the DNAT configuration of the pod unchanged after the annotation is added. Use this annotation for pods that belong to a stateful application.

Important

You must configure security group rules for the pod to allow inbound traffic to the ports that are exposed on the pod.

Enable DNAT for ack-extend-network-controller

ack-extend-network-controller needs to access OpenAPI Explorer to create resources. You need to grant Resource Access Management (RAM) permissions to ack-extend-network-controller, install ack-extend-network-controller from the marketplace in the ACK console, and create DNAT entries and associate them with specific pods by adding annotations.

Step 1: Grant RAM permissions on DNAT

  • ACK clusters:

    1. Log on to the ACK console and click Clusters in the left-side navigation pane.

    2. On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.

    3. On the Cluster Information page, click the Cluster Resources tab, and then click the hyperlink next to Worker RAM Role.

    4. On the Permissions tab of the Roles page, click the name of the policy that you want to manage in the Policy column.

    5. On the Policy Document tab of the Policies page, click Modify Policy Document. On the JSON tab, add the following content.

      {
        "Effect": "Allow",
        "Action": [
          "ecs:DescribeNetworkInterfaces",
          "vpc:DescribeNatGateways",
          "vpc:DescribeForwardTableEntries",
          "vpc:CreateForwardEntry",
          "vpc:DescribeEipAddresses",
          "vpc:DeleteForwardEntry",
          "vpc:DescribeRouteTableList",
          "vpc:DescribeRouteEntryList"
        ],
        "Resource": [
          "*"
        ],
        "Condition": {}
      }

    6. After you add the content, click Next to edit policy information and click OK.

  • ACK Serverless clusters:

    Generate an AccessKey pair for the RAM user. For more information, see Create a RAM user and Create a custom policy.

Step 2: Enable the natgw controller for ack-extend-network-controller

Install ack-extend-network-controller and enable the natgw controller. You can install ack-extend-network-controller from the marketplace in the ACK console. For more information, see App Marketplace.

Configure the following parameters for the natgw controller:

clusterID: "c11ba338192xxxxxxx"          # Replace with the actual value.
regionID: "cn-hangzhou"                  # Replace with the actual value.
vpcID: "vpc-bp1rkq0zxxxxxx"              # Replace with the actual value.
enableControllers:
  - natgw                                # Enable the natgw controller (DNAT).

networkController:
  natGwPool:
    - natgwId: "< nat gateway id. >"                   # The ID of the Internet NAT gateway.
      zoneId: "< nat gateway zone id. cn-hangzhou-j >" # The zone ID of the Internet NAT gateway.
      portRangeStart: 512                              # The first public port that the controller can allocate.
      portRangeEnd: 1024                               # The last public port that the controller can allocate.
      eips:
        - "<auto config all nat gateway eips if not config. 0.0.0.0 >"  # An EIP that is associated with the Internet NAT gateway. If you leave this parameter empty, all EIPs associated with the Internet NAT gateway are used.

credential:                              # An AccessKey pair. For ACK clusters, we recommend that you use the RamRole mode.
  accessKey: ""
  accessSecret: ""

Use a custom resource object to track the DNAT configurations of the pod

After you create a pod, the natgw controller automatically creates a PodDNAT object that is named after the pod. Use the following YAML template to create a Deployment. In this example, DNAT configurations are added to expose port 80 of the pod to the Internet.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  labels:
    app: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example
  template:
    metadata:
      labels:
        app: example
      annotations:
        k8s.aliyun.com/pod-dnat: ""
        k8s.aliyun.com/pod-dnat-expose-port: "80"
    spec:
      containers:
      - name: example
        image: nginx

Run the following command to query the PodDNAT object (resource poddnats.alibabacloud.com) and obtain the public IP address and public port of the pod:

kubectl get poddnats -oyaml example-6cd498d7b-9****

Expected output:

apiVersion: alibabacloud.com/v1
kind: PodDNAT
metadata:
  creationTimestamp: "2022-09-20T03:26:44Z"
  finalizers:
  - natgw-controller
  generation: 2
  name: example-6cd498d7b-9****
  namespace: default
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
    kind: Pod
    name: example-6cd498d7b-9****
    uid: 7af54e1c-eeb7-4fd0-b070-ff99ddbd****
  resourceVersion: "357150"
  uid: 2fad9bb7-cc84-46b4-b6eb-5d15f06c****
spec:
  eni: eni-xxx
  externalIP: 114.55.**.**
  internalIP: 172.16.**.**
  portMapping:
  - externalPort: "512"
    internalPort: "80"
  protocol: tcp
  tableId: ngw-xxx
  vswitch: vsw-xxx
  zoneID: cn-hangzhou-k
status:
  entries:
  - externalIP: 114.55.**.**
    externalPort: "512"
    forwardEntryId: fwd-xxx
    internalIP: 172.16.**.**
    internalPort: "80"
    ipProtocol: tcp

The following information is displayed:

  • externalPort: the public port that is mapped to the private port of the pod. The port is allocated by the natgw controller from the specified port range.

  • externalIP: the EIP that is associated with the Internet NAT gateway. The EIP is used to enable external access to the pod.
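As an added example that is not part of this documentation, the following Python script audits the PodDNAT objects of a cluster: it reads the JSON form of `kubectl get poddnats -A -o json`, lists every public exposure (EIP and public port mapped to a pod IP and port), and flags mappings whose public port is outside the configured portRangeStart/portRangeEnd or that the gateway has not yet programmed (no matching status entry). The embedded sample, its IP addresses, pod names and IDs are constructed placeholders modelled on the expected output above.

```python
import json

# Constructed sample in the shape of `kubectl get poddnats -A -o json`, trimmed to
# the fields shown in the expected output. IPs, names and IDs are placeholders.
SAMPLE_PODDNATS = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "example-6cd498d7b-9abcd", "namespace": "default"},
     "spec": {"externalIP": "203.0.113.10", "internalIP": "172.16.0.5",
              "portMapping": [{"externalPort": "512", "internalPort": "80"}],
              "protocol": "tcp", "tableId": "ngw-PLACEHOLDER"},
     "status": {"entries": [{"externalIP": "203.0.113.10", "externalPort": "512",
                             "forwardEntryId": "fwd-PLACEHOLDER", "internalIP": "172.16.0.5",
                             "internalPort": "80", "ipProtocol": "tcp"}]}},
    # Second pod: its public port lies outside the configured range and the
    # gateway has not programmed a forward entry for it yet.
    {"metadata": {"name": "game-5f7c9-xyz12", "namespace": "games"},
     "spec": {"externalIP": "203.0.113.10", "internalIP": "172.16.0.9",
              "portMapping": [{"externalPort": "2048", "internalPort": "7777"}],
              "protocol": "udp", "tableId": "ngw-PLACEHOLDER"},
     "status": {"entries": []}},
]})


def audit_poddnats(raw_json, port_range_start, port_range_end):
    """Return (exposures, findings). exposures lists every spec.portMapping entry as
    (namespace/pod, protocol, externalIP, externalPort, internalIP, internalPort), i.e.
    the public attack surface behind the gateway; findings describe mappings whose public
    port is outside portRangeStart..portRangeEnd or that have no matching status.entries
    record, meaning the gateway has not (yet) programmed the forward entry."""
    exposures, findings = [], []
    for item in json.loads(raw_json)["items"]:
        pod = f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}'
        spec = item["spec"]
        programmed = {(e["externalPort"], e["internalPort"], e["ipProtocol"])
                      for e in item.get("status", {}).get("entries", [])}
        for m in spec["portMapping"]:
            eport, iport = int(m["externalPort"]), int(m["internalPort"])
            exposures.append((pod, spec["protocol"], spec["externalIP"], eport,
                              spec["internalIP"], iport))
            if not port_range_start <= eport <= port_range_end:
                findings.append(f"{pod}: public port {eport} is outside the natgw range "
                                f"{port_range_start}-{port_range_end}")
            if (m["externalPort"], m["internalPort"], spec["protocol"]) not in programmed:
                findings.append(f"{pod}: mapping {eport}->{iport}/{spec['protocol']} has no "
                                f"forward entry in status yet")
    return exposures, findings


if __name__ == "__main__":
    for line in audit_poddnats(SAMPLE_PODDNATS, 512, 1024)[1]:
        print(line)
```

Run it against live data by replacing SAMPLE_PODDNATS with the output of `kubectl get poddnats -A -o json` and passing the portRangeStart and portRangeEnd values from your natgw configuration.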