Use Yurt-tunnel to connect apiserver and edge node
In this tutorial, we will show how the yurt-tunnel helps the apiserver send request to nodes when the network traffic from apiserver to the node is blocked. To mimic the real scenario where the cloud node and edge nodes may locate in separate network regions, we use a two-nodes minikube as the experimental cluster.
1. Provision a minikube cluster
Start from version 1.10, minikube allows users to provision multinode clusters. Depending on the version you are using, minikube may use docker as the default driver, which is not supported by yurt-tunnel. Therefore, make sure to choose hyperkit or virtualbox as your driver. For example, the OSX user can create a two-nodes minikube cluster by typing the following command:
minikube start --nodes 2 --driver hyperkit
If everything goes right, we will have a two-nodes cluster up and running:
$ kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
minikube Ready master 3h50m v1.18.3 192.168.64.3 <none> Buildroot 2019.02.11 4.19.114 docker://19.3.12
minikube-m02 Ready <none> 3h48m v1.18.3 192.168.64.9 <none> Buildroot 2019.02.11 4.19.114 docker://19.3.12
In the rest of this tutorial, we will assume that the node named
minikube is the
cloud node, and the node named
minikube-m02 is the edge node.
2. Create a test pod
As we plan to test the functionality of routing requests from the apiserver to nodes, which usually happens when the apiserver receives requests of accessing the pods, let's create a test pod that will run on the edge node.
$ kubectl apply -f-<<EOF
- name: test-po
test-po is running, we can check the connection between the apiserver
and the node by typing the following commands:
$ kubectl exec test-po -- date
Fri Aug 7 23:17:27 UTC 2020
4. Block the network traffic from the apiserver to the node
Next, let's block the network traffic from the apiserver to the node by dropping network packages that are sent from the apiserver to the node. Specifically, we add a nat rule to the cloud node that drops all packets to the node with destination port set as 10250 (kubelet listens on port 10250 which receives https request from the apiserver).
$ minikube ssh
_ _ ( ) ( )
___ ___ (_) ___ (_)| |/') _ _ | |_ __
/' _ ` _ `\| |/' _ `\| || , < ( ) ( )| '_`\ /'__`\
| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )( ___/
(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
$ sudo iptables -A OUTPUT -p tcp -d 192.168.64.9 --dport 10250 -j DROP
Now, if we try to execute the
date command in
test-po again, the command
5. Setup the yurt-tunnel manually
It is recommended to use
yurtctl tool to deploy yurt-tunnel components by
--deploy-yurttunnel option when coverting a Kubernetes cluster. For example,
yurtctl convert --cloud-nodes minikube --provider minikube --deploy-yurttunnel
You may also setup the yurt-tunnel manually by deploying yurt-tunnel-server and yurt-tunnel-agent separately.
To set up the yurt-tunnel-server, let's first add a label to the cloud node
kubectl label nodes minikube openyurt.io/is-edge-worker=false
Then, we can deploy the yurt-tunnel-server:
$ kubectl apply -f config/setup/yurt-tunnel-server.yaml
Next, we can set up the yurt-tunnel-agent. Like before, we add a label to the edge node, which allows the yurt-tunnel-agent to be run on the edge node:
kubectl label nodes minikube-m02 openyurt.io/edge-enable-reverseTunnel-client=true
And, apply the yurt-tunnel-agent yaml:
kubectl apply -f config/setup/yurt-tunnel-agent.yaml
After the agent and the server are running, we should execute the command in the test-po again.