The network connection between Cloud and Edge #138

Closed
vincent-pli opened this issue Nov 7, 2020 · 7 comments
Comments

@vincent-pli
Member

Maybe it's a stupid question, sorry in advance.

I'm a little confused about the network scenario between Cloud and Edge.
OpenYurt introduces a Tunnel server and Tunnel agent; I guess it handles the case where the cloud and edge cannot directly contact each other by IP? But it seems the Tunnel server only redirects requests to kubelet (10250) and then sends them to the Tunnel agent (correct me if that's not true).

My question is: in such a scenario, what about other requests from cloud to edge? For example Prometheus, Istio or Knative?

It seems that in the KubeEdge case, extra manual steps are required to apply iptables rules and hostNetwork mode to enable metrics-server, so how about OpenYurt? Thanks.

@rambohe-ch
Member

@vincent-pli thank you for filing the issue.

  1. Just like you said, yurt-tunnel is used to proxy requests from cloud to edge, and the default iptables rule only redirects requests that access ports 10250 and 10255. But this is only the default action.

  2. If you need to redirect requests that access other ports (not 10250 and 10255), you can configure the dnat-ports-pair field in the kube-system/yurttunnel-server-cfg configmap. For example, to redirect requests that access port 30050, you can set dnat-ports-pair: 30050=10264, and yurttunnel server will generate an iptables rule to DNAT these requests.

If you have more interest, you can dive into the code here.
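
As an added illustration of the configuration described above (not code from the OpenYurt project or from anyone in this thread): a shell script that writes the kube-system/yurttunnel-server-cfg ConfigMap with the dnat-ports-pair value 30050=10264 from the comment, and a dry-run function that validates a comma-separated pair list and prints the DNAT rules such a mapping implies. Only the "srcPort=dstPort" syntax and the configmap name come from the thread; the iptables chain name TUNNEL-PORT, the 127.0.0.1 destination host and the comma separator are assumptions for illustration, and nothing is applied to the cluster or the host.

```shell
#!/bin/sh
# Write a constructed yurttunnel-server-cfg manifest to the given path so it can be
# reviewed (and later applied with `kubectl apply -f`) instead of edited live.
write_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: yurttunnel-server-cfg
  namespace: kube-system
data:
  dnat-ports-pair: "30050=10264"
EOF
}

# Dry-run: turn "src=dst[,src=dst...]" into the iptables DNAT rules it implies.
# Chain name and destination host are assumed (illustration only); the function
# rejects anything that is not two ports in 1..65535 joined by "=", so a bad value
# is caught here rather than turned into a broken or over-broad NAT rule.
render_dnat_rules() {
  pairs="$1"
  old_ifs=$IFS; IFS=','
  for p in $pairs; do
    case "$p" in
      *=*) ;;
      *) echo "invalid pair (expected src=dst): $p" >&2; IFS=$old_ifs; return 1 ;;
    esac
    src=${p%%=*}; dst=${p#*=}
    case "$src$dst" in
      *[!0-9]*) echo "invalid pair (non-numeric port): $p" >&2; IFS=$old_ifs; return 1 ;;
    esac
    if [ -z "$src" ] || [ -z "$dst" ] \
       || [ "$src" -lt 1 ] || [ "$src" -gt 65535 ] \
       || [ "$dst" -lt 1 ] || [ "$dst" -gt 65535 ]; then
      echo "invalid pair (port out of range): $p" >&2; IFS=$old_ifs; return 1
    fi
    # Only TCP to the listed source port is rewritten; everything else is untouched.
    echo "iptables -t nat -A TUNNEL-PORT -p tcp --dport $src -j DNAT --to-destination 127.0.0.1:$dst"
  done
  IFS=$old_ifs
}

# Demo: show the rule the page's example pair would produce.
render_dnat_rules "30050=10264"
```

Run it to see the single rule for 30050=10264; call write_manifest with a file path and inspect the YAML before applying it, and keep the pair list as short as possible since every entry widens what the tunnel will forward from cloud to edge.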

@vincent-pli
Member Author

@rambohe-ch
Thanks, happy to know that, I will give it a try.

@vincent-pli
Member Author

@rambohe-ch
Oh, another question: what about when the edge wants to connect to the cloud in that scenario?

@charleszheng44
Member

@vincent-pli Yurttunnel is built on top of the apiserver-network-proxy. Currently, ANP only supports cloud -> edge traffic, but there is a KEP about setting up a bi-directional tunnel. Once ANP supports the bi-directional tunnel, Yurttunnel will support edge -> cloud traffic as well.

@vincent-pli
Member Author

@charleszheng44 Thanks.

But for now, I mean before apiserver-network-proxy supports a bi-directional tunnel, is there any suggested solution to handle requests from edge to cloud? I mean an application agent (on the edge) wants to connect to its server (on the cloud); does that require the server to expose a public IP/port for the connection?

@charleszheng44
Member

charleszheng44 commented Nov 9, 2020

@vincent-pli Then the server on the cloud has to listen on an address that can be reached by the application on the edge. If security is a critical concern, then a layer 3/4 mechanism needs to be enforced, e.g., routing the traffic through a dedicated switch/router.

@vincent-pli
Member Author

@charleszheng44
Got it, thanks.
