In this tutorial, we will show how the yurt-tunnel helps the apiserver send request to nodes when the network traffic from apiserver to the node is blocked. To mimic the real scenario where the cloud node and edge nodes may locate in separate network regions, we use a two-nodes minikube as the experimental cluster.
Start from version 1.10, minikube allows users to provision multinode clusters. Depending on the version you are using, minikube may use docker as the default driver, which is not supported by yurt-tunnel. Therefore, make sure to choose hyperkit or virtualbox as your driver. For example, the OSX user can create a two-nodes minikube cluster by typing the following command:
minikube start --nodes 2 --driver hyperkitIf everything goes right, we will have a two-nodes cluster up and running:
$ kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
minikube Ready master 3h50m v1.18.3 192.168.64.3 <none> Buildroot 2019.02.11 4.19.114 docker://19.3.12
minikube-m02 Ready <none> 3h48m v1.18.3 192.168.64.9 <none> Buildroot 2019.02.11 4.19.114 docker://19.3.12In the rest of this tutorial, we will assume that the node named minikube is the
cloud node, and the node named minikube-m02 is the edge node.
As we plan to test the functionality of routing requests from the apiserver to nodes, which usually happens when the apiserver receives requests of accessing the pods, let's create a test pod that will run on the edge node.
$ kubectl apply -f-<<EOF
apiVersion: v1
kind: Pod
metadata:
name: test-po
namespace: default
spec:
nodeName: minikube-m02
containers:
- name: test-po
image: busybox
command:
- top
EOFAfter the test-po is running, we can check the connection between the apiserver
and the node by typing the following commands:
$ kubectl exec test-po -- date
Fri Aug 7 23:17:27 UTC 2020Next, let's block the network traffic from the apiserver to the node by dropping network packages that are sent from the apiserver to the node. Specifically, we add a nat rule to the cloud node that drops all packets to the node with destination port set as 10250 (kubelet listens on port 10250 which receives https request from the apiserver).
$ minikube ssh
_ _
_ _ ( ) ( )
___ ___ (_) ___ (_)| |/') _ _ | |_ __
/' _ ` _ `\| |/' _ `\| || , < ( ) ( )| '_`\ /'__`\
| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )( ___/
(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
$ sudo iptables -A OUTPUT -p tcp -d 192.168.64.9 --dport 10250 -j DROPNow, if we try to execute the date command in test-po again, the command
will hang.
It is recommended to use yurtctl tool to deploy yurt-tunnel components by
adding the --deploy-yurttunnel option when coverting a Kubernetes cluster. For example,
yurtctl convert --cloud-nodes minikube --provider minikube --deploy-yurttunnelYou may also setup the yurt-tunnel manually by deploying yurt-tunnel-server and yurt-tunnel-agent separately.
To set up the yurt-tunnel-server, let's first add a label to the cloud node
kubectl label nodes minikube openyurt.io/is-edge-worker=falseThen, we can deploy the yurt-tunnel-server:
$ kubectl apply -f config/setup/yurt-tunnel-server.yamlNext, we can set up the yurt-tunnel-agent. Like before, we add a label to the edge node, which allows the yurt-tunnel-agent to be run on the edge node:
kubectl label nodes minikube-m02 openyurt.io/is-edge-worker=trueAnd, apply the yurt-tunnel-agent yaml:
kubectl apply -f config/setup/yurt-tunnel-agent.yamlAfter the agent and the server are running, we should execute the command in the test-po again.