Cloud Container Engine

Practice of Accessing the Public Network by the Cluster of VPC-CNI Mode

Overview

In some scenarios the nodes and Pods in a VPC-CNI mode cluster need to access the public network, for example to reach external package sources and download and install software or container images with yum install and similar commands, or to call services that are hosted on the public network.

For nodes accessing the public network, refer to CCE Practice of Accessing Public Network.

Because all Pod traffic in a VPC-CNI mode cluster flows through the elastic network interface cards mounted on the nodes, we provide the following two plans for configuring the elastic network interface cards so that Pods in the cluster can access the public network. Users can choose the plan that matches their specific requirements.

EIP: EIP is the elastic IP service provided by Baidu AI Cloud. It can be bound to CCE nodes, BLB, NAT gateways and other services to provide an address that can reach the public network.

NAT gateway: the NAT gateway of Baidu AI Cloud allows BCC, DCC and other instances in the user's VPC subnet to connect to the public network; the NAT gateway translates the intranet IP into a public network IP address.

Node subnet: the user selects the VPC subnet where the node is located when creating a CCE work node. Generally there are two types of subnet: universal subnet and NAT exclusive subnet. Nodes in a universal subnet can bind an EIP to access the public network directly. Nodes in a NAT exclusive subnet can access the public network only through a NAT gateway.

Elastic network interface card: an elastic network interface card is created by the user and mounted on a virtual machine instance. It can be mounted while the virtual machine is being created, is shut down or is running. After mounting and configuring the network interface card, the user can route different kinds of traffic through different network interface cards by configuring the system routes. Pod traffic in a CCE VPC-CNI mode cluster flows in and out precisely via the elastic network interface cards mounted on the nodes.

Plan 1: Universal Subnet + Elastic IP

After creating the VPC-CNI mode cluster, open the [Node List] page:

Click the name of the node whose Pods need to access the public network to open the node management page, then click the [Network interface card] entry in the left column:

Click the [Public Network IP] button in the row of the elastic network interface card's main IP to bind an EIP to that main IP. Once the EIP is bound to the main IP of the elastic network interface card, an iptables rule is generated dynamically on the node so that all Pod traffic, except traffic destined for the VPC segment, is SNATed through the EIP; this is how the Pod reaches the public network. If the EIP is unbound from the main IP of the elastic network interface card, the iptables SNAT rule is deleted.

You can also bind an EIP to a secondary IP of the elastic network interface card. A Pod whose secondary IP has an EIP bound accesses the public network directly through SNAT, and can also be reached directly from the public network.

Currently the default synchronization interval of the iptables SNAT rule is 1 minute. To change it, modify the cce-vpc-cni-backend DaemonSet with the following command:

    kubectl edit daemonset cce-vpc-cni-backend -n kube-system

Add or modify the environment variable IPTABLES_INTERVAL (in seconds), then restart all Pods of cce-vpc-cni-backend.

    spec:
      containers:
      - command:
        - /usr/bin/cce-vpc-cni-backend
        - -log-level
        - debug
        - -daemon-mode
        - ENI
        env:
        - name: IPTABLES_INTERVAL
          value: "120" # The interval is 2 minutes.
        - name: CLUSTER_CIDR
          value: 10.0.0.0/8
        - name: SERVICE_CIDR
          value: 172.16.0.0/16
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
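As an added example (not code from the CCE documentation or from the cce-vpc-cni-backend project), the following Python performs the same add-or-modify of IPTABLES_INTERVAL on a DaemonSet manifest loaded as a dict, for instance from kubectl get daemonset cce-vpc-cni-backend -n kube-system -o json, so the change can be reviewed before it is applied. The sample manifest, the container name and the dict layout are assumptions; the backend container is located by the command path /usr/bin/cce-vpc-cni-backend that the page shows.

```python
import copy

# Constructed sample in the shape of the cce-vpc-cni-backend DaemonSet
# pod template shown on this page; it is not an object read from a cluster.
SAMPLE_DAEMONSET = {
    "metadata": {"name": "cce-vpc-cni-backend", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "cce-vpc-cni-backend",  # container name is an assumption
        "command": ["/usr/bin/cce-vpc-cni-backend", "-log-level", "debug",
                    "-daemon-mode", "ENI"],
        "env": [
            {"name": "CLUSTER_CIDR", "value": "10.0.0.0/8"},
            {"name": "SERVICE_CIDR", "value": "172.16.0.0/16"},
            {"name": "NODE_NAME", "valueFrom": {"fieldRef": {
                "apiVersion": "v1", "fieldPath": "spec.nodeName"}}},
        ],
    }]}}},
}

DEFAULT_INTERVAL = 60  # the page states the default SNAT sync interval is 1 minute

def _backend_container(ds):
    """Locate the backend container by the command path shown on the page."""
    for c in ds["spec"]["template"]["spec"]["containers"]:
        if (c.get("command") or [None])[0] == "/usr/bin/cce-vpc-cni-backend":
            return c
    raise ValueError("cce-vpc-cni-backend container not found")

def effective_interval(ds):
    """IPTABLES_INTERVAL in seconds, or the default when the variable is unset."""
    for e in _backend_container(ds).get("env", []):
        if e.get("name") == "IPTABLES_INTERVAL":
            return int(e["value"])
    return DEFAULT_INTERVAL

def set_iptables_interval(ds, seconds):
    """Return a copy with IPTABLES_INTERVAL added or updated; other env untouched."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("interval must be a positive number of seconds")
    out = copy.deepcopy(ds)
    env = _backend_container(out).setdefault("env", [])
    for e in env:
        if e.get("name") == "IPTABLES_INTERVAL":
            e.pop("valueFrom", None)  # a literal value replaces any fieldRef
            e["value"] = str(seconds)
            break
    else:
        env.insert(0, {"name": "IPTABLES_INTERVAL", "value": str(seconds)})
    return out
```

The same change can be made in place with kubectl set env daemonset/cce-vpc-cni-backend -n kube-system IPTABLES_INTERVAL=120; because this edits the pod template, the DaemonSet controller rolls the Pods over for you.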

Plan 2: NAT Exclusive Subnet + NAT Gateway

If you do not want the Pod to expose the public network IP of the elastic network interface card when it accesses the public network, you can provide public network access for the private network through a NAT gateway. Refer to Best Practices of NAT Gateway.

Currently the elastic network interface card and the node in a VPC-CNI mode cluster are in the same subnet. If you select "NAT exclusive subnet" as the node subnet when the cluster is created, both the created cluster nodes and the elastic network interface cards mounted on them access the public network through the NAT gateway of that subnet.

If you do not know how to create a NAT exclusive subnet and a NAT gateway, refer to Plan II: NAT Exclusive Subnet + NAT Gateway.

Note: an EIP cannot be bound to a node or an elastic network interface card in a NAT exclusive subnet. The nodes can access the public network only after the NAT gateway is created and the routing table rules are configured.

Analyze Advantages and Disadvantages

Plan: Universal subnet + EIP
  Advantages: easy to operate; the elastic network interface card or Pod can be reached from the public network.
  Disadvantages: exposing the elastic network interface card or Pod through an EIP carries security risk.

Plan: NAT exclusive subnet + NAT gateway
  Advantages: no EIP on the nodes, higher security.
  Disadvantages: an EIP cannot be bound to the elastic network interface card or Pod, so neither can be reached from the public network.