Configure public network access for ACK Edge nodes

更新时间:
复制 MD 格式

This topic applies when ACK Edge on-premises edge nodes connect over the public network to Alibaba Cloud Container Service. It lists the domains and ports you must allow through your firewall.

In the tables below, {region} is your cluster's region ID — for example, cn-hangzhou for China (Hangzhou). See Regions and zones.

Inbound ports on edge nodes

Control plane and monitoring components reach edge nodes from the cloud or other cluster nodes. Allow these inbound ports in each edge node's host CIDR block.

Protocol Port Source Purpose
TCP 10250, 10255 Host CIDR block of the edge node Kubelet access for API Server and Metrics Server. Traffic is proxied by the Raven component.
TCP 9100, 9445 Host CIDR block of the edge node Node-Exporter access for Prometheus. Traffic is proxied by the Raven component.
UDP 8472 Host CIDR block of the edge node Flannel VXLAN tunnel.

Outbound access from edge nodes

Edge nodes must reach the following endpoints. Required access differs between installation and runtime.

During node installation and upgrade

Allow access to these endpoints when installing or upgrading edge node components.

Access object Public endpoint Port Description
Component packages aliacs-k8s-{region}.oss-{region}.aliyuncs.com TCP 443 (v1.26 or later)<br>TCP 80 and 443 (earlier than v1.26) Downloads component packages from OSS: edgeadm, kubelet, CNI, runtime, and edgehub.
System tools No extra domains required N/A Installs missing prerequisite tools: net-tools, iproute, chrony (or ntpdate), crontabs, pciutils, socat, ebtables, iptables, and conntrack-tools. Uses apt-get on Ubuntu or yum on CentOS. The endpoint depends on your package manager source.

During ongoing cluster operations

Allow access to these endpoints at all times while the cluster runs.

Access object Public endpoint Port Description
Container Service control plane cs-anony.aliyuncs.com<br>cs-anony.{region}.aliyuncs.com TCP 443 (v1.26 or later)<br>TCP 80 (earlier than v1.26) Container Service management endpoint.
API Server See Find the API Server endpoint TCP 6443 All kube-apiserver communication.
Raven cloud gateway Server Load Balancer (SLB) See Find the Raven cloud gateway endpoints TCP 10280–10284<br>UDP 4500 Raven tunnel.
Tunnel server SLB (clusters earlier than v1.26 only) See Find the tunnel server endpoint TCP 10262, 10263 Edge tunnel (deprecated in v1.26 and later).
System component images dockerauth.{region}.aliyuncs.com<br>dockerauth-ee.{region}.aliyuncs.com<br>registry-{region}.ack.aliyuncs.com TCP 443 Pulls system component images.
NTP ntp1.aliyun.com<br>cn.ntp.org.cn Typically UDP 123 Clock synchronization. Not required if selfHostNtpServer is set to true during node registration (clock already synchronized manually).
Important

In China (Zhangjiakou), replace dockerauth.{region}.aliyuncs.com with dockerauth-{region}.aliyuncs.com (hyphen, not dot, before the region).

Find dynamic endpoints

The API Server endpoint, Raven cloud gateway SLB addresses, and tunnel server SLB address are assigned per cluster.

Find the API Server endpoint

On the cluster details page in the ACK console, find the endpoint on the Basic Information tab.

Find the Raven cloud gateway endpoints

Look up the Raven cloud gateway Services in the kube-system namespace:

kubectl get svc -n kube-system x-raven-proxy-svc-gw-cloud-xxx
kubectl get svc -n kube-system x-raven-tunnel-svc-gw-cloud-xxx

The EXTERNAL-IP column shows the SLB address to allow.

Find the tunnel server endpoint (clusters earlier than v1.26)

kubectl get svc -n kube-system x-tunnel-server-svc

The EXTERNAL-IP column shows the SLB address to allow.