Using Services with CLB-to-Pod Direct Access Mode

Last updated: 2021-06-08 15:49:57

    Overview

    For a service in native LoadBalancer mode, a Cloud Load Balancer (CLB) can be created automatically. It first forwards traffic to the cluster through the NodePort of the service, and the node then forwards it again through iptables or IPVS. Services in this mode meet users' needs in most scenarios, but in the following scenarios services in CLB-to-Pod direct access mode are recommended:

    • The source IP needs to be obtained (in non-direct access mode the client source IP is only preserved if local forwarding is enabled).
    • Higher forwarding performance is required (in non-direct access mode there are two layers of load balancing, the CLB and then the NodePort forwarding on the node, so some performance loss is inevitable).
    • Complete health checks and session persistence are required at the Pod layer (with two layers of load balancing in non-direct access mode, the CLB only sees the nodes, so Pod-level health checks and session persistence are difficult to configure).
    Note:

    Currently, the CLB-to-Pod direct access mode is available for both the GlobalRouter and VPC-CNI container network modes. Click the cluster ID in the cluster list to go to the cluster details page. On the Basic Information page, you can find the container network add-on used by the current cluster.

    VPC-CNI Mode

    Use limits

    • The Kubernetes version of the cluster must be 1.12 or later.
    • The VPC-CNI ENI mode must be enabled for the cluster network mode.
    • The workloads used by a service in direct access mode must adopt the VPC-CNI ENI mode.
    • The feature limits of a CLB bound to an ENI must be satisfied. For more information, see Binding an ENI.
    • When workloads in CLB-to-Pod direct access mode are updated, the rolling update waits on the CLB health check status of each new Pod, which slows down the update.

    Directions

    1. Log in to the TKE console.
    2. Go to the "Create a Service" page and configure the service parameters as required by referring to the step of creating a service in the console.
      Configure some key parameters as follows:
      • Service Access: select LoadBalancer (public network) or LoadBalancer (private network).
      • Network Mode: Enable CLB-to-Pod Direct Access.
      • Workload Binding: select Reference Workload. In the displayed window, select the backend workload of the VPC-CNI mode.
    3. Click Create Service to complete creation.

    GlobalRouter Mode

    Use limits

    • A workload can only run in one network mode. You can choose either VPC-CNI ENI mode or GlobalRouter mode for the workloads used by a service in direct access mode.
    • It is only available for bill-by-IP accounts.
    • When the CLB-to-Pod direct access mode is used, the network path is restricted by the security group of the CVM hosting the Pod. Confirm that the security group rules allow the corresponding protocol and port: the port the workload listens on must be opened on the CVM.
    • After the CLB-to-Pod direct access mode is enabled, the ReadinessGate (readiness check) is enabled by default. During a rolling update of a Pod, it checks whether the load balancer can forward traffic to the new Pod normally before the Pod is treated as ready. You also need to configure a correct health check for the application. For details, see Service CLB Configuration.
    • The CLB-to-Pod direct access in GlobalRouter mode is in beta test. You can use it in either of the following two ways:
      - Via CCN (recommended). CCN verifies the bound IP address, which prevents common IP binding problems such as binding errors and address loopback. The instructions are as follows:
        1. Create a CCN instance. For more information, please see Creating a CCN Instance.
        2. Add the VPC where the cluster is located to the created CCN instance.
        3. Register the container network CIDR block of the relevant cluster to the CCN: on the cluster's Basic Information page, enable the CCN.
      - Submit a ticket to apply for this feature. CCN does not verify the IP address in this method (not recommended).

    Directions

    1. Log in to the TKE console.
    2. Go to the "Create a Service" page and configure the service parameters as required by referring to the step of creating a service in the console.
      Configure some key parameters as follows:
      • Service Access: select LoadBalancer (public network) or LoadBalancer (private network).
      • Network Mode: Enable CLB-to-Pod Direct Access.
      • Workload Binding: select Reference Workload. In the displayed window, select the backend workload of the VPC-CNI mode.
    3. Click Create Service to complete creation.
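    The console steps in both Directions sections above produce a standard Kubernetes Service of type LoadBalancer plus the backend workload it references. The manifest below is an added example, not taken from this page or from the TKE product code, showing the same setup declared with kubectl. It assumes the Service annotation `service.cloud.tencent.com/direct-access: "true"` is the key that switches the service to direct access mode (confirm it against the Service CLB Configuration reference the page points to), and it assumes a constructed workload named `demo-web` listening on container port 8080. The readinessProbe gives the CLB health check and the default ReadinessGate something concrete to verify during a rolling update, and the port it probes is the one that must be opened in the CVM security group per the GlobalRouter use limits.

```yaml
# Added example (not part of the original page). Workload + Service for
# CLB-to-Pod direct access, equivalent to the console "Directions" steps.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-web            # constructed workload name (assumption)
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: demo-web
  template:
    metadata:
      labels:
        app: demo-web
    spec:
      containers:
        - name: web
          image: nginx:1.21  # placeholder image for the example
          ports:
            - name: http
              containerPort: 8080   # this port must be allowed by the CVM security group
          # Readiness probe: the CLB health check and the ReadinessGate rely on the
          # Pod being genuinely ready before the rolling update proceeds.
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            failureThreshold: 3
---
apiVersion: v1
kind: Service
metadata:
  name: demo-web
  namespace: default
  annotations:
    # Assumed TKE annotation that enables CLB-to-Pod direct access; verify the key
    # in the Service CLB Configuration documentation before relying on it.
    service.cloud.tencent.com/direct-access: "true"
spec:
  type: LoadBalancer        # "LoadBalancer (public network)" in the console
  selector:
    app: demo-web           # "Workload Binding: Reference Workload" in the console
  ports:
    - name: http
      protocol: TCP
      port: 80              # port exposed on the CLB
      targetPort: http      # forwarded straight to the Pod's 8080, no NodePort hop
```

    Apply it with `kubectl apply -f demo-web.yaml`, then check `kubectl get svc demo-web` for the assigned CLB address and `kubectl get pods -l app=demo-web -o wide` to confirm every Pod reports Ready. A Pod that stays NotReady after the CLB is created is the usual symptom of a security group that does not open the targetPort, or of a health check path that the application does not serve.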