PortMap for Alibaba ACK
Add port mapping support for terway on Alibaba Cloud Container Service for Kubernetes (ACK).
Works with terway, the CNI plugin for Alibaba Cloud VPC / Elastic Network Interface (ENI).
Build Example
```dockerfile
FROM alpine AS downloader
ARG TARGETOS=linux
ARG TARGETARCH
ARG VERSION=1.3.0
RUN apk add --no-cache wget
# Fetch the upstream CNI plugins release for the target platform and extract only the portmap binary into /
RUN wget https://github.com/containernetworking/plugins/releases/download/v${VERSION}/cni-plugins-${TARGETOS}-${TARGETARCH}-v${VERSION}.tgz \
    -O /cni-plugins.tgz && \
    tar -xzf /cni-plugins.tgz -C / ./portmap
FROM busybox
COPY --from=downloader /portmap /
```
```shell
docker buildx build \
    --tag registry.address.fix.me/portmap:v1.3.0 \
    --builder container \
    --platform linux/arm64,linux/amd64 \
    --progress plain \
    --push \
    .
```
Usage Example
Add a new ConfigMap holding the conflist that the new init container will copy into place.
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: eni-config-cni
  namespace: kube-system
data:
  0-terway.conflist: |-
    {
      "cniVersion": "0.3.0",
      "name": "terway",
      "plugins": [
        {
          "type": "terway"
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
```
Add an init container to terway's deployment YAML.
```yaml
initContainers:
  # Add a new init container
  - name: terway-portmap-init
    command:
      - sh
      - '-c'
      - >-
        cp /portmap /opt/cni/bin/;
        chmod +x /opt/cni/bin/portmap;
        cp /etc/eni/0-terway.conflist /etc/cni/net.d/
    image: 'registry.address.fix.me/portmap:v1.3.0'
    securityContext:
      privileged: true
      procMount: Default
    volumeMounts:
      - name: cni-bin
        mountPath: /opt/cni/bin/
      - name: configvolume-cni
        mountPath: /etc/eni
      - name: cni
        mountPath: /etc/cni/net.d/
# DO NOT modify the original volumes config; only add the new element for the new ConfigMap.
# The default config file name is 10-terway.conf and the new file name is 0-terway.conflist.
# kubelet loads the first config file in sorted order, and "0-" sorts before "10-",
# so 0-terway.conflist is the one that gets loaded.
volumes:
  - name: configvolume-cni
    configMap:
      name: eni-config-cni
      items:
        - key: 0-terway.conflist
          path: 0-terway.conflist
      defaultMode: 420
```
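A node-side pre-flight check for the setup above (added example, not code from the ack-portmap project). It assumes the paths the init container writes to, /etc/cni/net.d and /opt/cni/bin, and that kubelet loads the first config file in sorted order, which is the reason 0-terway.conflist has to sort before 10-terway.conf.

```shell
#!/bin/sh
# Pre-flight check for the portmap setup (added example, not part of ack-portmap).
# Assumes the paths the init container writes to: the CNI config directory
# (default /etc/cni/net.d) and the CNI bin directory (default /opt/cni/bin).

# Name of the config file kubelet will pick: the byte-wise first *.conf/*.conflist
# in the CNI config directory. This is why 0-terway.conflist must sort before 10-terway.conf.
first_cni_conf() {
    ls "$1" | grep -E '\.(conf|conflist)$' | LC_ALL=C sort | head -n 1
}

# Succeeds when the conflist chains the portmap plugin with the portMappings capability enabled.
conflist_has_portmap() {
    grep -q '"type": *"portmap"' "$1" && grep -q '"portMappings": *true' "$1"
}

# Succeeds when the portmap binary copied by the init container is present and executable.
portmap_binary_ok() {
    [ -x "$1/portmap" ]
}

# Runs all checks; prints a diagnosis and returns non-zero on the first failure.
check_portmap_setup() {
    conf_dir="${1:-/etc/cni/net.d}"
    bin_dir="${2:-/opt/cni/bin}"
    selected="$(first_cni_conf "$conf_dir")"
    if [ "$selected" != "0-terway.conflist" ]; then
        echo "kubelet would load '${selected:-nothing}', not 0-terway.conflist" >&2
        return 1
    fi
    if ! conflist_has_portmap "$conf_dir/$selected"; then
        echo "portmap plugin or portMappings capability missing in $selected" >&2
        return 1
    fi
    if ! portmap_binary_ok "$bin_dir"; then
        echo "$bin_dir/portmap is missing or not executable" >&2
        return 1
    fi
    echo "portmap setup OK: $conf_dir/$selected and $bin_dir/portmap"
}
```

Run it on a node as `check_portmap_setup` (or pass custom directories) before recreating pods that use hostPort.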
Trouble Shooting
Check the port mapping status by listing the CNI chains in the nat table:
```shell
iptables -t nat -vnL | grep CNI
```
Delete the CNI hostport-related iptables rules and chains, then recreate the pod that uses the hostPort (replace xxxx with the chain name and n with the rule number from the listing above):
```shell
iptables -t nat -D xxxx n
iptables -t nat -X xxxx
```
Originally published at: https://github.com/maskshell/ack-portmap