[feature request]Need support NodePort service isolate

[yuanmaomao]

What would you like to be added:
we need NodePort service isolate function, when create a NodePort service we can choose which node or nodepool it worked!

Why is this needed:
when we use edge network ,we need to make service isolate, for example, when we use NodePort type service ,we just want it servers some specific node pool.

it needs some feature

1. pod must run at some specific node pool, we can use label to finish it.
2. service can only forward network flow to specific node pool pod, we can also use label selector to finish it.
3. NodePort service can be isolate, for example when we create a NodePort service open node 80 port, it only need to open nodes which in specific edge node pool, not all nodes in all edge.

others
/kind feature

[rambohe-ch]

@yuanmaomao Thanks for raising issue. I think that this feature request is reasonable, and i want to know more details about this feature.
--> all of nodes in specified NodePool can listen on 80 port of node, or only nodes that pods exist listen on 80 port of node?

[yuanmaomao]

i think specified NodePool better.

1. it will be more freedom, for example GuangZhou node pool has 10 node, it probably not run pod on each node.
2. i think achieve it more easy? it need not to related with pod run or destroy. just related with node pool label.

[rambohe-ch]

i think specified NodePool better.

1. it will be more freedom, for example GuangZhou node pool has 10 node, it probably not run pod on each node.
2. i think achieve it more easy? it need not to related with pod run or destroy. just related with node pool label.

@yuanmaomao Thanks for your kindly reply. yes, it's more convenient to specify by NodePool.

@Congrool @LaurenceLiZhixin @donychen1134 Do you have any comments about this feature?

[LaurenceLiZhixin]

I think this requirement is reasonable too, and there are redundancies and misunderstandings about service port occupancy across node pools in the whole cluster.
I think it can be implemented based on the existing service topology filter, passing the modified resource to kube-proxy for the service resource

[rambohe-ch]

/assign @rambohe-ch

[rambohe-ch]

I will take this work and post a pull request as soon as possible.

[rambohe-ch]

@yuanmaomao @LaurenceLiZhixin @Congrool
I will name the new filter as nodeportisolation, and add a new annotation nodeport.openyurt.io/listen for NodePort service in order to trigger nodeportisolation filter in Yurthub.

The details of nodeport.openyurt.io/listen annotation of service:

• key: nodeport.openyurt.io/listen
• value: A list of nodepool names that separated by ','

  • foo: enable specified NodePort service listening on nodes of NodePool named foo

  • -foo: disable specified NodePort service listening on nodes of NodePool named fool

  • *: enable specified NodePort service listening on nodes of all NodePools

  • if NodePool name is duplicated in the configuration, we will take the first configuration

  • if NodePool name is not configured, we will disable NodePort listening on nodes of these unconfigured NodePools.

  • orphan nodes(don't locate in NodePool) will be kept the same as native Kubernetes, so NodePort will be listened on orphan nodes.

    for example:

    • foo, bar: enable NodePort service listening on nodes in foo and bar NodePool.
    • foo, *: enable NodePort service listening on nodes of all NodePools
    • -foo, -bar: disable NodePort service listening on nodes of all NodePools
    • -foo, *: disable NodePort service listening only on nodes in foo NodePool
    • foo,-foo: enable NodePort service listening on nodes in foo NodePool
    • -foo: disable NodePort service listening on nodes of all NodePools(include foo NodePool).

[yuanmaomao]

it seems a fantastic function.