Deploy LF Edge eKuiper on OpenYurt with Yurt Tunnel for Cloud‑to‑Edge Management

Prerequisites

Both cloud and edge nodes must run Kubernetes v1.20.x (or lower) and have kubeadm, kubectl, helm, and golang installed. The cloud node needs an external IP; the edge node is internal‑only.

Install required components

On the cloud node install the Kubernetes binaries (example for Debian/Ubuntu):

sudo apt-get install -y kubelet=1.20.8-00 kubeadm=1.20.8-00 kubectl=1.20.8-00

Install Go (https://golang.org/doc/install) and build OpenYurt from its repository (https://github.com/openyurtio/openyurt#getting-started). Install Helm (https://helm.sh/docs/intro/install/).

Initialize the control plane (cloud node)

Assuming the cloud node external IP is 34.209.219.149:

# sudo kubeadm init --control-plane-endpoint 34.209.219.149 --kubernetes-version stable-1.20

Copy /etc/kubernetes/admin.conf to $HOME/.kube/config as instructed and deploy a pod network, e.g. Weave Net:

kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '
')"

Join the edge node

Run the kubeadm join command printed by the init on the edge node:

sudo kubeadm join 34.209.219.149:6443 --token i24p5i.nz1feykoggszwxpq \
  --discovery-token-ca-cert-hash sha256:3aacafdd44d1136808271ad4aafa34e5e9e3553f3b6f21f972d29b8093554325

Verify both nodes: kubectl get nodes -o wide If the status is NotReady, install the CNI plugin as shown above.

Make the cloud node reachable from the edge

If the cloud node internal IP ( 172.31.0.236) is not directly reachable, add NAT rules on both nodes:

sudo iptables -t nat -A OUTPUT -d 172.31.0.236 -j DNAT --to-destination 34.209.219.149

Test connectivity from the edge node with ping 172.31.0.236.

Deploy eKuiper to the edge node

Clone the eKuiper repository and modify the Helm chart to schedule the pod on the edge node:

git clone https://github.com/lf-edge/ekuiper
cd ekuiper/deploy/chart/Kuiper

Edit template/StatefulSet.yaml (line 38) and add:

nodeName: edge-node
hostNetwork: true

Deploy with Helm: helm install ekuiper . Check services and pods:

kubectl get services
kubectl get pods -o wide

The eKuiper REST service listens on port 9081. Verify from the edge node:

curl http://192.168.2.143:9081

Deploy the eKuiper manager UI to the cloud node

Apply the manager manifest (https://github.com/lf-edge/ekuiper/blob/master/docs/zh_CN/deploy/kmanager.yaml) after ensuring the image tag matches the eKuiper version: kubectl apply -f kmanager.yaml The UI is exposed via a NodePort (e.g. 32555). Access it at http://34.209.219.149:32555 with default credentials admin/public.

Configure Yurt tunnel for cloud‑to‑edge traffic

Edit openyurt/config/setup/yurt-tunnel-server.yaml and add a NAT port mapping:

apiVersion: v1
kind: ConfigMap
metadata:
  name: yurt-tunnel-server-cfg
  namespace: kube-system
data:
  dnat-ports-pair: "9081=10264"

If the cloud node lacks a public IP, set the certificate IP:

args:
  - --bind-address=$(NODE_IP)
  - --insecure-bind-address=$(NODE_IP)
  - --proxy-strategy=destHost
  - --v=2
  - --cert-ips=34.209.219.149

Convert the Kubernetes cluster to an OpenYurt cluster:

_output/bin/yurtctl convert --cloud-nodes cloud-node --provider kubeadm

Label the nodes and deploy the tunnel components:

# Cloud node (non‑edge)
kubectl label nodes cloud-node openyurt.io/is-edge-worker=false
kubectl apply -f config/setup/yurt-tunnel-server.yaml

# Edge node (edge worker)
kubectl label nodes edge-node openyurt.io/is-edge-worker=true
kubectl apply -f config/setup/yurt-tunnel-agent.yaml

After the server and agent are running, the manager UI can reach the eKuiper service on the edge node. In the UI select the ekuiper service, switch to the system tab and verify the service status is healthy.

References

https://github.com/lf-edge/ekuiper/

https://github.com/lf-edge/ekuiper/blob/edgex/docs/en_US/reference.md

https://github.com/openyurtio/openyurt/tree/master/docs/tutorial

https://github.com/lf-edge/ekuiper/blob/master/docs/zh_CN/manager-ui/overview.md