When you use a Container Service for Kubernetes (ACK) cluster, you may need to launch a large number of pods within a short period of time. If you choose to create Elastic Compute Service (ECS) instances for the pods, the creation process is time-consuming. If you choose to reserve ECS instances, the instances are idle before pod creation and after pod termination, resulting in resource waste. To address this issue, we recommend that you schedule the pods to elastic container instances that are deployed as virtual nodes. This way, you do not need to purchase or manage ECS instances. This topic describes how to schedule pods to elastic container instances in registered clusters.
How it works
Elastic Container Instance is a serverless compute service that is provided by Alibaba Cloud for containerization. You can use elastic container instances to efficiently set up an O&M-free and isolated runtime environment for your containers. Elastic container instances allow you to focus on containerized applications without the need to purchase or manage Elastic Compute Service (ECS) instances. This eliminates the need for infrastructure maintenance. You can create elastic container instances to meet your business requirements. You are charged for resource usage on a per second basis.
In most cases, an ACK cluster has at least one ECS node pool. After you create a pod, ACK schedules the pod to an ECS instance in the node pool. This scheduling mode is suitable for applications that receive a stable volume of traffic. However, this scheduling mode cannot handle traffic spikes, even though ACK can scale out ECS instances. This is because the creation and startup of ECS instances is time-consuming. To resolve this problem, we recommend that you schedule pods to elastic container instances that are deployed as virtual nodes. This eliminates the need to add new nodes, prevents resource waste, and reduces computing costs.
Prerequisites
A registered cluster is created and a self-managed cluster whose Kubernetes version is 1.14 or later is connected to the registered cluster. For more information, see Create a registered cluster.
Elastic Container Instance is activated.
The region where the cluster is deployed is supported by Elastic Container Instance. To view the supported regions and zones, log on to the Elastic Container Instance console. For more information about the supported regions and zones, see Regions and zones.
Step 1: Grant RAM permissions to ack-virtual-node
Use onectl
Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.
Run the following command to grant Resource Access Management (RAM) permissions to ack-virtual-node:
onectl ram-user grant --addon ack-virtual-node
Expected output:
Ram policy ack-one-registered-cluster-policy-ack-virtual-node granted to ram user ack-one-user-ce313528c3 successfully.
Use the console
Before you can install the component in a registered cluster, you must specify an AccessKey pair in the self-managed Kubernetes cluster. The AccessKey pair is required when you access Alibaba Cloud services from the self-managed Kubernetes cluster. Before you set the AccessKey pair, create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.
Create a RAM user. For more information, see Create a RAM user.
Optional: Create a custom policy. For more information, see Create a custom policy.
Attach a policy to the RAM user. For more information, see Create a RAM user and grant permissions to the RAM user.
You can create a custom policy or select the AliyunECIFullAccess policy to grant the permissions to the RAM user.
Create an AccessKey pair for the RAM user. For more information, see Obtain an AccessKey pair.
Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.
The system automatically uses the AccessKey pair to access cloud resources when you install ack-virtual-node.
kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your access key id>' --from-literal='access-key-secret=<your access key secret>'
Note: Replace <your access key id> and <your access key secret> with the AccessKey pair that you obtained in the previous step.
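The kubectl command above passes the AccessKey pair with --from-literal, so the values land in the shell history and can be read from the process list while the command runs. The following added example (not part of the original documentation) renders the same alibaba-addon-secret manifest from values read on standard input; the helper name render_addon_secret and the file name accesskey.txt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build the alibaba-addon-secret manifest from stdin so the
# AccessKey pair never appears in argv or shell history.
# render_addon_secret is a hypothetical helper name, not part of kubectl or onectl.

render_addon_secret() (
  # Line 1 of stdin: AccessKey ID. Line 2: AccessKey secret.
  IFS= read -r ak_id || exit 1
  # Accept a final line that lacks a trailing newline.
  IFS= read -r ak_secret || [ -n "$ak_secret" ] || exit 1
  if [ -z "$ak_id" ] || [ -z "$ak_secret" ]; then
    echo "AccessKey ID and secret must both be non-empty" >&2
    exit 1
  fi
  # printf '%s' keeps a stray newline out of the stored value; printf is a
  # shell builtin, so the secret is not exposed as a process argument.
  id_b64=$(printf '%s' "$ak_id" | base64 | tr -d '\n')
  secret_b64=$(printf '%s' "$ak_secret" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: alibaba-addon-secret
  namespace: kube-system
type: Opaque
data:
  access-key-id: ${id_b64}
  access-key-secret: ${secret_b64}
EOF
)

# Typical use: keep the two values in a file readable only by you
# (chmod 600), one per line, then run:
#   render_addon_secret < ./accesskey.txt | kubectl apply -f -
```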
Step 2: Install ack-virtual-node
Use onectl
Run the following command to install ack-virtual-node:
onectl addon install ack-virtual-node
Expected output:
Addon ack-virtual-node, version **** installed.
Use the console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
Click the Others tab, find ack-virtual-node and click Install.
In the Note dialog box, click OK. The default vSwitch and security group of the cluster are used for elastic container instances that are deployed by ack-virtual-node. For more information, see What to do next.
Step 3: Schedule pods to elastic container instances
After ack-virtual-node is deployed in your cluster, you can schedule pods to elastic container instances that are deployed as virtual nodes in your cluster. Make sure that the virtual nodes are in the Ready state before you schedule the pods.
Run the following command to query the status of the virtual node:
kubectl get no |grep virtual-kubelet
Expected output:
virtual-kubelet-cn-hangzhou-b Ready agent 18d v1.20.11-aliyun.1
The output indicates that the virtual node is in the Ready state.
You can use one of the following three methods to schedule pods to elastic container instances.
Method 1: Add labels to pods (version of the cluster is later than 1.16)
Add the alibabacloud.com/eci=true label to the pod that you want to create. Then, an Elastic Container Instance-based pod is created and scheduled to the virtual node. Example:
Run the following command to add a label to the pod:
kubectl run nginx --image nginx -l alibabacloud.com/eci=true
Run the following command to query the pod:
kubectl get pod -o wide|grep virtual-kubelet
Expected output:
nginx-7fc9f746b6-r4xgx 0/1 ContainerCreating 0 20s 192.168.XX.XX virtual-kubelet <none> <none>
Method 2: Add labels to namespaces
Add the alibabacloud.com/eci=true label to the namespace to which the pod belongs. Then, an Elastic Container Instance-based pod is created and scheduled to the virtual node. Example:
Run the following command to create a namespace named vk:
kubectl create ns vk
Run the following command to add a label to the namespace to which the pod belongs:
kubectl label namespace vk alibabacloud.com/eci=true
Run the following command to schedule the pod to the virtual node:
kubectl -n vk run nginx --image nginx
Run the following command to query the pod:
kubectl -n vk get pod -o wide|grep virtual-kubelet
Expected output:
nginx-6f489b847d-vgj4d 1/1 Running 0 1m 192.168.XX.XX virtual-kubelet <none> <none>
Method 3: Specify node names
Schedule only specified pods to virtual nodes. Add the nodeName: virtual-kubelet-cn-shanghai-k field to the pod. Then, an Elastic Container Instance-based pod is created and scheduled to a virtual node. Example:
Create a file named nginx-deployment.yaml and copy the following content to the file:
apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      nodeName: virtual-kubelet-cn-shanghai-k # nodeName of the specified virtual kubelet
      containers:
      - name: nginx
        image: nginx:1.7.9 # replace it with your exact <image_name:tags>
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"
Run the following command to deploy the application:
kubectl apply -f nginx-deployment.yaml
Run the following command to query the pod:
kubectl get pod -o wide|grep virtual-kubelet
Expected output:
nginx-6f489b847d-XXX 1/1 Running 0 1m 192.168.XX.XX virtual-kubelet <none> <none>
nginx-6f489b847d-XXX 1/1 Running 0 1m 192.168.XX.XX virtual-kubelet <none> <none>
What to do next
Modify the configurations of the vSwitch to which an elastic container instance is connected
You can modify the ECI_VSWITCH environment variable to change the vSwitch of the pods that are scheduled to the virtual node. We recommend that you configure multiple vSwitches that are deployed in different zones to ensure high availability. When elastic container instances in the current zone are out of stock, the virtual node controller creates pods in another zone.
Run the following command to modify the configurations of the vSwitch to which an elastic container instance is connected:
kubectl edit configmap eci-profile -n kube-system
Configuration example:
data:
  enableClusterIp: "true"
  enableHybridMode: "false"
  enablePrivateZone: "false"
  securityGroupId: sg-2zeeyaaxlkq9sppl****
  selectors: ""
  vSwitchIds: vsw-2ze23nqzig8inprou****,vsw-2ze94pjtfuj9vaymf**** # the vSwitch to which an elastic container instance pod is connected. Separate multiple vSwitch IDs with commas (,).
  vpcId: vpc-2zeghwzptn5zii0w7****
For more information about how to configure an eci-profile, see Configure an eci-profile.
Delete a virtual node
Uninstall ack-virtual-node from the registered cluster.
Use onectl
Run the following command to uninstall ack-virtual-node:
onectl addon uninstall ack-virtual-node
Expected output:
Addon ack-virtual-node uninstalled.
Use the console
Go to the Add-ons page in the ACK console and uninstall ack-virtual-node.
Run the kubectl delete node <node name> command to delete the virtual nodes that you do not need.
Note: After you uninstall ack-virtual-node, existing elastic container instances in your cluster are not deleted.