All Products
Search

This Product

    Container Service for Kubernetes:Configure separate vSwitches and security groups for a pod

    Document Center

    Container Service for Kubernetes:Configure separate vSwitches and security groups for a pod

    Last Updated:Apr 11, 2025

    You can create a cluster-specific PodNetworking ConfigMap on a virtual node to specify separate vSwitches and security groups for each pod on the virtual node. This topic describes how to configure separate vSwitches and security groups for a pod by creating a PodNetworking ConfigMap in scenarios where ACK Serverless clusters are used.

    Table of contents

    Step 1: Create a PodNetworking ConfigMap

    In an ACK Serverless cluster, you can create multiple PodNetworking ConfigMaps to define different network planes. Before you start, you must create at least one PodNetworking ConfigMap to specify network configurations. The following code block shows a sample PodNetworking ConfigMap:

    apiVersion: network.alibabacloud.com/v1beta1
kind: PodNetworking
metadata:
  name: example
spec:
  allocationType:
    type: Elastic
  selector:
    podSelector:
      matchLabels:
        foo: bar
    namespaceSelector:
      matchLabels:
        foo: bar
  securityGroupIDs:
  - sg-bpxxxx
  vSwitchOptions:
  - vsw-bpxxxx

    The following table describes the parameters.

    Parameter

    Type

    Description

    allocationType

    type

    Valid values:

    • Elastic: Allocate elastic IP addresses (EIPs) to pods. The EIPs are released after the pods are deleted.

    • Fixed: Allocate static IP addresses to pods. Pods deployed in ACK Serverless clusters do not support static IP addresses.

    Important

    Pods deployed in ACK Serverless clusters do not support static IP addresses. When the type parameter is set to Fixed, the corresponding PodNetworking ConfigMap takes effect on all pods that match the selectors of the PodNetworking ConfigMap, including pods created by StatefulSets. In this case, the PodNetworking ConfigMap does not support the releaseStrategy or releaseAfter parameter.

    selector

    podSelector

    • A pod selector is used to match the labels of pods in an ACK cluster. If the labels of a pod match the pod selector, the pod uses the network configurations specified in the PodNetworking ConfigMap.

    • Make sure that the labels of a pod match the selectors of only one PodNetworking ConfigMap. If a pod matches multiple PodNetworking ConfigMaps, the pod uses the network configurations in an arbitrary PodNetworking ConfigMap.

    • If a pod selector and a namespace selector are configured, only pods that match both the pod selector and namespace selector use the network configurations specified in the PodNetworking ConfigMap.

    namespaceSelector

    • A namespace selector is used to match the labels of namespaces in an ACK cluster. If the labels of a namespace match the namespace selector, all pods created in the namespace use the network configurations specified in the PodNetworking ConfigMap.

    • When no namespace selector is configured, the PodNetworking ConfigMap takes effect on all pods that match the pod selector in the namespace.

    • Make sure that the labels of a pod match the selectors of only one PodNetworking ConfigMap. If a pod matches multiple PodNetworking ConfigMaps, the pod uses the network configurations in an arbitrary PodNetworking ConfigMap.

    • If a pod selector and a namespace selector are configured, only pods that match both the pod selector and namespace selector use the network configurations specified in the PodNetworking ConfigMap.

    securityGroupIDs

    N/A

    Specify multiple security group IDs. In an ACK Serverless cluster, only the first security group ID takes effect. You can specify at most five security groups.

    vSwitchOptions

    N/A

    • Specify the vSwitches used by pods. The logical relationship among multiple vSwitches is OR. Each pod can use only one vSwitch. virtual-kubelet will automatically select vSwitches for pods.

    • After you configure vSwitchOptions for a pod, a constraint is added to the zones to which the pod can be scheduled. This ensures that the zones are the same as those of the vSwitches specified in vSwitchOptions.

    • When the zones of the vSwitches in vSwitchOptions do not support ACK Serverless clusters, virtual nodes are automatically created in these zones and then pods are scheduled to the virtual nodes.

    • Make sure that the zones of the vSwitches in vSwitchOptions are the same as those of the nodes to which pods are scheduled. In addition, make sure that these vSwitches can provide sufficient idle IP addresses. Otherwise, ACK fails to create pods.

    Step 2: Create a pod

    When ACK creates a pod, ACK matches the labels of the pod with PodNetworking ConfigMaps. If the pod does not match any PodNetworking ConfigMap, the pod uses an IP address allocated from a shared elastic network interface (ENI) by default. If the pod matches a PodNetworking ConfigMap, an IP address is allocated from an ENI to the pod based on the network configurations in the PodNetworking ConfigMap. For more information about pod labels, see Labels.

    Example

    The following code block shows how ACK allocates network resources to pods with specific labels, and uses Deployments to create the desired number of pods. 

    ---
apiVersion: network.alibabacloud.com/v1beta1
kind: PodNetworking
metadata:
  name: example
spec:
  allocationType:
    type: Elastic
  selector:
    podSelector:
      matchLabels:
        foo: bar
# Security groups that are created in the same virtual private cloud (VPC).
  securityGroupIDs:
  - sg-2zee386juyk226k1cb5h
# vSwitches that reside in the same VPC.
  vSwitchOptions:
  - vsw-2zewh0vanjx3vmjisna6z
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: elastic-podnetworking
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
# Match the pod selector of a PodNetworking ConfigMap.
        foo: bar
    spec:
      containers:
      - name: my-container
        image: nginx

    FAQ

    How do I check whether a pod uses the network configurations specified in a PodNetworking ConfigMap?

    If a pod uses the network configurations specified in a PodNetworking ConfigMap, an annotation whose value is k8s.aliyun.com/pod-networking is added to the pod after the pod is created. 

    apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.aliyun.com/pod-eni: "true"
    k8s.aliyun.com/pod-networking: podnetworking
  labels:
    app: example
    pod-ip: elastic

    Why does a pod not use the network configurations specified in the desired PodNetworking ConfigMap after the pod is created?

    Make sure that the labels of the pod match only one PodNetworking ConfigMap.