Manage applications in ACK Serverless clusters with ASM - Alibaba Cloud Service Mesh

Alibaba Cloud Container Service for Kubernetes (ACK) provides various serverless containers based on virtual nodes and elastic container instances. ACK Serverless clusters enable seamless integration of Kubernetes and Elastic Container Instance (ECI). Integrate an ACK Serverless cluster with Service Mesh (ASM) to manage applications deployed in pods that run on ECI-based pods.

After completing this guide, you will have:

Enabled automatic sidecar proxy injection in a namespace
Deployed a sample application with an Envoy sidecar
Verified that ASM manages the application through its data plane

Prerequisites

Before you begin, ensure that you have:

An ACK Serverless cluster with the service discovery mode set to PrivateZone or CoreDNS. Without PrivateZone or CoreDNS, sidecars cannot resolve the istiod.istio-system control plane service. For more information, see ACK Serverless quick start
The ACK Serverless cluster added to your ASM instance. For more information, see Add a cluster to an ASM instance

Note

The service discovery mode must be set when you create the ACK Serverless cluster. See FAQ if you encounter DNS resolution issues.

Step 1: Enable automatic sidecar proxy injection

Enable automatic sidecar proxy injection for a namespace in the ASM console. After you enable injection, ASM automatically injects an Envoy proxy as a sidecar into every new pod created in that namespace. These Envoy proxies form the data plane of your ASM instance.

The following example uses the default namespace. For instructions on enabling injection for other namespaces, see Manage global namespaces.

Note

Enabling sidecar injection only affects new pods. To add existing applications to the mesh, restart their deployments after you enable injection:

kubectl rollout restart deployment <deployment-name> -n <namespace>

Step 2: Deploy an application and verify sidecar injection

In ACK Serverless clusters, all pods run on ECI through virtual nodes. No labels are needed to specify that the application is deployed in an ECI-based pod.

Deploy the NGINX application:

kubectl run nginx -n default --image nginx

Verify that the pod runs on a virtual node and the sidecar is injected:
```
kubectl get pod -n default -o wide | grep virtual-kubelet
```
Expected output:
```
nginx-xxx   2/2     Running   0          30s   x.x.x.x   virtual-kubelet   <none>   <none>
```
Field Expected value Meaning
READY 2/2 Two containers running: the NGINX application container and the Envoy sidecar proxy
NODE virtual-kubelet The pod runs on an ECI-based virtual node
If the READY column shows 1/1, the sidecar was not injected. Go back to Step 1 and verify that injection is enabled for the namespace.

Field	Expected value	Meaning
READY	`2/2`	Two containers running: the NGINX application container and the Envoy sidecar proxy
NODE	`virtual-kubelet`	The pod runs on an ECI-based virtual node

After the sidecar is injected, ASM manages the application through the data plane.

FAQ

Why does service discovery fail in my ACK Serverless cluster?

Check the sidecar container logs. If istiod.istio-system resolves to an invalid IP address, the Alibaba Cloud DNS PrivateZone service is not activated.

To fix this, do one of the following:

Activate the Alibaba Cloud DNS PrivateZone service
Install CoreDNS from the Add-ons page in the ACK console