When traffic spikes exceed the capacity of your Elastic Compute Service (ECS) nodes, ASM ingress gateway pods need somewhere to overflow. By scheduling gateway pods to virtual nodes backed by Elastic Container Instance (ECI), pods automatically scale to serverless infrastructure without node provisioning or maintenance.
Under normal conditions, gateway pods run on a labeled ECS node. When that node reaches capacity, pods overflow to ECI through virtual nodes. This setup uses Kubernetes scheduling primitives -- node affinity, taints, and tolerations -- to control where pods land.
If your ASM gateway runs in a Serverless Kubernetes (ASK) cluster, pods already run on ECI by default. Skip this topic and see Create an ingress gateway service instead.
How it works
The configuration relies on three Kubernetes scheduling mechanisms working together:
| Mechanism | Role |
|---|---|
| Taint + Toleration | Virtual nodes carry a default virtual-kubelet.io/provider=alibabacloud:NoSchedule taint to prevent accidental ECI usage. You add a custom taint to the ECS node to restrict it to gateway pods. Gateway pods need tolerations for both taints. |
| Required node affinity | Hard constraint that limits pod placement to two node types: your labeled ECS node or virtual nodes. Pods cannot land on unrelated nodes. |
| Preferred node affinity | Soft constraint with weights. The ECS node gets weight 80 (strongly preferred) and the virtual node gets weight 20 (fallback). When ECS has capacity, pods run there. When ECS is full, pods overflow to ECI. |
For details, see the Kubernetes documentation on Taints and Tolerations and Assigning Pods to Nodes.
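If you want to see the default virtual-node taint described above on your own cluster, you can query it directly. This is an optional check, not part of the official procedure; it assumes your virtual nodes carry the `type=virtual-kubelet` label used later in this topic:

```shell
# Print each virtual node's name and taints; expect the
# virtual-kubelet.io/provider=alibabacloud:NoSchedule taint.
kubectl get nodes -l type=virtual-kubelet \
  -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.taints}{"\n"}{end}'
```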
Prerequisites
Before you begin, make sure you have:
A Container Service for Kubernetes (ACK) cluster (ACK standard, ACK Pro, or ACK dedicated) added to the ASM instance
The ack-virtual-node component deployed in your ACK cluster
An ingress gateway deployed in the ASM instance
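Before continuing, you can sanity-check the second prerequisite from the command line. This is a suggested check, not part of the official prerequisites; the controller's deployment name and namespace may vary with the component version:

```shell
# Confirm the ack-virtual-node controller is running in the cluster.
kubectl get deployments -n kube-system | grep virtual-node

# Confirm at least one virtual node is registered.
kubectl get nodes -l type=virtual-kubelet
```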
Configure elastic overflow for the gateway
This procedure has four parts: label an ECS node for gateway pods, taint the node to exclude other workloads, configure the gateway YAML with affinity rules and tolerations, and verify the deployment.
Step 1: Label the target node
Add a label to the ECS node where gateway pods should run by default.
Get the node names in your cluster:
```
kubectl get nodes
```

Add a label to the target node. Replace `<node-name>` with the actual node name from step 1.

```
# Syntax
kubectl label nodes <node-name> <label-key>=<label-value>

# Example
kubectl label nodes node1 mykey4pod=asmgateway
```
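To confirm the label was applied, you can filter nodes by it (an optional check):

```shell
# The labeled node should be the only result.
kubectl get nodes -l mykey4pod=asmgateway
```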
Step 2: Taint the node
Add a custom taint so that only pods with a matching toleration run on this node:
```
kubectl taint nodes node1 mykey=myvalue:NoSchedule
```

This taint uses key `mykey`, value `myvalue`, and effect `NoSchedule`. Only pods that explicitly tolerate this taint can be scheduled on node1.
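You can verify that the taint took effect, and remove it later if needed. Appending a hyphen to the key and effect removes a taint; these commands are optional checks rather than part of the official procedure:

```shell
# Show the taints on node1; expect mykey=myvalue:NoSchedule in the output.
kubectl describe node node1 | grep -A 2 Taints

# To undo the taint later, append a hyphen to the key:effect pair.
kubectl taint nodes node1 mykey:NoSchedule-
```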
Step 3: Add node affinity and tolerations to the gateway
Update the gateway YAML to direct pods to the labeled ECS node by default, with automatic overflow to ECI when the node is at capacity.
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
Find the target gateway and click YAML.
In the Edit dialog box, add the following content to the `spec` field and click OK.

**Important:** Make sure the label key-value pair in `matchExpressions` matches the label you added in Step 1, and the toleration key-value pair matches the taint you added in Step 2. Mismatched values cause pods to remain in a Pending state.

The following table explains the scheduling behavior:

| Field | What it does |
|---|---|
| `preferredDuringSchedulingIgnoredDuringExecution` | Sets soft scheduling preferences with relative weights. The ECS node (weight 80) is strongly preferred over ECI (weight 20). When the ECS node has capacity, pods run there. When it is full, pods overflow to ECI via virtual nodes. |
| `requiredDuringSchedulingIgnoredDuringExecution` | Defines hard constraints. Pods can only be scheduled on nodes matching either the custom label (`mykey4pod=asmgateway`) or the virtual node label (`type=virtual-kubelet`). This prevents pods from landing on unrelated nodes. |
| `tolerations[0]` | Allows pods to run on virtual nodes by tolerating the default `virtual-kubelet.io/provider=alibabacloud:NoSchedule` taint. Without this toleration, pods cannot use ECI. |
| `tolerations[1]` | Matches the custom taint (`mykey=myvalue:NoSchedule`) added in Step 2, allowing pods to run on the labeled ECS node. |

```yaml
affinity:
  nodeAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - preference:
          matchExpressions:
            - key: type
              operator: In
              values:
                - virtual-kubelet
        weight: 20
      - preference:
          matchExpressions:
            - key: mykey4pod
              operator: In
              values:
                - asmgateway
        weight: 80
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: mykey4pod
              operator: In
              values:
                - asmgateway
        - matchExpressions:
            - key: type
              operator: In
              values:
                - virtual-kubelet
tolerations:
  - effect: NoSchedule
    key: virtual-kubelet.io/provider
    operator: Equal
    value: alibabacloud
  - effect: NoSchedule
    key: mykey
    operator: Equal
    value: myvalue
```
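If you prefer to verify the change from the command line after saving, you can print the rendered pod template. This sketch assumes the gateway deployment is named `istio-ingressgateway` in the `istio-system` namespace; substitute the name of your own gateway deployment:

```shell
# Print the affinity section of the gateway deployment's pod template.
kubectl -n istio-system get deployment istio-ingressgateway \
  -o jsonpath='{.spec.template.spec.affinity}'

# Print the tolerations; expect both entries from the YAML above.
kubectl -n istio-system get deployment istio-ingressgateway \
  -o jsonpath='{.spec.template.spec.tolerations}'
```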
Step 4: Verify the deployment
Confirm that gateway pods are running on the expected nodes.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left-side navigation pane, choose Workloads > Pods.
On the Pods page, select istio-system from the Namespace drop-down list.
Check the Node column for the gateway pods:
Under normal load, pods should appear on your labeled ECS node (`node1`). When ECS capacity is exhausted, pods should appear on a virtual node.
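The same check can be done from the command line; the NODE column shows where each pod landed (virtual node names typically begin with `virtual-kubelet` or `virtual-node`):

```shell
# List gateway pods together with the nodes they are scheduled on.
kubectl get pods -n istio-system -o wide
```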