
Alibaba Cloud Service Mesh: Manage ECI-based pods on ACK virtual nodes with ASM

Last Updated: Mar 10, 2026

Container Service for Kubernetes (ACK) supports serverless pod scheduling through virtual nodes backed by Elastic Container Instance (ECI). Pods scheduled to virtual nodes run on ECI without pre-provisioned node capacity, but by default they are not part of the service mesh. Service Mesh (ASM) extends traffic management and observability to these pods through automatic Envoy sidecar injection. This guide walks you through enabling sidecar injection for a namespace and scheduling pods to virtual nodes so that ASM manages them on the data plane.

How it works

Bringing ECI-based pods into the mesh requires two independent labeling systems:

| Label | Applied to | Purpose |
| --- | --- | --- |
| istio-injection=enabled | Namespace | Triggers automatic Envoy sidecar injection for all pods in the namespace |
| alibabacloud.com/eci=true | Pod or namespace | Schedules pods to ECI-backed virtual nodes instead of regular cluster nodes |

Both labels must be in effect for a pod to run on a virtual node and participate in the service mesh:

  • The istio-injection=enabled label controls whether ASM adds an Envoy proxy to the pod.

  • The alibabacloud.com/eci=true label controls where the pod is scheduled.

After injection, each pod shows 2/2 in the READY column: one container for the application and one for the Envoy sidecar proxy. A pod showing 1/1 means the sidecar was not injected.

Prerequisites

Before you begin, ensure that you have:

Step 1: Enable automatic sidecar injection for a namespace

Enable automatic sidecar injection in the ASM console so that an Envoy proxy is injected into every pod created in the target namespace. These Envoy proxies form the data plane of the ASM instance.

In this example, sidecar injection is enabled for both the default namespace and the vk namespace. For detailed instructions, see Manage global namespaces.

Step 2: Schedule pods to ECI-backed virtual nodes

After sidecar injection is enabled, schedule pods to virtual nodes by adding the alibabacloud.com/eci=true label. You can apply this label at either the pod level or the namespace level.

Note

After a pod runs on an ECI-backed virtual node with a sidecar, ASM manages its traffic on the data plane.

Choose a scheduling method

| Method | When to use | Scope |
| --- | --- | --- |
| Pod label (recommended for selective scheduling) | Only specific workloads should run on ECI. Other pods in the same namespace continue to run on regular nodes. | Individual pods |
| Namespace label (recommended for full-namespace scheduling) | All pods in a namespace should run on ECI. Avoids labeling each pod individually. | All pods in the namespace |

Schedule individual pods with a pod label

  1. Verify that the default namespace has sidecar injection enabled:

       kubectl get ns default --show-labels

     Expected output:

       NAME      STATUS   AGE   LABELS
       default   Active   16d   istio-injection=enabled,kubernetes.io/metadata.name=default,provider=asm

     Confirm that istio-injection=enabled appears in the labels.

  2. Deploy an NGINX pod with the ECI scheduling label:

       kubectl run nginx -n default --image nginx -l alibabacloud.com/eci=true

     Expected output:

       pod/nginx created

  3. Verify the pod is running on a virtual node with the sidecar injected:

       kubectl get pod -n default -o wide | grep virtual-kubelet

     Expected output:

       nginx   2/2     Running   0   8m49s   192.168.XXX.XXX   virtual-kubelet-cn-beijing-i   <none>   <none>

     2/2 in the READY column confirms that both the application container and the Envoy sidecar proxy are running.

Schedule all pods in a namespace with a namespace label

  1. Verify that the vk namespace has sidecar injection enabled:

       kubectl get ns vk --show-labels

     Expected output:

       NAME   STATUS   AGE   LABELS
       vk     Active   96m   istio-injection=enabled,kubernetes.io/metadata.name=vk,provider=asm

  2. Add the ECI scheduling label to the vk namespace:

       kubectl label namespace vk alibabacloud.com/eci=true

     Expected output:

       namespace/vk labeled

     All new pods in this namespace are now scheduled to ECI-backed virtual nodes.

  3. Deploy an NGINX pod in the labeled namespace:

       kubectl -n vk run nginx --image nginx

     Expected output:

       pod/nginx created

     The namespace label covers all pods, so no pod-level ECI label is needed.

  4. Verify the pod is running on a virtual node with the sidecar injected:

       kubectl -n vk get pod -o wide | grep virtual-kubelet

     Expected output:

       nginx   2/2     Running   0   38s   192.168.XXX.XXX   virtual-kubelet-cn-beijing-i   <none>   <none>
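
The READY-column check from the verification steps above, generalized to classify every pod in `kubectl get pod -o wide` output so that pods on virtual nodes without a sidecar stand out. This is an added example, not part of the Alibaba Cloud documentation; the function names are hypothetical, and the sample table, its IP addresses and the node name worker-node-1 are constructed.

```shell
#!/bin/sh
# Added example: reads `kubectl get pod -o wide` output on stdin and
# prints "<pod> <verdict>" for each pod.
classify_eci_pods() {
  awk '
    NR == 1 && $1 == "NAME" { next }   # skip the header row
    NF < 3 { next }                    # skip blank or malformed lines
    {
      node = ""
      # Find the node by name, not by column index: RESTARTS can render
      # as "1 (5m ago)", which shifts every later column.
      for (i = 3; i <= NF; i++) if ($i ~ /^virtual-kubelet/) node = $i
      split($2, r, "/")                # READY is "<ready>/<total>"
      if (node == "")        verdict = "not-on-virtual-node"
      else if (r[2] + 0 < 2) verdict = "no-sidecar"
      else if (r[1] != r[2]) verdict = "containers-not-ready"
      else                   verdict = "in-mesh"
      print $1, verdict
    }'
}

# Count pods on virtual nodes that lack a sidecar or are not fully ready.
count_problem_pods() {
  classify_eci_pods |
    awk '$2 == "no-sidecar" || $2 == "containers-not-ready" { n++ } END { print n + 0 }'
}

# Constructed sample input (not captured from a real cluster).
sample_pods() {
cat <<'EOF'
NAME     READY   STATUS    RESTARTS     AGE     IP           NODE                           NOMINATED NODE   READINESS GATES
nginx    2/2     Running   0            8m49s   192.0.2.10   virtual-kubelet-cn-beijing-i   <none>           <none>
batch    1/1     Running   0            3m      192.0.2.11   virtual-kubelet-cn-beijing-i   <none>           <none>
api      1/2     Running   1 (5m ago)   12m     192.0.2.12   virtual-kubelet-cn-beijing-i   <none>           <none>
legacy   2/2     Running   0            2d      192.0.2.13   worker-node-1                  <none>           <none>
EOF
}

sample_pods | classify_eci_pods
```

Against a live cluster, pipe `kubectl get pod -n <namespace> -o wide` into `classify_eci_pods`. The container count is the same heuristic the page uses, so a pod that runs two or more application containers without a sidecar would still be reported as in-mesh.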