When you need to extend Alibaba Cloud Service Mesh (ASM) traffic management to serverless workloads, you can deploy applications in Elastic Container Instance (ECI) pods on virtual nodes of your ACK cluster. This lets you run Envoy-managed workloads without pre-provisioning node capacity, combining the observability of ASM with the elasticity of ECI.
This topic shows you how to enable sidecar injection for a namespace and schedule pods to ECI virtual nodes using two methods: a pod-level label or a namespace-level label.
Prerequisites
Before you begin, ensure that you have:
- An ASM instance at version 1.7.5.41 or later. For more information, see Create an ASM instance.
- The `ack-virtual-node` component deployed and running in your ACK cluster. For more information, see Step 1: Deploy ack-virtual-node in ACK clusters.
- The kubeconfig file of the cluster obtained and configured for kubectl access.
Step 1: Enable automatic sidecar proxy injection for a namespace
Enable automatic sidecar proxy injection for the target namespace in the ASM console. After you configure the namespace, an Envoy proxy is automatically injected as a sidecar into each pod created in that namespace. These Envoy proxies form the data plane of the ASM instance.
In this example, automatic sidecar proxy injection is enabled for the default namespace and the vk namespace. For more information, see Manage global namespaces.
Step 2: Create ECI-based pods
After a pod is deployed on an ECI instance, ASM manages the application through the Envoy sidecar on the data plane.
To schedule a pod to an ECI virtual node, add the alibabacloud.com/eci=true label to the pod or its namespace. Choose the method based on your scheduling scope:
| Method | Label target | Scope | When to use |
|---|---|---|---|
| Pod label | Individual pod | Only the labeled pod is scheduled to ECI | Schedule specific pods to ECI while keeping others on regular nodes |
| Namespace label | Namespace | All pods created in the namespace are scheduled to ECI | Dedicate an entire namespace to ECI workloads |
Method 1: Use a pod label
Add the alibabacloud.com/eci=true label directly to a pod to schedule it to an ECI virtual node. Only the labeled pod is affected; other pods in the same namespace continue to run on regular nodes.
1. Verify that the `istio-injection=enabled` label is on the `default` namespace:

   ```shell
   kubectl get ns default --show-labels
   ```

   Expected output:

   ```
   NAME      STATUS   AGE   LABELS
   default   Active   16d   istio-injection=enabled,kubernetes.io/metadata.name=default,provider=asm
   ```

2. Deploy the NGINX application with the ECI label:

   ```shell
   kubectl run nginx -n default --image nginx -l alibabacloud.com/eci=true
   ```

   Expected output:

   ```
   pod/nginx created
   ```

3. Verify that the pod is running on the virtual node:

   ```shell
   kubectl get pod -n default -o wide | grep virtual-kubelet
   ```

   Expected output:

   ```
   nginx   2/2   Running   0   8m49s   192.168.XXX.XXX   virtual-kubelet-cn-beijing-i   <none>   <none>
   ```

   In the output:

   - `2/2` indicates that both the application container and the injected Envoy sidecar are running. Sidecar injection succeeded.
   - `virtual-kubelet-cn-beijing-i` is the virtual node name, confirming the pod is running on an ECI instance.
Method 2: Use a namespace label
Add the alibabacloud.com/eci=true label to a namespace so that all pods created in that namespace are scheduled to ECI virtual nodes.
1. Verify that the `istio-injection=enabled` label is on the `vk` namespace:

   ```shell
   kubectl get ns vk --show-labels
   ```

   Expected output:

   ```
   NAME   STATUS   AGE   LABELS
   vk     Active   96m   istio-injection=enabled,kubernetes.io/metadata.name=vk,provider=asm
   ```

2. Add the ECI label to the `vk` namespace:

   ```shell
   kubectl label namespace vk alibabacloud.com/eci=true
   ```

   Expected output:

   ```
   namespace/vk labeled
   ```

3. Deploy the NGINX application:

   ```shell
   kubectl -n vk run nginx --image nginx
   ```

   Expected output:

   ```
   pod/nginx created
   ```

4. Verify that the pod is running on the virtual node:

   ```shell
   kubectl -n vk get pod -o wide | grep virtual-kubelet
   ```

   Expected output:

   ```
   nginx   2/2   Running   0   38s   192.168.XXX.XXX   virtual-kubelet-cn-beijing-i   <none>   <none>
   ```

   In the output:

   - `2/2` indicates that both the application container and the injected Envoy sidecar are running. Sidecar injection succeeded.
   - `virtual-kubelet-cn-beijing-i` is the virtual node name, confirming the pod is running on an ECI instance.
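The verification step in both methods can be automated across many pods. The following is an added example, not part of the original topic: it applies the same two criteria (READY column and `virtual-kubelet` node name) to `kubectl get pod -o wide --no-headers` output and flags ECI pods that ASM cannot manage because the sidecar is absent or not ready. The function names, verdict strings, pod names, and sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ECI-scheduled pods for a missing or unready Envoy sidecar.
# Live use: kubectl get pod -n <namespace> -o wide --no-headers | classify_eci_pods

# classify_eci_pods: reads pod lines on stdin and prints, for each pod on a
# virtual node, "<pod> <node> <verdict>" with verdict OK, NO_SIDECAR or NOT_READY.
classify_eci_pods() {
  awk '
    {
      node = ""
      # RESTARTS can print as "1 (5m ago)", which shifts later columns, so
      # find the node by its name prefix instead of a fixed column index.
      for (i = 3; i <= NF; i++) if ($i ~ /^virtual-kubelet/) { node = $i; break }
      if (node == "") next              # regular node: out of scope here
      split($2, r, "/")                 # READY column is ready/total
      if (r[2] + 0 < 2) { verdict = "NO_SIDECAR" }      # app container only
      else if (r[1] != r[2]) { verdict = "NOT_READY" }  # a container is not ready
      else { verdict = "OK" }           # same criterion as 2/2 in the topic
      print $1, node, verdict
    }'
}

# count_unmeshed: number of ECI pods whose verdict is not OK.
count_unmeshed() {
  classify_eci_pods | awk '$3 != "OK" { n++ } END { print n + 0 }'
}

# Constructed sample input (not captured from a real cluster).
SAMPLE='nginx 2/2 Running 0 8m49s 192.168.0.10 virtual-kubelet-cn-beijing-i <none> <none>
batch-job 1/1 Running 0 3m 192.168.0.11 virtual-kubelet-cn-beijing-i <none> <none>
api 1/2 Running 1 (5m ago) 9m 192.168.0.12 virtual-kubelet-cn-beijing-i <none> <none>
web 2/2 Running 0 2d 10.0.0.5 cn-beijing.10.0.0.5 <none> <none>'

printf '%s\n' "$SAMPLE" | classify_eci_pods
```

A `NO_SIDECAR` verdict in a namespace that should have injection enabled is the case to investigate first, because that pod runs on ECI outside the ASM data plane.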