All Products
Search

This Product

    Container Compute Service:Configure an acs-profile to automatically inject pod configurations

    Document Center

    Container Compute Service:Configure an acs-profile to automatically inject pod configurations

    Last Updated:Mar 26, 2026

    acs-profile is a cluster-level ConfigMap that automatically injects network and DNS settings into ACS pods at creation time. Instead of adding vSwitch IDs, security group IDs, or DNS configuration to every workload YAML, you define these defaults once in acs-profile and ACS applies them transparently.

    How it works

    When ACS creates a pod, it reads the ConfigMap named acs-profile in the kube-system namespace and merges the configured defaults into the pod spec. No restart of the acs-virtual-node component is required when you update the ConfigMap.

    Update behavior:

    • New pods: Updated settings take effect immediately.

    • Existing pods: Updated settings do not take effect until you perform a rolling update.

    acs-profile supports two types of configuration:

    • Cluster parameters — Default network settings applied to all ACS pods (vSwitch IDs, security group, VPC, and DNS resolution mode).

    • Selectors — Label-based rules that inject additional annotations and labels into pods matching specific criteria.

    Prerequisites

    Before you begin, ensure that you have:

    • An ACS cluster with the acs-virtual-node component deployed

    • kubectl configured with access to the cluster

    • Permission to read and edit ConfigMaps in the kube-system namespace

    View the current configuration

    Run the following command to view the current acs-profile:

    kubectl get cm -n kube-system acs-profile -o yaml

    A default acs-profile looks like this:

    apiVersion: v1
kind: ConfigMap
metadata:
  name: acs-profile
  namespace: kube-system
data:
  enablePrivateZone: "false"
  securityGroupId: sg-2zeeyaaxlkq9sppl****
  vSwitchIds: vsw-2ze23nqzig8inprou****,vsw-2ze94pjtfuj9vaymf****
  vpcId: vpc-2zeghwzptn5zii0w7****
  selectors: ""

    Update cluster parameters

    The cluster parameters in acs-profile define the default network environment for all ACS pods. Pods that do not explicitly set these values inherit them from the profile.

    Edit the ConfigMap using kubectl:

    kubectl edit configmap acs-profile -n kube-system

    Alternatively, use the ACS console:

    1. Log on to the ACS console.

    2. On the Clusters page, click the name of your cluster.

    3. In the left-side navigation pane, choose Configurations > ConfigMaps.

    4. Select kube-system from the namespace drop-down list.

    5. Find acs-profile and click Edit YAML.

    The following table describes the parameters you can update:

    Parameter Example Description
    securityGroupId sg-2ze0b9o8pjjzts4h**** The security group that ACS pods belong to. Controls inbound and outbound traffic rules for all pods using this profile.
    vSwitchIds vsw-2zeet2ksvw7f14ryz**** The vSwitch IDs to associate with ACS pods. Separate multiple IDs with commas. Determines which subnets pods are launched into.
    vpcId vpc-2zeghwzptn5zii0w7**** The virtual private cloud (VPC) where ACS pods are deployed. Must match the VPC of the specified vSwitches.
    enablePrivateZone "false" Whether to use PrivateZone for domain name resolution. Set to "true" if your pods need to resolve private DNS records.
    Note

    These are cluster-level defaults. A pod spec that explicitly sets any of these values takes precedence over the acs-profile defaults.

    Troubleshoot configuration errors

    If a formatting error exists in the acs-profile after an edit, the configuration does not take effect. ACS records the error as a Kubernetes event. Run the following command to view error details:

    kubectl -n kube-system get event --field-selector involvedObject.namespace=kube-system,involvedObject.name=acs-profile

    Configure selectors

    Selectors let you inject additional annotations and labels into specific pods based on their namespace or pod labels, without modifying those pods' YAML files.

    When ACS creates a pod, it evaluates each selector in order. For each selector whose criteria match the pod, ACS merges the effect settings (annotations and labels) into the pod. Annotations and labels already present on the pod are never overwritten.

    Selector parameters

    Parameter Required Description
    name Yes A unique name for the selector.
    namespaceSelector No Filters pods by the labels on their namespace.
    namespaceSelector.matchLabels No Match rule in {key: value} format.
    namespaceSelector.matchExpressions No List of selector requirements. Valid operators: In, NotIn, Exists, DoesNotExist. For In and NotIn, values must be non-empty.
    objectSelector No Filters pods by the labels on the pod itself.
    objectSelector.matchLabels No Match rule in {key: value} format.
    objectSelector.matchExpressions No List of selector requirements. Same operators as namespaceSelector.matchExpressions.
    effect No The annotations and labels to inject into matching pods.
    Important

    namespaceSelector and objectSelector use AND logic — when both are configured, a pod must satisfy both conditions to match. Configure at least one of them for each selector. If neither is configured but effect is set, the effect applies to all ACS pods in the cluster.

    Selector priority

    If multiple selectors match the same pod, ACS applies them in the order they appear in the selectors array. The injected annotations and labels follow this priority:

    1. Existing annotations and labels on the pod (highest priority — never overwritten)

    2. The effect settings of the first-matched selector

    3. The effect settings of subsequent matched selectors

    Example

    The following acs-profile uses a selector named selector-demo1 to inject a custom DNS configuration into pods that meet specific label criteria:

    apiVersion: v1
kind: ConfigMap
metadata:
  name: acs-profile
  namespace: kube-system
data:
  selectors: |
    [
      {
        "name": "selector-demo1",
        "namespaceSelector": {
          "matchLabels": {
            "kubernetes.io/metadata.name": "dev-ns"
          }
        },
        "objectSelector": {
          "matchLabels": {
            "acs": "true"
          },
          "matchExpressions": [
            {
              "key": "usage",
              "operator": "In",
              "values": ["testing"]
            }
          ]
        },
        "effect": {
          "annotations": {
            "network.alibabacloud.com/custom-dnsconfig": "{\"servers\":[\"114.114.114.114\",\"8.8.8.8\"],\"searches\":[\"xx.com\",\"yy.com\"],\"options\":[\"ndots:2\",\"edns0\"]}"
          },
          "labels": {
            "created-by-acs": "true"
          }
        }
      }
    ]

    What this selector does: Any pod in the dev-ns namespace that has both the acs=true label and usage=testing label receives:

    • Annotation: network.alibabacloud.com/custom-dnsconfig with DNS servers 114.114.114.114 and 8.8.8.8, search domains xx.com and yy.com, and options ndots:2 and edns0

    • Label: created-by-acs=true

    To verify the selector works, create a pod that matches the criteria:

    apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: dev-ns
  labels:
    acs: "true"
    usage: "testing"
spec:
  containers:
  - name: nginx
    image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    command: ["sleep", "infinity"]
    ports:
    - containerPort: 80

    After the pod is created, verify that the annotations and labels were injected:

    kubectl get pod nginx -n dev-ns -o yaml

    In the output, confirm that the network.alibabacloud.com/custom-dnsconfig annotation and created-by-acs=true label appear under metadata.

    image

    What's next