Container Compute Service: Configure an acs-profile to automatically inject pod configurations

Last Updated: Jan 15, 2025

To minimize changes to YAML files, Alibaba Cloud Container Compute Service (ACS) provides the acs-profile feature. An acs-profile provides a resource view at the cluster level. This topic describes how to configure an acs-profile.

Feature description

acs-profile can automatically inject pod configurations. The configurations include the vSwitch, security group, and domain name resolution mode. You can update the configurations based on your business requirements.

  • You do not need to restart the acs-virtual-node component to update the configurations.

  • The updated configurations are immediately applied to newly created ACS pods, but are applied to existing ACS pods only after rolling releases are performed on the pods.

Procedure

When the system creates a pod, it reads the acs-profile configuration file (the ConfigMap named acs-profile) in the kube-system namespace and creates the pod based on the configurations in that file. You can run the following command to view the YAML file of the acs-profile:

kubectl get cm -n kube-system acs-profile -o yaml

In this example, the following YAML is returned:

apiVersion: v1
kind: ConfigMap
metadata:
  name: acs-profile
  namespace: kube-system
data:
  enablePrivateZone: "false"
  securityGroupId: sg-2zeeyaaxlkq9sppl****
  vSwitchIds: vsw-2ze23nqzig8inprou****,vsw-2ze94pjtfuj9vaymf****
  vpcId: vpc-2zeghwzptn5zii0w7****
  selectors: ""

You can use one of the following methods to modify the acs-profile:

  • Run the kubectl edit command

    kubectl edit configmap acs-profile -n kube-system

  • Use the ACS console

    1. Log on to the ACS console.

    2. On the Clusters page, click the name of the cluster to go to the cluster management page.

    3. In the left-side navigation pane of the cluster management page, choose Configurations > ConfigMaps.

    4. Select kube-system from the Namespace drop-down list.

    5. Find the acs-profile and click Edit YAML.

Note

If the file contains a formatting error after you modify a configuration in the acs-profile, the configuration does not take effect. The error information is recorded in an event. You can view the error information by using the following kubectl command:

kubectl -n kube-system get event --field-selector involvedObject.namespace=kube-system,involvedObject.name=acs-profile

Update cluster parameters

The acs-profile contains cluster parameters. For example, the vpcId parameter specifies the virtual private cloud (VPC) to which the pod is deployed. The vSwitchIds parameter specifies the vSwitches that are associated with the pod. You can update the required parameters based on your business requirements. The updated configurations immediately take effect. The following table describes the parameters that you can update.

| Parameter | Example | Description |
|---|---|---|
| securityGroupId | sg-2ze0b9o8pjjzts4h**** | The security group to which the ACS pod belongs. |
| vSwitchIds | vsw-2zeet2ksvw7f14ryz**** | The IDs of vSwitches with which the ACS pod is associated. Separate the vSwitch IDs with commas (,). |
| vpcId | vpc-2zeghwzptn5zii0w7**** | The ID of the VPC in which the ACS pod is deployed. |
| enablePrivateZone | "false" | Specifies whether to use PrivateZone to resolve domain names. |

Note

The preceding parameters are cluster-level default configurations. If you do not modify or overwrite the parameters when you create an ACS pod, the system uses the built-in default configurations specified in the acs-profile.

Configure selectors

When the system creates pods, it matches the pods against the selectors. If a pod has the labels specified in a selector, the specified annotations and labels are added to the pod so that the corresponding ACS pod features take effect.

You can configure multiple selectors for the selectors parameter. You must specify the name of each selector. The following table describes the parameters of a selector:

| Parameter | Description |
|---|---|
| name | The name of the selector. This parameter is required. |
| namespaceSelector | Filters pods by using the labels of namespaces. |
| namespaceSelector.matchLabels | The match rule is described in the {key,value} format. |
| namespaceSelector.matchExpressions | Describes the matching rule by using a list of pod selector requirements. The valid operators include In, NotIn, Exists, and DoesNotExist. The values that you specify for the In and NotIn operators must be non-empty. |
| objectSelector | Filters pods by using the labels of pods. |
| objectSelector.matchLabels | The match rule is described in the {key,value} format. |
| objectSelector.matchExpressions | Describes the matching rule by using a list of pod selector requirements. The valid operators include In, NotIn, Exists, and DoesNotExist. The values that you specify for the In and NotIn operators must be non-empty. |
| effect | The annotations and labels that you want to dynamically add to the pods. |

The configuration template of selectors:

apiVersion: v1
kind: ConfigMap
metadata:
  name: acs-profile
  namespace: kube-system
data:
  selectors: |
    [
      {
        "name": "selector-demo1",
        "namespaceSelector": {
          "matchLabels": {
            "kubernetes.io/metadata.name": "dev-ns"
          }
        },
        "objectSelector": {
          "matchLabels": {
            "acs": "true"
          },
          "matchExpressions": [
            {
              "key": "usage",
              "operator": "In",
              "values": ["testing"]
            }
          ]
        },
        "effect": {
          "annotations": {
            "network.alibabacloud.com/custom-dnsconfig": "{\"servers\":[\"114.114.114.114\",\"8.8.8.8\"],\"searches\":[\"xx.com\",\"yy.com\"],\"options\":[\"ndots:2\",\"edns0\"]}"
          },
          "labels": {
            "created-by-acs": "true"
          }
        }
      }
    ]

In the preceding template, a selector named selector-demo1 provides the following capabilities:

If the namespace of a pod is dev-ns and the pod contains the acs=true and usage=testing labels, the network.alibabacloud.com/custom-dnsconfig="{\"servers\":[\"114.114.114.114\",\"8.8.8.8\"],\"searches\":[\"xx.com\",\"yy.com\"],\"options\":[\"ndots:2\",\"edns0\"]}" annotation and the created-by-acs=true label are automatically added to the pod.

Important

To ensure an exact match, we recommend that you configure at least one of the namespaceSelector and objectSelector parameters for each selector. If both namespaceSelector and objectSelector are configured, the pod must match the values of both parameters. If neither is configured but the effect parameter is configured, the effect settings are applied to all ACS pods, which may cause unnecessary impacts.
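The rules stated above (required name, valid operators, non-empty values for In and NotIn, and the unscoped-effect case) can be checked before the ConfigMap is edited. The following Python check is an added example, not ACS code; the function name lint_selectors and the sample input are assumptions made for illustration.

```python
import json

VALID_OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}

def lint_selectors(raw):
    """Return findings for the acs-profile `selectors` string (hypothetical helper)."""
    if not raw.strip():
        return []  # selectors: "" means that no selector is configured
    try:
        selectors = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"error: selectors is not valid JSON ({exc.msg}, line {exc.lineno})"]
    if not isinstance(selectors, list):
        return ["error: selectors must be a JSON list"]
    findings = []
    for index, sel in enumerate(selectors):
        if not isinstance(sel, dict):
            findings.append(f"error: selector #{index} is not a JSON object")
            continue
        label = sel.get("name") or f"#{index}"
        if not sel.get("name"):
            findings.append(f"error: selector {label} has no name")
        for field in ("namespaceSelector", "objectSelector"):
            for expr in (sel.get(field) or {}).get("matchExpressions", []):
                op = expr.get("operator")
                if op not in VALID_OPERATORS:
                    findings.append(f"error: {label}.{field}: invalid operator {op!r}")
                elif op in ("In", "NotIn") and not expr.get("values"):
                    findings.append(f"error: {label}.{field}: {op} needs non-empty values")
        # An empty {} selector is treated like a missing one (assumption).
        scoped = sel.get("namespaceSelector") or sel.get("objectSelector")
        if sel.get("effect") and not scoped:
            findings.append(f"warning: {label} has an effect but no selector; "
                            "it applies to all ACS pods")
    return findings

# Constructed sample input, not taken from a real cluster.
SAMPLE = json.dumps([
    {"name": "dns-all", "effect": {"labels": {"created-by-acs": "true"}}},
    {"objectSelector": {"matchExpressions": [
        {"key": "usage", "operator": "In", "values": []}]}},
    {"name": "scoped", "objectSelector": {"matchLabels": {"acs": "true"}},
     "effect": {"labels": {"created-by-acs": "true"}}},
])

if __name__ == "__main__":
    for finding in lint_selectors(SAMPLE):
        print(finding)
```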

If you configure multiple selectors, the selectors are matched by ACS in sequence. After pods are matched, the annotations and labels specified in the effect settings are automatically added to the pods. These annotations and labels do not overwrite existing annotations and labels of the pods. If duplicate annotations or labels exist, the priorities of the annotations or labels are as follows:

  1. The existing annotations and labels of the pods.

  2. The annotations and labels specified in the effect settings of the first-matched selectors.

  3. The annotations and labels specified in the effect settings of the subsequently matched selectors.
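The matching and priority rules above can be simulated offline to predict what a pod receives before a selector is rolled out. This Python model is an added example, not ACS code: it assumes standard Kubernetes label-selector semantics and matching against the pod's original labels. selector-demo2 and all values in it are constructed.

```python
def matches(selector, labels):
    """Evaluate matchLabels and matchExpressions (all must hold) against labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, values = expr["key"], expr.get("values", [])
        present = key in labels
        result = {
            "In": present and labels.get(key) in values,
            "NotIn": not present or labels.get(key) not in values,
            "Exists": present,
            "DoesNotExist": not present,
        }[expr["operator"]]
        if not result:
            return False
    return True

def apply_profile(selectors, ns_labels, pod_labels, pod_annotations):
    """Return (matched selector names, final labels, final annotations)."""
    labels, annotations, matched = dict(pod_labels), dict(pod_annotations), []
    for sel in selectors:  # selectors are evaluated in sequence
        # Assumption: objectSelector is checked against the pod's original labels.
        if not (matches(sel.get("namespaceSelector", {}), ns_labels)
                and matches(sel.get("objectSelector", {}), pod_labels)):
            continue
        matched.append(sel["name"])
        effect = sel.get("effect", {})
        for key, value in effect.get("labels", {}).items():
            labels.setdefault(key, value)  # existing or earlier value wins
        for key, value in effect.get("annotations", {}).items():
            annotations.setdefault(key, value)
    return matched, labels, annotations

DNS_KEY = "network.alibabacloud.com/custom-dnsconfig"
# selector-demo1 follows the template above; selector-demo2 and all values are constructed.
SELECTORS = [
    {"name": "selector-demo1",
     "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "dev-ns"}},
     "objectSelector": {"matchLabels": {"acs": "true"}, "matchExpressions": [
         {"key": "usage", "operator": "In", "values": ["testing"]}]},
     "effect": {"annotations": {DNS_KEY: '{"servers":["192.0.2.53"]}'},
                "labels": {"created-by-acs": "true"}}},
    {"name": "selector-demo2",
     "objectSelector": {"matchLabels": {"acs": "true"}},
     "effect": {"annotations": {DNS_KEY: '{"servers":["192.0.2.54"]}'},
                "labels": {"created-by-acs": "false", "usage": "batch"}}},
]
```

Calling apply_profile with the dev-ns namespace labels and a pod labeled acs=true and usage=testing returns both selector names, with the values from selector-demo1 kept for every duplicate key.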

Example

  1. Use the following content to create a Deployment that meets the selector-demo1 conditions. For more information, see Use a YAML template to create an application.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      namespace: dev-ns
      labels:
        acs: "true"
        usage: "testing"
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        command: ["sleep", "infinity"]
        ports:
        - containerPort: 80

  2. After you create the Deployment, the pod information is displayed, as shown in the following figure:

    [Figure: pod information]