Schedule pods to elastic container instances through virtual nodes in registered clusters -

When using Container Service for Kubernetes (ACK) clusters, you may need to quickly launch many pods in a short time. Scaling out Elastic Compute Service (ECS) nodes for these pods takes too long, while reserving extra idle ECS instances wastes resources. A better solution is to schedule pods to run on elastic container instances through ACK virtual nodes. This way, you do not need to purchase or manage ECS instances. This topic describes how to schedule pods to elastic container instances in ACK One registered clusters.

How it works

Elastic Container Instance is a serverless compute service provided by Alibaba Cloud for containerization that offers an O&M-free, isolated, and rapidly deployable runtime environment for your containers. Elastic container instances allow you to focus on containerized applications without the need to purchase or manage ECS instances. You can create elastic container instances as needed, and are charged for resource usage on a per second basis.

Typically, your cluster has at least one group of data center nodes. After you create pods, the cluster schedules the pods to run on nodes. This scheduling mode is suitable for applications that receive a stable volume of traffic. If your workload has sudden or unpredictable spikes, use virtual nodes to schedule pods directly to elastic container instances is recommended. This solution skips node creation time and avoids idle resource costs.

Prerequisites

A registered cluster is created and a self-managed cluster whose Kubernetes version is 1.14 or later is connected to the registered cluster.
The region where the cluster is deployed is supported by Elastic Container Instance. To view the supported regions and zones, log on to the Elastic Container Instance console. For more information about the supported regions and zones, see Regions and zones.

Step 1: Grant RAM permissions to ack-virtual-node

Use onectl

Install onectl on your on-premises machine. For more information, see Use onectl to manage registered clusters.

Run the following command to grant Resource Access Management (RAM) permissions to ack-virtual-node:

onectl ram-user grant --addon ack-virtual-node

Expected output:

Ram policy ack-one-registered-cluster-policy-ack-virtual-node granted to ram user ack-one-user-ce313528c3 successfully.

Use the console

Before you can install the component in a registered cluster, you must specify an AccessKey pair in the self-managed Kubernetes cluster. The AccessKey pair is required when you access Alibaba Cloud services from the self-managed Kubernetes cluster. Before you set the AccessKey pair, create a RAM user and grant the RAM user the permissions to access Alibaba Cloud resources.

Create a RAM user.

Optional: Create a custom policy.

Show sample code

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "vpc:DescribeVSwitches",
                "vpc:DescribeVpcs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "eci:CreateContainerGroup",
                "eci:DeleteContainerGroup",
                "eci:DescribeContainerGroups",
                "eci:DescribeContainerGroupStatus",
                "eci:DescribeContainerGroupEvents",
                "eci:DescribeContainerLog",
                "eci:UpdateContainerGroup",
                "eci:UpdateContainerGroupByTemplate",
                "eci:CreateContainerGroupFromTemplate",
                "eci:RestartContainerGroup",
                "eci:ExportContainerGroupTemplate",
                "eci:DescribeContainerGroupMetric",
                "eci:DescribeMultiContainerGroupMetric",
                "eci:ExecContainerCommand",
                "eci:CreateImageCache",
                "eci:DescribeImageCaches",
                "eci:DeleteImageCache",
                "eci:DescribeContainerGroupMetaInfos",
                "eci:UpdateImageCache",
                "eci:RestartContainer",
                "eci:RestartContainers"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "acc:DescribeZones",
                "acc:CreateInstance",
                "acc:UpdateInstance",
                "acc:DeleteInstance",
                "acc:RestartInstance",
                "acc:DescribeInstances",
                "acc:DescribeInstanceStatus",
                "acc:DescribeInstanceEvents",
                "acc:DescribeInstanceDetail",
                "acc:DescribeMultiInstanceMetric",
                "acc:DescribeContainerLog",
                "acc:ResizeInstanceVolume",
                "acc:CreateCustomResource",
                "acc:UpdateCustomResource",
                "acc:DeleteCustomResource",
                "acc:DescribeCustomResources",
                "acc:DescribeCustomResourceDetail"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Attach a policy to the RAM user.
You can grant RAM users permissions by adding system policies such as AliyunECIFullAccess, AliyunVPCReadOnlyAccess, and AliyunAccFullAccess, or custom permission policies.
Create an AccessKey pair for the RAM user.
Warning
We recommend that you configure AccessKey pair-based policies for network access control, limiting AccessKey invocation sources to trusted network environments to enhance AccessKey security.
Use the AccessKey pair to create a Secret named alibaba-addon-secret in the registered cluster.
The system automatically uses the AccessKey pair to access cloud resources when you install ack-virtual-node.
```
kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your access key id>' --from-literal='access-key-secret=<your access key secret>'
```
Note
Replace <your access key id> and <your access key secret> with the AccessKey pair that you obtained in the previous step.

Step 2: Install ack-virtual-node

Use onectl

Run the following command to install ack-virtual-node:

onectl addon install ack-virtual-node

Expected output:

Addon ack-virtual-node, version **** installed.

Use the console

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the one you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.
On the Add-ons page, find ack-virtual-node and click Install.
In the Note dialog box, click OK. The default vSwitch and security group of the cluster are used for elastic container instances that are deployed by ack-virtual-node. For more information, see What to do next.

Step 3: Schedule pods to elastic container instances

After ack-virtual-node is deployed in your cluster, you can schedule pods to elastic container instances that are deployed as virtual nodes in your cluster. You can use one of the following methods to schedule pods to elastic container instances in a registered cluster: Make sure that the virtual nodes are in the Ready state before you schedule the pods.

Run the following command to query the status of the virtual node:
```
kubectl  get no |grep virtual-kubelet
```
Expected output:
```
virtual-kubelet-cn-hangzhou-b   Ready    agent                  18d   v1.20.11-aliyun.1
```
The output indicates that the virtual node is in the Ready state.

You can use one of the following three methods to schedule pods to elastic container instances.

Method 1: Add labels to pods (version of the cluster is later than 1.16)

Add the alibabacloud.com/eci=true label to the pod that you want to create. Then, an Elastic Container Instance-based pod is created and scheduled to the virtual node. Example:

Run the following command to add a label to the pod:

kubectl run nginx --image nginx -l alibabacloud.com/eci=true

Run the following command to query the pod:

kubectl get pod -o wide|grep virtual-kubelet

Expected output:

nginx-7fc9f746b6-r4xgx     0/1     ContainerCreating   0          20s   192.168.XX.XX   virtual-kubelet        <none>           <none>

Method 2: Add labels to namespaces

Add the alibabacloud.com/eci=true label to the namespace to which the pod belongs. Then, an Elastic Container Instance-based pod is created and scheduled to the virtual node. Example:

Run the following command to create a virtual node:

kubectl create ns vk

Run the following command to add a label to the namespace to which the pod belongs:

kubectl label namespace vk alibabacloud.com/eci=true

Run the following command to schedule the pod to the virtual node:

kubectl -n vk run nginx --image nginx

Run the following command to query the pod:

kubectl -n vk get pod -o wide|grep virtual-kubelet

Expected output:

nginx-6f489b847d-vgj4d      1/1     Running             0          1m   192.168.XX.XX   virtual-kubelet        <none>           <none>

Method 3: Specify node names

Schedule only specified pods to virtual nodes. Add the nodeName: virtual-kubelet-cn-shanghai-k label to the the pod. Then, an Elastic Container Instance-based pod is created and scheduled to a virtual node. Example:

Create a file named nginx-deployment.yaml and copy the following content to the file:

apiVersion: apps/v1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      nodeName: virtual-kubelet-cn-shanghai-k             # nodeName of the specified virtual kubelet
      containers:
      - name: nginx
        image: nginx:1.7.9 # replace it with your exactly <image_name:tags>
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"

Run the following command to deploy the application:
```
kubectl apply -f nginx-deployment.yaml
```

Run the following command to query the pod:

kubectl  get pod -o wide|grep virtual-kubelet

Expected output:

nginx-6f489b847d-XXX      1/1     Running             0          1m   192.168.XX.XX   virtual-kubelet        <none>           <none>
nginx-6f489b847d-XXX      1/1     Running             0          1m   192.168.XX.XX   virtual-kubelet        <none>           <none>

What to do next

Modify the configurations of the vSwitch to which an elastic container instance is connected

You can modify the ECI_VSWITCH environment variable to change the vSwitch of the pods that are scheduled to the virtual node. We recommend that you configure multiple vSwitches that are deployed in different zones to ensure high availability. When elastic container instances in the current zone are out of stock, the virtual node controller creates pods in another zone.

Run the following command to modify the configurations of the vSwitch to which an elastic container instance is connected:

kubectl edit configmap eci-profile -n kube-system

Configuration example:

data:
  enableClusterIp: "true"
  enableHybridMode: "false"
  enablePrivateZone: "false"
  securityGroupId: sg-2zeeyaaxlkq9sppl****
  selectors: ""
  vSwitchIds: vsw-2ze23nqzig8inprou****,vsw-2ze94pjtfuj9vaymf****     # the vSwitch to which an elastic container instance pod is connected. Separate multiple vSwitch IDs with commas (,).
  vpcId: vpc-2zeghwzptn5zii0w7****

For more information about how to configure an eci-profile, see Configure an eci-profile.

Delete a virtual node

Uninstall ack-virtual-node from the registered cluster.
Use onectl
Run the following command to uninstall ack-virtual-node:
```
onectl addon uninstall ack-virtual-node
```
Expected output:
```
Addon ack-virtual-node uninstalled.
```
Use the console
Go to the Add-ons page in the ACK console and uninstall ack-virtual-node.
Run the kubectl delete node <node name> to delete the virtual nodes that you do not need.
Note
After you uninstall ack-virtual-node, existing elastic container instances in your cluster are not deleted.