All Products
Search

This Product

    Elastic Container Instance:Manually deploy a VNode in a self-managed Kubernetes cluster

    Document Center

    Elastic Container Instance:Manually deploy a VNode in a self-managed Kubernetes cluster

    Last Updated:Mar 31, 2026

    Deploy a VNode (virtual node) to connect your self-managed Kubernetes cluster to Elastic Container Instance (ECI). Once connected, the cluster can schedule pods as serverless elastic container instances — no VM node provisioning required, and you pay only for actual pod execution time.

    This topic applies to self-managed clusters running in a data center or on Elastic Compute Service (ECS) instances.

    Limitations

    Before you begin, note the following constraints:

    • VNodes are not real nodes. DaemonSets cannot run on VNodes. After deployment, configure nodeAffinity on kube-proxy to exclude the VNode from DaemonSet scheduling.

    • ServiceAccount mode does not support certificate rotation. If the kubeconfig token expires, the VNode stops working.

    • Supported Kubernetes versions: 1.16 to 1.30.

    Prerequisites

    Before you begin, make sure you have:

    • A Kubernetes cluster (version 1.16–1.30)

    • If the cluster runs in a data center: a network connection between the data center and the virtual private cloud (VPC) where ECI pods will run, established via Express Connect, Smart Access Gateway (SAG), or VPN Gateway. For setup instructions, see What is Express Connect?, What is SAG?, or What is VPN Gateway?

    • The following network resources in the target region:

      • A VPC that can reach the Kubernetes API server

      • One or more vSwitches within the VPC (you can specify 1 to 10 vSwitches for a VPC)

      • An advanced security group with these inbound rules:

        • Allow all ports (1–65535) from the VPC CIDR block

        • Allow ports 10250 and 10255 from the Kubernetes API server endpoint

    Step 1: Prepare required permissions

    To create a VNode, the VNode identity needs both standard Kubernetes node permissions and additional ECI-specific permissions.

    Standard permissions:

    PermissionDescription
    system:nodeStandard node permissions
    system:node-proxierStandard kube-proxy permissions
    system:certificates.k8s.io:certificatesigningrequests:nodeclientAllows nodes to request new certificates
    system:certificates.k8s.io:certificatesigningrequests:selfnodeclientAllows nodes to rotate certificates using existing certificates

    Additional permissions:

    PermissionDescription
    pods update, pods patchUpdates pod annotations (for example, adds k8s.aliyun.com/eci-instance-id)
    pvc update, pvc patchUpdates PersistentVolumeClaim (PVC) annotations

    Step 2: Generate a kubeconfig certificate

    The VNode uses a kubeconfig certificate to authenticate against your Kubernetes cluster. Skip this step if you plan to use an admin certificate.

    Two modes are available:

    ModeCertificate rotationRecommendation
    TLS bootstrappingSupported (automatic)Use for production
    ServiceAccountNot supportedUse only when TLS bootstrapping is unavailable

    TLS bootstrapping (recommended)

    This mode automatically deploys vnode-approver to approve certificate signing requests (CSRs) from VNodes, and supports automatic certificate rotation. The vnode-approver source code is available at vnode-approver.

    1. Connect to your Kubernetes cluster.

    2. Run the following command to generate the kubeconfig:

      curl -fsSL https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnode-deploy.sh | bash -s -- bootstrap

    ServiceAccount

    Important

    This mode does not support certificate rotation. Make sure the token has a long validity period to prevent VNode failure when the kubeconfig expires.

    1. Connect to your Kubernetes cluster.

    2. Run the following command to generate the kubeconfig:

      curl -fsSL https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnode-deploy.sh | bash -s -- common

    View the generated kubeconfig

    The script generates a kubeconfig file named vnode-config. Run the following command to view it:

    cat vnode-config

    Before proceeding, verify the following:

    • Server connectivity: The VPC where the VNode will run must be able to reach the server address in the kubeconfig.

      • If the server address is an IP address, confirm the IP is reachable from the VPC.

      • If the server address is a domain name, confirm the domain resolves correctly within an Alibaba Cloud VPC and that the resolved IP is reachable.

    • Certificate data: If certificate-authority-data is empty, check whether the PATH field is used in ~/.kube/config.

    TLS bootstrapping

    Sample kubeconfig (TLS bootstrapping):

    apiVersion: v1
kind: Config
current-context: kubernetes-admin@kubernetes
contexts:
- name: kubernetes-admin@kubernetes
  context:
    cluster: kubernetes-admin@kubernetes
    user: vnode
    namespace: kube-system
clusters:
- name: kubernetes-admin@kubernetes
  cluster:
    certificate-authority-data: "*****************************************=="
    server: https://10.16.XX.XX:6443
users:
- name: vnode
  user:
    token: ******.****************

    ServiceAccount

    Sample kubeconfig (ServiceAccount):

    apiVersion: v1
kind: Config
current-context: kubernetes-admin@kubernetes
contexts:
- name: kubernetes-admin@kubernetes
  context:
    cluster: kubernetes-admin@kubernetes
    user: vnode
    namespace: kube-system
clusters:
- name: kubernetes-admin@kubernetes
  cluster:
    certificate-authority-data: "*****************************************=="
    server: https://10.16.XX.XX:6443
users:
- name: vnode
  user:
    token: ***********************************************

    Step 3: Create a VNode

    Use the console

    1. Log on to the Elastic Container Instance console.

    2. In the top navigation bar, select the region.

    3. In the left-side navigation pane, click Virtual Node.

    4. Click Create Virtual Node.

    5. Configure the following parameters, then click OK.

    ParameterDescription
    VPC, vSwitch, and Security GroupThe VPC and security group for the VNode, and the associated vSwitch(es). See the Prerequisites section for setup details.
    KubeConfigThe kubeconfig certificate generated in Step 2.
    TlsBootstrapEnabledEnable if you generated the kubeconfig using TLS bootstrapping mode. When enabled, the system automatically renews the kubeconfig certificate before it expires.
    TagsTags bound to the VNode. Use tags to filter costs by VNode in split-bill analysis. For details, see View split bills based on tags.
    TaintsTaints bound to the VNode.
    Resource GroupThe resource group for the VNode. If left blank, the VNode is added to the default resource group.

    Use the API

    Call the CreateVirtualNode API operation. The following table lists the key parameters.

    ParameterTypeExampleDescription
    RegionIdStringcn-shanghaiThe region where the VNode is created.
    VSwitchIdStringvsw-2ze23nqzig8inprou****The vSwitch for the VNode and its elastic container instances. You can specify 1 to 10 vSwitches for a VPC.
    SecurityGroupIdStringsg-2ze81zoc3yl7a3we****The security group for the VNode and its elastic container instances.
    KubeConfigStringJTVDbmFwaVZlcnNpb24...The kubeconfig certificate. Must be Base64-encoded.
    TlsBootstrapEnabledBooleantrueEnable if you generated the kubeconfig using TLS bootstrapping mode.

    Step 4: Verify the VNode

    After creating the VNode, wait a few minutes, then run the following command in your Kubernetes cluster:

    kubectl get nodes

    If the VNode information is displayed in the node list, the VNode is created successfully. If the VNode does not appear, see Troubleshooting.

    Step 5: Prevent DaemonSets from scheduling to the VNode

    VNodes are virtual — DaemonSets cannot run on them. After creating the VNode, configure nodeAffinity on kube-proxy to exclude the VNode.

    1. Open the kube-proxy DaemonSet for editing:

      kubectl -n kube-system edit ds kube-proxy

    2. Add the following block to spec.template.spec:

      affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: type
          operator: NotIn
          values:
          - virtual-kubelet

    Troubleshooting

    If the VNode does not appear in kubectl get nodes, open the Elastic Container Instance console, go to the Virtual Node page, click the VNode ID, and view the Events tab.

    Common errors

    Error: `failed to get kubernetes server version, Get "https://10.50.XX.XX:6443/version?timeout=32s": net/http: request canceled (Client.Timeout exceeded while awaiting headers`

    The VPC cannot reach the Kubernetes API server. Verify that the VNode and the API server are in the same VPC, or that the VPC-to-API-server connection is established.

    Error: `failed to get kubernetes server version, Get "https://lb.kubesphere.local:6443/version?timeout=32s": dial tcp: lookup lb.kubesphere.local on 100.100.X.:53: no such host`

    The Kubernetes API server domain name cannot be resolved within the Alibaba Cloud VPC. Use Alibaba Cloud DNS PrivateZone to resolve the domain name.

    What's next

    Schedule pods to the VNode to run them as elastic container instances:

    • Manual scheduling: Use nodeSelector, tolerations, or nodeName to target the VNode explicitly. For details, see Schedule pods to a VNode.

    • Automatic scheduling: Deploy the eci-profile component and configure a Selector. Pods matching the selector are automatically scheduled to the VNode. For details, see Use eci-profile to schedule pods to a VNode.

    For questions or issues deploying a VNode in a self-managed Kubernetes cluster, join the DingTalk group (ID: 44666389) for assistance.