Elastic Container Instance: Configure an ECI Profile to orchestrate pods

Last Updated: May 19, 2022

To minimize changes to the YAML file, ECI provides the ECI Profile feature. This feature allows you to configure elastic container instances within a cluster and helps you orchestrate pods based on selectors. This topic describes how to configure an ECI Profile.

Introduction to ECI profile

The ECI Profile feature provides the following capabilities:

  • ECI Scheduler

    In scenarios in which both real nodes and virtual nodes (VNodes) are used, you can configure pod labels or namespace labels to schedule pods to a VNode, and then run the pods on the elastic container instances that are deployed in the VNode. You can also configure the nodeSelector and tolerations parameters to perform the same operations. To use these methods, you must modify your existing resources. These modifications may cause vulnerabilities in your system.

    ECI Scheduler uses a scheduling mechanism based on a mutating webhook. In the eci-profile component, you can declare the namespace labels or pod labels to be matched. Pods that have the declared labels are automatically scheduled to VNodes and then run on the elastic container instances that are deployed in the VNodes.

  • ECI Effect

    You must add annotations or labels to pods to allow some Elastic Container Instance features to take effect, such as when you specify Elastic Compute Service (ECS) instance types or enable image caches. ECI Effect automatically adds annotations and labels. In the eci-profile component, you can declare the namespace labels or pod labels to be matched and specify the annotations and labels to be added. The specified annotations and labels are automatically added to the pods that have the declared labels.

    For more information about the annotations that can be added, see Annotations supported by Elastic Container Instance.

Deploy the eci-profile component

Before you use the ECI Profile feature, you must deploy the eci-profile component in the cluster.

  1. Save the following content as the eci-profile.yaml file.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: eci-profile
      namespace: kube-system
    data:
      selectors: |
        [
            {
                "name":"default-pod-selector",
                "objectSelector":{
                    "matchLabels":{
                        "alibabacloud.com/eci": "true"
                    }
                }
            },
            {
                "name":"default-namespace-selector",
                "namespaceSelector":{
                    "matchLabels":{
                        "alibabacloud.com/eci": "true"
                    }
                }
            }
        ]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: alicloud-eci-profile
    rules:
      - apiGroups:
          - ""
        resources:
          - namespaces
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - events
        verbs:
          - create
          - patch
          - update
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - get
          - list
          - watch
          - create
          - patch
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - get
      - apiGroups:
          - "admissionregistration.k8s.io"
        resources:
          - mutatingwebhookconfigurations
        verbs:
          - get
          - patch
          - create
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: alicloud-eci-profile
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: alicloud-eci-profile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: alicloud-eci-profile
    subjects:
      - kind: ServiceAccount
        name: alicloud-eci-profile
        namespace: kube-system
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        role: eci-profile
      name: eci-profile
      namespace: kube-system
    spec:
      ports:
        - port: 443
          targetPort: 443
      selector:
        app: eci-profile
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: alicloud-eci-profile
      namespace: kube-system
      labels:
        app: eci-profile
        webhook: eci-profile
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: eci-profile
      template:
        metadata:
          labels:
            app: eci-profile
        spec:
          serviceAccount: alicloud-eci-profile
          terminationGracePeriodSeconds: 60
          containers:
            - name: eci-profile
              image: registry.cn-hangzhou.aliyuncs.com/eci/eci-profile:v1.0.0
              imagePullPolicy: Always
              command:
                - /eci-profile
              args:
                - --profileProvider
                - cm
              resources:
                requests:
                  memory: 30M
                  cpu: 100m

    By default, the following selectors are added to the preceding template:

    • default-pod-selector: The pods that have the alibabacloud.com/eci: true label are automatically scheduled to the VNode.

    • default-namespace-selector: The pods in the namespaces that have the alibabacloud.com/eci: true label are automatically scheduled to the VNode.

    In addition, if you want to schedule the eci-profile component to the VNode, you must add nodeSelector and tolerations to eci-profile.

    nodeSelector:
      k8s.aliyun.com/vnode: "true"
    tolerations:
    - key: k8s.aliyun.com/vnode
      operator: "Equal"
      value: "true"
      effect: "NoSchedule"
  2. Deploy the eci-profile component.

    kubectl create -f eci-profile.yaml
  3. View the deployment result.

    kubectl -n kube-system get pods

    If the following command output is returned, the eci-profile component is deployed.

    NAME                                                     READY   STATUS    RESTARTS   AGE
    alicloud-eci-profile-568d64cf84-f7sz8                    1/1     Running   0          26h

Configuration description and sample configurations

ECI Profile reads the selectors in eci-profile to match pods. The pods that have the labels in the selectors are automatically scheduled to VNodes, or have annotations and labels added to them so that the features of Elastic Container Instance take effect.

After eci-profile is deployed, you can run the following command to modify the configurations of eci-profile:

kubectl edit configmap eci-profile -n kube-system

The following code shows how to configure a selector:

selectors: |
    [
      {
        "name":"demo",
        "namespaceSelector":{
          "matchLabels":{
            "eci":"true"
          }
        },
        "objectSelector":{
          "matchLabels":{
            "eci":"true"
          }
        },
        "effect":{
          "annotations":{
            "k8s.aliyun.com/eci-image-cache": "true"
          },
          "labels":{
            "created-by-eci":"true"
          }
        }
      }
    ]

In the preceding template, a selector named demo is declared to enable the following feature:

If both the namespace to which a pod belongs and the pod itself have the eci: true label, the pod is automatically scheduled to the VNode. In addition, the "k8s.aliyun.com/eci-image-cache": "true" annotation and the created-by-eci: true label are added to the pod.

You must declare the name of each selector. You can also declare the following fields based on your business requirements:

  • namespaceSelector: the namespace labels to match.

  • objectSelector: the pod labels to match.

  • effect: the annotations and labels to be dynamically added.

Notice

  • In a selector, you must configure namespaceSelector, objectSelector, or both. If you configure both, only the pods that have all the labels specified in both namespaceSelector and objectSelector can be automatically scheduled to the VNode.

  • If the cluster version is 1.16 or later, the objectSelector feature is supported. If the cluster version is earlier than 1.16, try to enable the objectSelector feature by using a feature gate.
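
The following added example (not part of the original topic or of the eci-profile component) checks a selectors array against the rules above and previews which selectors match a given pod and what their effect would add, so that a change can be reviewed before you run kubectl edit. The function names, the two broken sample entries, and the matchLabels-only evaluation are assumptions of this sketch.

```python
import json

# Constructed sample: the page's "demo" selector plus two deliberately broken entries.
SELECTORS = json.loads("""
[
  {"name": "demo",
   "namespaceSelector": {"matchLabels": {"eci": "true"}},
   "objectSelector": {"matchLabels": {"eci": "true"}},
   "effect": {"annotations": {"k8s.aliyun.com/eci-image-cache": "true"},
              "labels": {"created-by-eci": "true"}}},
  {"name": "no-match-fields", "effect": {"labels": {"team": "a"}}},
  {"objectSelector": {"matchLabels": {"amd": "true"}}}
]
""")
MATCH_FIELDS = ("namespaceSelector", "objectSelector")

def validate(selectors):
    """Return the violations of the rules stated above, one string per problem."""
    problems = []
    for i, sel in enumerate(selectors):
        ident = sel.get("name") or f"#{i}"
        if not sel.get("name"):
            problems.append(f"{ident}: missing name")
        if not any(f in sel for f in MATCH_FIELDS):
            problems.append(f"{ident}: needs namespaceSelector, objectSelector, or both")
    return problems

def _match(selector, labels):
    # Assumption: only matchLabels is evaluated; an absent field adds no constraint.
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())

def preview(selectors, ns_labels, pod_labels):
    """Return (matched names, annotations added, labels added) for one pod."""
    names, annotations, labels = [], {}, {}
    for sel in selectors:
        if not sel.get("name") or not any(f in sel for f in MATCH_FIELDS):
            continue  # invalid entries are skipped in this sketch
        if _match(sel.get("namespaceSelector"), ns_labels) and \
           _match(sel.get("objectSelector"), pod_labels):
            names.append(sel["name"])
            effect = sel.get("effect", {})
            annotations.update(effect.get("annotations", {}))
            labels.update(effect.get("labels", {}))
    return names, annotations, labels

if __name__ == "__main__":
    print(validate(SELECTORS))
    print(preview(SELECTORS, {"eci": "true"}, {"eci": "true", "app": "web"}))
    print(preview(SELECTORS, {}, {"eci": "true"}))
```
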

Sample configuration 1: Schedule specific pods to an elastic container instance

Scenario: Schedule the pods that have the created-by-eci: true label and whose namespaces have the type: eci label to a VNode. The following code provides a sample YAML file.

apiVersion: v1
kind: ConfigMap
metadata:
  name: eci-profile
  namespace: kube-system
data:
  selectors: |
    [
      {
        "name":"eci-selector-1",
        "namespaceSelector":{
          "matchLabels":{
            "type":"eci"
          }
        },
        "objectSelector":{
          "matchLabels":{
            "created-by-eci":"true"
          }
        }
      }
    ]

Sample configuration 2: Schedule all pods in a specific namespace to a GPU-accelerated elastic container instance

Scenario: Schedule all pods in the namespaces that have the gpu: true label to a VNode. In addition, the elastic container instances are created based on the ECS instances of the ecs.gn6v-c8g1.2xlarge GPU-accelerated instance type. The following code provides a sample YAML file.

apiVersion: v1
kind: ConfigMap
metadata:
  name: eci-profile
  namespace: kube-system
data:
  selectors: |
    [
      {
        "name":"gpu-namespace-selector-1",
        "namespaceSelector":{
          "matchLabels":{
            "gpu":"true"
          }
        },
        "effect": {
          "annotations": {
            "k8s.aliyun.com/eci-use-specs":"ecs.gn6v-c8g1.2xlarge"
          }
        }
      }
    ]

Sample configuration 3: Schedule specific pods to an AMD-based elastic container instance

Scenario: Schedule the pods that have the amd: true label to a VNode. In addition, the elastic container instances are created based on the ECS instances of the ecs.c6a.xlarge AMD-based ECS instance type. The following code provides a sample YAML file.

apiVersion: v1
kind: ConfigMap
metadata:
  name: eci-profile
  namespace: kube-system
data:
  selectors: |
    [
      {
        "name":"amd-object-selector-1",
        "objectSelector":{
          "matchLabels":{
            "amd":"true"
          }
        },
        "effect": {
          "annotations": {
            "k8s.aliyun.com/eci-use-specs": "ecs.c6a.xlarge"
          }
        }
      }
    ]