If you have self-managed Kubernetes clusters in a data center or on an Alibaba Cloud Elastic Compute Service (ECS) instance and you want to use elastic container instances in the self-managed Kubernetes clusters, you must deploy VNodes. This topic describes how to configure a kubeconfig certificate and manually create a VNode in a Kubernetes cluster. This way, you can use elastic container instances in the Kubernetes cluster.
Prerequisites
A Kubernetes cluster whose version is from 1.13 to 1.22 is deployed.
If your Kubernetes cluster is deployed in a data center, make sure that the data center and the virtual private cloud (VPC) are connected with each other by using Express Connect, Smart Access Gateway, or VPN Gateway. For more information, see the following topics:
Preparations
Before you connect a VNode to a self-managed Kubernetes cluster, prepare the parameter information that is required for creating a VNode and understand the permissions that are required to connect the VNode to the cluster. The following table describes the parameter information that is required for creating a VNode.
Parameter | Description | Operation |
Region | A region is a geographic location where Alibaba Cloud data centers are deployed. Select a region based on the geographical location of your end users and resource prices. For more information, see Regions and zones. The elastic container instance and relevant resources are created in the region that you selected. | You can query the regions where Elastic Container Instance is available by using the Elastic Container Instance console or by calling the DescribeRegions API operation. |
VPC | A VPC is a private network established on Alibaba Cloud. VPCs are logically isolated from each other. For more information, see What is a VPC? The elastic container instance and relevant resources are created in the VPC that you configured. Note If your Kubernetes cluster is deployed in a data center, make sure that the network of the data center and the VPC are connected with each other. | You can create and view VPCs on the VPCs page in the VPC console. |
vSwitch | A vSwitch is a basic network device that connects different cloud resources. If you want to create an elastic container instance and relevant resources in a VPC, you must specify a vSwitch. You can also specify multiple vSwitches. In this case, the system automatically selects a vSwitch from the pool of vSwitches. | You can create and view vSwitches on the vSwitch page in the VPC console and select a vSwitch in the VPC that you selected. |
Security Group | Security groups are virtual firewalls that control the inbound and outbound traffic of resources in the group to improve network security. For more information about security groups, see Overview. The elastic container instance and relevant resources are added to the security group that you selected. Note We recommend that you select an advanced security group and add the following inbound security group rules:
| You can create and view security groups on the Security Groups page in the ECS console and select a security group in the VPC that you selected. |
To create a VNode, you must configure standard permissions for native Kubernetes nodes and additional permissions for the VNode, as shown in the following table.
Type | Permission | Description |
Standard permissions | system:node | Standard permissions for nodes. |
system:node-proxier | Standard permissions for kube-proxy. | |
system:certificates.k8s.io:certificatesigningrequests:nodeclient | The permission for nodes to initiate the request to create a certificate. | |
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient | The permission for nodes to initiate a request to create a certificate based on existing certificates. The permission is to request for certificate rotation. | |
Additional permissions | pods update and pods patch | The permissions for updating annotations of pods. For example, you can add computed annotations such as |
pvc update and pvc patch | The permissions for updating annotations of PersistentVolumeClaims (PVCs). | |
endpoints create and endpoints update | Leader election assurance. You do not need to configure these permissions for clusters of later than V1.13. |
Configure the cluster to generate a kubeconfig certificate
Before you create a VNode, you must generate a kubeconfig certificate for the VNode.
If you use an admin certificate, skip this section.
Connect to your Kubernetes cluster.
Download and execute a configuration script to generate a kubeconfig certificate.
In TLS bootstrapping or ServiceAccount mode, run the appropriate command to generate a kubeconfig certificate based on the version of your Kubernetes cluster. TLS is the acronym of Transport Layer Security.
TLS bootstrapping
If you have security requirements, we recommend that you use the TLS bootstrapping mode. In this mode, the vnode-approver component is automatically deployed. The vnode-approver component is used to approve certificate signing requests (CSRs) that are sent by VNodes. vnode-approver has open source code on GitHub. For more information, see vnode-approver.
If the cluster version is from 1.14 to 1.22, run the following command to generate a kubeconfig certificate:
curl -fsSL https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnode-deploy.sh | bash -s -- bootstrapIf the cluster version is 1.13, run the following command to generate a kubeconfig certificate:
For clusters of v1.13, the endpoint resource needs to select a leader. You must configure additional permissions by setting EXTRA_PRIVILEDGE=true in the script.
curl -fsSL https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnode-deploy.sh | env EXTRA_PRIVILEDGE=true bash -s -- bootstrapServiceAccount
This mode does not support certificate rotation. When you generate a kubeconfig certificate, make sure that the token has a long enough or permanent validity period to prevent VNode failure due to expiration of the kubeconfig.
If the cluster version is from 1.14 to 1.22, run the following command to generate a kubeconfig certificate:
curl -fsSL https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnode-deploy.sh | bash -s -- commonIf the cluster version is 1.13, run the following command to generate a kubeconfig certificate:
For clusters of v1.13, the endpoint resource needs to select a leader. You must configure additional permissions by setting EXTRA_PRIVILEDGE=true in the script.
curl -fsSL https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnode-deploy.sh | env EXTRA_PRIVILEDGE=true bash -s -- common
View the content of the kubeconfig.
The generated kubeconfig is named vnode-config. Run the following command to view the content of the kubeconfig:
cat vnode-configWhen you view the content of the kubeconfig, take note of the following items:
Make sure that the VPC to which the VNode belongs can be connected to the server. To ensure the VPC can be connected to the server, the VNode and the server must reside in the same VPC, or the VPC and the server can communicate with each other.
If the server address is an IP address, make sure that you can access the IP address from the VPC in which the VNode resides.
If the server address is a domain name, make sure that the domain name can be resolved in an Alibaba Cloud VPC. In addition, from the VPC in which the VNode resides, you must be able to access the IP address that is obtained after the domain name is resolved.
If the content of
certificate-authority-datais empty, check whether the PATH field is used in~/.kube/config.
The following code provides a sample content of the kubeconfig.
TLS bootstrapping
apiVersion: v1 kind: Config current-context: kubernetes-admin@kubernetes contexts: - name: kubernetes-admin@kubernetes context: cluster: kubernetes-admin@kubernetes user: vnode namespace: kube-system clusters: - name: kubernetes-admin@kubernetes cluster: certificate-authority-data: "*****************************************==" server: https://10.16.XX.XX:6443 users: - name: vnode user: token: ******.****************ServiceAccount
apiVersion: v1 kind: Config current-context: kubernetes-admin@kubernetes contexts: - name: kubernetes-admin@kubernetes context: cluster: kubernetes-admin@kubernetes user: vnode namespace: kube-system clusters: - name: kubernetes-admin@kubernetes cluster: certificate-authority-data: "*****************************************==" server: https://10.16.XX.XX:6443 users: - name: vnode user: token: ***********************************************
Create a VNode
Procedure
You can use the Elastic Container Instance console or call an API operation to create a VNode.
Use the Elastic Container Instance console
Log on to the Elastic Container Instance console.
In the top navigation bar, select the region.
In the left-side navigation pane, click Virtual Node.
Click Create Virtual Node.
Configure parameters and click OK.
The following table describes the parameters.
Parameter
Description
VPC, vSwitch, and Security Group
The VPC and security group to which the VNode belongs. The vSwitch with which the VNode is associated. For information about how to create a VPC, vSwitch, and security group, see the "Preparations" section in this topic.
KubeConfig
The kubeconfig certificate of the Kubernetes cluster to which the VNode is connected. For information about how to generate a kubeconfig certificate, see the "Configure the cluster to generate a kubeconfig certificate" section in this topic.
TlsBootstrapEnabled
Specifies whether to enable TLS bootstrapping.
If a kubeconfig certificate has been generated by using the TLS bootstrapping mode, enable TLS strapping when you create a VNode. After you enable TLS strapping, certificate rotation is also enabled. The system automatically applies for a new kubeconfig certificate for the VNode when the current kubeconfig certificate is about to expire.
Tags
The tags that are bound to the VNode.
Tags can be used to manage split bills. After you bind a custom tag to the VNode, you can use the tag to filter the charged fees of instances in the VNode when you view the fee analysis. For more information, see View split bills based on tags.
Taints
The taints that are bound to the VNode.
Resource Group
A resource group is a mechanism in which resources are managed by groups in an Alibaba Cloud account. Each Alibaba Cloud account is assigned a default resource group. For more information, see What is Resource Management?
If you do not specify a resource group, the VNode is added to the default resource group.
Call an API operation
You can call the CreateVirtualNode API operation to create a VNode. The following table lists the major parameters. For more information, see CreateVirtualNode.
Parameter | Type | Example | Description |
RegionId | String | cn-shanghai | The region ID of the VNode. |
VSwitchId | String | vsw-2ze23nqzig8inprou**** | The vSwitch ID. The vSwitch is associated with the VNode and the elastic container instances in the NMode. You can specify 1 to 10 vSwitches for a VPC. |
SecurityGroupId | String | sg-2ze81zoc3yl7a3we**** | The ID of the security group. Specify a security group. The VNode and the elastic container instances in the VNode are added to the security group. |
KubeConfig | String | JTVDbmFwaVZlcnNpb24lM0ElMjB2MSU1Q25jbHVzdGVycyUzQSU1Q24tJTIwY2x1c3RlciUzQSU1Q24uLi****** | The kubeconfig certificate of the Kubernetes cluster to which the VNode is connected. The value must be Base64-encoded. |
TlsBootstrapEnabled | Boolean | true | Specifies whether to enable TLS bootstrapping. If a kubeconfig certificate has been generated by using the TLS bootstrapping mode, enable TLS strapping when you create a VNode. After you enable TLS strapping, certificate rotation is also enabled. The system automatically applies for a new kubeconfig certificate for the VNode when the current kubeconfig certificate is about to expire. |
Check the result
Wait for a few minutes after you create the VNode. Then, log on to the Kubernetes cluster and run the kubectl get nodes command to view the information of nodes.
If the information of the VNode is displayed, the VNode is created. The following command output is returned:
If no information of the VNode is displayed, the VNode fails to be created. We recommend that you troubleshoot issues based on VNode-related events.
On the Virtual Node page of the Elastic Container Instance console, click the ID of the VNode that fails to be created. On the Events tab, you can view the events about the VNode.
Common event errors:
failed to get kubernetes server version, Get \"https://10.50.XX.XX:6443/version?timeout=32s\": net/http: request canceled (Client.Timeout exceeded while awaiting headersThis error message indicates that the VPC to which the VNode belongs cannot be connected to the Kubernetes API server. To solve this issue, check whether the VNode and the API server reside in the same VPC. If they are not in the same VPC, make sure that the VPC to which the VNode belongs can communicate with the API server.
failed to get kubernetes server version, Get \"https://lb.kubesphere.local:6443/version?timeout=32s\": dial tcp: lookup lb.kubesphere.local on 100.100.X.:53: no such hostThis error message indicates that the domain name of the Kubernetes API server cannot be resolved in an Alibaba Cloud VPC. You can use Alibaba Cloud DNS PrivateZone to resolve the domain name.
This error message indicates that the domain name of the Kubernetes API server cannot be resolved in an Alibaba Cloud VPC. You can use Alibaba Cloud DNS PrivateZone to resolve the domain name.
Configure an anti-affinity policy
DaemonSets cannot run on VNodes because VNodes are not real nodes. After you create a VNode, you need to modify the DaemonSet in kube-proxy and configure nodeAffinity to prevent DaemonSets from being scheduled to the VNode.
Modify the configurations of the DaemonSet.
kubectl -n kube-system edit ds kube-proxyConfigure nodeAffinity.
Add the following YAML content to spec > template > spec:
affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: type operator: NotIn values: - virtual-kubelet
What to do next
After you create a VNode, you can use one of the following methods to schedule pods to the VNode. Then, you can run the pods as elastic container instances in the VNode.
Manual scheduling
You can configure the nodeSelector and tolerations parameters or specify the nodeName parameter to schedule pods to the VNode. For more information, see Schedule pods to a VNode.
Automatic Scheduling
After you deploy the eci-profile component, you can specify the Selector parameter. This way, the system automatically schedules pods that meet the conditions specified by Selector to the VNode. For more information, see Use eci-profile to schedule pods to a VNode.