Use VNodectl to automatically deploy a VNode - Elastic Container Instance

If you run a self-managed Kubernetes cluster in an on-premises data center or on an Alibaba Cloud Elastic Compute Service (ECS) instance and want to use Elastic Container Instance (ECI), you must deploy a virtual node (VNode) in the cluster. To simplify VNode deployment and management, ECI provides the VNodectl command-line interface (CLI). This topic describes how to use VNodectl to automatically deploy a VNode in your self-managed Kubernetes cluster.

Prerequisites

A Kubernetes cluster of version 1.16 to 1.30 is deployed.
If your Kubernetes cluster is deployed in a data center, make sure that the data center and the virtual private cloud (VPC) to which the Elastic Container Instance-based pods belong are connected with each other by using Express Connect, Smart Access Gateway, or VPN Gateway. For more information, see the following topics:

Preparations

Before you deploy a VNode in a self-managed Kubernetes cluster, prepare the parameter information that is required for creating a VNode and understand the permissions that are required to deploy the VNode in the cluster. The following table describes the parameters that are required to create a VNode.

Parameter	Description	Operation
Region	A region is a geographic location where Alibaba Cloud data centers are deployed. Select a region based on the geographical location of your end users and resource prices. For more information, see Regions and Zones. The elastic container instance and relevant resources are created in the region that you selected.	You can query the regions where Elastic Container Instance is available by using the Elastic Container Instance console or by calling the DescribeRegions API operation.
VPC	A VPC is a private network established on Alibaba Cloud. VPCs are logically isolated from each other. For more information, see What is VPC? The elastic container instance and relevant resources are created in the VPC that you configured. Note If your Kubernetes cluster is deployed in a data center, make sure that the network of the data center and the VPC is established.	You can create and view VPCs on the VPCs page in the VPC console.
vSwitch	A vSwitch is a basic network device that connects different cloud resources. If you want to create an elastic container instance and relevant resources in a VPC, you must specify a vSwitch. You can also specify multiple vSwitches. In this case, the system automatically selects a vSwitch from the pool of vSwitches.	You can create and view vSwitches on the vSwitch page in the VPC console and select a vSwitch in the VPC that you selected.
Security Group	Security groups are virtual firewalls that control the inbound and outbound traffic of resources in the group to improve network security. For more information about security groups, see Security group overview. The elastic container instance and relevant resources are added to the security group that you selected. Note We recommend that you select an advanced security group and add the following inbound security group rules: One rule allows access to all ports from 1 to 65535 over the CIDR blocks of the VPC. The other rule allows access to the service ports 10250 and 10255 of the VNode over the endpoint of the Kubernetes API server.	You can create and view security groups on the Security Groups page in the ECS console and select a security group in the VPC that you selected.

To create a VNode, you must configure standard permissions for native Kubernetes nodes and additional permissions for the VNode, as shown in the following table.

Type	Permission	Description
Standard permissions	system:node	Standard permissions for nodes.
	system:node-proxier	Standard permissions for kube-proxy.
	system:certificates.k8s.io:certificatesigningrequests:nodeclient	The permission for nodes to initiate the request to create a certificate.
	system:certificates.k8s.io:certificatesigningrequests:selfnodeclient	The permission for nodes to initiate a request to create a certificate based on existing certificates. The permission is to request for certificate rotation.
Additional permissions	pods update and pods patch	The permissions for updating annotations of pods. For example, you can add computed annotations such as `k8s.aliyun.com/eci-instance-id` to pods.
Additional permissions	pvc update and pvc patch	The permissions for updating annotations of PersistentVolumeClaims (PVCs).

Install VNodectl

Before you use VNodectl, install the CLI. Obtain the installation package for your environment and install VNodectl.

Operating system	CPU architecture	Download link
macOS	AMD64	macOS_AMD64
macOS	ARM64	macOS_ARM64
Linux	AMD64	Linux_AMD64
Linux	ARM64	Linux_ARM64
Windows	AMD64	Windows_AMD64
Windows	ARM64	Windows_ARM64

We recommend that you install VNodectl on the master node of your Kubernetes cluster. To install VNodectl, perform the following steps:

Connect to your cluster.

Download the installation package.

wget https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnodectl_0.0.5-beta_linux_amd64.tar.gz -O vnodectl.tar.gz

Extract the package.
```
tar xvf vnodectl.tar.gz 
```
Copy vnodectl to a directory.
```
cp vnodectl /usr/local/bin/vnode
```

Note

Add --dry to any vnode command to verify it on the client side.
If you encounter an API version compatibility error when you run a vnode command, add --kubernetes-version to specify the Kubernetes version of your cluster.

Configure the cluster

VNodes use a kubeconfig file to connect to the cluster. Before you create a VNode, generate a kubeconfig file for it. You can generate the kubeconfig file in TLS Bootstrap mode or ServiceAccount mode.

Note

If you have security requirements, use TLS Bootstrap mode. In this mode, the vnode-approver component deploys automatically. vnode-approver approves certificate signing requests (CSRs) submitted by VNodes. The source code is open on GitHub. For more information, see vnode-approver.
ServiceAccount mode does not support certificate rotation. When you generate the kubeconfig file, make sure the token has a long or permanent validity period. This prevents VNode failures caused by expired tokens.

TLS Bootstrap

Generate a kubeconfig file.

Prepare the cluster configuration information.

Configuration Parameters	Description	How to obtain	Example
kubeconfig	Configures the permissions that the VNode needs in the cluster.	The default path is `~/.kube/config`. You can also use another kubeconfig file.	/path/to/kubeconfig
Cluster CA	Generates the kubeconfig file that the VNode needs to connect to the cluster. You can use the certificate authority (CA) from a kubeconfig file with admin permissions. We recommend that you use the CA passed when you start the API server.	Run `ps aux \| grep apiserver` and get the value of `--client-ca-file` from the output.	/path/to/ca.crt
API server address	Used for cluster communication, authentication, and authorization.	Print the kubeconfig file and get the API server address from the output.	https://8.134.XX.XX:6443
tokenId	Generates a TLS bootstrap token and creates a bootstrap token secret.	Custom alphanumeric string of six characters.	eci123
tokenSecret		Custom alphanumeric string of 16 characters.	eci1233333333333

Deploy the vnode-approver component.
```
vnode addon enable vnode-approver
```

Configure the cluster to generate the kubeconfig file.

Replace the parameter values in the command with your actual cluster information. Example:

vnode cluster setup --kubeconfig  /path/to/kubeconfig  --bootstrap --bootstrap-token-id <token-id> --bootstrap-token-secret <token-secret> --apiserver-address https://8.134.XX.XX:6443 --cluster-ca-path  /path/to/ca.crt

Validate whether the cluster supports VNode deployment.
```
vnode cluster validate
```
The following output appears. By default, the kubeconfig file is saved to ~/.vnode/deploy/kubeconfig.
```
kubeconfig can't be empty
```

ServiceAccount

Generate a kubeconfig file.

Prepare the cluster configuration information.

Configuration parameters	Description	How to obtain	Example
kubeconfig	Configures the permissions that the VNode needs in the cluster.	The default path is `~/.kube/config`. You can also use another kubeconfig file.	/path/to/kubeconfig
Cluster CA	Generates the kubeconfig file that the VNode needs to connect to the cluster. You can use the CA from a kubeconfig file with admin permissions. We recommend that you use the CA passed when you start the API server.	Run `ps aux \| grep apiserver` and get the value of `--client-ca-file` from the output.	/path/to/ca.crt
API server address	Used for cluster communication, authentication, and authorization.	Print the kubeconfig file and get the API server address from the output.	https://8.134.XX.XX:6443

Configure the cluster to generate the kubeconfig file.
Replace the parameter values in the command with your actual cluster information. Example:
```
vnode cluster setup --kubeconfig /path/to/kubeconfig --apiserver-address https://8.134.XX.XX:6443 --cluster-ca-path /path/to/ca.crt
```

Validate whether the cluster supports VNode deployment.
```
vnode cluster validate
```
The following output appears. By default, the kubeconfig file is saved to ~/.vnode/deploy/kubeconfig.
```
kubeconfig can't be empty
```

Configure the ~/.vnode/config file

The ~/.vnode/config file contains the VNode configuration. VNodectl reads this file when it runs. Configure this file before you create a VNode.

Print the configuration required to run the VNode.

vnode config default

The following table describes the fields under contexts in the configuration.

Field	Required	Description
name	Yes	The name of the context.
vnode-name	No	The name of the VNode. Do not set this field. The system generates a unique name automatically.
region-id	Yes	The ID of the region where the VNode resides. For information about how to select a region, see Preparations.
access-key-id	Yes	Use an AccessKey pair to complete identity verification when you call Alibaba Cloud API operations. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. For more information, see Create an AccessKey pair.
access-key-secret	Yes
vswitch-id	Yes	The ID of the vSwitch associated with the VNode. You can specify multiple vSwitches. For information about how to create a vSwitch, see Preparations.
security-group-id	Yes	The ID of the security group to which the VNode belongs. For information about how to create a security group, see Preparations.
resource-group-id	No	The resource group to which the VNode belongs. A resource group is a mechanism for grouping resources in an Alibaba Cloud account. Each account has a default resource group. For more information, see Resource Management. If you do not specify a resource group, the VNode joins the default resource group.
kubeconfig	Yes	The path of the kubeconfig file required to connect the VNode to the cluster. This path is generated automatically after you configure the cluster. By default, the kubeconfig file is saved to `~/.vnode/deploy/kubeconfig`.
taints	No	The taints bound to the VNode.
tags	No	The tags bound to the VNode. Tags help manage split bills. After you bind a custom tag to the VNode, you can filter the instance fees charged to the VNode in cost analysis. For more information, see View split bills by tag.
network-type	No	The network type used by VNodectl to access the ECI control service endpoint. Leave this field empty to use the Internet endpoint. If VNodectl runs in a VPC, set this field to `vpc` to use the VPC endpoint.

Redirect the configuration to the ~/.vnode/config file and configure the fields.

vnode config default > ~/.vnode/config
vim ~/.vnode/config

Modify the ~/.vnode/config file based on your needs. The following example shows only the required fields.

kind: vnode
contexts:
    - name: default
      region-id: cn-guangzhou
      access-key-id: <yourAccessKeyID>
      access-key-secret: <yourAccessKeySecret>
      vswitch-id: vsw-7xv2yk45qp5etidgf****
      security-group-id: sg-7xv5tcch4kjdr65t****
      kubeconfig: ~/.vnode/deploy/kubeconfig
current-context: default

Verify the configuration that the VNode reads at runtime.
```
vnode config
```
Switch the context so the VNode loads the configuration in that context.
```
vnode config set-context <context-name>
```

Create a VNode

Create a VNode.
```
vnode create
```
Note
The VNode is created using the configuration in the ~/.vnode/config file. You can add parameters to configure customResources, clusterDNS, and clusterDomain. For more information, see Manage VNodes.
The following sample output appears. The value of VirtualNodeId is the ID of the new VNode.
```
{"RequestId":"AB772F9D-2FEF-5BFD-AAFB-DA3444851F29","VirtualNodeId":"vnd-7xvetkyase7gb62u****"}
```

View the status of the VNode.

vnode list

The following sample output appears. If STATUS is Ready, the VNode is created successfully.

VNODE ID                    VNODE NAME                                   CREATED          STATUS    SCHEDULABLE ZONES
vnd-7xvetkyase7gb62u****    vnode-cn-guangzhou-a-7xvetkyase7gb62u****    2 minutes ago    Ready     cn-guangzhou-a

View node information.

kubectl get node

The following sample output appears. It shows that the VNode is connected to the cluster.

NAME                                    STATUS     ROLES                  AGE    VERSION
cn-guangzhou.vnd-7xvetkyase7gb62u****   Ready      agent                  174m   v1.20.6
vnode-test001                           Ready      control-plane,master   23h    v1.20.6
vnode-test002                           Ready      <none>                 22h    v1.20.6

Prevent DaemonSets from being scheduled to the VNode

DaemonSets cannot run on VNodes because VNodes are not real nodes. After you create a VNode, you need to modify the DaemonSet in kube-proxy and configure nodeAffinity to prevent DaemonSets from being scheduled to the VNode.

Modify the configurations of the DaemonSet.
```
kubectl -n kube-system edit ds kube-proxy
```

Configure nodeAffinity.

Add the following YAML content to spec.template.spec.

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: type
          operator: NotIn
          values:
          - virtual-kubelet

Schedule pods to the VNode

After you create a VNode, you can use one of the following methods to schedule pods to the VNode. Then, you can run the pods as elastic container instances in the VNode.

Manual scheduling
You can configure the nodeSelector and tolerations parameters or specify the nodeName parameter to schedule pods to the VNode. For more information, see Schedule pods to a VNode.
Automatic Scheduling
After you deploy the eci-profile component, you can specify the Selector parameter. This way, the system automatically schedules pods that meet the conditions specified by Selector to the VNode. For more information, see Use eci-profile to schedule pods to a VNode.

References

Common VNodectl commands