VNodectl is a CLI tool for deploying and managing VNodes in self-managed Kubernetes clusters. Once a VNode is deployed, pods scheduled to it run as Elastic Container Instance-based elastic container instances—no changes to your existing cluster are needed.
Limitations
-
VNodes are not real nodes. DaemonSets cannot run on VNodes. After creating a VNode, configure
nodeAffinityon kube-proxy to prevent DaemonSet pods from being scheduled to it. See Prevent DaemonSets from scheduling to the VNode. -
The ServiceAccount authentication mode does not support certificate rotation. If you use this mode, make sure the token has a long enough validity period to prevent VNode failure.
Prerequisites
Before you begin, make sure you have the following:
-
A Kubernetes cluster version 1.16 to 1.30.
-
If your cluster runs in a data center: network connectivity between the data center and the virtual private cloud (VPC) where Elastic Container Instance-based pods will run. Supported options: Express Connect, Smart Access Gateway (SAG), or VPN Gateway.
-
The following resource IDs and credentials:
Resource How to get it Region ID Check Regions and zones for available regions, or query via the Elastic Container Instance console or the DescribeRegions API. VPC ID Create or view VPCs on the VPCs page in the VPC console. vSwitch ID Create or view vSwitches on the vSwitch page in the VPC console. Select a vSwitch in the same VPC. Security group ID Create or view security groups on the Security Groups page in the ECS console. Select a security group in the same VPC. AccessKey ID and AccessKey secret See Create an AccessKey pair.
Use an advanced security group and add the following inbound rules:
All ports 1–65535 from the VPC CIDR blocks
Ports 10250 and 10255 from the Kubernetes API server endpoint
The following permissions are required to create a VNode:
| Type | Permission | Description |
|---|---|---|
| Standard | system:node |
Standard node permissions |
| Standard | system:node-proxier |
Standard kube-proxy permissions |
| Standard | system:certificates.k8s.io:certificatesigningrequests:nodeclient |
Allows nodes to request certificate creation |
| Standard | system:certificates.k8s.io:certificatesigningrequests:selfnodeclient |
Allows nodes to rotate certificates |
| Additional | pods update and pods patch |
Updates pod annotations, such as k8s.aliyun.com/eci-instance-id |
| Additional | pvc update and pvc patch |
Updates PersistentVolumeClaim (PVC) annotations |
Install VNodectl
Install VNodectl on the master node of your Kubernetes cluster.
Download the package for your operating system and CPU architecture:
| Operating system | CPU architecture | Download |
|---|---|---|
| macOS | AMD64 | macOS_AMD64 |
| ARM64 | macOS_ARM64 | |
| Linux | AMD64 | Linux_AMD64 |
| ARM64 | Linux_ARM64 | |
| Windows | AMD64 | Windows_AMD64 |
| ARM64 | Windows_ARM64 |
The following steps use Linux AMD64 as an example:
-
Connect to your Kubernetes cluster.
-
Download the VNodectl package.
wget https://eci-docs.oss-cn-beijing.aliyuncs.com/vnode/vnodectl_0.0.5-beta_linux_amd64.tar.gz -O vnodectl.tar.gz -
Extract the package.
tar xvf vnodectl.tar.gz -
Move the binary to a directory in your PATH.
cp vnodectl /usr/local/bin/vnode
Add--dryto anyvnodecommand to run a client-side validation without applying changes. If an API version compatibility error occurs, add--kubernetes-versionto specify your cluster's Kubernetes version.
Configure the cluster
Before creating a VNode, generate a kubeconfig certificate for it. VNodectl supports two authentication modes:
| Mode | When to use |
|---|---|
| TLS Bootstrap | If you have security requirements, use this mode. Automatically deploys vnode-approver to approve certificate signing requests (CSRs) from VNodes. Supports certificate rotation. |
| ServiceAccount | Does not support certificate rotation—make sure the token has a permanent or long enough validity period. |
TLS Bootstrap
-
Prepare the following cluster information:
Parameter Description How to get it Example kubeconfigAdmin kubeconfig used to grant deployment permissions Default path: ~/.kube/config/path/to/kubeconfigcluster-ca-pathCertificate authority (CA) used to generate the VNode kubeconfig Run ps aux | grep apiserverand get the--client-ca-filevalue/path/to/ca.crtapiserver-addressAPI server endpoint for cluster communication Read from your kubeconfig https://8.134.XX.XX:6443bootstrap-token-idPart of the TLS bootstrap token Choose a 6-character alphanumeric string eci123bootstrap-token-secretChoose a 16-character alphanumeric string eci1233333333333 -
Deploy vnode-approver to automatically approve CSRs from VNodes.
vnode addon enable vnode-approverFor source code, see vnode-approver on GitHub.
-
Run the cluster setup command. Replace the placeholder values with your actual cluster information.
vnode cluster setup \ --kubeconfig /path/to/kubeconfig \ --bootstrap \ --bootstrap-token-id <token-id> \ --bootstrap-token-secret <token-secret> \ --apiserver-address https://8.134.XX.XX:6443 \ --cluster-ca-path /path/to/ca.crt -
Validate the setup.
vnode cluster validateThe expected output is:
kubeconfig can't be emptyBy default, the kubeconfig certificate is saved in
~/.vnode/deploy/kubeconfig.
ServiceAccount
-
Prepare the following cluster information:
Parameter Description How to get it Example kubeconfigAdmin kubeconfig used to grant deployment permissions Default path: ~/.kube/config/path/to/kubeconfigcluster-ca-pathCA used to generate the VNode kubeconfig Run ps aux | grep apiserverand get the--client-ca-filevalue/path/to/ca.crtapiserver-addressAPI server endpoint for cluster communication Read from your kubeconfig https://8.134.XX.XX:6443 -
Run the cluster setup command. Replace the placeholder values with your actual cluster information.
vnode cluster setup \ --kubeconfig /path/to/kubeconfig \ --apiserver-address https://8.134.XX.XX:6443 \ --cluster-ca-path /path/to/ca.crt -
Validate the setup.
vnode cluster validateThe expected output is:
kubeconfig can't be emptyBy default, the kubeconfig certificate is saved in
~/.vnode/deploy/kubeconfig.
Configure the ~/.vnode/config file
~/.vnode/config stores the configuration VNodectl reads at runtime. Configure it before creating a VNode.
-
Generate the default configuration template.
Parameter Required Description nameYes Context name vnode-nameNo VNode name. Leave blank to let the system generate a unique name. region-idYes Region ID where the VNode runs. See the Prerequisites section for details. access-key-idYes Your AccessKey ID for API authentication. See Create an AccessKey pair. access-key-secretYes vswitch-idYes vSwitch ID for the VNode. Specify multiple IDs to enable automatic vSwitch selection. security-group-idYes Security group ID for the VNode. resource-group-idNo Resource group for the VNode. Defaults to the account's default resource group. See What is Resource Management? kubeconfigYes Path to the kubeconfig generated in the previous step. Default: ~/.vnode/deploy/kubeconfigtaintsNo Taints to bind to the VNode. tagsNo Tags for split billing. After binding a custom tag, filter charges by tag in the fee analysis view. See View split bills based on tags. network-typeNo Network type for the Elastic Container Instance control service. Leave blank for internet access; set to vpcfor VPC access.vnode config defaultThe following table describes the parameters in the
contextssection. -
Write the template to
~/.vnode/configand edit it.vnode config default > ~/.vnode/config vim ~/.vnode/configThe following example shows a minimal configuration with required parameters only:
kind: vnode contexts: - name: default region-id: cn-guangzhou access-key-id: <yourAccessKeyID> access-key-secret: <yourAccessKeySecret> vswitch-id: vsw-7xv2yk45qp5etidgf**** security-group-id: sg-7xv5tcch4kjdr65t**** kubeconfig: ~/.vnode/deploy/kubeconfig current-context: default -
Verify that VNodectl reads the configuration correctly.
vnode config -
If you have multiple contexts, switch to the one you want to use.
vnode config set-context <context-name>
Create a VNode
-
Create the VNode.
vnode createThe VNode is created based on
~/.vnode/config. To configurecustomResources,clusterDNS, orclusterDomain, see Manage VNodes. The expected output includes the VNode ID:{"RequestId":"AB772F9D-2FEF-5BFD-AAFB-DA3444851F29","VirtualNodeId":"vnd-7xvetkyase7gb62u****"} -
Verify the VNode status.
vnode listWhen
STATUSshowsReady, the VNode is running:VNODE ID VNODE NAME CREATED STATUS SCHEDULABLE ZONES vnd-7xvetkyase7gb62u**** vnode-cn-guangzhou-a-7xvetkyase7gb62u**** 2 minutes ago Ready cn-guangzhou-a -
Confirm the VNode appears in the cluster.
kubectl get nodeThe VNode is listed as an
agentnode:NAME STATUS ROLES AGE VERSION cn-guangzhou.vnd-7xvetkyase7gb62u**** Ready agent 174m v1.20.6 vnode-test001 Ready control-plane,master 23h v1.20.6 vnode-test002 Ready <none> 22h v1.20.6
Prevent DaemonSets from scheduling to the VNode
VNodes are not real nodes, so DaemonSet pods cannot run on them. Configure nodeAffinity on kube-proxy to exclude the VNode.
-
Edit the kube-proxy DaemonSet.
kubectl -n kube-system edit ds kube-proxy -
Add the following
nodeAffinityblock tospec.template.spec.affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: type operator: NotIn values: - virtual-kubelet
Schedule pods to the VNode
After the VNode is created, schedule pods to it using one of the following methods:
-
Manual scheduling: Configure
nodeSelectorandtolerations, or setnodeNameon the pod spec. See Schedule pods to a VNode. -
Automatic scheduling: Deploy the eci-profile component and specify a
Selector. The system automatically schedules matching pods to the VNode. See Use eci-profile to schedule pods to a VNode.