Configure ACS pod parameters via eci-profile


To minimize modifications to your application YAML files, Alibaba Cloud Container Compute Service (ACS) provides the eci-profile feature for cluster-level resource configuration. This topic describes how to configure the eci-profile ConfigMap.

Introduction

The eci-profile ConfigMap automatically injects pod configurations at the cluster level, including settings for vSwitches, security groups, and domain name resolution modes. You can update these settings as needed.

  • You do not need to restart the acs-virtual-node component when you update the configuration.

  • For existing ACS pods, the changes take effect after a rolling update.

Configuration

When you create a pod, the system reads the eci-profile configuration file, which is a ConfigMap named eci-profile in the kube-system namespace. The system then creates the pod based on the settings in this file. You can view the YAML file of the eci-profile ConfigMap by running the following command:

kubectl get cm -n kube-system eci-profile -o yaml

The following code shows an example of the YAML file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: eci-profile
  namespace: kube-system
data:
  enablePrivateZone: "false"
  securityGroupId: sg-2zeeyaaxlkq9sppl****
  vSwitchIds: vsw-2ze23nqzig8inprou****,vsw-2ze94pjtfuj9vaymf****
  vpcId: vpc-2zeghwzptn5zii0w7****
  selectors: ""

You can modify the eci-profile ConfigMap in one of the following ways:

  • Use the kubectl edit command

    kubectl edit configmap eci-profile -n kube-system
  • Use the Container Service Management Console

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Configurations > ConfigMaps.

    3. On the ConfigMaps page, select kube-system from the Namespace drop-down list, find the eci-profile ConfigMap, and then click Edit YAML.

      Note

      If the eci-profile ConfigMap contains a format error after you modify a configuration, the changes do not take effect. The system records the specific error information in an event. You can view the event by running the following kubectl command:

      kubectl -n kube-system get event --field-selector involvedObject.namespace=kube-system,involvedObject.name=eci-profile

Update cluster configurations

The eci-profile ConfigMap contains cluster configurations such as vpcId and vSwitchIds, which correspond to resources like a Virtual Private Cloud (VPC) and vSwitches. You can update these configurations as needed. The changes take effect immediately through a hot update. The following list describes the configurations that you can update.

  • securityGroupId (example: sg-2ze0b9o8pjjzts4h****): The security group to which the ACS pod belongs.

  • vSwitchIds (example: vsw-2zeet2ksvw7f14ryz****): The vSwitches to which the ACS pod belongs. You can specify multiple vSwitch IDs, separated by commas.

  • vpcId (example: vpc-2zeghwzptn5zii0w7****): The Virtual Private Cloud (VPC) to which the ACS pod belongs.

  • enablePrivateZone (example: "false"): Specifies whether to use PrivateZone for domain name resolution.

Note

The preceding configurations are default settings at the cluster level. If you do not explicitly specify or override these parameters when you create an ACS pod, the system uses the default configurations defined in the eci-profile ConfigMap.

Configure selectors

When you create a pod, the system uses selectors to match the pod. If a pod's labels match a selector, the system automatically adds the specified annotations and labels to the pod. This process enables specific features for the ACS pod.

The selectors field contains a list of selector objects, each of which requires a unique name. The following list describes the configuration format.

  • name: The name of the selector. This parameter is required and cannot be empty.

  • namespaceSelector: Selects pods based on the labels of their namespace.

  • namespaceSelector.matchLabels: Defines matching rules in the {key,value} format.

  • namespaceSelector.matchExpressions: Defines matching rules by using a list of expressions. Valid operators include In, NotIn, Exists, and DoesNotExist. For In and NotIn, the values must be non-empty.

  • objectSelector: Selects pods based on their own labels.

  • objectSelector.matchLabels: Defines matching rules in the {key,value} format.

  • objectSelector.matchExpressions: Defines matching rules by using a list of expressions. Valid operators include In, NotIn, Exists, and DoesNotExist. For In and NotIn, the values must be non-empty.

  • effect: The annotations and labels to dynamically add to matching pods.

The following code provides a template for the selectors configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: eci-profile
  namespace: kube-system
data:
  selectors: |
    [
      {
        "name": "selector-demo1",
        "namespaceSelector": {
          "matchLabels": {
            "kubernetes.io/metadata.name": "dev-ns"
          }
        },
        "objectSelector": {
          "matchLabels": {
            "acs": "true"
          },
          "matchExpressions": [
            {
              "key": "usage",
              "operator": "In",
              "values": ["testing"]
            }
          ]
        },
        "effect": {
          "annotations": {
            "network.alibabacloud.com/custom-dnsconfig": "{\"servers\":[\"114.114.114.114\",\"8.8.8.8\"],\"searches\":[\"xx.com\",\"yy.com\"],\"options\":[\"ndots:2\",\"edns0\"]}"
          },
          "labels": {
            "created-by-acs": "true"
          }
        }
      }
    ]

In the preceding template, the selector named selector-demo1 performs the following action:

If a pod belongs to the dev-ns namespace and has the acs=true and usage=testing labels, the pod is automatically updated with the network.alibabacloud.com/custom-dnsconfig="{\"servers\":[\"114.114.114.114\",\"8.8.8.8\"],\"searches\":[\"xx.com\",\"yy.com\"],\"options\":[\"ndots:2\",\"edns0\"]}" annotation and the created-by-acs=true label.
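Because a malformed selectors field is silently rejected (see the Note above) and a selector with neither a namespaceSelector nor an objectSelector applies its effect to every ACS pod, it is worth linting the JSON before applying it. The following Python check is an added example written for this page, not part of Alibaba Cloud's tooling; it encodes the rules stated above (unique non-empty names, valid matchExpressions operators, non-empty values for In and NotIn) over a constructed sample whose error messages are this example's own.

```python
import json

VALID_OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}


def _check_expressions(exprs, where, problems):
    for i, expr in enumerate(exprs):
        op, values = expr.get("operator"), expr.get("values") or []
        if op not in VALID_OPERATORS:
            problems.append(f"{where}.matchExpressions[{i}]: invalid operator {op!r}")
        elif op in ("In", "NotIn") and not values:
            problems.append(f"{where}.matchExpressions[{i}]: {op} requires non-empty values")


def validate_selectors(selectors_text):
    """Return the list of problems found in the selectors JSON (empty means acceptable)."""
    try:
        selectors = json.loads(selectors_text)
    except json.JSONDecodeError as exc:
        return [f"selectors is not valid JSON: {exc}"]
    if not isinstance(selectors, list):
        return ["selectors must be a JSON list of selector objects"]
    problems, seen = [], set()
    for idx, sel in enumerate(selectors):
        name = sel.get("name", "")
        where = f"selectors[{idx}] ({name or 'unnamed'})"
        if not name:
            problems.append(f"{where}: name is required and cannot be empty")
        elif name in seen:
            problems.append(f"{where}: duplicate name")
        seen.add(name)
        if "namespaceSelector" not in sel and "objectSelector" not in sel:
            problems.append(f"{where}: no namespaceSelector or objectSelector, effect applies to all ACS pods")
        for key in ("namespaceSelector", "objectSelector"):
            _check_expressions(sel.get(key, {}).get("matchExpressions", []), f"{where}.{key}", problems)
    return problems


# Constructed sample: the well-formed selector-demo1 plus two deliberately faulty entries.
SAMPLE = json.dumps([
    {"name": "selector-demo1",
     "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "dev-ns"}},
     "objectSelector": {"matchExpressions": [{"key": "usage", "operator": "In", "values": ["testing"]}]},
     "effect": {"labels": {"created-by-acs": "true"}}},
    {"name": "selector-demo1", "effect": {"labels": {"x": "y"}}},
    {"name": "bad-ops", "objectSelector": {"matchExpressions": [
        {"key": "tier", "operator": "In", "values": []},
        {"key": "env", "operator": "Equals", "values": ["prod"]}]}},
])
```

Run validate_selectors on the value of data.selectors taken from the ConfigMap; on SAMPLE it reports four problems (a duplicate name, a selector that would match every pod, an empty In, and an unknown operator).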

Important

To ensure a precise match, we recommend that you configure at least one of namespaceSelector or objectSelector in a Selector. If both are configured, a pod must satisfy both conditions to be successfully matched. If neither is configured, the effect will apply to all ACS pods in the cluster, which may cause unnecessary impact.

If multiple selectors are configured, ACS matches them in order. After a selector is matched, the annotations and labels declared in its effect are appended to the pod without overwriting the pod's original values. If the same annotation or label key is set more than once, the priority is as follows:

1. Values originally defined on the pod.

2. The value declared in the effect of the first matched selector.

3. The value declared in the effect of subsequently matched selectors.
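To make the matching and priority rules concrete, the following Python reproduces them over a constructed pod and namespace. This is an added example, not ACS code (the real evaluation happens inside ACS when the pod is created); namespace labels are passed in directly, and the second selector, selector-demo2, is an assumption added to show how conflicting effects are ordered.

```python
def _expr_matches(expr, labels):
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return labels.get(key) in values
    if op == "NotIn":              # an absent key also satisfies NotIn
        return labels.get(key) not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")

def _label_selector_matches(selector, labels):
    # A missing or empty selector matches every pod, hence the note above.
    if not selector:
        return True
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(_expr_matches(e, labels) for e in selector.get("matchExpressions", []))

def apply_selectors(selectors, pod_meta, ns_labels):
    """Return (annotations, labels) after appending the effect of every matched selector.
    setdefault keeps the first value seen: pod original > first match > later matches."""
    pod_labels = pod_meta.get("labels", {})
    annotations, labels = dict(pod_meta.get("annotations", {})), dict(pod_labels)
    for sel in selectors:
        ns_ok = _label_selector_matches(sel.get("namespaceSelector"), ns_labels)
        if not (ns_ok and _label_selector_matches(sel.get("objectSelector"), pod_labels)):
            continue  # both selectors must hold when both are configured
        for k, v in sel.get("effect", {}).get("annotations", {}).items():
            annotations.setdefault(k, v)
        for k, v in sel.get("effect", {}).get("labels", {}).items():
            labels.setdefault(k, v)
    return annotations, labels

# Constructed input: selector-demo1 from the template plus a second, assumed selector.
SELECTORS = [
    {"name": "selector-demo1",
     "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "dev-ns"}},
     "objectSelector": {"matchLabels": {"acs": "true"},
                        "matchExpressions": [{"key": "usage", "operator": "In", "values": ["testing"]}]},
     "effect": {"annotations": {"network.alibabacloud.com/custom-dnsconfig": '{"servers":["114.114.114.114"]}'},
                "labels": {"created-by-acs": "true"}}},
    {"name": "selector-demo2",
     "objectSelector": {"matchExpressions": [{"key": "usage", "operator": "NotIn", "values": ["prod"]}]},
     "effect": {"labels": {"created-by-acs": "second", "tier": "dev"}}},
]
DEV_NS = {"kubernetes.io/metadata.name": "dev-ns"}
POD_META = {"labels": {"acs": "true", "usage": "testing", "created-by-acs": "manual"}}
```

apply_selectors(SELECTORS, POD_META, DEV_NS) keeps created-by-acs=manual from the pod, adds the DNS annotation from selector-demo1 and tier=dev from selector-demo2; without the pod's own created-by-acs label, the first matched selector's value "true" wins over "second".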

Example

  1. Create a pod that matches the selector-demo1 selector by using the following YAML content.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      namespace: dev-ns          # namespace matched by namespaceSelector
      labels:
        alibabacloud.com/acs: 'true'
        alibabacloud.com/compute-class: general-purpose
        alibabacloud.com/compute-qos: default
        acs: "true"              # matched by objectSelector.matchLabels
        usage: "testing"         # matched by objectSelector.matchExpressions (In)
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        command: ["sleep", "infinity"]
        ports:
        - containerPort: 80
  2. After the pod is created, you can inspect it to confirm that the injected labels and annotations have been added.
