How Serverless Containers Reshape Kubernetes Architecture on Alibaba Cloud

Serverless Container Origin

In 2018, Alibaba's container and elastic compute teams launched R&D on Serverless Container and Kubernetes to fuse container technology with cloud elasticity and automated operations.

Key architectural principles include Single Responsibility (isolated sandbox per application), Immutability (immutable infrastructure after creation), and Location Independence (no fixed physical node, persistent state stored externally).

ECI Elastic Container Instance Overview

ECI (Elastic Container Instance) is Alibaba Cloud's implementation of Serverless Container. Each instance runs in an independent security sandbox with a clear boundary and exposes standard APIs for pod lifecycle, health probes, logging, and monitoring. Two architectural models are offered: a pooled architecture that shares a unified resource pool across ECI, ECS, and bare‑metal instances, and a dedicated architecture that offloads most components to the host while keeping only essential parts inside the sandbox.

Alibaba Cloud Serverless Kubernetes Architecture

ACK (Alibaba Cloud Kubernetes Service) fully supports ECI. ACK clusters can combine ECS nodes and ECI instances, while ASK (Serverless Kubernetes) is a special ACK cluster type that runs only Serverless Containers and provides managed add‑ons such as PrivateZone‑based DNS and ALB‑based Ingress. Core components include the ACK Scheduler (enhanced K8s scheduler that can place pods on ECS or ECI), the Virtual Node Addon (adapter for ECI pods), and numerous application‑level elasticity enhancements.

Limitations and Mitigations in Serverless Kubernetes

Because Serverless Containers hide the node concept, traditional node‑network models such as NodePort, HostPort, and DaemonSet are unsupported; users must use LoadBalancer services or Ingress. The security sandbox enforces strong isolation, disallows privileged mode, restricts Linux capabilities, and prevents host access. To run infrastructure agents, two patterns are used: Sidecar (co‑located container with limited permissions) and Hidecar (cloud‑provided privileged sidecar invisible to users).

Scalability Challenges

Short‑lived container lifecycles dramatically increase pressure on both the infrastructure control plane and the Kubernetes control plane. Strategies include leveraging immutability to minimize API‑server calls, using pod‑name indexing for watch traffic, consolidating TCP connections, and supporting mixed scheduling of ECS and ECI resources via ResourcePolicy to prioritize cost‑effective placement.

Conclusion

Serverless Containers and Serverless Kubernetes form a new cloud‑native paradigm that blends container ecosystems with cloud‑level elasticity. Their special architecture brings security, scalability, and operational trade‑offs that require holistic design across infrastructure and Kubernetes layers to deliver maximal cloud value.