This topic describes the configuration items for creating an ACK managed cluster in the console, covering basic settings, network configuration, node pool options, and components—including each item's description and whether it can be changed after creation.
How to read the tables:
In the Modifiable after creation column, ✓ means you can change the setting after the cluster is created. ✗ means you cannot—review these items carefully before proceeding.
Cloud resource labels (for example, "Cloud resource: ECS instance") indicate that the configuration creates or uses other Alibaba Cloud resources. In the console, click the resource name to view billing details.
For clarity, the order of configuration items in the tables may differ slightly from the console.
The following settings cannot be changed after cluster creation. Plan your cluster topology before proceeding.
| Section | Non-modifiable settings |
|---|---|
| Cluster configuration | Region, VPC, Network plugin, Container CIDR Block, Number of Pods per Node, Service CIDR, IPv6 Dual-stack, IPv6 Service CIDR Block, Forwarding Mode |
| Cluster configuration – network ingress/egress | Access to API Server |
| Cluster configuration – advanced | Cluster Domain, Service Account Token Volume Projection, RRSA OIDC |
| Node pool configuration | Container Runtime, Security Hardening, CPU Policy, Custom Node Name, Worker RAM Role, Instance Metadata Access Mode, Custom Security Group |
Cluster configuration
This section defines the global properties of the cluster, including the Kubernetes version and network architecture.
Basic configuration
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Cluster Name | Enter a custom name for your cluster. | ✓ |
| Cluster Specification | Select a cluster edition based on your use case. Pro Edition: provides an SLA guarantee and is suitable for enterprise production and testing environments. Basic Edition: has quotas (limited to two clusters per account); intended for personal learning and testing only. For a detailed comparison, see Cluster editions. | ✓ (supports migration from Basic Edition to Pro Edition only) |
| Region | The region where cluster resources (such as ECS instances and cloud disks) are deployed. Choose a region close to your users and workloads to minimize network latency. | ✗ |
| Kubernetes Version | Only the latest three minor versions are supported. Use the latest available version. For ACK version support details, see ACK version support overview. | ✓ (supports manual cluster upgrade and automatic cluster upgrade) |
| Automatic Update | Enable automatic upgrades to keep the control plane and node pools periodically updated. For upgrade policies and instructions, see Automatically upgrade clusters. | ✓ |
| Maintenance Window | ACK performs automated O&M tasks—such as automatic cluster upgrades and OS CVE vulnerability fixes—only during the defined maintenance window. | ✓ |
Define the cluster network boundary and high availability foundation
In this section, you define the virtual private cloud (VPC), vSwitches, and security groups that determine the network boundary, high availability, and basic security access policies for the cluster.
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| VPC | The VPC for the cluster. To ensure high availability, select two or more zones. Auto-create: ACK creates a vSwitch in each selected zone. Use existing: select a vSwitch to specify the cluster zone. Use standard private CIDR blocks (for example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). For public CIDR blocks, apply at Quota Center (Create a cluster using a public CIDR block VPC). Cloud resource: VPC | ✗ |
| Security Group | The security group applies to the cluster control plane, the default node pool, and any node pool without a custom security group. Enterprise security groups support more private IP addresses than basic security groups, but do not support intra-group connectivity. For details, see Security group classification. Auto-create: all outbound traffic is allowed by default; inbound rules follow recommended configurations. If you modify inbound rules later, keep inbound access to the 100.64.0.0/10 CIDR block allowed—this block is required to access Alibaba Cloud services such as image pulling and querying ECS metadata. Use existing: ACK does not add extra access rules; manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups. When using an existing VPC, you can select Select Existing Security Group. | ✓ |
Select the pod network model and plan address ranges
In this section, you configure the container network interface (CNI) plugin. Your CNI choice affects network performance, feature availability (such as NetworkPolicy), and IP address management. Plan your CIDR blocks for pod and Service communication within the cluster before proceeding. For details, see Network planning for ACK managed clusters.
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Network Plug-in | The network plugin provides the foundation for pod-to-pod communication. Flannel: a lightweight, open-source community plugin that integrates with Alibaba Cloud VPC and uses direct VPC route table management. Best suited for small-scale clusters (limited by VPC route table quotas), simple networking, and scenarios that do not require custom container network control. Terway: a high-performance plugin developed by Alibaba Cloud that uses Elastic Network Interfaces (ENIs) for pod communication. It supports eBPF-based network acceleration, NetworkPolicy, and per-pod vSwitch and security group configuration. Suitable for high-performance computing, gaming, microservices, and scenarios requiring large-scale nodes or strong network security. Each pod consumes one secondary IP address from an ENI, so the maximum number of pods per node is constrained by ENI and secondary IP quotas. When using a shared VPC, only Terway is supported. For a detailed comparison, see Compare Terway and Flannel container network plugins. | ✗ |
| Container CIDR Block | Required for Flannel only. The IP address pool for assigning pod IPs. Must not overlap with the VPC, any existing ACK cluster CIDR blocks in the VPC, or the Service CIDR. | ✗ |
| Number of Pods per Node | Required for Flannel only. The maximum number of pods allowed on a single node. | ✗ |
| Pod vSwitch | Required for Terway only. The vSwitch used to assign IP addresses to pods. Each pod vSwitch must correspond to a worker node vSwitch and be in the same zone. Important: use a vSwitch CIDR with a prefix length of /19 or shorter; the longest prefix allowed is /25. A longer prefix leaves too few pod IPs and can affect normal cluster operation. | ✓ |
| Service CIDR | The IP address pool for assigning IPs to cluster-internal services. Must not overlap with the VPC, any existing cluster CIDR blocks in the VPC, or the Container CIDR Block. | ✗ |
| IPv6 Dual-stack | Enables support for both IPv4 and IPv6 protocols. Communication between worker nodes and the control plane still uses IPv4. Requirements: Kubernetes 1.22 or later, Terway only, and cannot be used with eRDMA. When using Terway in shared ENI mode, the instance type must support IPv6 with the same number of assignable IPv4 and IPv6 addresses. The cluster VPC must support IPv6 dual-stack. | ✗ |
| IPv6 Service CIDR Block | Requires IPv6 Dual-stack to be enabled. Configure an IPv6 address range for the Service CIDR. Use a ULA address within the fc00::/7 range with a prefix length between /112 and /120. Match the number of available addresses to that of the Service CIDR. | ✗ |
| Forwarding Mode | The kube-proxy mode that determines how cluster Services distribute requests to backend pods. iptables: uses Linux firewall rules; stable, but every packet traverses the rule chains sequentially and the number of rules grows linearly with the number of Services and endpoints, so performance degrades in clusters with many Services. Suitable for clusters with fewer Services. IPVS: uses kernel hash tables for backend lookup, delivering lower latency under heavy Service loads. Suitable for large-scale production clusters or scenarios requiring high network performance. | ✗ |
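The overlap, prefix-length and ULA rules in the table above, and the 100.64.0.0/10 inbound requirement from the Security Group row, are easy to get wrong in a console form and impossible to fix after creation. The following script is an added example (not part of the original page or of ACK itself) that checks a planned configuration offline with Python's standard `ipaddress` module. The sample plans and the `(policy, source_cidr)` rule shape are constructed for illustration; the security-group check ignores protocol and port, so it is a necessary check, not a sufficient one.

```python
"""Offline sanity checks for an ACK network plan (added example)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")                  # IPv6 unique local addresses
CLOUD_SERVICES = ipaddress.ip_network("100.64.0.0/10")  # image pulls, ECS metadata, other cloud services


def check_network_plan(
    vpc: str,
    service_cidr: str,
    container_cidr: Optional[str] = None,        # Flannel only
    existing_cluster_cidrs: Iterable[str] = (),  # other ACK clusters already in this VPC
    pod_vswitches: Iterable[str] = (),           # Terway only
    ipv6_service_cidr: Optional[str] = None,     # dual-stack only
) -> List[str]:
    """Return a list of findings; an empty list means the plan satisfies the rules in the table."""
    findings: List[str] = []
    vpc_net = ipaddress.ip_network(vpc)
    svc = ipaddress.ip_network(service_cidr)

    if not any(vpc_net.subnet_of(p) for p in PRIVATE_BLOCKS):
        findings.append(f"VPC {vpc_net} is not a standard private block (public CIDR VPCs need a quota application)")

    # Blocks that neither the Container CIDR nor the Service CIDR may overlap.
    taken: List[Tuple[str, ipaddress.IPv4Network]] = [("the VPC", vpc_net)]
    taken += [(f"existing cluster CIDR {c}", ipaddress.ip_network(c)) for c in existing_cluster_cidrs]

    if container_cidr:
        pod = ipaddress.ip_network(container_cidr)
        for name, net in taken:
            if pod.overlaps(net):
                findings.append(f"Container CIDR {pod} overlaps {name}")
        if pod.overlaps(svc):
            findings.append(f"Container CIDR {pod} overlaps Service CIDR {svc}")

    for name, net in taken:
        if svc.overlaps(net):
            findings.append(f"Service CIDR {svc} overlaps {name}")

    for vsw in pod_vswitches:
        net = ipaddress.ip_network(vsw)
        if not net.subnet_of(vpc_net):
            findings.append(f"pod vSwitch {net} is outside the VPC")
        if net.prefixlen > 25:
            findings.append(f"pod vSwitch {net} is longer than /25, which is not allowed")
        elif net.prefixlen > 19:
            findings.append(f"pod vSwitch {net} is longer than the recommended /19; pod IPs will be scarce")

    if ipv6_service_cidr:
        v6 = ipaddress.ip_network(ipv6_service_cidr)
        if not v6.subnet_of(ULA):
            findings.append(f"IPv6 Service CIDR {v6} is not a ULA block inside {ULA}")
        if not 112 <= v6.prefixlen <= 120:
            findings.append(f"IPv6 Service CIDR {v6} prefix must be between /112 and /120")
        if v6.num_addresses != svc.num_addresses:
            findings.append(
                f"IPv6 Service CIDR {v6} holds {v6.num_addresses} addresses "
                f"but Service CIDR {svc} holds {svc.num_addresses}"
            )
    return findings


def inbound_allows_cloud_services(inbound_rules: Iterable[Tuple[str, str]]) -> bool:
    """True if some inbound accept rule covers all of 100.64.0.0/10.

    Rules are constructed (policy, source_cidr) pairs such as ("accept", "100.64.0.0/10");
    protocol and port are ignored, so this only catches a missing or too-narrow source block.
    """
    for policy, source in inbound_rules:
        if policy == "accept" and CLOUD_SERVICES.subnet_of(ipaddress.ip_network(source)):
            return True
    return False


if __name__ == "__main__":
    # Constructed plan: IPv4 /20 Service CIDR pairs with an IPv6 /116 (both 4096 addresses).
    for f in check_network_plan("192.168.0.0/16", "172.21.0.0/20", container_cidr="172.20.0.0/16",
                                pod_vswitches=["192.168.0.0/19"], ipv6_service_cidr="fd00:1::/116"):
        print("finding:", f)
    print("cloud services reachable:", inbound_allows_cloud_services([("accept", "100.64.0.0/10")]))
```

The IPv6 prefix range /112 to /120 lines up with IPv4 Service CIDRs from /16 to /24 (prefix length plus 96), which is what the "match the number of available addresses" rule amounts to.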
Terway advanced options
When you select Terway, the following additional options are available. For details, see Use the Terway network plugin.
| Option | Description |
|---|---|
| DataPathV2 | Configurable only during cluster creation. Enables eBPF-based traffic forwarding optimization for lower latency and higher throughput. Supported on Alibaba Cloud Linux 3 (all versions), ContainerOS, and Ubuntu with Linux kernel 5.10 or later. For details, see Network acceleration. |
| NetworkPolicy support | In public preview. Supports native Kubernetes NetworkPolicy for pod-level network access control. Apply at the Quota Center console. |
| Support for ENI Trunking | Allows assigning dedicated IPs, vSwitches, and security groups to individual pods. Suitable for scenarios requiring fixed IPs or independent network policy management for specific pods. For details, see Assign fixed IPs, dedicated vSwitches, and security groups to pods. |
Configure public network access for the cluster
This section covers bidirectional communication between the cluster and the Internet: how to manage the cluster from the Internet via the API Server, and how cluster nodes and applications access the Internet (for example, to pull public images).
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Configure SNAT for VPC | Select this option if cluster nodes need public network access, such as pulling public images or accessing external services. ACK automatically creates a NAT gateway and SNAT rules to enable public access for cluster resources. VPC has no NAT Gateway: ACK creates a NAT gateway, purchases an Elastic IP Address (EIP), and configures SNAT rules for the cluster's vSwitches. VPC already has a NAT Gateway: ACK determines whether to purchase additional EIPs or configure SNAT rules. If no EIP is available, a new EIP is purchased. If no VPC-level SNAT rule exists, SNAT rules are configured for the cluster's vSwitches. Do not select this option when using a shared VPC. If you skip this now, configure a NAT gateway and SNAT rules manually after cluster creation. For details, see Public NAT Gateway. Cloud resources: NAT Gateway, EIP | ✓ |
| Access to API Server | ACK automatically creates a pay-as-you-go private Classic Load Balancer (CLB) instance as the internal endpoint for the API Server. This CLB instance cannot be reused or deleted—if deleted, the API Server becomes inaccessible and cannot be restored. To use an existing CLB instance, submit a ticket. Optionally enable Expose API server with EIP: Enabled: binds an EIP to the private CLB instance, allowing you to manage the cluster over the public Internet. This does not grant public network access to resources inside the cluster; to enable that, select Configure SNAT for VPC. Disabled: cluster management is only possible via kubeconfig from within the VPC. To enable public access after cluster creation, see Enable public network access to API Server. Note: starting December 1, 2024, newly created CLB instances incur instance fees. For details, see Adjustment announcement for Classic Load Balancer CLB billing items. Cloud resources: CLB, EIP | ✗ |
Advanced configuration
Expand Advanced Options (Optional) to configure cluster deletion protection, resource group, and additional settings.
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Cluster Deletion Protection | Enable this to prevent accidental cluster deletion via the console or OpenAPI. | ✓ |
| Resource Group | Assign the cluster to a resource group for permission management and cost allocation. A resource can belong to only one resource group. | ✓ |
| Label | Bind key-value tags to the cluster as cloud resource identifiers. | ✓ |
| Time Zone | The time zone used by the cluster. Defaults to the browser's configured time zone. | ✓ |
| Cluster Domain | The top-level domain used by Services in the cluster. Defaults to cluster.local but supports custom domains. For example, a Service named my-service in the default namespace has the DNS name my-service.default.svc.cluster.local. For considerations when using a custom domain, see What should I consider when configuring a custom cluster local domain (ClusterDomain)? | ✗ |
| Custom Certificate SANs | By default, the Subject Alternative Name (SAN) field in the API Server certificate includes the cluster local domain, private IP, public EIP, and other fields. To access the cluster through a proxy server, custom domain, or special network environment, add those access addresses to the SAN field. To enable this later, see Customize the cluster API Server certificate SAN. | ✓ |
| Service Account Token Volume Projection | With legacy ServiceAccount tokens, a pod's credential is a Secret that never expires and is shared by every pod that uses the same ServiceAccount, so one leaked token grants long-lived access. When enabled, each pod receives a token that is bound to that pod, expires after a configurable period, and is valid only for a specified audience. To enable this later, see Use ServiceAccount Token volume projection. | ✗ |
| Secret Encryption | Supported for Pro Edition clusters only. Uses keys created in Alibaba Cloud KMS to encrypt Secret keys, enhancing data security. To enable this later, see Use Alibaba Cloud KMS for Secret encryption at rest. Cloud resource: KMS | ✓ |
| RRSA OIDC | The cluster creates an OpenID Connect (OIDC) Provider. Application pods can use temporary OIDC tokens from their ServiceAccount to call Alibaba Cloud RAM services and assume RAM roles, enabling least-privilege permission management at the pod level. To enable this later, see Use RRSA to configure ServiceAccount RAM permissions for pod-level permission isolation. | ✗ |
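Whether a pod actually received a bound, expiring token (Service Account Token Volume Projection) or a legacy never-expiring one is visible in the token's claims, and the same claims carry the audience that RRSA OIDC relies on. The following script is an added example, not part of the original page or of ACK, that parses the payload of a token such as the one mounted at /var/run/secrets/kubernetes.io/serviceaccount/token and reports what a reviewer would flag. It does not verify the signature; both sample tokens, the issuer URL and the `sts.aliyuncs.com` audience used in the usage note are constructed or assumed for illustration.

```python
"""Inspect the ServiceAccount token a pod actually received (added example)."""
import base64
import json
from typing import Any, Dict, List, Optional

NOW = 1_700_000_000  # fixed "current time" so the constructed samples below are deterministic


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a JWT-shaped string with a placeholder signature. Constructed for this example only;
    real tokens are signed by the API server and must be verified against its keys."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-omitted"


def inspect_sa_token(token: str, now: int = NOW, expected_audience: Optional[str] = None) -> Dict[str, Any]:
    """Classify a token as legacy or bound and list the properties a reviewer would flag.
    Only the payload is parsed; the signature is not verified here."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud", [])
    audiences: List[str] = [aud] if isinstance(aud, str) else list(aud)
    pod_binding = claims.get("kubernetes.io", {}).get("pod")
    exp = claims.get("exp")

    findings: List[str] = []
    if exp is None:
        findings.append("no exp claim: token never expires (legacy ServiceAccount Secret)")
    elif exp <= now:
        findings.append("token has already expired")
    if not audiences:
        findings.append("no aud claim: accepted by any service that trusts the issuer")
    elif expected_audience and expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include {expected_audience}")
    if pod_binding is None:
        findings.append("no kubernetes.io.pod claim: token is not bound to a pod and survives pod deletion")

    return {
        "bound": exp is not None and pod_binding is not None,
        "audiences": audiences,
        "ttl_seconds": None if exp is None else exp - now,
        "findings": findings,
    }


# Constructed samples (not real tokens).
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "app",
    "sub": "system:serviceaccount:default:app",
})
BOUND_TOKEN = make_unsigned_token({
    "iss": "https://oidc.example.invalid/cluster-id",   # hypothetical issuer URL
    "aud": ["https://kubernetes.default.svc"],
    "iat": NOW,
    "exp": NOW + 3600,
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "app-6f7d9", "uid": "11111111-2222-3333-4444-555555555555"},
        "serviceaccount": {"name": "app", "uid": "66666666-7777-8888-9999-000000000000"},
    },
    "sub": "system:serviceaccount:default:app",
})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(name, inspect_sa_token(tok))
```

Passing `expected_audience` catches the RRSA case where a workload presents its API-server token (audience `https://kubernetes.default.svc`) to RAM instead of the separately projected token whose audience RAM expects (assumed here to be `sts.aliyuncs.com`); the two are distinct projected volumes with different audiences, and only the second should ever leave the cluster.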
Node pool configuration
A node pool is a group of ECS instances with the same configuration. Node pools provide the runtime environment for your workloads (pods).
You can skip this step and create node pools later to mix and isolate nodes of different types, such as nodes with different operating systems, CPU architectures, billing methods, or instance types. For details, see Create and manage a node pool. You can also add existing nodes to add purchased ECS instances to the cluster.
Basic configuration
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Node Pool Name | Enter a custom name for the node pool. | ✓ |
| Container Runtime | Select the container runtime for the node pool. For guidance, see Compare containerd, sandboxed container, and Docker runtimes. containerd (recommended): community standard, supported for Kubernetes 1.20 and later. Sandboxed container: provides a strongly isolated environment based on lightweight virtualization. For procedures and limitations, see Create and manage sandboxed container node pools. Docker (deprecated): supported only for Kubernetes 1.22 and earlier; creation is no longer supported. | ✗ |
| Managed Node Pool | Enable to use ACK's automated O&M capabilities. If your workloads are sensitive to node changes and cannot tolerate node restarts or pod migrations, do not enable this. To enable later, edit the node pool. | ✓ |
| Auto Repair | ACK automatically monitors node status and performs self-healing when nodes become abnormal. If you select Restart Faulty Node, self-healing may involve draining nodes and replacing disks. For trigger conditions, see Enable node self-healing. | ✓ |
| Automatically fix security vulnerabilities | Fix CVE vulnerabilities in node pool OS, with configurable vulnerability fix levels. Cloud resource: Security Center | ✓ |
| Maintenance Window | ACK performs automated O&M operations on managed node pools only during the defined maintenance window. | ✓ |
Instance and image configuration
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Billing Method | The default billing method when scaling out nodes. Pay-As-You-Go: nodes can be started and released on demand. Subscription: configure Duration and Auto Renewal. Preemptible Instance: only spot instances with a protection period are supported; configure the Instance Price Cap. The instance is created when the real-time price is below your bid price. After the protection period (1 hour), the system checks price and inventory every 5 minutes—if the market price exceeds your bid or inventory is insufficient, the spot instance is released. For usage recommendations, see Spot instance node pool best practices. You cannot change a Pay-As-You-Go or Subscription node pool to a Preemptible Instance node pool, or vice versa. | ✓ |
| Instance types | Nodes are allocated from the configured ECS instance families when scaling out. To improve scale-out success rates, select multiple instance types across multiple zones. The specific instance type used for scaling is determined by the Scaling Policy. Do not mix GPU and non-GPU instance types in the same node pool. Configure instance types in one of two ways: Specific types: specify exact instance types by vCPU, memory, family, and architecture. Generalized configuration: select instance types based on attributes (vCPU, memory, and so on) to further improve scale-out success rates. For details, see Configure node pools using specified instance attributes. For unsupported instance types and recommendations, see ECS instance type configuration recommendations. Cloud resources: ECS instance, GPU instance | ✓ |
| Operating System | The default OS image used when scaling out nodes. Public Image: uses Alibaba Cloud Linux 3 container-optimized, ContainerOS, Alibaba Cloud Linux 3, Ubuntu, Windows, and other public images. For image details, cgroup versions, and usage limits, see Operating system. Custom Image: uses a custom OS image. For details, see How to create a custom image from an existing ECS instance and use it to create nodes. We recommend Alibaba Cloud Linux 3 container-optimized or ContainerOS. Alibaba Cloud Linux 2 and CentOS 7 are no longer maintained. To upgrade or change the OS later, see Change operating system. Note: Marketplace Image is in phased release. | ✓ |
| Security Hardening | The security baseline policy applied when creating nodes. Disable: no security hardening. MLPS Security Hardening: applies Alibaba Cloud Linux baseline check standards for MLPS 2.0 Level 3 compliance ("GB/T22239-2019 Information Security Technology—Cybersecurity Classified Protection Basic Requirements"). In this mode, the root user cannot log on remotely via SSH—connect via VNC in the ECS console and create a regular user that supports SSH logon. For details, see ACK MLPS hardening usage guide. OS Security Hardening: supported for Alibaba Cloud Linux 2 or Alibaba Cloud Linux 3 only. | ✗ |
| Logon Type | The logon method pre-configured on the instance when nodes are created. When MLPS Security Hardening is selected, only Password is supported. ContainerOS supports only Key Pair or Later—if using a key pair, start an administrative container after configuration to use it. For details, see Manage ContainerOS nodes. Set during creation: Key Pair: SSH key pairs for Linux instances. Configure both the Username (root or ecs-user) and the Key Pair. For details, see SSH key pairs. Password: configure the Username and password. Later: bind a key pair or reset the instance password after creation. For details, see Bind SSH key pairs and Reset instance logon password. | ✓ |
Storage configuration
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| System Disk | Select a cloud disk type based on your business needs: ESSD AutoPL, ESSD, ESSD Entry, and previous-generation disks (SSD and ultra disk). Configure capacity, IOPS, and other parameters. Available disk types depend on the selected instance family. ESSD: supports custom performance levels—PL2 for capacities over 460 GiB, PL3 for over 1260 GiB. For details, see ESSD. Only ESSD system disks support Encrypted. By default, Alibaba Cloud uses the Default Service CMK. You can also specify a custom key (BYOK) created in KMS. Select More Disk Categories to configure backup disk types—when creating nodes, ACK selects the first matching disk type in the specified order. Cloud resource: ECS block storage | ✓ |
| Data Disk | Select a cloud disk type based on your business needs: ESSD AutoPL, ESSD, ESSD Entry, and previous-generation disks (SSD and ultra disk). Configure capacity, IOPS, and other parameters. Available disk types depend on the selected instance family. ESSD AutoPL: supports provisioned performance (decoupling capacity from performance) and performance burst. ESSD: supports custom performance levels—PL2 for over 460 GiB, PL3 for over 1260 GiB. All cloud disk types support Encrypted; by default, Alibaba Cloud uses the Default Service CMK. During node creation, the last data disk is automatically formatted and /var/lib/container is mounted to it; /var/lib/kubelet and /var/lib/containerd are then mounted to /var/lib/container. For custom mount directories, see Can I customize directory mounting for data disks in ACK node pools? For scenarios requiring container image acceleration or rapid large model loading, create data disks from snapshots to improve response speed. An ECS instance can mount up to 64 data disks; the exact limit varies by instance type (query using the DescribeInstanceTypes API DiskQuantity field). Select Add Data Disk Type to configure backup disk types. Cloud resource: ECS block storage | ✓ |
Instance quantity
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Expected Number of Nodes | The total number of nodes the node pool should maintain. Configure at least two nodes to ensure normal operation of cluster components. Adjust the desired count to scale the node pool in or out. For details, see Scale node pools. If you do not need to create nodes now, enter 0 and adjust manually later or add existing nodes. | ✓ |
Node pool advanced configuration
Expand Advanced Options (Optional) to configure scaling policies, ECS tags, taints, and other settings.
| Configuration item | Description | Modifiable after creation |
|---|---|---|
| Scaling Policy | Controls how the node pool selects instances during scaling. Priority-based Policy: scales based on vSwitch priority (top to bottom indicates decreasing priority). If instances cannot be created in the higher-priority zone, the next vSwitch is used. Cost Optimization: scales from lowest to highest vCPU unit price. When the node pool uses Preemptible Instance, spot instances are prioritized; configure the Percentage of pay-as-you-go instances (%) to supplement with pay-as-you-go instances when spot instances are unavailable. Distribution Balancing: distributes ECS instances evenly across multiple zones (multi-zone scenarios only). | ✓ |
| Use Pay-as-you-go Instances When Spot Instances Are Insufficient | Requires the spot instance billing method. When enabled, if spot instances cannot be created due to price or inventory constraints, ACK automatically attempts to create pay-as-you-go instances as a supplement. Cloud resource: ECS instance | ✓ |
| Enable Supplemental Spot Instance | Requires the spot instance billing method. When enabled, upon receiving a system notification that a spot instance will be reclaimed (5 minutes before reclamation), ACK attempts to scale out new instances for compensation. Compensation successful: ACK drains the old node and removes it from the cluster. Compensation failed: ACK does not drain the old node; after 5 minutes, the instance is reclaimed. When inventory is restored or price conditions are met, ACK automatically purchases instances to maintain the desired node count. For details, see Spot instance node pool best practices. Enable Use Pay-as-you-go Instances When Spot Instances Are Insufficient alongside this option to improve compensation success rates. Cloud resource: ECS instance | ✓ |
| ECS Tags | Add tags to ECS instances automatically created by ACK. Each ECS instance can have up to 20 tags; ACK and ESS occupy some tags, leaving up to 17 custom tags per instance. Tag usage details: ACK occupies two tags by default: ack.aliyun.com:<cluster ID> and ack.alibabacloud.com/nodepool-id:<node pool ID>. ESS occupies one tag by default: acs:autoscaling:scalingGroupId:<scaling group ID>. After enabling node autoscaling, Auto Scaling occupies two additional tags: k8s.io/cluster-autoscaler:true and k8s.aliyun.com:true. Autoscaling also uses tags to record node labels (k8s.io/cluster-autoscaler/node-template/label/<key>:<value>) and taints (k8s.io/cluster-autoscaler/node-template/taint/<key>/<value>:<effect>). To increase the tag limit, apply at the Quota Platform. | ✓ |
| Taints | Add key-value taints to nodes. Key: 1–63 characters, starts and ends with [a-z0-9A-Z], can contain letters, digits, hyphens (-), underscores (_), and periods (.). If a prefix is specified, it must be a DNS subdomain up to 253 characters, ending with a forward slash (/). Value: up to 63 characters, can be empty, starts and ends with [a-z0-9A-Z], can contain letters, digits, hyphens (-), underscores (_), and periods (.). Effect: NoSchedule: prevents new pods that do not tolerate the taint from being scheduled to the node, but does not affect running pods. NoExecute: prevents new intolerant pods from being scheduled and evicts running intolerant pods. PreferNoSchedule: ACK tries to avoid scheduling intolerant pods to the node, but does not enforce this strictly. | ✓ |
| Node Labels | Add key-value labels to nodes. Key: 1–63 characters, starts and ends with [a-z0-9A-Z], can contain letters, digits, hyphens (-), underscores (_), and periods (.). If a prefix is specified, it must be a DNS subdomain up to 253 characters, ending with a forward slash (/). The following prefixes are reserved by Kubernetes core components and cannot be used: kubernetes.io/, k8s.io/, and any prefix ending with kubernetes.io/ or k8s.io/ (except kubelet.kubernetes.io/, node.kubernetes.io/, and prefixes ending with those). Value: up to 63 characters, can be empty, starts and ends with [a-z0-9A-Z], can contain letters, digits, hyphens (-), underscores (_), and periods (.). | ✓ |
| Set to Unschedulable | Newly added nodes are set as unschedulable by default when registered to the cluster. Manually adjust the node scheduling status in the node list. Note: this setting applies only to clusters running Kubernetes versions earlier than 1.34. For details, see Kubernetes 1.34 version notes. | ✓ |
| Container Image Acceleration | Supported for containerd runtime version 1.6.34 or later. Newly added nodes automatically detect whether container images support on-demand loading. If supported, containers start using on-demand loading by default, reducing application startup time. For details, see Use on-demand loading to accelerate container startup. | ✓ |
| [Deprecated] CPU Policy | Specify the CPU management policy for kubelet nodes. None: default policy. Static: allows pods with certain resource characteristics to have enhanced CPU affinity and exclusivity. Use custom node pool kubelet configuration instead. | ✗ |
| Custom Node Name | Node names consist of a prefix, node IP address, and a suffix. When enabled, node names, ECS instance names, and ECS instance hostnames change accordingly. Linux: node name, ECS instance name, and hostname all follow the format <prefix><IP><suffix>. Windows: hostname is fixed as the IP address with - replacing .; ECS instance name and node name use the full format. Important When the custom node name format depends on truncating part of the IP address, set the IP truncation length ( | ✗ |
| Worker RAM Role | Supported for ACK managed clusters only; specifiable only when creating a new node pool. Specify a Worker RAM role at the node pool level to reduce security risks from sharing a single role across all nodes. Default Role: uses the default Worker RAM role created for the cluster. Custom: uses the specified role; if left blank, the default role is used. For details, see Use a custom Worker RAM role. | ✗ |
| Instance Metadata Access Mode | Supported for clusters running Kubernetes 1.28 or later. Configures the ECS instance metadata access mode for obtaining instance properties (instance ID, VPC information, NIC information, and so on). For details, see Instance metadata. Normal Mode and Security Hardening Mode: supports both normal and reinforced metadata access. Security Hardening Mode: supports only reinforced mode. For details, see Use reinforced mode only to access ECS instance metadata. | ✗ |
| Pre-defined Custom Data | Runs the specified User-Data script before nodes join the cluster (pre-user data). The script runs before the ACK node initialization script. For example, if the pre-user data is touch /tmp/pre-script, the execution order on the node is: (1) touch /tmp/pre-script, then (2) the ACK node initialization script. For the full execution logic, see Node initialization process overview. | ✓ |
| User Data | Runs the specified User-Data script after nodes join the cluster (post-user data). The script runs after the ACK node initialization script. For example, if the user data is touch /tmp/post-script, the execution order on the node is: (1) the ACK node initialization script, then (2) touch /tmp/post-script. Successful cluster creation or node scale-out does not guarantee successful script execution—log on to the node and run grep cloud-init /var/log/messages to view execution logs. For the full execution logic, see Node initialization process overview. | ✓ |
| CloudMonitor Agent | View and monitor node and application status in the CloudMonitor console. This setting applies only to new nodes added to the node pool, not existing nodes. To enable this for existing nodes, install it from the CloudMonitor console. Cloud resource: Cloud Monitor | ✓ |
| Public IP | Assigns an IPv4 public IP address to nodes. This setting applies only to new nodes added to the node pool, not existing nodes. To grant public network access to existing nodes, bind an EIP. For details, see Bind EIP to cloud resources. Cloud resource: ECS public network | ✓ |
| Custom Security Group | Specify a basic or enterprise security group for the node pool. ACK does not add extra access rules—manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups. Each ECS instance has a limit on the number of security groups it can join; ensure sufficient security group quota. | ✗ |
| RDS Whitelist | Add node IPs to the RDS instance whitelist. | ✓ |
| Deployment Set | After creating a deployment set in the ECS console, specify it for the node pool so that scaled-out nodes are placed on different physical servers, improving availability. A deployment set holds up to 20 nodes per zone (the zones are those of the node pool's vSwitches), so make sure the quota covers the desired node count. To enable later, see Node pool deployment set best practices. | ✓ |
| Resource Pool Policy | Supported only when Instance Configuration Mode is set to Specify Instance Type. Controls which resource pool is used when adding nodes. Resource pools include private pools (from elastic provisioning, immediate-effect capacity reservation, or scheduled-effect capacity reservation) and public pools. Private Pool First: prioritizes the specified private pool; if no private pool is specified or the specified private pool lacks capacity, matches open-type private pools; if none exist, uses the public pool. Private Pool Only: requires a specified private pool ID—if the pool lacks capacity, node startup fails. Do Not Use: does not use resource pool strategies. | ✓ |
| [Deprecated] Private Pool Type | This configuration item is deprecated. Use Resource Pool Policy instead. The private pool resources available for the selected zone and instance type. Open: automatically matches open-type private pools; if none exist, uses public pool resources. Do Not Use: uses only public pool resources. Specified: restricts instances to a specific private pool ID; if unavailable, instance startup fails. | ✓ |
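The Taints and Node Labels rows above spell out the key, value, effect and reserved-prefix rules; getting one wrong only surfaces when a scale-out fails. The following validator is an added example, not part of the original page or of ACK, that applies exactly those rules so a node pool definition can be checked before it is submitted. The function names and the sample keys are constructed for illustration; the reserved-prefix rule is applied to node labels only, as the page states it.

```python
"""Validate node label and taint entries against the rules above (added example)."""
import re
from typing import List

# Name part and value: 1-63 chars, alphanumeric at both ends, [-_.] allowed inside.
_NAME_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")
# Prefix: DNS subdomain (lower-case labels joined by dots), checked for length separately.
_DNS_SUBDOMAIN_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
_RESERVED_SUFFIXES = ("kubernetes.io", "k8s.io")
_ALLOWED_SUFFIXES = ("kubelet.kubernetes.io", "node.kubernetes.io")
TAINT_EFFECTS = ("NoSchedule", "NoExecute", "PreferNoSchedule")


def _matches_suffix(prefix: str, suffixes) -> bool:
    """True if prefix equals one of the suffixes or is a subdomain of it."""
    return any(prefix == s or prefix.endswith("." + s) for s in suffixes)


def validate_key(key: str, node_label: bool = False) -> List[str]:
    """Return a list of problems with a label or taint key (empty list = valid)."""
    errors: List[str] = []
    parts = key.split("/")
    if len(parts) > 2:
        return [f"{key!r}: at most one '/' is allowed"]
    prefix, name = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
    if not _NAME_RE.match(name):
        errors.append(f"{key!r}: name part must be 1-63 chars, start and end with [a-z0-9A-Z]")
    if len(parts) == 2:
        if not prefix or len(prefix) > 253 or not _DNS_SUBDOMAIN_RE.match(prefix):
            errors.append(f"{key!r}: prefix must be a DNS subdomain of at most 253 chars")
        elif node_label and _matches_suffix(prefix, _RESERVED_SUFFIXES) \
                and not _matches_suffix(prefix, _ALLOWED_SUFFIXES):
            errors.append(f"{key!r}: prefix {prefix}/ is reserved for Kubernetes core components")
    return errors


def validate_value(value: str) -> List[str]:
    """Values may be empty; otherwise they follow the same shape as the key name part."""
    if value == "" or _NAME_RE.match(value):
        return []
    return [f"{value!r}: value must be empty or 1-63 chars, start and end with [a-z0-9A-Z]"]


def validate_node_label(key: str, value: str) -> List[str]:
    return validate_key(key, node_label=True) + validate_value(value)


def validate_taint(key: str, value: str, effect: str) -> List[str]:
    errors = validate_key(key) + validate_value(value)
    if effect not in TAINT_EFFECTS:
        errors.append(f"{effect!r}: effect must be one of {TAINT_EFFECTS}")
    return errors


if __name__ == "__main__":
    # Constructed node pool definition: one reserved label prefix and one bad effect.
    labels = {"gpu.example.com/model": "a100", "topology.kubernetes.io/zone": "a"}
    taints = [("dedicated", "gpu", "NoSchedule"), ("dedicated", "gpu", "noschedule")]
    for k, v in labels.items():
        print("label", k, validate_node_label(k, v))
    for k, v, e in taints:
        print("taint", k, validate_taint(k, v, e))
```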
Component configuration
ACK installs some components by default based on best practices. Confirm the component selection on this page. You can also install, uninstall, or upgrade components after cluster creation. For details, see Manage components.
Basic configuration
| Configuration item | Description |
|---|---|
| Ingress | Ingress manages how external traffic accesses services inside the cluster. Three gateway types are available. ALB Ingress: routes traffic through Alibaba Cloud Application Load Balancer (ALB), offering rich routing policies, deep integration with cloud products like WAF, and elastic scaling. Suitable for large-scale, high-traffic production workloads or scenarios requiring enterprise-grade reliability. Create a new ALB instance or use an existing ALB instance in the current VPC that is not associated with another cluster (only when using an existing VPC). To enable later, see Create and use ALB Ingress to expose services externally. Cloud resource: ALB billing overview. Nginx Ingress: compatible with and optimized from the community Nginx Ingress Controller. Create a new CLB instance or use an existing CLB instance in the current VPC that is not associated with another cluster. To enable later, see Create and use Nginx Ingress to expose services externally. Cloud resource: CLB. MSE Ingress: implemented based on MSE cloud-native gateway, providing service governance, authentication, and phased releases. Suitable for fine-grained microservice traffic control. To enable later, see Access Container Service through MSE Ingress. Cloud resource: Standard instance billing overview. For a detailed comparison, see Ingress management. |
| Service Discovery | Installs NodeLocal DNSCache to cache DNS resolution results on nodes, improving DNS resolution performance and stability for internal service calls. |
| Volume Plug-in | Implements persistent storage based on CSI storage plugins, supporting Alibaba Cloud disks, NAS, OSS, CPFS, and other storage volumes. When you select default creation of NAS and Container Network File System (CNFS), ACK automatically creates a general-purpose NAS file system managed by CNFS. To create CNFS later, see Manage NAS file systems through CNFS. Cloud resource: NAS |
| Container Monitoring | Monitors cluster health, resource usage, and application performance, and triggers alerts when anomalies occur. ACK Cluster Monitoring Pro Edition: managed container monitoring with built-in Grafana dashboards; data is stored for 90 days by default. For billing rules, see Container monitoring billing. Additional fees apply for custom metrics or for changing the storage duration; see Prometheus instance billing. ACK Cluster Monitoring Basic Edition: free, unmanaged monitoring with basic dashboards; data is stored for 7 days by default. It is deployed as a single replica (3 vCPUs and 4 GB of memory) by default and must be maintained by you. Additional fees apply for custom metrics; see Prometheus instance billing. Disable: disables container monitoring. To enable later, see Integrate and configure Alibaba Cloud Prometheus monitoring. Cloud resource: Prometheus |
| Cost Suite | Provides cost and resource usage analysis for clusters, namespaces, node pools, and workloads to improve cluster resource utilization. To enable later, see Cost insights. |
| Log Service | Use an existing Simple Log Service (SLS) Project or create a new one to collect cluster application logs. Also enables the cluster API Server audit feature to collect Kubernetes API requests and results. To enable later, see Collect ACK cluster container logs and Use cluster API Server audit feature. Create Ingress Dashboard: creates an Ingress Dashboard in the SLS console to collect Nginx Ingress access logs. For details, see Collect and analyze Nginx Ingress access logs. Install node-problem-detector and create Event Hub: adds an Event Hub in the SLS console to collect all Kubernetes Events in real time. For details, see Create and use K8s Event Hub. Cloud resource: SLS |
| Alerts | Enables Container Service alert management, sending alert notifications to contact groups based on data from SLS, Managed Service for Prometheus, and Cloud Monitor when cluster anomalies occur. |
| Control Plane Logs | Collects control plane component logs into an SLS Project for troubleshooting and root cause analysis. To enable later, see Collect ACK managed cluster control plane component logs. Cloud resource: SLS |
| Cluster Inspections | Enables the cluster inspection feature of AIOps to regularly scan quotas, resource usage, component versions, and other aspects within the cluster, ensuring configurations follow best practices and exposing potential risks early. |
Advanced configuration
Expand Advanced Options (Optional) and select the components to install, such as components for application management, log monitoring, storage, networking, and security.