
O&M and Component Installation for the Registered Cluster of ACK One

This article gives a rundown on O&M and component installation for the registered cluster of ACK One (with examples).

By Liusheng

Two Ways to Access an Off-Cloud Cluster on an Alibaba Cloud Kubernetes (ACK) Registered Cluster

You can register clusters deployed in data centers or on a third-party cloud to Alibaba Cloud Distributed Cloud Container Platform (ACK One). This way, you can build hybrid clusters and manage clusters in a centralized manner.

Internal Network Access

If the on-premises cluster is connected to the cloud network through a leased line, use the private network cluster import proxy configuration of the ACK One registered cluster to connect the cluster. When the registered cluster is accessed over the internal network, addon components are installed from the internal container image address by default. For example:

registry-vpc.cn-hangzhou.aliyuncs.com/acs/ack-cluster-agent:latest

Public Network Access

If the on-premises cluster is not connected to the cloud network through a leased line, use the public network cluster import proxy configuration of the ACK One registered cluster (select Bind EIP when creating the cluster) to connect the cluster. When the registered cluster is accessed over the public network, addon components are installed from the public container image address by default. For example:

registry.cn-hangzhou.aliyuncs.com/acs/ack-cluster-agent:latest

The Differences in Cluster Features between Internal Network and Public Network Access

| Feature             | Internal network access | Public network access |
|---------------------|-------------------------|-----------------------|
| Node pools          | Supported               | Unsupported           |
| Cluster management  | Supported               | Supported             |
| Security governance | Supported               | Supported             |
| Observability       | Supported               | Supported             |

Use an Internal Domain Name to Access Container Registry (ACR)

If the off-cloud cluster accesses the ACK One registered cluster over the internal network, you must add routes in Cloud Enterprise Network (CEN) that point to the internal CIDR blocks of Alibaba Cloud Container Registry (ACR).

Two kinds of internal domain name resolution must be configured for the ACK One registered cluster: the internal domain names of ACR Personal Edition and those of ACR Enterprise Edition (the Personal Edition addresses are eventually converted to ACR Enterprise Edition).

Please see Configure Access to Cloud Services on CEN for more information about how to configure access to cloud services on the Cloud Enterprise Network.

Internal Domain Name Resolution of ACR Personal Edition

Please see Comparison Table between Internal Domain Names and Route CIDR Blocks of ACR Personal Edition for the mapping between the internal domain names and the route CIDR blocks of ACR Personal Edition.

An example of the internal domain names of ACR Personal Edition:

registry-vpc.cn-hangzhou.aliyuncs.com

Internal Domain Name Resolution of ACR Enterprise Edition

Please see Access an ACR Enterprise Edition Instance from a Data Center for more information about how to configure the internal domain names and route CIDR blocks of ACR Enterprise Edition.

An example of internal domain names of ACR Enterprise Edition:

registry-cn-hangzhou-vpc.ack.aliyuncs.com

Access to Cloud Services from Off-Cloud Clusters

You can select addon components for the off-cloud cluster through the ACK One registered cluster. An addon component deployed off the cloud must use an AccessKey pair (AK) to access cloud services. Therefore, you must create a RAM sub-account, grant it the required RAM permissions, generate an AK for it, and use that AK to configure the permissions of the addon components.

Onectl CLI Configuration

Please see Configure Registered Cluster with Onectl for more information.

Manual Configuration

Example

Take the log collection component as an example. Before you choose Cluster Details -> Operations Management -> Log Center -> Application Logs to install the component, you must perform the following operations:

(1) Create a RAM sub-account for the log component and grant it the required RAM permissions.

Please see Create a RAM user for more information about how to create a RAM sub-account.

(2) Create a permission policy. Please see Create a custom policy for more information.

The following RAM permissions are required for the log component:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:CreateProject",
                "log:GetProject",
                "log:DeleteProject",
                "log:CreateLogStore",
                "log:GetLogStore",
                "log:UpdateLogStore",
                "log:DeleteLogStore",
                "log:CreateConfig",
                "log:UpdateConfig",
                "log:GetConfig",
                "log:DeleteConfig",
                "log:CreateMachineGroup",
                "log:UpdateMachineGroup",
                "log:GetMachineGroup",
                "log:DeleteMachineGroup",
                "log:ApplyConfigToGroup",
                "log:GetAppliedMachineGroups",
                "log:GetAppliedConfigs",
                "log:RemoveConfigFromMachineGroup",
                "log:CreateIndex",
                "log:GetIndex",
                "log:UpdateIndex",
                "log:DeleteIndex",
                "log:CreateSavedSearch",
                "log:GetSavedSearch",
                "log:UpdateSavedSearch",
                "log:DeleteSavedSearch",
                "log:CreateDashboard",
                "log:GetDashboard",
                "log:UpdateDashboard",
                "log:DeleteDashboard",
                "log:CreateJob",
                "log:GetJob",
                "log:DeleteJob",
                "log:UpdateJob",
                "log:PostLogStoreLogs",
                "log:CreateSortedSubStore",
                "log:GetSortedSubStore",
                "log:ListSortedSubStore",
                "log:UpdateSortedSubStore",
                "log:DeleteSortedSubStore",
                "log:CreateApp",
                "log:UpdateApp",
                "log:GetApp",
                "log:DeleteApp",
                "cs:DescribeTemplates",
                "cs:DescribeTemplateAttribute"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
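The policy above grants exactly the listed actions, but on Resource "*". As an added example (not code from the article or from ACK One), the following Python script audits a candidate RAM policy document against that action list before an AccessKey is issued: it reports required actions that no Allow statement covers, required actions an explicit Deny would block (Deny takes precedence over Allow in RAM), wildcard action patterns such as log:*, and whether any Allow statement uses Resource "*". The candidate policy embedded in it is constructed for the demonstration; documented_policy() rebuilds the article's own policy from the same action list.

```python
import json
from fnmatch import fnmatchcase

# The action list the article gives for the log component (logtail-ds).
REQUIRED_LOG_ACTIONS = frozenset(
    "log:" + a for a in [
        "CreateProject", "GetProject", "DeleteProject",
        "CreateLogStore", "GetLogStore", "UpdateLogStore", "DeleteLogStore",
        "CreateConfig", "UpdateConfig", "GetConfig", "DeleteConfig",
        "CreateMachineGroup", "UpdateMachineGroup", "GetMachineGroup",
        "DeleteMachineGroup", "ApplyConfigToGroup", "GetAppliedMachineGroups",
        "GetAppliedConfigs", "RemoveConfigFromMachineGroup",
        "CreateIndex", "GetIndex", "UpdateIndex", "DeleteIndex",
        "CreateSavedSearch", "GetSavedSearch", "UpdateSavedSearch", "DeleteSavedSearch",
        "CreateDashboard", "GetDashboard", "UpdateDashboard", "DeleteDashboard",
        "CreateJob", "GetJob", "DeleteJob", "UpdateJob", "PostLogStoreLogs",
        "CreateSortedSubStore", "GetSortedSubStore", "ListSortedSubStore",
        "UpdateSortedSubStore", "DeleteSortedSubStore",
        "CreateApp", "UpdateApp", "GetApp", "DeleteApp",
    ]
) | frozenset(["cs:DescribeTemplates", "cs:DescribeTemplateAttribute"])


def documented_policy():
    """Rebuild the policy document shown in the article: one Allow statement, Resource "*"."""
    return {"Version": "1",
            "Statement": [{"Action": sorted(REQUIRED_LOG_ACTIONS),
                           "Resource": ["*"], "Effect": "Allow"}]}


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covered(action, patterns):
    """True if any pattern matches the action; '*' in a RAM action works like a glob."""
    return any(fnmatchcase(action, p) for p in patterns)


def audit_policy(policy, required=REQUIRED_LOG_ACTIONS):
    """Compare a policy document with the documented minimum for the component.

    Returns:
      missing            required actions no Allow statement covers
      denied             required actions an explicit Deny statement blocks
      wildcard_actions   Allow patterns containing '*' (broader than any single action)
      wildcard_resource  True if some Allow statement uses Resource "*"
    """
    allowed, denied = set(), set()
    wildcard_resource = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            allowed.update(actions)
            if "*" in _as_list(stmt.get("Resource")):
                wildcard_resource = True
        elif stmt.get("Effect") == "Deny":
            denied.update(actions)
    return {
        "missing": sorted(a for a in required if not _covered(a, allowed)),
        "denied": sorted(a for a in required if _covered(a, denied)),
        "wildcard_actions": sorted(p for p in allowed if "*" in p),
        "wildcard_resource": wildcard_resource,
    }


# Constructed candidate policy for the demo: a broad "log:*" grant, one explicit
# Deny, and one of the two cs: actions missing.
CANDIDATE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": "log:*", "Resource": "*", "Effect": "Allow"},
    {"Action": ["cs:DescribeTemplates"], "Resource": ["*"], "Effect": "Allow"},
    {"Action": "log:DeleteProject", "Resource": "*", "Effect": "Deny"}
  ]
}
""")

if __name__ == "__main__":
    for label, pol in [("documented", documented_policy()), ("candidate", CANDIDATE_POLICY)]:
        print(label, json.dumps(audit_policy(pol), indent=2))
```

Running the script shows the article's policy as complete but with wildcard_resource set, which is the one point to revisit when the Log Service project names are known, while the constructed candidate is reported as missing cs:DescribeTemplateAttribute, denying log:DeleteProject, and relying on the log:* wildcard.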

(3) Add permissions to the RAM user. Please see Grant permissions to a RAM user for more information.

(4) Create an AccessKey pair for a RAM user. Please see Create an AccessKey pair for more information.

(5) Use the AccessKey pair to create a Secret resource named alibaba-addon-secret in the registered cluster.

Run the following command to create the Secret resource for the log component. (If the Secret already exists, skip this step, but make sure that the AK it contains has been granted the required RAM permissions.)

kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'

After you configure the AK, the installed log component uses it to exchange data with Log Service on the cloud. The component consumes the AK by mounting the Secret into environment variables, as shown below:

- name: ALICLOUD_ACCESS_KEY_ID
  valueFrom:
    secretKeyRef:
      key: access-key-id
      name: alibaba-addon-secret
- name: ALICLOUD_ACCESS_KEY_SECRET
  valueFrom:
    secretKeyRef:
      key: access-key-secret
      name: alibaba-addon-secret
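The kubectl command in step (5) and the env block above are two halves of one contract: the Secret's keys must be exactly the ones the component's secretKeyRef entries name, the Secret name must match, and the Secret must live in the Pod's namespace. The following Python script, an added example rather than code from the article or the ACK One project, builds the same Secret manifest from AccessKey values read from environment variables (ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET, names chosen for this example) so the credentials never appear on a command line or in shell history, and checks the env block against the manifest before printing it for kubectl apply -f -.

```python
import base64
import json
import os
import sys

SECRET_NAME = "alibaba-addon-secret"


def secret_manifest(access_key_id, access_key_secret, namespace="kube-system", name=SECRET_NAME):
    """Build the Opaque Secret that the article's `kubectl create secret generic` creates.

    kubectl stores each --from-literal value base64-encoded under .data; this does the same.
    """
    def enc(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"access-key-id": enc(access_key_id),
                 "access-key-secret": enc(access_key_secret)},
    }


# The env block the article shows for the log component, as a Python structure.
LOG_COMPONENT_ENV = [
    {"name": "ALICLOUD_ACCESS_KEY_ID",
     "valueFrom": {"secretKeyRef": {"key": "access-key-id", "name": SECRET_NAME}}},
    {"name": "ALICLOUD_ACCESS_KEY_SECRET",
     "valueFrom": {"secretKeyRef": {"key": "access-key-secret", "name": SECRET_NAME}}},
]


def check_env_refs(container_env, secret, pod_namespace):
    """Return the reasons each secretKeyRef in `container_env` would fail to resolve.

    A Pod can only reference Secrets in its own namespace (the article's per-component
    table lists where each component expects the Secret), the Secret name must match,
    and every referenced key must exist in .data. An empty list means all references resolve.
    """
    problems = []
    meta = secret["metadata"]
    data = secret.get("data", {})
    for entry in container_env:
        ref = entry.get("valueFrom", {}).get("secretKeyRef")
        if ref is None:
            continue  # plain value or another source; nothing to resolve here
        if meta["namespace"] != pod_namespace:
            problems.append(f"{entry['name']}: Secret {meta['name']!r} is in namespace "
                            f"{meta['namespace']!r} but the Pod runs in {pod_namespace!r}")
        elif ref["name"] != meta["name"]:
            problems.append(f"{entry['name']}: references Secret {ref['name']!r}, found {meta['name']!r}")
        elif ref["key"] not in data:
            problems.append(f"{entry['name']}: key {ref['key']!r} not in Secret (keys: {sorted(data)})")
    return problems


def decode_secret(secret):
    """Inverse of secret_manifest: the plaintext the kubelet injects into the container env."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in secret["data"].items()}


def main():
    # Environment variable names are an assumption of this example, not the article's.
    ak_id = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    ak_secret = os.environ.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not ak_id or not ak_secret:
        sys.exit("set ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET first")
    manifest = secret_manifest(ak_id, ak_secret)
    # Refuse to emit a Secret the article's env block could not consume.
    problems = check_env_refs(LOG_COMPONENT_ENV, manifest, "kube-system")
    if problems:
        sys.exit("\n".join(problems))
    json.dump(manifest, sys.stdout, indent=2)  # pipe into: kubectl apply -f -


if __name__ == "__main__":
    main()
```

Run it as python3 addon_secret.py | kubectl apply -f -. Unlike kubectl create secret, apply also updates a Secret that already exists, which covers the "skip this step" case in the article as long as the AK has the required RAM permissions; check_env_refs is the same test to run against any other component's env block before installing it in a namespace other than kube-system.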

Components That Require AK Configuration

| Component                                          | AK required | Secret namespace | Reference                                                       |
|----------------------------------------------------|-------------|------------------|-----------------------------------------------------------------|
| Log Center (logtail-ds)                            | Yes         | kube-system      | Connect Log Service to the Registered Cluster                   |
| Event Center (ack-node-problem-detector)           | Yes         | kube-system      | Connect the Event Center to the Registered Cluster              |
| Prometheus Monitoring (ack-arms-prometheus)        | Yes         | arms-prom        | Connect Prometheus Service to the Registered Cluster            |
| Alert Configuration (alibabacloud-monitor-controller) | Yes      | kube-system      | Connect the Alert Configuration Feature to the Registered Cluster |
| Cost Analysis (ack-cost-exporter)                  | Yes         | kube-system      | Cluster Cost Analysis                                           |
| Application Backup (migrate-controller)            | Yes         | csdr             | Install Backup Service Components and Configure Permissions     |
| ack-virtual-node                                   | Yes         | kube-system      | Scale out Elastic Container Instance                            |
| aliyun-acr-credential-helper                       | Yes         | kube-system      | Pull Container Images with Password-free Components             |
| terway-eniip                                       | Yes         | kube-system      | Deploy and Configure the Terway Network Plug-in                 |
| csi                                                | Yes         | kube-system      | Use the CSI in the Registered Cluster                           |