By Liusheng
You can register clusters deployed in data centers or on a third-party cloud to Alibaba Cloud Distributed Cloud Container Platform (ACK One). This way, you can build hybrid clusters and manage clusters in a centralized manner.
If the on-premises cluster is connected to Alibaba Cloud through a leased line, you can use the private network cluster import proxy configuration of the ACK One registered cluster to connect to it. When you access the ACK One registered cluster over the internal network, the internal container image address is used by default when you install an addon component. For example:
registry-vpc.cn-hangzhou.aliyuncs.com/acs/ack-cluster-agent:latest
If the on-premises cluster is not connected to Alibaba Cloud through a leased line, you can use the public network cluster import proxy configuration of the ACK One registered cluster (select Bind EIP when creating the cluster) to connect to it. When you access the ACK One registered cluster over the public network, the public container image address is used by default when you install an addon component. For example:
registry.cn-hangzhou.aliyuncs.com/acs/ack-cluster-agent:latest
Feature | Internal network access | Public network access
Node pools | Supported | Unsupported
Cluster management | Supported | Supported
Security governance | Supported | Supported
Observability | Supported | Supported
If you access the ACK One registered cluster from the off-cloud internal network, you must add a route in Cloud Enterprise Network (CEN) that points to the internal CIDR blocks of Alibaba Cloud Container Registry (ACR).
You must also configure internal domain name resolution for two types of addresses in the ACK One registered cluster: the internal domain names of ACR Personal Edition and of ACR Enterprise Edition (Personal Edition addresses are eventually converted to ACR Enterprise Edition).
For details about how to configure access to cloud services on CEN, see Configure Access to Cloud Services on CEN.
For the mapping between internal domain names and route CIDR blocks of ACR Personal Edition, see Comparison Table between Internal Domain Names and Route CIDR Blocks of ACR Personal Edition.
An example of the internal domain names of ACR Personal Edition:
registry-vpc.cn-hangzhou.aliyuncs.com
For details about how to configure the internal domain names and route CIDR blocks of ACR Enterprise Edition, see Access an ACR Enterprise Edition Instance from a Data Center.
An example of internal domain names of ACR Enterprise Edition:
registry-cn-hangzhou-vpc.ack.aliyuncs.com
You can install addon components in the off-cloud cluster through the ACK One registered cluster. An addon component deployed off the cloud must use an AccessKey pair (AK) to access cloud services. Therefore, you must create a RAM sub-account, grant it the required RAM permissions, generate an AK for it, and use that AK to configure permissions for the addon components.
Please see Configure Registered Cluster with Onectl for more information.
Take the log collection component as an example. Before you choose Cluster Details -> Operations Management -> Log Center -> Application Logs to install the component, you must perform the following operations:
(1) Create a RAM sub-account for the log component and grant it the required RAM permissions.
Please see Create a RAM user for more information about how to create a RAM sub-account.
(2) Create a permission policy. Please see Create a custom policy for more information.
The following RAM permissions are required by the log component:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:CreateProject",
                "log:GetProject",
                "log:DeleteProject",
                "log:CreateLogStore",
                "log:GetLogStore",
                "log:UpdateLogStore",
                "log:DeleteLogStore",
                "log:CreateConfig",
                "log:UpdateConfig",
                "log:GetConfig",
                "log:DeleteConfig",
                "log:CreateMachineGroup",
                "log:UpdateMachineGroup",
                "log:GetMachineGroup",
                "log:DeleteMachineGroup",
                "log:ApplyConfigToGroup",
                "log:GetAppliedMachineGroups",
                "log:GetAppliedConfigs",
                "log:RemoveConfigFromMachineGroup",
                "log:CreateIndex",
                "log:GetIndex",
                "log:UpdateIndex",
                "log:DeleteIndex",
                "log:CreateSavedSearch",
                "log:GetSavedSearch",
                "log:UpdateSavedSearch",
                "log:DeleteSavedSearch",
                "log:CreateDashboard",
                "log:GetDashboard",
                "log:UpdateDashboard",
                "log:DeleteDashboard",
                "log:CreateJob",
                "log:GetJob",
                "log:DeleteJob",
                "log:UpdateJob",
                "log:PostLogStoreLogs",
                "log:CreateSortedSubStore",
                "log:GetSortedSubStore",
                "log:ListSortedSubStore",
                "log:UpdateSortedSubStore",
                "log:DeleteSortedSubStore",
                "log:CreateApp",
                "log:UpdateApp",
                "log:GetApp",
                "log:DeleteApp",
                "cs:DescribeTemplates",
                "cs:DescribeTemplateAttribute"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
(3) Add permissions to the RAM user. Please see Grant permissions to a RAM user for more information.
(4) Create an AccessKey pair for the RAM user. Please see Create an AccessKey pair for more information.
(5) Use the AccessKey pair to create a Secret resource named alibaba-addon-secret in the registered cluster.
Run the following command to create a Secret resource for the log component. (If the Secret resource already exists, skip this step, but make sure the AK has been granted the required RAM permissions.)
kubectl -n kube-system create secret generic alibaba-addon-secret --from-literal='access-key-id=<your AccessKey ID>' --from-literal='access-key-secret=<your AccessKey Secret>'
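As an added example (not part of the original post), the following Python script audits a custom policy document like the one in step (2) against the list of actions a component needs, so that the RAM user whose AK ends up in alibaba-addon-secret is neither under-privileged (the component fails) nor over-privileged. REQUIRED_ACTIONS is a constructed subset of the post's list and SAMPLE_POLICY is a constructed policy; both exist only for illustration.

```python
import json
from fnmatch import fnmatchcase

# Subset of the actions listed in step (2) above (constructed sample); pass the complete list in practice.
REQUIRED_ACTIONS = frozenset({
    "log:CreateProject", "log:GetProject", "log:CreateLogStore",
    "log:PostLogStoreLogs", "cs:DescribeTemplates", "cs:DescribeTemplateAttribute",
})

# Constructed sample policy: one required action missing, one unrelated ECS action granted, Resource "*".
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": ["log:CreateProject", "log:GetProject", "log:CreateLogStore",
                   "log:PostLogStoreLogs", "cs:DescribeTemplates", "ecs:DeleteInstance"],
        "Resource": ["*"],
        "Effect": "Allow",
    }],
})

def _as_list(value):
    # RAM accepts Action/Resource as a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)

def audit_policy(policy_json, required=REQUIRED_ACTIONS):
    """Compare a RAM policy document (JSON string) with a component's needs:
    missing = calls that would be refused, surplus = Allow patterns granting
    nothing the component needs, plus wildcard_actions and resource_wildcard."""
    allow, deny, resource_wildcard = set(), set(), False
    for stmt in json.loads(policy_json).get("Statement", []):
        patterns = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow":
            allow.update(patterns)
            resource_wildcard |= "*" in _as_list(stmt.get("Resource", []))
        elif stmt.get("Effect") == "Deny":
            deny.update(patterns)

    def granted(action):
        # Action patterns may contain "*" (e.g. "log:*") and are case-sensitive;
        # Deny wins over Allow, so a matching Deny pattern revokes the grant.
        return (any(fnmatchcase(action, p) for p in allow)
                and not any(fnmatchcase(action, p) for p in deny))

    return {
        "missing": sorted(a for a in required if not granted(a)),
        "surplus": sorted(p for p in allow if not any(fnmatchcase(r, p) for r in required)),
        "wildcard_actions": sorted(p for p in allow if "*" in p),
        "resource_wildcard": resource_wildcard,
    }
```

Run audit_policy on the policy JSON attached to the RAM user before creating the Secret; a non-empty missing list means the component will fail at runtime, while surplus entries and wildcards show where the AK grants more than the component needs.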
After you configure the AK, the installed log component uses it to exchange data with Log Service on the cloud. The component reads the AK from the Secret resource, which is mounted as environment variables:
- name: ALICLOUD_ACCESS_KEY_ID
  valueFrom:
    secretKeyRef:
      key: access-key-id
      name: alibaba-addon-secret
- name: ALICLOUD_ACCESS_KEY_SECRET
  valueFrom:
    secretKeyRef:
      key: access-key-secret
      name: alibaba-addon-secret
Component | AK Secret required | Namespace | Reference
Log Center (logtail-ds) | Yes | kube-system | Connect Log Service to the Registered Cluster
Event Center (ack-node-problem-detector) | Yes | kube-system | Connect the Event Center to the Registered Cluster
Prometheus Monitoring (ack-arms-prometheus) | Yes | arms-prom | Connect Prometheus Service to the Registered Cluster
Alert Configuration (alibabacloud-monitor-controller) | Yes | kube-system | Connect the Alert Configuration Feature to the Registered Cluster
Cost Analysis (ack-cost-exporter) | Yes | kube-system | Cluster Cost Analysis
Application Backup (migrate-controller) | Yes | csdr | Install Backup Service Components and Configure Permissions
ack-virtual-node | Yes | kube-system | Scale out Elastic Container Instance
aliyun-acr-credential-helper | Yes | kube-system | Pull Container Images with Password-free Components
terway-eniip | Yes | kube-system | Deploy and Configure the Terway Network Plug-in
csi | Yes | kube-system | Use the CSI in the Registered Cluster