Technical updates of ACK Anywhere and ASM products

Public cloud

Container Service ACK>>

【Elastic Scaling】

feature: Node pools support enabling and disabling automatic scaling
Node pools now support enabling or disabling automatic scaling at any time; you can turn it on or off on the node pool edit page. Note that cluster autoscaling must be configured in advance before automatic scaling can be enabled for a node pool, and that when you enable it you must set the maximum and minimum number of instances.

【Cluster Operation and Maintenance】

feature: The cluster overview page displays security inspection and configuration inspection results
The cluster overview page now shows the results of security inspections and configuration inspections, helping you understand potential cluster risks and fix them in advance. For details on security inspection and on configuration inspection, refer to the respective documentation.

feature: Policy management component policy-template-controller released
policy-template-controller is a controller developed to implement the new container security policy management function. It helps you manage template-based policy instances and the overall governance status of the cluster. For configuring container security policies, refer to the documentation.

feature: ACK managed clusters support enabling RRSA
RRSA stands for RAM Roles for Service Accounts. It is a RAM role authorization feature for service accounts that isolates OpenAPI permissions at the Pod level within the cluster. RRSA currently supports only clusters of version 1.22 and above (ACK Standard Edition, ACK Pro Edition, ASK Standard Edition and ASK Pro Edition). Refer to the documentation for details.

feature: Storage claims support online expansion of cloud disks
ACK supports online expansion of CSI cloud disks on Kubernetes 1.16 and above. You can adjust the size of the cloud disk directly in the console to expand both the disk and its file system without stopping the business Pod. Refer to the documentation for details.

【Operating System】

feature: Custom images support selecting alinux3 images
When creating a node pool and choosing a custom image, you can select an Alibaba Cloud Linux 3 series image. For Alibaba Cloud Linux, refer to the documentation.

【GPU Scheduling】

feature: ACK dedicated clusters support configuring the shared GPU computing power allocation policy
ACK dedicated clusters support shared GPUs, providing GPU memory isolation and computing power isolation for shared GPU instances, and support configuring the shared GPU computing power allocation policy to achieve different distribution effects. Refer to the documentation for details.

【Container Security】

feature: Cluster policy management supports blocking deployment of risky images
Integrated with the Cloud Security active defense features, cluster policy management identifies deployments of risky images and supports policy actions such as block, alert and allow. This strengthens dynamic security policy governance and ensures that the application images started in the cluster meet your security requirements. Refer to the documentation for details.

feature: Security operations
● CVE-2021-25745: This vulnerability allows an attacker to obtain the Nginx Ingress Controller's credentials through the spec.rules[].http.paths[].path field of a crafted Ingress object, and thereby read Secret objects in the cluster without authorization (see the help documentation). A rule has been added to the policy management templates that automatically identifies and blocks such deployments.
● CVE-2021-25746: This vulnerability allows an attacker to obtain the Nginx Ingress Controller's credentials through the metadata.annotations field of a crafted Ingress object, and thereby read sensitive information such as Secret objects in the cluster beyond their authorization (see the help documentation). A rule has been added to the policy management templates that automatically identifies and blocks such deployments.
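As an added, defender-side illustration (not code from Alibaba Cloud or from the policy template described above), the following Python sketch shows the kind of admission-time check a policy rule for these two CVEs performs: it rejects an Ingress whose nginx annotation values contain configuration tokens, and one whose path values fall outside a strict character allowlist. The allowlist regex, the token blocklist, the annotation prefix handling and the sample Ingress objects are all constructed assumptions for this example.

```python
"""Admission-style validator for Ingress objects (added example, not ACK code)."""
import re
from typing import Any, Dict, List

# Allowlist for Ingress path values: absolute paths made only of unreserved URL
# characters. Constructed policy for this example: it deliberately rejects
# regex-style paths, so environments that rely on them need a looser pattern.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9._~/-]*$")

# Tokens that have no business in the value of an nginx.ingress.kubernetes.io/
# annotation written by an application team. Constructed blocklist for this
# example (an assumption, not the ACK policy template's own list).
ANNOTATION_TOKEN_BLOCKLIST = (
    "load_module", "lua_package", "_by_lua", "location", "root",
    "proxy_pass", "serviceaccount", "{", "}", "'", '"',
)

NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def check_ingress(ingress: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the object may be admitted."""
    findings: List[str] = []
    meta = ingress.get("metadata") or {}
    name = meta.get("name", "<unnamed>")

    # Check 1: annotation values (the field abused in CVE-2021-25746).
    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith(NGINX_ANNOTATION_PREFIX):
            continue
        hit = next((t for t in ANNOTATION_TOKEN_BLOCKLIST if t in str(value)), None)
        if hit is not None:
            findings.append(f"{name}: annotation {key} contains blocked token {hit!r}")

    # Check 2: path values (the field abused in CVE-2021-25745).
    for rule in (ingress.get("spec") or {}).get("rules") or []:
        for entry in (rule.get("http") or {}).get("paths") or []:
            path = entry.get("path", "")
            if not SAFE_PATH_RE.match(path):
                findings.append(f"{name}: path {path!r} is outside the allowed character set")
    return findings


# Constructed sample objects (not taken from any real cluster).
CLEAN_INGRESS = {
    "metadata": {"name": "shop", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/api/v1", "pathType": "Prefix"}]}}]},
}

SUSPICIOUS_INGRESS = {
    "metadata": {"name": "untrusted", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet": "location /x { }"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/ok", "pathType": "Prefix"},
        {"path": "/app/(.*)", "pathType": "ImplementationSpecific"}]}}]},
}

if __name__ == "__main__":
    for obj in (CLEAN_INGRESS, SUSPICIOUS_INGRESS):
        verdict = check_ingress(obj)
        print(obj["metadata"]["name"], "->", "admit" if not verdict else verdict)
```

In a real deployment this logic would sit behind a validating admission webhook or a policy engine rule; the value of the two checks is that they act on the manifest before the controller ever renders it into nginx configuration.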

Distributed cloud container platform ACK One>>
【Product Entry】

feature: The product details page is now live on both the China site and the international site. You can reach the ACK One product details page by searching on the official website or browsing the product categories:
● China site: https://www.aliyun.com/product/aliware/adcp
● International site: https://www.alibabacloud.com/zh/product/ack-one

【Region Availability】

feature: ACK One is now available on the international site, in public beta in Japan and Hong Kong (China). It supports distributing applications across multiple clusters in different regions, dynamic scheduling of multi-cluster jobs, and more.

【Cluster Operation and Maintenance】

feature: ACK One multi-cluster management supports secondary navigation, making it easy to switch between the master instance's basic information, associated sub-clusters, namespaces, and so on.

Container Registry ACR>>
【Region Availability】ACR EE, the Enterprise Edition of Container Registry, is now available in Hohhot
From now on, you can use the Enterprise Edition container image service in the Alibaba Cloud Hohhot region.

【Cost Optimization】Security policy enhancement for the cloud-native application delivery chain
Supports blocking on specified CVE vulnerabilities, and supports a global vulnerability exemption whitelist. A more convenient and flexible security policy decision mechanism improves the delivery efficiency and quality of your container DevSecOps pipeline. See the documentation for details.
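To make the two policy mechanisms concrete, here is an added Python example (not ACR's own implementation) of a delivery-chain gate: an image's scan findings are checked against a set of CVE ids that block delivery, and a global exemption whitelist takes precedence over the block list. The policy model, the exemption reasons and the sample scan findings are constructed for this example; `CVE-YYYY-EXAMPLE` and `CVE-YYYY-OTHER` are placeholder ids, not real vulnerabilities.

```python
"""Delivery-chain CVE gate (added example, not ACR code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class DeliveryPolicy:
    """Constructed policy model: CVE ids that block delivery, minus a global
    exemption whitelist. Exemption reasons are an assumption added here so that
    every bypass of a blocking rule is documented."""
    blocked_cves: set
    exempted_cves: Dict[str, str] = field(default_factory=dict)  # cve id -> reason


def evaluate_image(image: str, findings: Iterable[str],
                   policy: DeliveryPolicy) -> Tuple[bool, List[str], List[str]]:
    """Return (allowed, blocked_cves, exempted_cves) for one image.

    A CVE that is both blocked and exempted is treated as exempted: the global
    whitelist is the explicit override, so it wins over the block list.
    """
    blocked: List[str] = []
    exempted: List[str] = []
    for cve in sorted({f.strip().upper() for f in findings}):  # normalise ids
        if cve not in policy.blocked_cves:
            continue  # not a CVE this policy cares about
        (exempted if cve in policy.exempted_cves else blocked).append(cve)
    return not blocked, blocked, exempted


def evaluate_pipeline(scan_results: Dict[str, List[str]],
                      policy: DeliveryPolicy) -> Dict[str, str]:
    """Summarise the decision for every image in a scan report."""
    report: Dict[str, str] = {}
    for image, findings in scan_results.items():
        allowed, blocked, exempted = evaluate_image(image, findings, policy)
        if allowed:
            note = f" (exempted: {', '.join(exempted)})" if exempted else ""
            report[image] = "PASS" + note
        else:
            report[image] = "BLOCK " + ", ".join(blocked)
    return report


# Constructed policy: block the two Ingress CVEs named above plus a placeholder,
# and exempt the placeholder globally with a documented reason.
POLICY = DeliveryPolicy(
    blocked_cves={"CVE-2021-25745", "CVE-2021-25746", "CVE-YYYY-EXAMPLE"},
    exempted_cves={"CVE-YYYY-EXAMPLE": "mitigated by runtime configuration"},
)

# Constructed scan output: image -> CVE ids reported by the scanner.
SAMPLE_SCAN = {
    "registry.example/app:1.0": ["cve-2021-25745", "CVE-YYYY-EXAMPLE"],
    "registry.example/web:2.3": ["CVE-YYYY-EXAMPLE", "CVE-YYYY-OTHER"],
}

if __name__ == "__main__":
    for image, decision in evaluate_pipeline(SAMPLE_SCAN, POLICY).items():
        print(f"{image}: {decision}")
```

The report format matters operationally: an image that passes only because of an exemption should say so, so that the exemption can be reviewed when the whitelist is next audited.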

Service Mesh ASM>>

【Product Billing】

feature: The commercial version will be officially launched in April 2022, with two billing models for different specifications: Enterprise Edition and Ultimate Edition. SLB specifications are supported and can be selected by the user. See the documentation for details.

【New Features】

feature: EnvoyFilter plug-in market: supports end-to-end integration of EnvoyFilter plug-in templates with workload binding, enabling custom EnvoyFilter extensions. See the documentation for details.
feature: ASM API Server supports binding and unbinding an EIP
After an EIP is bound to the internal API Server, a public API Server address is added; rebinding a different EIP to the API Server is also supported.

【Function Optimization】

feature: Multiple ASM gateway capabilities have been enhanced, including graceful connection draining, IPv6 support, certificate management, and various operation and maintenance capabilities such as retaining the gateway's SLB, obtaining the real client IP for gateway access, and exposing gateway services through different SLB types. See Document Details 1, Document Details 2, etc.

【Security Operations】

feature: Multiple security capabilities enhanced
● Added an RBAC role that narrows mesh management permissions, and added an authorization information page in the mesh details that shows which users have permissions on the current mesh.
● Enhanced external authorization: an HTTP external authorization service can now override headers both when authentication succeeds and when it fails.
● Fine-grained RAM authorization is supported to meet diverse authorization requirements. See Document Details 1 and Document Details 2.

feature: Enhanced operation and maintenance capabilities: the ASM console detects the alert rules you have configured for the Pilot load balancer, and you can navigate directly from the ASM console to the Pilot load balancer's monitoring page.

【Best Practices】

feature: Based on common scenarios, several new best-practice documents have been added, covering topics such as connecting to external database services, mounting OSS, and CORS cross-domain configuration. See the documentation for details.

Hybrid cloud

Container Service ACK distribution ACK Distro>>

【Cluster Operation and Maintenance】

feature: ARM64 is supported, and new functions have been added: deployment pre-check, cluster inspection, cluster backup and cluster audit
Supports both x86 and ARM64 architectures. The deployment pre-check tool finds hidden problems that may affect cluster stability before the cluster is deployed; the cluster inspection tool checks cluster health with one click; the periodic etcd backup tool backs up etcd at 2 a.m. every day by default; and the cluster audit log records only write operations, so that for a 3m+3w (three master, three worker) cluster, 1 GiB of space holds roughly 72 hours of cluster write operations.

Container Service ACK Agile Edition (v1.4.0) >>

【Multi-cluster Management and Control】

feature: Supports distributing and deploying applications across multiple clusters, adapting more flexibly to network requirements
Based on the OCM framework, ACK Agile manages multi-cloud and hybrid-cloud clusters. Kubernetes clusters of v1.16 and later that pass the compatibility tests can be connected; applications can then be quickly distributed and deployed to multiple clusters, with differentiated policies configured as overrides. Cluster management supports a push mode from the managed cluster to the hub cluster to accommodate more complex network requirements.

【Cluster Operation and Maintenance】

feature: Optimized the console interaction for cluster lifecycle management
Added support for scaling out Worker nodes through the console, optimized the console flow for creating a guest cluster (including entering the IP range of the Worker nodes), and enriched the monitoring dashboards for the core components of the Kubernetes cluster.

feature: Added load balancing and high availability for the cluster management-and-control service endpoint
A self-developed software load balancer component provides Services of type LoadBalancer in the native Kubernetes way, giving highly available access to the product management-and-control services from outside the cluster, for example for cross-cluster services in multi-cluster management scenarios.

【Cost Optimization】

feature: GPU card sharing and isolation
GPU card sharing means running multiple computing tasks on one GPU at the same time. Compared with the mainstream model in which a single container has exclusive use of a GPU, its main benefit is higher GPU utilization and less resource waste, which lowers cost. ACK Agile supports GPU card sharing and isolation: both exclusive and shared cards are supported, and a shared card is allocated a fixed quota of GPU memory, isolating GPU resources between tasks.

feature: Application resource profiling
Added CPU and memory metrics, application resource specification profiles, and per-container resource specification recommendations, which simplify the administrator's work of setting Requests and Limits for Pods.

feature: HPA scaling based on custom monitoring metrics
HPA (Horizontal Pod Autoscaler) automatically adjusts the number of Pod replicas of a workload according to configured rules, scaling the deployment out and in horizontally so that its size tracks the actual service load. ACK Agile supports configuring custom metric rules that trigger horizontal scaling by the HPA.
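To show what "scaling according to rules" means for a custom per-Pod metric, here is an added Python example (not ACK Agile's own code) of the replica calculation the HPA control loop applies: the ratio of the observed average to the target is taken, no action is taken inside a tolerance band around 1.0, otherwise the current replica count is multiplied by the ratio, rounded up, and clamped to the configured minimum and maximum. The formula and the default 10% tolerance are those of the upstream Kubernetes HPA; the metric name, the sample values and the omission of the stabilization window and missing-metric handling are simplifications made for this example.

```python
"""Replica calculation of the Horizontal Pod Autoscaler (added example)."""
import math
from typing import Sequence


def desired_replicas(current_replicas: int, per_pod_values: Sequence[float],
                     target_average: float, min_replicas: int,
                     max_replicas: int, tolerance: float = 0.1) -> int:
    """Replica count the HPA would choose for a Pods-type custom metric.

    per_pod_values are the metric samples for the currently running Pods
    (for example requests per second per Pod); target_average is the
    averageValue configured in the HPA rule.
    """
    def clamp(n: int) -> int:
        return max(min_replicas, min(max_replicas, n))

    if not per_pod_values or target_average <= 0:
        # No usable metric: the upstream HPA skips the scaling decision.
        return clamp(current_replicas)

    average = sum(per_pod_values) / len(per_pod_values)
    ratio = average / target_average

    # Inside the tolerance band the HPA does nothing, which prevents flapping
    # when the metric hovers close to its target.
    if abs(ratio - 1.0) <= tolerance:
        return clamp(current_replicas)

    # desiredReplicas = ceil(currentReplicas * (currentMetric / targetMetric))
    return clamp(math.ceil(current_replicas * ratio))


if __name__ == "__main__":
    # Constructed scenarios for a rule "average 500 requests/s per Pod", 2..10 replicas.
    print(desired_replicas(3, [800, 900, 1000], 500, 2, 10))   # scale out
    print(desired_replicas(6, [100] * 6, 500, 2, 10))          # scale in
    print(desired_replicas(4, [520, 540, 560, 540], 500, 2, 10))  # within tolerance
    print(desired_replicas(3, [5000, 5000, 5000], 500, 2, 10))  # capped at max
```

The ceiling and the tolerance band are the two details that most often surprise people reading HPA events: a ratio of 1.08 produces no change at all, while a ratio of 1.8 on three replicas produces six, not five.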

feature: Simulated scheduling
● Simulated scheduling is implemented through the self-developed open-source component Open-Simulator, which optimizes resource placement and maximizes cluster resource utilization. Open-Simulator is a cluster simulation component for Kubernetes. With its simulated scheduling capability, users can create a virtual Kubernetes cluster and deploy workload resources on it; Open-Simulator simulates kube-controller-manager to generate the workloads' Pod instances in the virtual cluster and simulates kube-scheduler to schedule those Pods.

feature: Supports converting an ordinary cluster into an edge cluster
Through openyurt-operator, a standard Kubernetes cluster can be converted into an edge cluster: the management-and-control cluster itself can be converted and delivered as an independent edge cluster, instead of forcing the management-and-control components to occupy a cluster exclusively, which substantially reduces the initial deployment cost of the central cluster.
