For compliance and security reasons, Container Service for Kubernetes clusters differ from self-managed Kubernetes clusters in some configurations. Read this topic carefully before you use Container Service for Kubernetes.
- ECS Bare Metal Instance
ECS Bare Metal Instances are a compute service that is designed based on the state-of-the-art virtualization 2.0 technology developed by Alibaba Cloud. They combine the elasticity of virtual machines and the performance and features of physical machines. For example, ECS Bare Metal Instances provide exclusive computing resources, support chip-level security, are compatible with multiple private clouds, and support processors with heterogeneous instruction sets.
- Elastic GPU Service
Elastic GPU Service is a compute service based on GPU. It is suitable for compute-intensive applications, such as AI, deep learning, video processing, scientific computing, and image rendering.
- Network type: When you create a Container Service for Kubernetes cluster, you can set the network type of the ECS instances in the cluster to Virtual Private Cloud (VPC) or the classic network.
- VPC: recommended.
VPCs use Layer-2 isolation and are safer and more flexible than the classic network.
- Classic network
The classic network uses Layer-3 isolation. All instances on the classic network are built on a shared base network.
- Network plug-in: Pods in a Container Service for Kubernetes cluster can use the Terway or Flannel network plug-in to communicate with each other.
- Terway: recommended.
Terway is a network plug-in developed by Alibaba Cloud. Terway allows you to assign Alibaba Cloud elastic network interfaces (ENIs) to containers and to define access policies between containers based on standard Kubernetes network policies. Terway also supports bandwidth throttling on individual containers. If you do not need network policies, you can select Flannel as the network plug-in. In all other cases, we recommend that you select Terway.
- Flannel
Flannel is a simple and stable container network interface (CNI) plug-in developed by the community. When combined with Alibaba Cloud VPC, Flannel provides a high-performance and stable container network for clusters. However, Flannel provides only a few simple features and does not support standard Kubernetes network policies.
- Base capacity: When you create a Container Service for Kubernetes cluster, set the base capacity based on your business needs and budget.
- Auto scaling: After a Container Service for Kubernetes cluster is created, you can configure auto scaling to scale the cluster in a timely manner.
- Pod scaling
Container Service for Kubernetes supports Horizontal Pod Autoscaling (HPA). With HPA enabled, a Kubernetes cluster automatically increases or reduces the number of pods for a replication controller, deployment, or replica set.
- Node scaling
Container Service for Kubernetes provides the auto scaling feature by automatically scaling nodes. Standard instances, GPU instances, and preemptible instances can be automatically added to or removed from the scaling group according to your configurations. This feature is applicable to various scaling scenarios, including instances across multiple regions, diverse instance types, and different scaling modes.
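As an added example, not from the original page, here is a HorizontalPodAutoscaler manifest of the kind the pod-scaling feature above acts on. The namespace `shop`, the Deployment name `backend`, the replica bounds and the CPU target are assumed values, and the `autoscaling/v2` API assumes a cluster running Kubernetes 1.23 or later.

```yaml
# Added example (not from the original page). Namespace, Deployment name and
# thresholds are assumed values.
# Prerequisite: the target pods must declare resources.requests.cpu, otherwise
# the HPA cannot compute utilization and will not scale.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: backend-hpa
  namespace: shop
spec:
  scaleTargetRef:          # the Deployment whose replica count HPA manages
    apiVersion: apps/v1
    kind: Deployment
    name: backend
  minReplicas: 2           # never scale below two pods (keeps one spare for rollouts)
  maxReplicas: 10          # hard ceiling so a traffic spike cannot exhaust the node pool
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60   # add pods when mean CPU use exceeds 60% of requests
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 minutes of low load before removing pods
```

Check the controller's view with `kubectl -n shop get hpa backend-hpa`; a TARGETS column showing `<unknown>` means the pods lack CPU requests or the metrics pipeline is not reporting.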
- Relational Database Service (RDS)
Relational Database Service (RDS) is a stable, reliable, and online database service that supports auto scaling. Based on the Apsara distributed file system and high-performance standard solid-state drive (SSD) storage, RDS supports a wide range of engines such as MySQL, SQL Server, PostgreSQL, Postgre Plus Advanced Server (PPAS), and MariaDB TX.
- Object Storage Service (OSS)
Object Storage Service (OSS) is a cloud storage service that features significant storage capacity, security, cost-effectiveness, and reliability.
- Container image
Container Registry provides a secure service for managing application images. It allows you to scan your images to precisely detect security vulnerabilities, build images directly from source code hosted on mainstream code repository websites, conveniently authorize access to your images, and manage images throughout the entire lifecycle. Container Registry is available in Default Instance Edition and Enterprise Edition.
- Infrastructure security
You can set security group rules to secure the infrastructure of a Container Service for Kubernetes cluster.
- Image security
Container Service for Kubernetes allows you to use private images and scan the images to detect vulnerabilities.
- Application security
Container Service for Kubernetes supports network policies, which you can use to restrict network communication between applications.
- Monitoring: You can select CloudMonitor or Application Real-Time Monitoring Service (ARMS) to monitor Container Service for Kubernetes clusters and applications. You can also set metric thresholds and alert rules to receive alert notifications as needed.
- CloudMonitor is a service provided by Alibaba Cloud for monitoring Alibaba Cloud resources and sites. In the CloudMonitor console, you can quickly check the status and performance of monitored resources through monitoring statistics and charts. You can also define custom metrics, manage the status of metrics, and set alert rules so that you are notified of exceptions.
- ARMS is an application performance management (APM) service of Alibaba Cloud, which consists of front-end monitoring, application monitoring, and Prometheus monitoring. With ARMS, you can monitor and diagnose both the front and back ends, including browsers, applets, applications, distributed applications, and containers. This improves the efficiency of application O&M.
- Log: In Container Service for Kubernetes, you can use Alibaba Cloud Log Service instead of custom log solutions to collect logs. For more information, see Log Service.