Create a managed Kubernetes cluster that supports confidential computing

This topic describes how to create a managed Kubernetes cluster that supports confidential computing in the Container Service for Kubernetes (ACK) console.

1. Log on to the Container Service for Kubernetes (ACK) console.
2. In the left-side navigation pane, click Clusters.
3. In the upper-right corner of the Clusters page, click Create Kubernetes cluster.
4. In the Select Cluster Template dialog box, find Confidential Computing Cluster in the Managed Clusters section and click Create.
5. On the ACK managed edition tab, configure the cluster.
   1. Configure basic settings of the cluster.

      Parameter	Description
      Cluster Name	Enter a name for the ACK cluster. Note The name must be 1 to 63 characters in length. It can contain digits, letters, and hyphens (-).
      Cluster Specification	Select a cluster type. Standard edition and Professional are supported.
      Region	Select a region to deploy the ACK cluster.
      Resource Group	Move the pointer over All Resources at the top of the page and select the resource group to which the ACK cluster belongs. The name of the selected resource group appears on the page.
      Kubernetes Version	Select a Kubernetes version.
      Confidential Computing	Select Enable.
      Container Runtime	You must select Docker.
      VPC	Select a virtual private cloud (VPC) to deploy the ACK cluster. Shared VPCs and standard VPCs are supported. Shared VPC: The owner of a VPC (resource owner) can share vSwitches in the VPC under the account of the owner with other accounts in the same organization. Standard VPC: The owner of a VPC (resource owner) cannot share vSwitches in the VPC under the account of the owner with other accounts. Note ACK clusters support only VPCs. You can select a VPC from the drop-down list. If no VPC is available, click Create VPC to create one. For more information, see Create a VPC.
      VSwitch	Select vSwitches. You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create VSwitch to create one. For more information, see Create a VSwitch.
      Network Plug-in	Confidential computing clusters support only the Flannel plug-in.
      Pod CIDR Block	If you select Flannel, you must set Pod CIDR Block. The CIDR block that is specified by Pod CIDR Block cannot overlap with that of the VPC or existing ACK clusters in the VPC. The CIDR block cannot be modified after it is specified. The Service CIDR block cannot overlap with the pod CIDR block. For more information about subnetting for ACK clusters, see Assign CIDR blocks to resources in a Kubernetes cluster under a VPC.
      Service CIDR	Set Service CIDR. The CIDR block that is specified by Service CIDR cannot overlap with that of the VPC or existing ACK clusters in the VPC. The CIDR block cannot be modified after it is specified. The Service CIDR block cannot overlap with the pod CIDR block. For more information about subnetting for ACK clusters, see Assign CIDR blocks to resources in a Kubernetes cluster under a VPC.
      IP Addresses per Node	If you select Flannel, you must set the number of IP addresses per node. Note IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you use the default value.
      Configure SNAT	By default, an ACK cluster cannot be accessed over the Internet. If the VPC that you select for the ACK cluster cannot access the Internet, you can select Configure SNAT for VPC. Then, ACK creates a Network Address Translation (NAT) gateway and configures Source Network Address Translation (SNAT) entries to enable Internet access for the VPC.
      Public Access	By default, an internal-facing SLB instance is created for the API server. You can modify the specifications of the SLB instance. For more information, see Specification. Notice If you delete the SLB instance, you cannot access the API server.
      RDS Whitelist	Set the Relational Database Service (RDS) whitelist. Add the IP addresses of nodes in the ACK cluster to the RDS whitelist. Note To enable an RDS instance to access the ACK cluster, you must deploy the RDS instance in the VPC where the ACK cluster is deployed.
      Security Group	You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information, see Overview.
      Secret Encryption	Specify whether to enable Key Management Service (KMS) based on your requirements.

   2. Configure advanced settings of the cluster.

      Parameter	Description
      Kube-proxy Mode	IPVS and iptables are supported. iptables is a kube-proxy mode. It uses iptables rules to conduct service discovery and load balancing. The performance of this mode is restricted by the size of the ACK cluster. This mode is suitable for ACK clusters that manage a small number of Services. IPVS is a high-performance kube-proxy mode. It uses Linux Virtual Server (LVS) to conduct service discovery and load balancing. This mode is suitable for ACK clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.
      Labels	Add labels to nodes. Enter a key and a value, and then click Add. Note Key is required. Value is optional. Keys are not case-sensitive. A key must be 1 to 64 characters in length, and cannot start with aliyun, http://, or https://. Values are not case-sensitive. A value must be 1 to 128 characters in length and cannot start with http:// or https://. This parameter can be empty. The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the one that uses the same key. You can add up to 20 labels to each resource. If you add more than 20 labels to a resource, all labels become invalid. You must remove unused labels for the remaining labels to take effect.
      Cluster Domain	Set the domain name of the ACK cluster. Note The default domain name is cluster.local. You can enter a custom domain name. A domain name consists of two parts. Each part must be 1 to 63 characters in length and can contain only letters and digits. You cannot leave these parts empty.
      Custom Certificate SANs	You can enter custom subject alternative names (SANs) for the API server certificate of the cluster to accept requests from specified IP addresses or domain names.
      Service Account Token Volume Projection	Service account token volume projection reduces security risks when pods use service accounts to access the API server. This feature enables kubelet to request and store the token on behalf of the pod. This feature also allows you to configure token properties, such as the audience and validity duration. For more information, see Deploy service account token volume projection.
      Deletion Protection	Specify whether to enable deletion protection. If you select this check box, the ACK cluster cannot be deleted in the console or by calling the API. This prevents user errors.

6. Click Next:Worker Configurations to configure worker nodes.
   1. Select instances as worker nodes.
      Note Only ECS Bare Metal instances can be used as worker nodes for confidential computing clusters. The instance type is ecs.ebmhfg5.2xlarge.

      • If you select Create Instance, you must set the following parameters.

        Parameter	Description
        Billing Method	The pay-as-you-go and subscription billing methods are supported. If you select pay-as-you-go, you must set the following parameters: Duration: You can select 1, 2, 3, or 6 months. If you require a longer duration, you can select 1 to 5 years. Auto Renewal: Specify whether to enable auto-renewal. The pay-as-you-go and subscription billing methods are supported.
        Instance Type	Only ECS Bare Metal instances support confidential computing. The instance type ecs.ebmhfg5.2xlarge supports Intel (R) SGX applications.
        Selected Types	The selected instance types. You can select multiple instance types.
        Quantity	Specify the number of worker nodes to be created.
        System Disk	Enhanced SSDs, SSDs, and ultra disks are supported. Note You can select Enable Backup to back up disk data.
        Mount Data Disk	Enhanced SSDs, SSDs, and ultra disks are supported. You can enable disk encryption and backup when you mount data disks.
        Operating System	Only the AliyunLinux 2.xxxx operating systems are supported.
        Logon Type	Key pair logon. Key Pair: Select an SSH key pair from the drop-down list. create a key pair: Create an SSH key pair if no SSH key pair is available. For more information about how to create an SSH key pair, see Create an SSH key pair. After the key pair is created, set it as the credential that is used to log on to the ACK cluster. Password logon. Password: Enter the password that is used to log on to the nodes. Confirm Password: Enter the password again.
        Key Pair

      • If you select Add Existing Instance, you must add at least two worker nodes. You must also set Duration, Auto Renewal, Operating System, Logon Type, and Key Pair based on the preceding settings.
   2. Configure advanced settings of the worker nodes

      Parameter	Description
      Node Protection	Specify whether to enable node protection. Note By default, this check box is selected. The nodes in the ACK cluster cannot be deleted in the console or by calling the API. This prevents user errors.
      User Data	You can enter custom scripts. Custom scripts are automatically run after the nodes are initialized. Note Nodes that run Windows support Batch and PowerShell scripts. Before you encode the content in Base64, make sure that the first line includes [bat] or [powershell]. Nodes that run Linux support shell scripts. For more information about the supported formats, see cloud-init and Prepare user data. If your script file is larger than 1 KB, we recommend that you upload the script to an Object Storage Service (OSS) bucket and pull the script from the internal endpoint of the OSS bucket.
      Custom Image	Notice Do not use custom images. Otherwise, confidential computing may be unavailable.
      Custom Node Name	Specify whether to use a custom node name. A node name consists of a prefix, an IP substring, and a suffix. Both the prefix and suffix can contain one or more parts that are separated with periods (.). These parts can contain lowercase letters, digits, and hyphens (-), and must start and end with a lowercase letter or digit. The IP substring length specifies the number of digits to be truncated from the end of the returned node IP address. Valid values: 5 to 12.
      CPU Policy	Set the CPU policy. none: This policy indicates that the default CPU affinity is used. This is the default policy. static: This policy allows pods with specific resource characteristics on the node to be granted with enhanced CPU affinity and exclusivity.
      Taints	Add taints to worker nodes in the ACK cluster.

7. Click Next:Component Configurations to configure components.

   Parameter	Description
   Ingress	Specify whether to install Ingress controllers. By default, Install Ingress Controllers is selected. For more information, see Configure an Ingress. Note If you want to create Ingress dashboard, you must first activate Log Service.
   Cloud Monitor Agent	Select whether to install the Cloud Monitor agent. After the Cloud Monitor agent is installed on ECS instances, you can view monitoring information about the instances in the Cloud Monitor console.
   Log Service	Specify whether to enable Log Service. You can select an existing Log Service project or create a new one. By default, Enable Log Service is selected. When you create an application, you can perform a few steps to enable Log Service. For more information, see Use Log Service to collect container logs. You can also select or clear Collect Logs of Control Plane Components. If you select this check box, logs of components on the ACK control plane are collected to the Log Service project under your account. For more information, see 收集托管集群控制平面组件日志. Note By default, Collect Logs of Control Plane Components is selected for a professional managed Kubernetes cluster.
   Workflow Engine	Specify whether to enable Alibaba Cloud Genomics Compute Service (AGS). If you select this check box, the system automatically installs the AGS workflow plug-in when the system creates the ACK cluster. If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.

8. Click Next:Confirm Order to confirm the cluster configurations and select terms of service.
9. Click Create Cluster to start the deployment.
   You can also view logs that record cluster creation events.

   Note It takes about 10 minutes to create an ACK cluster that consists of multiple nodes.