This topic describes how to create a managed Kubernetes cluster for confidential computing in the Container Service for Kubernetes (ACK) console.

Prerequisites

ACK and Resource Access Management (RAM) are activated.

ACK is activated in the ACK console and RAM is activated in the RAM console.

Note

When you create a managed Kubernetes cluster for confidential computing, take note of the following limits:

  • SLB instances that are created together with the ACK cluster support only the pay-as-you-go billing method.
  • ACK clusters support only Virtual Private Cloud (VPC) networks.
  • Each account can consume only a limited amount of computing resources. You fail to create clusters if you do not have sufficient computing resources. When you create clusters, make sure that you have sufficient resources. To increase the quota of computing resources for your account, submit a ticket.
    • You can create up to 50 clusters across regions for each account. You can deploy up to 100 nodes in each cluster. To increase the quota of clusters or nodes for your account, submit a ticket.
      Notice By default, you can add up to 48 route entries to each VPC network in an ACK cluster. This means that you can deploy up to 48 nodes in an ACK cluster that uses Flannel. An ACK cluster that uses Terway is not subject to this limit. To increase the quota of route entries for a VPC network, submit a ticket.
    • You can create up to 100 security groups under each account.
    • You can create up to 60 pay-as-you-go SLB instances under each account.
    • You can create up to 20 elastic IP addresses (EIPs) under each account.
  • To create a managed Kubernetes cluster for confidential computing, you must set the parameters as described in the following table. Otherwise, you cannot run Intel (R) Software Guard Extensions (SGX) applications in the cluster.
    Parameter Description
    Zone Only ECS Bare Metal instances of the ecs.ebmhfg5.2xlarge type support confidential computing clusters. Make sure that you can purchase instances of this type in the selected zone.
    Container Runtime Docker 18.09.2
    Instance Type Select ecs.ebmhfg5.2xlarge of the ECS Bare Metal instance family.
    Operating System AliyunLinux 2.xxxx
    Network Plug-in Flannel
    Custom Image Do not use custom images. Some images may not support confidential computing.

Procedure

  1. Log on to the ACK console.
  2. In the left-side navigation pane, click Clusters.
  3. In the upper-right corner of the Clusters page, click Cluster Templates.
  4. In the Select Cluster Template dialog box, find Confidential Computing Cluster in the Managed Clusters section and click Create.
  5. On the Managed Kubernetes tab, configure the cluster.
    1. Configure basic settings of the cluster.
      Parameter Description
      Cluster Name
      Enter a name for the ACK cluster.
      Note The name must be 1 to 63 characters in length, and can contain digits, letters, and hyphens (-).
      Cluster Specification

      Select a cluster type. You can select Standard edition or Professional.

      Region

      Select a region to deploy the cluster.

      Resource Group
      Move the pointer over All Resources at the top of the page and select the resource group to which the cluster belongs. The name of the selected resource group is displayed, as shown in the following figure. Resource Group
      Kubernetes Version

      The Kubernetes versions that are supported by ACK.

      Confidential Computing Select Enable.
      Container Runtime
      Only the containerd and Docker runtimes are supported. For more information, see How do I choose between Docker and Sandboxed-Container?.
      Note The containerd runtime is in public preview. To use containerd, Submit a ticket to apply for it to be available for your account.
      VPC
      Select a virtual private cloud (VPC) to deploy the cluster. Standard VPCs and shared VPCs are supported.
      • Shared VPC: The owner of a VPC (resource owner) can share the vSwitches in the VPC with other accounts in the same organization.
      • Standard VPC: The owner of a VPC (resource owner) cannot share vSwitches in the VPC with other accounts.
      Note ACK clusters support only VPCs. You can select a VPC from the drop-down list. If no VPC is available, click Create VPC to create one. For more information, see Work with VPCs.
      VSwitch

      Select vSwitches.

      You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create VSwitch to create one. For more information, see Create a vSwitch.

      Network Plug-in You must select the Flannel plug-in if you want to enable confidential computing.
      Pod CIDR Block

      If you select Flannel as the network plug-in, you must set Pod CIDR Block.

      The CIDR block specified by Pod CIDR Block cannot overlap with that of the VPC or those of the existing clusters in the VPC. The CIDR block cannot be modified after the cluster is created. The Service CIDR block cannot overlap with the pod CIDR block. For more information about subnetting for ACK clusters, see Plan CIDR blocks for an ACK cluster.

      Service CIDR

      Set Service CIDR. The CIDR block specified by Service CIDR cannot overlap with that of the VPC or those of the existing clusters in the VPC. The CIDR block cannot be modified after the cluster is created. The Service CIDR block cannot overlap with the pod CIDR block. For more information about subnetting for ACK clusters, see Plan CIDR blocks for an ACK cluster.

      IP Addresses per Node
      If you select Flannel as the network plug-in, you must set IP Addresses per Node.
      Note
      • IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you use the default value.
      • After you select the VPC and specify the number of IP addresses per node, recommended values are automatically generated for Pod CIDR block and Service CIDR block. Based on these configurations, the system also provides the maximum number of nodes that can be deployed in the cluster and the maximum number of pods that can be deployed on each node. You can modify the values based on your business requirements.
      Configure SNAT

      By default, an ACK cluster cannot access the Internet. If the VPC that you select for the ACK cluster cannot access the Internet, you can select Configure SNAT for VPC. This way, ACK will create a NAT gateway and configure Source Network Address Translation (SNAT) entries to enable Internet access for the VPC.

      Access to API Server
      By default, an internal-facing Server Load Balancer (SLB) instance is created for the cluster API server. You can modify the specifications of the SLB instance. For more information, see Instance types and specifications.
      Notice If you delete the SLB instance, you cannot access the API server.
      Select or clear Expose API Server with EIP. The ACK API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources, such as pods and Services.
      • If you select this check box, an elastic IP address (EIP) is created and associated with an Internet-facing SLB instance. Port 6443 used by the API server is opened on master nodes. You can connect to and manage the ACK cluster by using kubeconfig over the Internet.
      • If you clear this check box, no EIP is created. You can connect to and manage the ACK cluster only by using kubeconfig from within the VPC.
      RDS Whitelist
      Set the Relational Database Service (RDS) whitelist. Add the IP addresses of the nodes in the cluster to the RDS whitelist.
      Note To enable an RDS instance to access the cluster, you must deploy the RDS instance in the VPC where the cluster is deployed.
      Security Group

      You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information, see Overview.

      Secret Encryption Select or clear Select Key.
    2. Configure advanced settings of the cluster.
      Parameter Description
      Kube-proxy Mode
      iptables and IPVS are supported.
      • iptables is a mature and stable kube-proxy mode. It uses iptables rules to conduct service discovery and load balancing. The performance of this mode is restricted by the size of the ACK cluster. This mode is suitable for ACK clusters that manage a small number of Services.
      • IPVS is a high-performance kube-proxy mode. It uses Linux Virtual Server (LVS) to conduct service discovery and load balancing. This mode is suitable for ACK clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.
      Labels
      Add labels to the nodes in the cluster. Enter a key and a value, and click Add.
      Note
      • Key is required. Value is optional.
      • Keys are not case-sensitive. A key must be 1 to 64 characters in length, and cannot start with aliyun, http://, or https://.
      • Values are not case-sensitive. A value can be empty and can contain up to 128 characters in length. It cannot be http:// or https://.
      • The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the one that uses the same key.
      • You can add up to 20 labels to each resource. If you add more than 20 labels to a resource, all labels become invalid. You must remove excess labels for the remaining labels to take effect.
      Cluster Domain
      Set the domain name of the cluster.
      Note The default domain name is cluster.local. You can enter a custom domain name. A domain name consists of two parts. Each part must be 1 to 63 characters in length and can contain only letters and digits. You cannot leave these parts empty.
      Custom Certificate SANs

      You can enter custom subject alternative names (SANs) for the API server certificate of the cluster to accept requests from specified IP addresses or domain names.

      Service Account Token Volume Projection

      Service account token volume projection reduces security risks when pods use service accounts to access the API server. This feature enables kubelet to request and store the token on behalf of the pod. This feature also allows you to configure token properties, such as the audience and validity duration. For more information, see Enable service account token volume projection.

      Deletion Protection

      Specify whether to enable deletion protection. If you select this check box, the ACK cluster cannot be deleted in the console or by calling the API. This prevents user errors.

  6. Click Next:Worker Configurations to configure worker nodes.
    1. Set worker nodes.
      Note Only ECS Bare Metal instances can be used as worker nodes in clusters for confidential computing. The instance type must be ecs.ebmhfg5.2xlarge.
      • If you select Create Instance, you must set the parameters that are listed in the following table.
        Parameter Description
        Billing Method
        The pay-as-you-go and subscription billing methods are supported. If you select the subscription billing method, you must set the following parameters:
        • Duration: You can select 1, 2, 3, or 6 months. If you require a longer duration, you can select 1 to 5 years.
        • Auto Renewal: Specify whether to enable auto-renewal.
        The following billing methods are supported: Pay-As-You-Go and Subscription.
        Instance Type Only ECS Bare Metal instances support confidential computing and only the ecs.ebmhfg5.2xlarge instance type supports Intel (R) SGX applications.
        Selected Types The selected instance types. You can select multiple instance types.
        Quantity

        Specify the number of worker nodes (ECS instances) to be created.

        System Disk
        Enhanced SSDs, SSDs, and ultra disks are supported.
        Note
        • You can select Enable Backup to back up disk data.
        • If you select an enhanced SSD as the system disk, you can also set a custom performance level for the disk.

          You can select higher performance levels for enhanced SSDs with larger storage capacities. For example, you can select performance level 2 for an enhanced SSD with a storage capacity of more than 460 GiB. You can select performance level 3 for an enhanced SSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs of ESSDs.

        Mount Data Disk

        Enhanced SSDs, SSDs, and ultra disks are supported. You can enable disk encryption and disk backup when you mount a data disk.

        Operating System Only the AliyunLinux 2.xxxx operating systems are supported.
        Logon Type
        • Key pair logon.
          • Key Pair: Select an SSH key pair from the drop-down list.
          • create a key pair: Create an SSH key pair if none is available. For more information about how to create an SSH key pair, see Create an SSH key pair. After the key pair is created, set it as the credential that is used to log on to the cluster.
        • Password logon.
          • Password: Enter the password that is used to log on to the nodes.
          • Confirm Password: Enter the password again.
        Key Pair
      • If you select Add Existing Instance, you must add at least two worker nodes. You must also set Duration, Auto Renewal, Operating System, Logon Type, and Key Pair based on the preceding settings.
    2. Configure advanced settings of the worker nodes.
      Parameter Description
      Node Protection
      Specify whether to enable node protection.
      Note By default, this check box is selected. This way, the nodes in the cluster cannot be deleted in the console or by calling the API. This prevents user errors.
      User Data You can enter custom scripts. Custom scripts are automatically executed after the nodes are initialized.
      Note Windows nodes support Batch and PowerShell scripts. Before you encode the content in Base64, make sure that the first line includes [bat] or [powershell]. Linux nodes support shell scripts. For more information about the supported formats, see cloud-init and Prepare user data.

      If your script file is larger than 1 KB, we recommend that you upload the script to an Object Storage Service (OSS) bucket and pull the script from the internal endpoint of the OSS bucket.

      Custom Image
      Notice Do not use custom images. Some images may not support confidential computing.
      Custom Node Name

      Specify whether to use a custom node name.

      A node name consists of a prefix, an IP substring, and a suffix.
      • Both the prefix and suffix can contain one or more parts that are separated with periods (.).These parts can contain lowercase letters, digits, and hyphens (-), and must start and end with a lowercase letter or digit.
      • The IP substring length specifies the number of digits to be truncated from the end of the returned node IP address. Valid values: 5 to 12.
      CPU Policy
      Set the CPU policy.
      • none: This policy indicates that the default CPU affinity is used. This is the default policy.
      • Static: allows pods with specific resource characteristics on the node to be granted with enhanced CPU affinity and exclusivity.
      Taints

      Add taints to the worker nodes in the ACK cluster.

  7. Click Next:Component Configurations to configure components.
    Parameter Description
    Ingress

    Specify whether to install Ingress controllers. By default, Install Ingress Controllers is selected. For more information, see Advanced Ingress configurations.

    Note If you want to select Create Ingress Dashboard, you must first enable Log Service.
    Monitoring Agents Select whether to install the Cloud Monitor agent. After the Cloud Monitor agent is installed on ECS instances, you can view monitoring information about the instances in the Cloud Monitor console.
    Log Service

    Specify whether to enable Log Service. You can select an existing Log Service project or create a new one. By default, Enable Log Service is selected. When you create an application, you can activate Log Service through a few steps. For more information, see Use Log Service to collect container logs.

    Workflow Engine
    Specify whether to enable Alibaba Cloud Genomics Compute Service (AGS).
    Note To use this feature, submit a ticket.
    • If you select this check box, the system automatically installs the AGS workflow plug-in when the system creates the ACK cluster.
    • If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.
  8. Click Next:Confirm Order to confirm the cluster configurations and select Terms of Service.
  9. Click Create Cluster to deploy the cluster.
    You can also view detailed information about how the cluster is created in the log data.
    Note It requires approximately 10 minutes for the system to create a managed Kubernetes cluster that contains multiple nodes.

Result

  • After the cluster is created, you can view the created cluster on the Clusters page in the console.Clusters
  • Click View Logs in the Actions column. On the Log Information page, you can view the cluster log. To view detailed log data, click Stack events.Cluster log
  • On the Clusters page, find the created cluster, and click its name or click Details in the Actions column. On the details page, you can click the Basic Information tab to view basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster.

    The following information is displayed:
    • API Server Public Endpoint: the IP address and port that the API server uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on your terminal.

      Bind EIP and Unbind EIP: These options are available to only managed Kubernetes clusters.

      • Bind EIP: You can select an existing elastic IP address (EIP) or create one.

        The API server restarts after you bind an EIP to the API server. We recommend that you do not perform operations on the cluster during the restart process.

      • Unbind EIP: You cannot access the API server over the Internet after you unbind the EIP.

        The API server restarts after you unbind the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.

    • API Server Internal Endpoint: the IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the Server Load Balancer (SLB) instance that is bound to the cluster.
    • Testing Domain: the domain name that is used to test Services. The suffix of the domain name is <cluster_id>.<region_id>.alicontainer.com.
      Note To rebind the domain name, click Rebind Domain Name.
  • You can Use kubectl to connect to an ACK cluster and run the kubectl get node command to query information about the nodes in the cluster.Query cluster information