This topic describes how to create a managed Kubernetes cluster that supports confidential computing in the Container Service for Kubernetes (ACK) console.
Prerequisites
ACK and Resource Access Management (RAM) are activated.
You can log on to the ACK to activate ACK and the RAM console to activate RAM.
Note the following limits when you use ACK:
- SLB instances that are created together with the ACK cluster support only the pay-as-you-go billing method.
- ACK clusters support only Virtual Private Cloud (VPC) networks.
- Each account can consume only a limited amount of computing resources. You fail to
create clusters if you do not have sufficient computing resources. When you create
clusters, make sure that you have sufficient resources. To increase the quota of computing
resources for your account, submit a ticket.
- You can create up to 50 clusters across regions for each account. You can deploy up
to 100 nodes in each cluster. To increase the quota of clusters or nodes for your
account, submit a ticket.
Notice By default, you can add up to 48 route entries to each VPC network in an ACK cluster. This means that you can deploy up to 48 nodes in an ACK cluster that uses Flannel. An ACK cluster that uses Terway is not subject to this limit. To increase the quota of route entries for a VPC network, submit a ticket.
- You can create up to 100 security groups under each account.
- You can create up to 60 pay-as-you-go SLB instances under each account.
- You can create up to 20 elastic IP addresses (EIPs) under each account.
- You can create up to 50 clusters across regions for each account. You can deploy up
to 100 nodes in each cluster. To increase the quota of clusters or nodes for your
account, submit a ticket.
- To create a confidential computing cluster, you must set the parameters based on the
information in the following table. Otherwise, you cannot run Intel (R) Software Guard
Extensions (SGX) applications in the cluster.
Parameter Description Zone Only ECS Bare Metal instances of the ecs.ebmhfg5.2xlarge type support confidential computing clusters. Make sure that this instance type is available in the selected zone. Container Runtime Docker 18.09.2 Instance Type Select ecs.ebmhfg5.2xlarge of the ECS Bare Metal instance family. Operating System AliyunLinux 2.xxxx Network Plug-in Flannel Custom Image Do not use custom images. Otherwise, confidential computing may be unavailable.
Procedure
Result
- After you create the cluster, you can view the created cluster on the Clusters page in the console.
-
Click View Logs in the Actions column. On the Log information page, you can view cluster logs. To view detailed log information, click Stack events.
-
On the Clusters page, find the created cluster and click Details in the Actions column. You can click the Basic Information tab to view the basic information about the cluster and click the Connection Information tab to view the information about how to connect to the cluster.
The following information is displayed.- API Server Public Endpoint: the IP address and port that the Kubernetes API Server uses to provide services
over the Internet. It allows you to manage the cluster by using kubectl or other tools
on the client.
Bind EIP and Unbind EIP: These options are available to only managed Kubernetes clusters.
- Bind EIP: You can select an existing EIP or create one.
The API server restarts after you bind an EIP to the API server. We recommend that you do not perform operations on the cluster during the restart process.
- Unbind EIP: You cannot access the API server over the Internet after you unbind the
EIP.
The API server restarts after you unbind the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.
- Bind EIP: You can select an existing EIP or create one.
- API Server Internal Endpoint: the IP address and port that the Kubernetes API server uses to provide services within the cluster.
- Testing Domain: the domain name that is used for service testing. The suffix of the domain is
<cluster_id>.<region_id>.alicontainer.com
.Note To rebind the domain name, click Rebind Domain Name.
- API Server Public Endpoint: the IP address and port that the Kubernetes API Server uses to provide services
over the Internet. It allows you to manage the cluster by using kubectl or other tools
on the client.
-
You can use kubectl and run the
kubectl get node
command to connect to the cluster and view the information about the nodes in the cluster. For more information, see Use kubectl to connect to an ACK cluster.