Create a managed Kubernetes cluster for confidential computing

This topic describes how to create a managed Kubernetes cluster for confidential computing in the Container Service for Kubernetes (ACK) console. Managed Kubernetes clusters for confidential computing run in Trusted Execution Environments (TEEs).

1. Log on to the ACK console.
2. In the left-side navigation pane of the ACK console, click Clusters.
3. In the upper-right corner of the Clusters page, click Cluster Template.
4. In the Select Cluster Template dialog box, find Confidential Computing Cluster in the Managed Clusters section and click Create.
5. On the Managed Kubernetes tab, configure the cluster.
   1. Configure basic settings for the cluster.

      Parameter	Description
      Cluster Name	Enter a name for the ACK cluster. Note The name must be 1 to 63 characters in length, and can contain digits, letters, and hyphens (-).
      Cluster Specification	Select a cluster type. You can select Standard edition or Professional.
      Region	Select a region to deploy the cluster.
      Billing Method	The pay-as-you-go and subscription billing methods are supported. If you select the subscription billing method, you must set the following parameters: Note If you set Billing Method to Subscription, only Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances are billed on a subscription basis. Other cloud resources are billed on a pay-as-you-go basis. For more information about the billing rules of Alibaba Cloud resources, see Billing of cloud services. Duration: You can select 1, 2, 3, or 6 months. If you require a longer duration, you can select 1 to 3 years. Auto Renewal: Specify whether to enable auto-renewal.
      All Resources	Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches are filtered based on the selected resource group. When you create a cluster, only the VPCs and vSwitches that belong to the selected resource group are displayed in the console.
      Kubernetes Version	The Kubernetes versions supported by ACK are displayed on the page.
      Confidential Computing	Select Enable.
      Container Runtime	Only the containerd runtime is supported. For more information, see Comparison of Docker, containerd, and Sandboxed-Container.
      VPC	Select a VPC to deploy the cluster. Standard VPCs and shared VPCs are supported. Shared VPC: The owner of a VPC (resource owner) can share the vSwitches in the VPC with other accounts in the same organization. Standard VPC: The owner of a VPC (resource owner) cannot share the vSwitches in the VPC with other accounts. Note ACK clusters support only VPCs. You can select a VPC from the drop-down list. If no VPC is available, click Create VPC to create one. For more information, see Create and manage a VPC.
      vSwitch	Select vSwitches. You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create vSwitch to create one. For more information, see Work with vSwitches.
      Network Plug-in	You must select the Flannel plug-in if you want to enable confidential computing.
      Pod CIDR Block	If you select Flannel as the network plug-in, you must set Pod CIDR Block. The CIDR block specified by Pod CIDR Block cannot overlap with that of the VPC or those of the existing clusters in the VPC. The CIDR block cannot be modified after the cluster is created. The Service CIDR block cannot overlap with the pod CIDR block. For more information about how to plan CIDR blocks for an ACK cluster, see Plan CIDR blocks for an ACK cluster.
      Service CIDR	Set Service CIDR. The CIDR block specified by Service CIDR cannot overlap with that of the VPC or those of the existing clusters in the VPC. The CIDR block cannot be modified after the cluster is created. The Service CIDR block cannot overlap with the pod CIDR block. For more information about how to plan CIDR blocks for an ACK cluster, see Plan CIDR blocks for an ACK cluster.
      IP Addresses per Node	If you select Flannel as the network plug-in, you must set IP Addresses per Node. Note IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you use the default value. After you select the VPC and specify the number of IP addresses per node, recommended values are automatically generated for Pod CIDR Block and Service CIDR. The system also provides the maximum number of nodes that can be deployed in the cluster and the maximum number of pods that can be deployed on each node. You can modify the values based on your business requirements.
      Configure SNAT	By default, an ACK cluster cannot access the Internet. If the VPC that you select for the cluster cannot access the Internet, you can select Configure SNAT for VPC. This way, ACK will create a NAT gateway and configure SNAT rules to enable Internet access for the VPC.
      Access to API Server	By default, an internal-facing SLB instance is created for the cluster API server. You can modify the specification of the SLB instance. For more information, see Instance types and specifications. Notice If you delete the SLB instance, you cannot access the cluster API server. Select or clear Expose API Server with EIP. The ACK API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and watch resources, such as pods and Services. If you select this check box, an elastic IP address (EIP) is created and associated with an SLB instance. Port 6443 used by the API server is opened on master nodes. You can connect to and manage the cluster by using kubeconfig files over the Internet. If you clear this check box, no EIP is created. You can connect to and manage the cluster by using kubeconfig files from only within the VPC.
      RDS Whitelist	Configure the whitelist of the ApsaraDB RDS instance. Add the IP addresses of nodes in the cluster to the ApsaraDB RDS whitelist. Note To enable an ApsaraDB RDS instance to access the cluster, you must make sure that the instance is deployed in the VPC where the cluster is deployed.
      Security Group	You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information about security groups, see Overview. Note To select Select Existing Security Group, Submit a ticket to apply to be added to a whitelist.
      Deletion Protection	Specify whether to enable deletion protection. Deletion protection prevents the cluster from being accidentally deleted in the console or by calling the API. This prevents user errors.
      Resource Group	The resource group that owns the cluster to be created. Each resource can belong only to one resource group. You can regard a resource group as a project, an application, or an organization based on your business scenarios. For more information, see Resource groups.

   2. Configure advanced settings of the cluster.

      Parameter	Description
      Kube-proxy Mode	iptables and IPVS are supported. iptables is a mature and stable kube-proxy mode. It uses iptables rules to conduct service discovery and load balancing. The performance of this mode is restricted by the size of the Kubernetes cluster. This mode is suitable for Kubernetes clusters that manage a small number of Services. IPVS is a high-performance kube-proxy mode. It uses Linux Virtual Server (LVS) to conduct service discovery and load balancing. This mode is suitable for clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.
      Labels	Add labels to the cluster. Enter a key and a value, and click Add. Note Key is required. Value is optional. Keys are not case-sensitive. A key must be 1 to 64 characters in length, and cannot start with aliyun, http://, or https://. Values are not case-sensitive. A value can be empty and can contain up to 128 characters in length. It cannot be http:// or https://. The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the label that uses the same key. If you add more than 20 labels to a resource, all labels become invalid. You must remove excess labels for the remaining labels to take effect.
      Cluster Domain	Set the domain name of the cluster. Note The default domain name is cluster.local. You can enter a custom domain name. A domain name consists of two parts. Each part must be 1 to 63 characters in length and can contain only letters and digits. You cannot leave these parts empty.
      Custom Certificate SANs	You can enter custom subject alternative names (SANs) for the API server certificate of the cluster to accept requests from specified IP addresses or domain names. For more information, see Customize the SAN of the API server certificate when you create an ACK cluster.
      Service Account Token Volume Projection	Service account token volume projection reduces security risks when pods use service accounts to access the API server. This feature enables kubelet to request and store the token on behalf of the pod. This feature also allows you to configure token properties, such as the audience and validity duration. For more information, see Enable service account token volume projection.
      Secret Encryption	Select or clear Select Key based on your requirements.

6. Click Next:Worker Configurations to configure worker nodes.
   1. Select instances as worker nodes.
      Note In confidential computing scenarios, only instance types of the following instance families support Intel Software Guard Extensions (SGX) 2.0 applications: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized.

      • If you select Create Instance, you must set the parameters that are listed in the following table.

        Parameter	Description
        Instance Type	Only instance types of the following instance families support Intel Software Guard Extensions (SGX) 2.0 applications: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized.
        Selected Types	The selected instance types. You can select multiple instance types.
        Quantity	Specify the number of worker nodes (ECS instances) to be created.
        System Disk	Enhanced SSDs, standard SSDs, and ultra disks are supported. Note You can select Enable Backup to back up disk data. If you select enhanced SSD as the system disk type, you can set a custom performance level for the system disk. You can select higher performance levels for enhanced SSDs with larger storage capacities. For example, you can select performance level 2 for an enhanced SSD with a storage capacity of more than 460 GiB. You can select performance level 3 for an enhanced SSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs.
        Mount Data Disk	Enhanced SSDs, standard SSDs, and ultra disks are supported. You can enable disk encryption and disk backup when you mount a data disk. If you enable disk encryption, only the default customer master key (CMK) can be used.
        Operating System	Only the AliyunLinux 2.xxxx 64-bit (UEFI) operating system is supported.
        Logon Type	Key pair logon Key Pair: Select an SSH key pair from the drop-down list. create a key pair: Create an SSH key pair if none is available. For more information about how to create an SSH key pair, see Create an SSH key pair. After the key pair is created, set it as the credential that is used to log on to the cluster. Password logon Password: Enter the password that is used to log on to the nodes. Confirm Password: Enter the password again.
        Key Pair

      • If you select Add Existing Instance, you must add at least two worker nodes. You must set Operating System, Logon Type, and Key Pair as described in the preceding steps.
   2. Configure advanced settings of the worker nodes.

      Parameter	Description
      Node Protection	Specify whether to enable node protection. Note By default, this check box is selected. Node protection prevents nodes from being accidentally deleted in the console or by calling the API. This prevents user errors.
      User Data	You can enter custom scripts. Custom scripts are automatically executed after the nodes are initialized. Note Windows nodes support Batch and PowerShell scripts. Before you encode the content in Base64, make sure that the first line includes [bat] or [powershell]. Linux nodes support shell scripts. For more information about the supported formats, see cloud-init and Overview of ECS instance user data. If your script file is larger than 1 KB, we recommend that you upload the script to an Object Storage Service (OSS) bucket and pull the script from the internal endpoint of the OSS bucket.
      Custom Image	Notice Do not use custom images. Custom images may not support confidential computing.
      Custom Node Name	Specify whether to use a custom node name. A node name consists of a prefix, an IP substring, and a suffix. Both the prefix and suffix can contain one or more parts that are separated by periods (.).These parts can contain lowercase letters, digits, and hyphens (-), and must start and end with a lowercase letter or digit. The IP substring length specifies the number of digits to be truncated from the end of the returned node IP address. The IP substring length ranges from 5 to 12.
      CPU Policy	Set the CPU policy. none: This policy indicates that the default CPU affinity is used. This is the default policy. static: This policy allows pods with specific resource characteristics on the node to be granted with enhanced CPU affinity and exclusivity.
      Taints	Add taints to the worker nodes in the cluster.

7. Click Next:Component Configurations to configure components.

   Parameter	Description
   Ingress	Specify whether to install Ingress controllers. By default, Do Not Install is selected. If you select Nginx Ingress, Install NGINX Ingress Controller is automatically selected. For more information about the NGINX Ingress controller, see Advanced Ingress configurations. If you select ALB Ingress (Public Preview), the Application Load Balancer (ALB) Ingress controller is automatically installed. For more information about how to access cluster services by using ALB Ingresses, see Access Services by using an ALB Ingress. Note If you want to select Create Ingress Dashboard, you must first enable Log Service.
   Service Discovery	Specify whether to install NodeLocal DNSCache. By default, NodeLocal DNSCache is installed. NodeLocal DNSCache runs a Domain Name System (DNS) caching agent to improve the performance and stability of DNS resolution. For more information about NodeLocal DNSCache, see Use NodeLocal DNSCache in an ACK cluster.
   Volume Plug-in	Select a volume plug-in. FlexVolume and CSI are supported. ACK clusters can be automatically bound to Alibaba Cloud disks, Apsara File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets that are mounted to pods. For more information, see Storage management-FlexVolume and Storage management-CSI.
   Monitoring Agents	Specify whether to install the CloudMonitor agent. By default, Install CloudMonitor Agent on ECS Instance and Enable Prometheus Monitoring are selected. After the CloudMonitor agent is installed on ECS nodes, you can view monitoring data about the nodes in the CloudMonitor console.
   Alerts	Select Use Default Alert Template to enable the alerting feature and use the default alert rules. For more information, see Alert management.
   Log Service	Specify whether to enable Log Service. You can select an existing Log Service project or create one. By default, Enable Log Service is selected. When you create an application, you can enable Log Service through a few steps. For more information, see Collect log files from containers by using Log Service. By default, Install node-problem-detector and Create Event Center is selected. You can specify whether to enable the Kubernetes event center in the Log Service console. For more information, see Create and use a Kubernetes event center.
   Workflow Engine	Specify whether to enable Alibaba Cloud Genomics Service (AGS). Note To use this feature, submit a ticket to apply to be added to a whitelist. If you select this check box, the system automatically installs the AGS workflow plug-in when the system creates the cluster. If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.

8. Click Next:Confirm Order to confirm the cluster configurations and select Terms of Service.
9. Click Create Cluster to deploy the cluster.
   You can also view detailed information about how the cluster is created in the log.

   Note It requires about 10 minutes to create a managed Kubernetes cluster that consists of multiple nodes.