This topic describes how to create a Kubernetes cluster that supports confidential computing in the Container Service console.

Prerequisites

Container Service for Kubernetes and Resource Access Management (RAM) are activated.

You can log on to the Container Service console and the RAM console to activate the services.

Note

Note the following limits when you use Container Service for Kubernetes:

  • SLB instances that are created along with the cluster support only the pay-as-you-go billing method.
  • Kubernetes clusters support only Virtual Private Cloud (VPC) networks.
  • By default, each account has specific quotas on the amount of cloud resources that can be created. You cannot create clusters if the quota limit is exceeded. Make sure that you have sufficient quotas before you create a cluster. To request a quota increase, submit a ticket.
    • You can create up to 50 clusters across all regions for each account. A cluster can contain up to 100 nodes. To create more clusters or nodes, submit a ticket.
      Notice In a Kubernetes cluster, you can create up to 48 route entries per VPC by default. This means that a VPC-connected cluster can contain up to 48 route entries. To create more route entries, submit a ticket.
    • You can create up to 100 security groups for each account.
    • You can create up to 60 pay-as-you-go SLB instances for each account.
    • You can create up to 20 Elastic IP addresses for each account.
  • To create a confidential computing cluster, you must set the parameters based on the following table. Otherwise, you cannot run Intel SGX applications in the cluster.
    Parameter | Description
    Zone | Only ECS Bare Metal instances of the ecs.ebmhfg5.2xlarge type support confidential computing clusters. Make sure that this instance type is available in the selected zone.
    Container Runtime | Docker 18.09.2
    Instance Type | Select ecs.ebmhfg5.2xlarge of the ECS Bare Metal instance family.
    Operating System | AliyunLinux 2.xxxx
    Network Plug-in | Flannel
    Custom Image | Do not use custom images. Otherwise, confidential computing may not be available.

Procedure

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. On the Select Cluster Template page that appears, select Confidential Computing Cluster and click Create. The confidential computing feature is in the public preview phase.
  4. On the Managed Kubernetes page, complete cluster configurations.
    1. Configure basic parameters.
      Parameter | Description
      Cluster Name | Enter the name of the cluster.
        Note The name must be 1 to 63 characters in length and can contain digits, Chinese characters, letters, and hyphens (-).
      Kubernetes Version | Select the Kubernetes version.
      Confidential Computing | Select Enable.
      Container Runtime | You must select Docker as the container runtime.
      Region | Select the region where the cluster resides.
      Resource Group | Move the pointer over Account's all Resources at the top of the page and select the resource group where the cluster resides. The name of the selected resource group appears in the Resource Group field.
      VPC | Set the Virtual Private Cloud (VPC) of the cluster.
        Note Kubernetes clusters support VPCs only. You can select a VPC from the drop-down list. If no VPCs are available, click Create VPC. For more information, see Create a VPC network.
      VSwitch | Set the VSwitch.
        Note Select one to three VSwitches. We recommend that you select VSwitches in different zones. If no VSwitch is available, click Create VSwitch. For more information, see Create a VSwitch.
      Network Plug-in | Confidential computing clusters support the Flannel plug-in only.
      Pod CIDR Block, Service CIDR | Set Pod CIDR Block and Service CIDR. You must specify Service CIDR. Make sure that the specified CIDR blocks do not overlap with the VPC CIDR block or with the CIDR blocks used by existing Kubernetes clusters in the VPC. You cannot modify the CIDR blocks after the cluster is created. The service CIDR block cannot overlap with the pod CIDR block. For more information, see Plan Kubernetes CIDR blocks under a VPC.
      IP Addresses per Node | Set the number of IP addresses allowed for each node.
        Note IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you use the default value.
      Configure SNAT | Set whether to configure source network address translation (SNAT) rules for the VPC.
        Note
        • If the VPC that you select has a network address translation (NAT) gateway, Container Service for Kubernetes uses this NAT gateway.
        • Otherwise, the system automatically creates a NAT gateway. If you do not want the system to create a NAT gateway, clear the Configure SNAT for VPC check box. In this case, you must manually create a NAT gateway or configure SNAT rules so that instances in the VPC can access the Internet. Otherwise, the cluster creation fails.
      Public Access | Select whether to enable Expose API Server with EIP.
        Note
        The Kubernetes API server provides multiple HTTP-based RESTful APIs that can be used to create, delete, modify, query, and watch resource objects such as pods and services.
        • If you select this check box, an Elastic IP address is created and bound to the internal Server Load Balancer (SLB) instance. Port 6443, which is used by the API server, is opened on the master nodes. You can use a kubeconfig file to connect to the cluster from the Internet.
        • If you clear this check box, no Elastic IP address is created, and you can use a kubeconfig file to connect to the cluster over the VPC only.
      RDS Whitelist | Configure the whitelist of the ApsaraDB for Relational Database Service (RDS) instance. Add the IP addresses of the nodes to the RDS whitelist.
      Custom Security Group | Select a security group. Click Select a security group. In the dialog box that appears, select a security group and click OK. For more information, see Overview.
        Note This feature is available to users in the whitelist only. To use this feature, submit a ticket.
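The CIDR rules in the Pod CIDR Block and Service CIDR row, checked in code before you commit to values that cannot be changed after creation. This is an added example, not code from the page or from Container Service for Kubernetes; it relies on Python's standard ipaddress module, and the node-count bound assumes that each node receives a power-of-two subnet carved out of the pod CIDR block (how Flannel allocates per-node ranges), which the page itself does not state.

```python
import ipaddress


def check_cidr_plan(vpc_cidr, pod_cidr, service_cidr, existing_cluster_cidrs=()):
    """Return the list of rule violations for a proposed CIDR plan (empty = OK).

    Rules from the console notes: the pod and service CIDR blocks must not
    overlap the VPC CIDR block, must not overlap any CIDR block already used by
    a Kubernetes cluster in the same VPC, and must not overlap each other.
    strict=True rejects blocks with host bits set (for example 172.20.1.0/16).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    pod = ipaddress.ip_network(pod_cidr, strict=True)
    svc = ipaddress.ip_network(service_cidr, strict=True)
    existing = [ipaddress.ip_network(c, strict=True) for c in existing_cluster_cidrs]

    problems = []
    for name, net in (("Pod CIDR", pod), ("Service CIDR", svc)):
        if net.overlaps(vpc):
            problems.append(f"{name} {net} overlaps the VPC CIDR block {vpc}")
        for other in existing:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps the existing cluster CIDR {other}")
    if pod.overlaps(svc):
        problems.append(f"Pod CIDR {pod} overlaps Service CIDR {svc}")
    return problems


def max_nodes_for_pod_cidr(pod_cidr, ips_per_node):
    """Upper bound on the node count: each node takes one subnet of
    ips_per_node addresses (assumed to be a power of two) from the pod CIDR block."""
    if ips_per_node <= 0 or ips_per_node & (ips_per_node - 1):
        raise ValueError("IP addresses per node must be a power of two")
    return ipaddress.ip_network(pod_cidr, strict=True).num_addresses // ips_per_node


if __name__ == "__main__":
    # Constructed sample plan: VPC 192.168.0.0/16 already hosts a cluster on 172.16.0.0/16.
    for issue in check_cidr_plan("192.168.0.0/16", "172.20.0.0/16", "172.21.0.0/20",
                                 existing_cluster_cidrs=["172.16.0.0/16"]):
        print("violation:", issue)
    print("max nodes:", max_nodes_for_pod_cidr("172.20.0.0/16", 256))
```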
    2. Configure advanced options.
      Parameter | Description
      Kube-proxy Mode | iptables and IPVS are supported.
        • iptables is a mature and stable kube-proxy mode. In this mode, iptables rules are used to configure service discovery and load balancing. This mode provides average performance and is significantly affected by the cluster size. We recommend that you select iptables if the cluster runs a small number of services.
        • IPVS is a high-performance kube-proxy mode. In this mode, IP Virtual Server (IPVS) of Linux is used to configure service discovery and load balancing. We recommend that you select this mode for clusters that run a large number of services and require high-performance load balancing.
      Labels | Attach labels to the cluster. Enter the key and value and click Add.
        Note
        • The key is required. The value is optional.
        • The key is case-insensitive and can be up to 64 characters in length. It cannot start with any of the following strings: aliyun, http://, and https://.
        • The value is optional and case-insensitive, and can be up to 128 characters in length. It cannot start with http:// or https://.
        • The keys of labels attached to the same resource must be unique. If you add a label with a key that is already in use, the new label overwrites the existing label that uses that key.
        • You can attach up to 20 labels to one resource. To attach more labels, you must remove existing labels first.
      Cluster Domain | Set the cluster domain.
        Note The default cluster domain is cluster.local. Custom domains are supported. A domain consists of two parts. Each part can be up to 63 characters in length and can contain lowercase and uppercase letters, and digits. To customize a domain name, you must specify both parts.
      Deletion Protection | Select whether to enable Deletion Protection. If you select this check box, the cluster cannot be deleted in the console or by API operations.
  5. Click Next: Worker Configuration to configure worker nodes.
    1. Select instances as worker nodes.
      Note To create a confidential computing cluster, make sure that worker nodes are ECS Bare Metal instances. The instance type is ecs.ebmhfg5.2xlarge.
      • If you select Create Instance, you must set the following parameters.
        Parameter | Description
        Billing Method | Two billing methods are supported: Pay-As-You-Go and Subscription.
        Duration | If you select Subscription, you must set the duration of the subscription. Valid values: 1, 2, 3, 6, and 12. Unit: months.
        Auto Renewal | If you select Subscription, you must set whether to enable Auto Renewal.
        Instance Type | Only ECS Bare Metal instances support confidential computing. The ecs.ebmhfg5.2xlarge instance type supports Intel SGX applications.
        Selected Types | The selected instance types. You can select multiple instance types.
        Quantity | Set the number of worker nodes.
        System Disk | Standard SSDs and ultra disks are supported.
        Mount Data Disk | Standard SSDs and ultra disks are supported.
        Operating System | Only the AliyunLinux 2.xxxx systems are supported.
        Logon Type | Key Pair or Password.
          • Key Pair: If you set Logon Type to Key Pair, click create a key pair to create one in the ECS console. For more information, see Create an SSH key pair. After the key pair is created, set it as the credentials to log on to the cluster.
          • Password:
            • Password: Set the logon password.
            • Confirm Password: Enter the logon password again.
        Key Pair | If Logon Type is Key Pair, select the key pair to use as the logon credentials.
      • If you select Add Existing Instance, you must add at least two worker nodes. You must also set Duration, Auto Renewal, Operating System, Logon Type, and Key Pair.
    2. Configure advanced options.
      Parameter | Description
      Node Protection | Select whether to enable Node Protection.
        Note This check box is selected by default. This protects cluster nodes from being deleted in the console or by API operations.
      User Data | You can enter custom scripts, which are run after the node is initialized.
        Note Windows-based instances support Batch and PowerShell scripts. Before you perform Base64 encoding, make sure that the content to be encoded includes [bat] or [powershell] as the first line. Linux-based instances support shell scripts. For more information about supported formats, see cloud-init and Prepare user data.
        If your script file is larger than 1 KB, we recommend that you upload the script to an Object Storage Service (OSS) bucket and pull the script from the internal endpoint of your OSS bucket.
      Custom Image | Notice Do not use custom images. Otherwise, confidential computing may not be available.
      Custom Node Name | Select whether to enable Custom Node Name. A node name consists of a prefix, a substring of the IP address, and a suffix.
        • Both the prefix and suffix can contain one or more parts that are separated with periods (.). Each part can contain lowercase letters, digits, and hyphens (-), and must start and end with a lowercase letter or digit.
        • The IP substring length specifies the number of digits at the end of the node IP address. Valid values: [5, 12].
        For example, if the node IP address is 192.168.0.55, the prefix is aliyun.com, the IP substring length is 5, and the suffix is test, the node name is aliyun.com00055test.
      CPU Policy | Set the CPU policy.
        • none: This is the default policy, which indicates that the default CPU affinity is used.
        • static: This policy allows pods that have certain characteristics to be granted increased CPU affinity and exclusivity on the node.
      Taints | Add taints to all worker nodes in the cluster.
  6. Click Next: Component Configuration to configure components.
    Parameter | Description
    Ingress | Select whether to install ingress controllers. By default, the Install Ingress Controllers check box is selected. For more information, see Support for Ingress.
      Note If you select the Create Ingress Dashboard check box, you must enable Log Service.
    CloudMonitor Agent | Select whether to install the CloudMonitor agent. After the CloudMonitor agent is installed on ECS instances, you can view monitoring information about the instances in the CloudMonitor console.
    Log Service | Select whether to enable Log Service. You can select an existing project or create a project.
      If you select the Enable Log Service check box, the Log Service plug-in is automatically installed in the cluster. When you create an application, you can quickly set up Log Service. For more information, see Use Log Service to collect Kubernetes cluster logs.
    Workflow Engine | Select whether to use Alibaba Cloud Genomics Service (AGS).
      • If you select this check box, the system automatically installs the AGS workflow plug-in during cluster creation.
      • If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.
    Optional Add-ons | In addition to system components, you can install other components provided by Container Service for Kubernetes.
  7. Click Create Cluster. In the Confirm dialog box that appears, click OK to start the deployment.
    You can now view the cluster creation progress.
    Note It takes about 10 minutes to create a Kubernetes cluster that contains multiple nodes.

Result

  • After the cluster is created, you can find the cluster on the Clusters page in the console.
  • Click View Logs in the Actions column. On the Log Information page that appears, you can view cluster logs. To view log details, click Stack Events.
  • On the Clusters page, find the new cluster and click Manage in the Actions column. On the page that appears, you can view basic information about the cluster.
    The cluster information includes the following parameters:
    • API Server Public Endpoint: the IP address and port that the Kubernetes API server uses to provide services to the Internet. You can visit the endpoint to manage clusters by using tools such as kubectl on your terminal.

      Bind EIP and Unbind EIP: These options are available to managed Kubernetes clusters only.

      • Bind EIP: You can select an existing EIP or create an EIP.

        The API server restarts when you bind it to an EIP. We recommend that you do not perform operations on the cluster during the process.

      • Unbind EIP: You cannot access the API server from the Internet after you unbind the EIP.

        The API server restarts when you unbind it from an EIP. We recommend that you do not perform operations on the cluster during the process.

    • API Server Internal Endpoint: the IP address and port that the Kubernetes API server uses to provide services in the cluster. The IP address belongs to the SLB instance that is connected to the cluster.
    • Pod CIDR Block: the CIDR block of the pods in the cluster.
    • Service CIDR: the CIDR block of the services that the cluster exposes.
    • Testing Domain: the domain name that is used for service testing. The suffix of the domain name is <cluster_id>.<region_id>.alicontainer.com.
    • Kube-proxy Mode: the proxy mode that is used for service discovery and load balancing. The iptables and IPVS modes are supported.
    • Pods on Each Node: the maximum number of pods that can be running on a single node. Default value: 128.
    • Network Plug-in: Only Flannel is supported.
  • You can connect to the Kubernetes cluster through kubectl (see Connect to Kubernetes clusters through kubectl) and run the kubectl get node command to view information about the nodes in the cluster.
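A post-creation audit of the worker-node constraints this page imposes (instance type ecs.ebmhfg5.2xlarge, Docker 18.09.2, AliyunLinux 2), as an added example that is not from the page or from ACK. It assumes the standard node.kubernetes.io/instance-type label (or its older beta.kubernetes.io form) carries the ECS instance type and reads the runtime and OS from nodeInfo; the input is a constructed sample shaped like the output of kubectl get nodes -o json.

```python
import json

REQUIRED_INSTANCE_TYPE = "ecs.ebmhfg5.2xlarge"
REQUIRED_RUNTIME = "docker://18.09.2"

# Constructed sample shaped like `kubectl get nodes -o json`, trimmed to the
# fields this audit reads. The first node is compliant; the second is not.
SAMPLE_NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "cn-node-1",
                  "labels": {"node.kubernetes.io/instance-type": "ecs.ebmhfg5.2xlarge"}},
     "status": {"nodeInfo": {"containerRuntimeVersion": "docker://18.09.2",
                             "osImage": "Aliyun Linux 2.1903"}}},
    {"metadata": {"name": "cn-node-2",
                  "labels": {"node.kubernetes.io/instance-type": "ecs.g6.large"}},
     "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.4.3",
                             "osImage": "Ubuntu 18.04.5 LTS"}}},
]})


def audit_nodes(nodes_json):
    """Return {node name: [findings]} for nodes that violate the confidential
    computing prerequisites. Compliant nodes are omitted from the result."""
    findings = {}
    for node in json.loads(nodes_json)["items"]:
        name = node["metadata"]["name"]
        labels = node["metadata"].get("labels", {})
        info = node.get("status", {}).get("nodeInfo", {})
        issues = []
        itype = labels.get("node.kubernetes.io/instance-type",
                           labels.get("beta.kubernetes.io/instance-type"))
        if itype != REQUIRED_INSTANCE_TYPE:
            issues.append(f"instance type {itype!r}, expected {REQUIRED_INSTANCE_TYPE}")
        runtime = info.get("containerRuntimeVersion")
        if runtime != REQUIRED_RUNTIME:
            issues.append(f"container runtime {runtime!r}, expected {REQUIRED_RUNTIME}")
        os_image = info.get("osImage", "")
        if "aliyun" not in os_image.lower().replace(" ", ""):
            issues.append(f"OS image {os_image!r} is not AliyunLinux 2")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Against a live cluster, pass the output of: kubectl get nodes -o json
    for node, issues in audit_nodes(SAMPLE_NODES_JSON).items():
        print(node, "->", "; ".join(issues))
```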