Alibaba Cloud Container Service for Kubernetes@Edge (ACK@Edge) is an edge cluster management solution that applies to edge computing scenarios. It aims to manage edge clusters by using management nodes in the cloud. This topic describes the background and features of ACK@Edge, the framework of edge network autonomy, and the O&M tunnels for an edge cluster.


As the fifth generation technology standard for cellular networks (5G) and Internet of Things (IoT) emerge, the number of smart end devices skyrockets over the Internet. Centralized storage and computing provided by traditional cloud computing centers cannot meet the needs of end devices in terms of timeliness, capacity, and computing capabilities. Edge computing technologies allow you to deliver cloud computing capabilities to end devices and edges while delivering, maintaining, and controlling services in the cloud. This is the next step in the evolution of cloud computing.

ACK@Edge provides a standard, secure, and highly available Kubernetes cluster in the cloud. This solution integrates the virtualization, storage, network, and security capabilities of Alibaba Cloud, and simplifies the cluster O&M. This allows you to focus on developing and managing containerized applications. ACK@Edge has the following features:

  • Manages edge devices in the cloud and helps you build the cloud-native infrastructure for edge computing.
  • Supports fast integration of various edge computing resources, such as IoT gateway devices, end devices, content delivery network (CDN) resources, and resources in on-premises data centers.
  • Supports the x86 and Advanced RISC Machine (ARM) architectures.
  • Supports a wide range of application scenarios, such as edge intelligence, smart buildings, smart factories, live audio and video streaming, online education, and CDN.

ACK@Edge adds a plugin to open source Kubernetes to provide enhanced features, including edge autonomy, edge units, edge traffic management, and native O&M APIs. This service provides centralized lifecycle management and resource scheduling for applications in edge computing scenarios in a native manner.


Edge cluster architecture

ACK@Edge provides centralized lifecycle management for container applications and resources in edge computing scenarios. ACK@Edge has the following features:

  • Allows you to create high-availability edge Kubernetes clusters within a few clicks and provides lifecycle O&M capabilities, such as cluster scaling, upgrading, logging, and monitoring. You can perform the operations in the Container Service console.
  • Supports various types of edge node resources, including resources in on-premises data centers, IoT devices, and x86 and ARM architectures. These resources can be combined and scheduled to provide services.
  • Supports node autonomy and network autonomy to ensure the reliability of edge nodes and services in case of weak network connections.
  • Provides reverse SSL tunnels for cluster O&M.
  • Provides edge unit management, unitized node deployment, and unit traffic management.

Edge network autonomy

By default, after an edge node connects to a cloud cluster, the network between the node and the cloud automatically recovers if an error occurs.

  • On an edge node, each pod IP address corresponds to a pod name. The restart of the application or the node does not change the pod IP address. The MAC address of the VXLAN tunnel end point (VTEP) for each node is bound to the node. The restart of the flannel container or the node does not change the MAC address of the VTEP.
  • If an error occurs in the network between an edge node and the management node in the cloud, all network connections related to the applications on the edge node are restored automatically after you restart the edge node or the applications. This feature is applicable to cross-node communication in edge computing scenarios where the network connection is weak.

No matter whether a pod shares a network with the host, the application on the pod supports edge network autonomy. This ensures that the network communications between applications can be restored automatically after applications are restored from exceptions. The following figure shows the architecture.

Edge network autonomy
Note If a pod is deleted or migrated to another node, the pod IP address changes.

O&M tunnels for an edge cluster

In a native Kubernetes cluster, cloud management components such as kube-apiserver must access kubelet on the edge nodes to run O&M commands, for example, kubectl logs/exec. O&M monitoring components such as metrics-server must pull edge monitoring data from the cloud. However, in managed edge clusters, direct access to edge nodes from the cloud may fail due to network conditions. For example, edge nodes may be deployed on a virtual private cloud (VPC).

To optimize the managed Kubernetes cluster services, ACK@Edge allows you to access edge nodes from the cloud. By default, after you create a managed Kubernetes cluster, ACK@Edge deploys the edge-tunnel-server and edge-tunnel-agent components to provide an O&M tunnel for the edge cluster.

  • The edge-tunnel-server component is deployed on the cloud nodes by using the Deployment model.

    When you create a cluster, you must purchase at least one Elastic Compute Service (ECS) instance to deploy the component.

  • The edge-tunnel-agent component is deployed on the edge nodes by using the Daemonset model.

To create a secure and encrypted O&M tunnel over the Internet, ACK@Edge prepares a Server Load Balancer (SLB) instance for edge-tunnel-server. The edge-tunnel-agent component on each edge node uses the SLB instance to establish an O&M tunnel that connects to the cloud. The following figure shows the architecture.

  • When edge nodes disconnect from the cloud or the network connection is weak, the O&M tunnel may fail to function properly.
  • The tunnel fails to function if you delete or stop the SLB instance that is used by the tunnel.