
Container Service for Kubernetes:Cluster creation

Last Updated:Mar 26, 2024

This topic provides answers to some frequently asked questions about cluster creation.

Which network plug-in should I select?

You can select Flannel or Terway as the network plug-in.

  • Flannel

    When you create a Container Service for Kubernetes (ACK) cluster, you must specify CIDR blocks for the virtual private cloud (VPC), vSwitches, pods, and Services. The VPC CIDR block and vSwitch CIDR blocks are used by IaaS resources. Each vSwitch CIDR block must fall within the VPC CIDR block. The pod CIDR block assigns IP addresses to pods on Elastic Compute Service (ECS) instances in your cluster and cannot overlap with the Service CIDR block. IP addresses are assigned from the Service CIDR block to Services in your cluster for internal communication. The Service CIDR block cannot overlap with the VPC CIDR block or the pod CIDR block.

    The following limits apply to these CIDR blocks:

    • The pod CIDR block cannot overlap with the VPC CIDR block.

    • The pod CIDR block cannot overlap with the Service CIDR block.

    • Service IP addresses are reachable only from within the cluster.

    • The Service CIDR block cannot overlap with the VPC CIDR block.

    • The Service CIDR block cannot overlap with the pod CIDR block.

    If you want to create multiple ACK clusters, configure their CIDR blocks with caution to prevent network errors. For more information, see Plan CIDR blocks for an ACK cluster.

  • Terway

    In Terway mode, you must configure CIDR blocks for node vSwitches and pod vSwitches in addition to the preceding CIDR blocks.


    When you create a cluster that uses Terway, you must create two vSwitches in the same zone within the VPC.

    • The node vSwitch that is used to assign IP addresses to nodes in the zone.

    • The pod vSwitch that is used to assign IP addresses to pods that are deployed on nodes in the zone.

    The following table shows sample CIDR blocks that you can use to create a cluster.

    VPC CIDR block    Node vSwitch CIDR block    Pod vSwitch CIDR block    Service CIDR block
    192.168.0.0/16    192.168.0.0/19             192.168.32.0/19           172.21.0.0/20

    For more information, see Work with Terway and Overview.

Why are two SLB instances created after I create an ACK cluster? Should I install an Ingress controller?

The two Server Load Balancer (SLB) instances are created for the API server of the cluster and the Ingress controller in the cluster.

  • API Server

    The API server is a key component that is deployed on master nodes in a Kubernetes cluster. The API server is the core of the Kubernetes system and interacts with worker nodes and other components on master nodes.

    Every request to the cluster, whether from kubectl, from worker nodes, or from other control plane components, passes through the API server. ACK places an internal-facing SLB instance of the minimum specification in front of it. The SLB instance is billed on a pay-as-you-go basis, and you can change its specification on demand. The SLB instance that fronts the API server must be the one created by ACK. If you replace or delete it, the cluster cannot work as expected.

    Note
    • If you want to access the API server over the Internet, select Expose API Server with EIP when you create the cluster. This way, an elastic IP address (EIP) is associated with the API server. The EIP is billed on a pay-as-you-go basis.

    • If you do not select Expose API Server with EIP when you create the cluster and later need Internet access to the API server, you must manually associate an EIP with the API server after the cluster is created. Keep the API server internal-facing unless public access is actually required, and restrict the source addresses that may reach it when it is exposed.

    For more information, see Control public access to the API server of a cluster.

  • Ingress

    • When you create an ACK cluster, we recommend that you install an Ingress controller. ACK provides the NGINX Ingress controller and creates an SLB instance to work together with the NGINX Ingress controller. When you create a cluster, you can use the default SLB instance specification and network type for the NGINX Ingress controller. By default, the SLB instance is billed on a pay-as-you-go basis. For more information, see Ingress overview.

      Note

      You can manually change the configuration of the SLB instance that is associated with the NGINX Ingress controller. For more information, see Considerations for configuring a LoadBalancer type Service.

    • If you do not install the NGINX Ingress controller when you create the cluster, you can go to the cluster details page in the ACK console and choose Operations > Add-ons to install the NGINX Ingress controller. For more information, see Manage components.

How do I configure the whitelist of an ApsaraDB RDS instance to allow access from pods?

How do I add an existing ECS instance to an ACK cluster?

You can add an existing ECS instance to an ACK cluster or enable the cluster to create a new ECS instance. To add an existing ECS instance, you must make sure that the ECS instance is deployed in the same VPC as the cluster. For more information, see Add existing ECS instances to an ACK cluster.

Note

When you add an existing ECS instance to a cluster, you must manually add the ECS instance to the security group of the cluster. We recommend that you add the ECS instance to the default security group of the cluster, which is automatically created when you create the cluster. For more information about how to change between basic security groups and advanced security groups, see Replace the security groups of ECS instances.

How do I create a Docker image that can be used to deploy applications in ACK clusters?

Container Registry allows you to create a container image in a convenient manner. For more information about how to build Docker images, see Build an image for a Java application by using a Dockerfile with multi-stage builds. You can also use the open source tool Derrick to simplify the steps to containerize your application.

How do I deploy applications in ACK clusters if I cannot create images?

ACK can deploy applications from images that you host in Container Registry, from Docker official images, or from public images provided by Container Registry. For more information, see Deploy a stateless application from an image.

How do I plan the network when I create a cluster?

Before you create a cluster, make sure that the CIDR block of the VPC where you want to deploy the cluster, the Service CIDR block, and the pod CIDR block do not overlap with one another. You can select an existing VPC to deploy the cluster and use the default CIDR blocks. In some complex scenarios, you must plan the IP addresses of ECS instances, pods, and Services. For more information, see Plan CIDR blocks for an ACK cluster.
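The CIDR rules stated in this FAQ (vSwitches inside the VPC, pod and Service CIDR blocks overlapping neither each other nor the VPC) are easy to get wrong by hand, and a mistake is only discovered after the cluster is created. The following script is an added example, not Alibaba Cloud documentation or an ACK tool; the `CidrPlan` fields and `validate_plan` function are this example's own names. It checks a Flannel or Terway plan against those rules with the standard library and reports every violation. The Terway sample values are the ones from the table in the Terway section above; the other plans are constructed for illustration.

```python
"""Check an ACK CIDR plan (Flannel or Terway) against the overlap rules in this FAQ.

Added example; it is not Alibaba Cloud documentation or an ACK tool, and the
function and field names are this example's own. Encoded rules: vSwitch CIDRs
must fall within the VPC CIDR, vSwitches must not overlap one another, and the
pod CIDR and Service CIDR must overlap neither each other nor the VPC CIDR.
Zone placement of vSwitches is not a CIDR property and is not checked here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CidrPlan:
    vpc: str
    service: str
    pod: Optional[str] = None               # Flannel: overlay pod CIDR (unused with Terway)
    node_vswitches: List[str] = field(default_factory=list)
    pod_vswitches: List[str] = field(default_factory=list)   # Terway only


def _parse(cidr: str, label: str, errors: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR strictly; '192.168.1.0/16' (host bits set) is rejected, not silently masked."""
    try:
        return ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        errors.append(f"{label} {cidr!r} is not a valid network CIDR: {exc}")
        return None


def validate_plan(plan: CidrPlan) -> List[str]:
    """Return human-readable violations; an empty list means the plan satisfies the FAQ rules."""
    errors: List[str] = []
    vpc = _parse(plan.vpc, "VPC CIDR", errors)
    svc = _parse(plan.service, "Service CIDR", errors)
    if vpc is None or svc is None:
        return errors

    if svc.overlaps(vpc):
        errors.append(f"Service CIDR {svc} overlaps VPC CIDR {vpc}")

    if plan.pod is not None:  # Flannel: the pod CIDR lives outside the VPC and the Service range
        pod = _parse(plan.pod, "pod CIDR", errors)
        if pod is not None:
            if pod.overlaps(vpc):
                errors.append(f"pod CIDR {pod} overlaps VPC CIDR {vpc}")
            if pod.overlaps(svc):
                errors.append(f"pod CIDR {pod} overlaps Service CIDR {svc}")

    # vSwitches (node vSwitches in both modes, pod vSwitches with Terway) carve up the VPC.
    vswitches = []
    for kind, cidrs in (("node vSwitch", plan.node_vswitches), ("pod vSwitch", plan.pod_vswitches)):
        for c in cidrs:
            n = _parse(c, kind, errors)
            if n is not None:
                vswitches.append((kind, n))
    for kind, n in vswitches:
        if not n.subnet_of(vpc):
            errors.append(f"{kind} {n} is not within VPC CIDR {vpc}")
    for i, (ka, a) in enumerate(vswitches):
        for kb, b in vswitches[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{ka} {a} overlaps {kb} {b}")
    return errors


# Terway sample from the table in this FAQ, and a constructed Flannel plan whose pod CIDR wrongly sits inside the VPC.
TERWAY_SAMPLE = CidrPlan(vpc="192.168.0.0/16", service="172.21.0.0/20",
                         node_vswitches=["192.168.0.0/19"], pod_vswitches=["192.168.32.0/19"])
FLANNEL_BAD = CidrPlan(vpc="192.168.0.0/16", service="172.21.0.0/20",
                       pod="192.168.64.0/18", node_vswitches=["192.168.0.0/24"])

if __name__ == "__main__":
    for name, plan in (("terway-sample", TERWAY_SAMPLE), ("flannel-bad", FLANNEL_BAD)):
        problems = validate_plan(plan)
        print(f"{name}: {'OK' if not problems else 'INVALID'}")
        for p in problems:
            print("  -", p)
```

Run it with the CIDR blocks you intend to enter in the console; the Terway sample passes and the Flannel plan is rejected because its pod CIDR falls inside the VPC. Strict parsing is deliberate: a CIDR with host bits set is reported rather than silently widened to the network address, which is how an operator ends up with a different range than the one they typed.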

How do I choose between Terway and Flannel when I create a cluster?

Flannel is a simple and stable Container Network Interface (CNI) plug-in provided by the Kubernetes community. However, Flannel provides only basic features and does not support standard Kubernetes network policies, so pod-to-pod traffic in a Flannel cluster cannot be restricted with NetworkPolicy resources. Terway is a network plug-in developed by Alibaba Cloud. Terway supports standard Kubernetes network policies and bandwidth throttling on containers, and it outperforms Flannel in terms of network performance. For more information, see Work with Terway.

What do I do if I fail to create a cluster?

You can check the cluster log to locate issues and fix the issues based on the instructions provided by ACK. For more information, see FAQ about cluster management.

How do I pull private images from Container Registry?

We recommend that you use the aliyun-acr-credential-helper component. By default, aliyun-acr-credential-helper is installed in each ACK cluster. You can use this component to pull private images from Container Registry without a password. For more information, see Use the aliyun-acr-credential-helper component to pull images without using a password.