This topic describes how to create a Kubernetes cluster in the console.

Prerequisites

You have activated Container Service, Auto Scaling (ESS), and Resource Access Management (RAM).

You can log on to the Container Service console, RAM console, and ESS console to activate these services respectively.

Background information

Container Service performs the following operations to create a Kubernetes cluster:

  • Creates ECS instances, configures a public key so that the master nodes can log on to the other nodes over SSH, and configures the Kubernetes cluster through CloudInit.
  • Creates a security group that allows access to the VPC network over ICMP.
  • Creates VPC routing rules.
  • Creates a NAT gateway and EIPs.
  • Creates a RAM role and grants it permissions to query, create, and delete ECS instances, permissions to add and delete cloud disks, and all permissions on SLB, CloudMonitor, VPC, Log Service, and NAS. The Kubernetes cluster uses this role to dynamically create SLB instances, cloud disks, and VPC routing rules based on your settings.
  • Creates an internal SLB instance and opens port 6443 on it.
  • If you select Expose API Server with EIP, attaches an EIP to the internal SLB instance so that port 6443 is reachable from the Internet. If you also enable SSH logon when you create the cluster, port 22 is opened on the same EIP. Otherwise, port 22 is not opened.

Note the following limits when you use a cluster:

  • SLB instances that are created along with the cluster only support the pay-as-you-go billing method.
  • Kubernetes clusters only support VPC networks.
  • By default, each account has specific quotas on the amount of cloud resources that can be created. You cannot create clusters if the quota limit is exceeded. Make sure that you have sufficient quotas before you create a cluster. To request a quota increase, submit a ticket.
    • An account can create up to 50 clusters in all regions. A cluster can contain up to 40 nodes. To create more clusters or nodes, submit a ticket.
      Note By default, a VPC supports up to 48 route entries, and each node in a Kubernetes cluster consumes one route entry, so the route-entry quota also caps the number of nodes at 48. To increase the number of nodes, submit a ticket to increase the number of route entries first.
    • An account can create up to 100 security groups.
    • An account can create up to 60 pay-as-you-go SLB instances.
    • An account can create up to 20 EIPs.
  • ECS instances: both the pay-as-you-go and subscription billing methods are supported.

Procedure

  1. Log on to the Container Service console.
  2. In the left-side navigation pane, choose Clusters > Clusters to go to the Clusters page.
  3. In the upper-right corner, click Create Kubernetes Cluster. In the Select Cluster Template dialog box that appears, select Standard Dedicated Cluster and click Create.
    You are redirected to the Dedicated Kubernetes tab.
  4. Enter the name of the cluster.

    The name must be 1 to 63 characters in length and can contain digits, Chinese characters, letters, and hyphens (-).

  5. Select the region where the cluster is deployed.
  6. Set the network type of the cluster. Kubernetes clusters only support VPC networks.
    You can select a VPC network from the drop-down list. If no VPC network is available, you can also click Create VPC to create one. For more information, see Create a VPC.
  7. Set the VSwitch.
    You can select one to three VSwitches from the VSwitch list, which varies with the selected zone. If no VSwitch is available, click Create VSwitch to create one. For more information, see Create a VSwitch.
  8. Set the node type. Both pay-as-you-go and subscription are supported.
  9. Configure master nodes.
    Select the instance type of master nodes.
    Note
    • Currently, CentOS and Windows are supported.
    • You can create three or five master nodes.
    • By default, system disks are mounted to master nodes. SSD disk and ultra disk are supported.
  10. Configure worker nodes. You can choose to create instances or add existing instances to the cluster.
    • If you choose to create instances, you need to configure the following settings:
      • Instance Type: You can select multiple instance types. For more information, see Instance families.
      • Selected Types: The selected instance types.
      • Quantity: The number of worker nodes to be created.
      • System Disk: SSD disk and ultra disk are supported.
      • Mount Data Disk: SSD disk, ultra disk, and basic disk are supported.
        Note You can choose to encrypt data disks. Encryption is set when the disk is created and cannot be added later, so decide here if the workloads will store sensitive data on the disk.
    • To add existing instances, you must create ECS instances in the selected region in advance.
  11. Select the Kubernetes version and container runtime.
  12. Select the operating system.
    CentOS 7.6 and AliyunLinux 2.1903 are supported.
  13. Set the logon type.
    • Set the key pair.
      Select the key pair logon type. If no key pair is available, click Create Key Pair to create one in the ECS console. For more information, see Create an SSH key pair. After the key pair is created, select it as the credential to log on to the cluster nodes. A key pair is the safer choice: a password can be guessed by brute force if port 22 is reachable, a private key cannot.
    • Set the password.
      • Password: Set the logon password.
      • Confirm Password: Enter the logon password again.
  14. Select the network plug-in and configure the plug-in based on your needs. Both Flannel and Terway are supported. For more information, see Flannel and Terway.
    • Flannel: A simple and stable CNI plug-in developed by the community. Flannel offers a few simple features and does not support standard Kubernetes network policies.
      If you select Flannel, you must set the Pod CIDR block, which cannot overlap with the VPC CIDR block or with CIDR blocks used by existing Kubernetes clusters in the VPC network. After the cluster is created, you cannot modify the Pod CIDR block. In addition, the Pod CIDR block cannot overlap with the Service CIDR block. For more information, see Plan Kubernetes CIDR blocks under a VPC.
    • Terway: A network plug-in developed by Alibaba Cloud Container Service. It enables you to assign Alibaba Cloud ENIs to containers, and define access policies between containers based on standard Kubernetes network policies. Terway also supports bandwidth throttling on individual containers.
      If you select Terway, you need to set the Terway Mode. You can select the Assign One ENI to Each Pod check box based on your needs.
      • If this check box is selected, an ENI will be assigned to each Pod.
      • If this check box is not selected, an ENI will be shared among multiple Pods. A secondary IP address of the ENI will be assigned to each Pod.
      The number of Pods supported by a node depends on the number of ENIs that are attached to the node and the number of secondary IP addresses provided by these ENIs.
      If you select Terway, you also need to select VSwitches for Pods. The ENIs assigned to Pods must be in the same zone as the nodes, so for the Pods that run on each node you need to select a Pod VSwitch in the same zone as the VSwitch assigned to that node. The Pod VSwitch assigns an IP address to each Pod. We recommend that the prefix length of the Pod VSwitch CIDR block be no greater than 19 bits, so that the VSwitch has enough addresses for the Pods.
  15. Set the Service CIDR.
    The Service CIDR block cannot overlap with the VPC CIDR block or with CIDR blocks used by existing Kubernetes clusters in the VPC network. After the cluster is created, you cannot modify the Service CIDR block. In addition, the Service CIDR block cannot overlap with the Pod CIDR block. For more information, see Plan Kubernetes CIDR blocks under a VPC.
  16. Select whether to configure SNAT rules for the VPC network.
    • If the VPC network that you select already has a NAT gateway, Container Service will use this NAT gateway.
    • Otherwise, the system automatically creates a NAT gateway. If you do not want the system to automatically create a NAT gateway, clear the Configure SNAT for VPC check box. In this case, you need to manually create a NAT gateway or configure SNAT rules to enable Internet access for the VPC network. Otherwise, the cluster cannot be created.
  17. Select whether to Expose API Server with EIP.
    The Kubernetes API Server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and watch resource objects such as Pods and Services.
    • If this check box is selected, an EIP is created and attached to the internal SLB instance, and port 6443, which the API server listens on, is opened on that EIP. You can then use the kubeconfig file to access the cluster from the Internet. Any host that can reach the EIP can reach the API server's TLS port, so authentication rests entirely on the credentials in the kubeconfig file: keep that file confidential and restrict the source addresses that may reach the SLB listener where you can.
    • If this check box is not selected, no EIP is created. You can use the kubeconfig file to access the cluster only from within the VPC network.
  18. Select whether to enable SSH logon.
    Note To enable SSH logon, you must select the Expose API Server with EIP check box first.
    • If this check box is selected, you can use SSH to access the cluster.
    • If this check box is not selected, port 22 is not opened on the EIP and you cannot use SSH to log on to the master nodes through the SLB instance. (kubectl access is governed by the Expose API Server with EIP setting in the previous step, not by this one.) If you need to use SSH to access an ECS instance in the cluster, you can manually attach an EIP to the instance and configure security group rules to open SSH port 22 to the addresses that need it. For more information, see Use SSH to connect to a cluster.
  19. Select whether to install the CloudMonitor agent.
    You can install the CloudMonitor agent on ECS nodes. This enables you to view monitoring information about the nodes through the CloudMonitor console.
  20. Select whether to install Ingress controllers.
    The Install Ingress Controllers check box is selected by default. For more information, see Support for Ingress.
    Note If you select the Create Ingress Dashboard check box, you must also enable Log Service.
  21. Select whether to enable Log Service. You can select an existing project or create a project.
    If you select the Enable Log Service check box, the Log Service agent is automatically installed in the cluster. You can set up Log Service through a few simple steps when you create an application. For more information, see Use Log Service to collect Kubernetes cluster logs.
  22. Set the storage plug-in. Currently, Flexvolume and CSI are supported.
    Kubernetes clusters can automatically bind with cloud disks, NAS, and OSS through Pods. For more information, see Storage management-Flexvolume and Storage management-CSI.
  23. Set whether to enable Deletion Protection.
    Note The Deletion Protection check box is selected by default. This protects the cluster from deletion through the console and API operations.
  24. Set the RDS whitelist.
    If workloads in the cluster need to access ApsaraDB for RDS instances, add the IP addresses of the cluster nodes to the RDS whitelist here so that the instances accept connections from the nodes.
  25. Set whether to enable Node Protection.
    Note The Node Protection check box is selected by default. This protects the nodes from deletion through the console and API operations.
  26. Add labels to the cluster.

    Enter the key and value, and click Add.

    Note
    • key is required. value is optional.
    • The key cannot start with any of the following strings: "aliyun", "http://", and "https://". It is case insensitive and can be up to 64 characters in length.
    • The value cannot start with "http://" or "https://". It is optional, case-insensitive, and can be up to 63 characters in length.
    • The key must be unique among the labels attached to the same resource. If you specify a duplicate key when you create a label, the existing label will be overwritten.
    • You can attach up to 20 labels to each resource. To attach more labels, you must remove existing labels first.
  27. Select whether to enable advanced options.
    1. If you select Flannel as the network plug-in, you can set the maximum number of Pods that can be running on a single node. We recommend that you use the default value.
    2. Select the security group.
      Click Select a security group. In the dialog box that appears, select a security group and click OK.

      For more information, see Security group overview.

    3. Select the kube-proxy mode. iptables and IPVS are supported.
      • iptables is the mature and stable mode. It uses iptables rules to implement service discovery and load balancing. Its performance is average and degrades noticeably as the cluster grows, so it suits clusters that run a small number of services.
      • IPVS provides high performance and uses IP Virtual Server (IPVS) to configure service discovery and load balancing. This mode is suitable for clusters that run a large number of services. We recommend that you use this mode in scenarios where high load balancing performance is required.
    4. Select whether to enable Custom Node Name.
      A node name consists of a prefix, an IP substring, and a suffix.
      • Both the prefix and suffix can contain one or multiple parts that are separated by periods (.). A part can contain lowercase letters, digits, and hyphens (-), and must start and end with a lowercase letter or digit.
      • The IP substring length specifies the number of digits at the end of the node IP address that is returned. Valid values: [5, 12].
      For example, if the node IP address is 192.168.0.55, the prefix is aliyun.com, the IP substring length is 5, and the suffix is test, the node name will be aliyun.com00055test.
    5. Set the node port range.
      The default port range is 30000 to 32767.
    6. Set the CPU policy.
      • none: The default policy, which represents the existing scheduling behavior.
      • static: This policy allows Pods with certain resource characteristics to be granted increased CPU affinity and exclusivity on the node.
    7. Set the cluster domain.

      The default cluster domain is cluster.local. Custom domains are supported.

      A domain consists of two parts. Each part must be 1 to 63 characters in length and only contain lower and uppercase letters, and digits.
    8. Set whether to use Custom Cluster CA. If this check box is selected, the CA certificate is added to the Kubernetes cluster, which secures the communication between the server and client.
    9. Set whether to use AGS.
      • If this check box is selected, the system automatically installs the AGS workflow plug-in when it creates the cluster.
      • If this check box is not selected, you need to manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.
  28. Click Create Cluster. In the Confirm dialog box that appears, click OK.
    Note It takes about 10 minutes to create a Kubernetes cluster that contains multiple nodes.
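The CIDR rules in steps 14 and 15 (no overlap between Pod CIDR, Service CIDR, the VPC CIDR, and blocks already used by other clusters in the VPC; a Pod VSwitch prefix of at most /19 for Terway) are easy to get wrong and cannot be changed after creation. The following added example, which is not code from the page or from Container Service, checks a planned set of blocks before you click Create Cluster. The Flannel capacity helper assumes each node is allotted a subnet sized to the next power of two at or above the Pods-on-each-node value; that sizing rule is an assumption made for the example, not something the page states. The sample CIDR values are constructed.

```python
"""Check the CIDR blocks planned for a cluster before you click Create Cluster.

Added example, not code from the page or from Container Service.
"""
import ipaddress
import math


def _net(cidr):
    return ipaddress.ip_network(cidr)


def check_cidrs(vpc_cidr, pod_cidr, service_cidr, existing=()):
    """Return a list of conflicts with the rules in steps 14 and 15; empty means OK.

    existing: Pod/Service CIDR blocks already used by other clusters in the same VPC.
    """
    vpc, pod, svc = _net(vpc_cidr), _net(pod_cidr), _net(service_cidr)
    problems = []
    if pod.overlaps(svc):
        problems.append(f"Pod CIDR {pod} overlaps Service CIDR {svc}")
    for label, block in (("Pod CIDR", pod), ("Service CIDR", svc)):
        if block.overlaps(vpc):
            problems.append(f"{label} {block} overlaps VPC CIDR {vpc}")
        for used in existing:
            if block.overlaps(_net(used)):
                problems.append(
                    f"{label} {block} overlaps {used}, already used by another cluster in this VPC"
                )
    return problems


def flannel_node_capacity(pod_cidr, pods_per_node=128):
    """How many nodes the Pod CIDR can serve under Flannel.

    Assumption for this example (not stated on the page): each node receives a
    subnet sized to the next power of two >= pods_per_node, so a /16 Pod CIDR
    with 128 Pods per node yields a /25 per node and room for 512 nodes.
    Compare the result with the VPC route-entry quota (48 by default), which
    caps the node count separately.
    """
    pod = _net(pod_cidr)
    node_prefix = 32 - math.ceil(math.log2(pods_per_node))
    if node_prefix < pod.prefixlen:
        return 0
    return 2 ** (node_prefix - pod.prefixlen)


def terway_vswitch_ok(vswitch_cidr):
    """Terway: the Pod VSwitch prefix should be no longer than /19 (step 14)."""
    return _net(vswitch_cidr).prefixlen <= 19


if __name__ == "__main__":
    # Constructed planning values, not taken from a real VPC.
    print(check_cidrs("192.168.0.0/16", "172.20.0.0/16", "172.21.0.0/20"))
    print(check_cidrs("192.168.0.0/16", "192.168.10.0/24", "172.21.0.0/20", ["172.21.0.0/16"]))
    print(flannel_node_capacity("172.20.0.0/16"), terway_vswitch_ok("192.168.0.0/19"))
```

Run it with the blocks you intend to enter in the console; an empty list from check_cidrs means the overlap rules are satisfied, and a capacity below the node count you plan means the Pod CIDR is too small for Flannel.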
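Step 27.2 lets you pick an existing security group instead of the one the service creates, and steps 17 and 18 decide whether ports 6443 and 22 are reachable through the SLB EIP. The console does not warn you if the group you select already exposes those ports to the Internet. The following added example, which is not code from the page or from Container Service, audits a group's inbound rules before you select it. The rules are constructed for the example; their field names mirror the Permission records returned by the ECS DescribeSecurityGroupAttribute API (an assumed shape, not captured output), and the list of sensitive ports, including 10250 for the kubelet, is the example's own choice.

```python
"""Audit the inbound rules of a security group before selecting it in step 27.2.

Added example, not code from the page or from Container Service.
"""
import ipaddress

# Ports that should not be reachable from outside the VPC unless you intend it.
SENSITIVE_PORTS = {22: "SSH", 6443: "Kubernetes API server", 10250: "kubelet"}

# Constructed sample rules. Field names follow the Permission records returned by
# ECS DescribeSecurityGroupAttribute (assumed shape, not real captured output).
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP", "PortRange": "-1/-1", "SourceCidrIp": "192.168.0.0/16"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "192.168.0.0/16"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "6443/6443", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "10250/10250", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
]


def port_range(spec):
    """Parse an ECS PortRange such as '22/22' or '-1/-1' (meaning all ports)."""
    lo, hi = (int(part) for part in spec.split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)


def audit_ingress(rules, vpc_cidr):
    """Return findings for Accept/ingress rules that expose a sensitive TCP port
    to a source outside the VPC CIDR block. Intra-VPC rules are expected: the
    cluster needs ICMP and node-to-node traffic inside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
            continue
        if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
            continue
        source = ipaddress.ip_network(rule["SourceCidrIp"])
        if source.subnet_of(vpc):
            continue
        lo, hi = port_range(rule["PortRange"])
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                scope = "the whole Internet" if source.prefixlen == 0 else str(source)
                findings.append(f"{name} (port {port}) reachable from {scope} via rule {rule['PortRange']}")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, "192.168.0.0/16"):
        print(finding)
```

Run the audit against the rules of the group you intend to select (for a real group, feed it the Permission records you retrieve from the API). A finding for port 22 or 6443 from 0.0.0.0/0 means the group, not just the SLB settings from steps 17 and 18, would expose the node or API server port to the Internet; narrow the source CIDR before using the group.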

Result

After the cluster is created, you can view the cluster on the Clusters page in the Container Service console.
  • Click View Logs in the Actions column. On the Log Information page that appears, you can view cluster logs. To view more log information, click Stack events.
  • On the Clusters page, find the newly created cluster and click Manage in the Actions column. On the page that appears, you can view basic information about the cluster.
    The following information is displayed:
    • API Server Public Endpoint: The IP address and port that the Kubernetes API server uses to provide services to the Internet. It allows you to manage the cluster by using kubectl or other tools on your terminal.
    • API Server Internal Endpoint: The IP address and port that the Kubernetes API server uses to provide services within the VPC. The IP address is the IP address of the internal SLB instance, and the master nodes (three or five, as configured in step 9) are its backend servers.
    • Pod CIDR Block: The CIDR block of the Pods in the cluster. You cannot modify the Pod CIDR block after the cluster is created. The Pod CIDR block cannot overlap with the Service CIDR block.
    • Service CIDR: The CIDR block of the services that are exposed externally from the cluster. You cannot modify the Service CIDR block after the cluster is created. The Service CIDR block cannot overlap with the Pod CIDR block.
    • Master Node IP Address for SSH Logon: You can use SSH to log on to master nodes and perform routine maintenance on the cluster.
    • Testing Domain: The domain name that is used for service testing. The suffix of the domain is <cluster_id>.<region_id>.alicontainer.com.
    • kube-proxy Mode: The proxy mode that is used to implement service discovery and load balancing. The iptables and IPVS modes are supported.
    • Pods on Each Node: The maximum number of Pods that can be running on a single node. Default is 128.
    You can connect to the cluster through kubectl (see Connect to Kubernetes clusters through kubectl) and run the kubectl get node command to view information about the nodes in the cluster. In the example cluster, the command lists 10 nodes: 5 master nodes and 5 worker nodes.
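If you enabled Custom Node Name in step 27.4, the names that kubectl get node lists follow the prefix + IP substring + suffix rule described there. The following added example, which is not code from the page or from Container Service, reproduces that rule so you can predict a node's name from its IP address and check a prefix or suffix before entering it. The three-digit zero-padding of each octet is inferred from the page's own example (192.168.0.55 with length 5 giving 00055); the sample values are constructed.

```python
"""Compute and validate a custom node name as described in step 27.4.

Added example, not code from the page or from Container Service.
"""
import re

# One part of a prefix or suffix: lowercase letters, digits and hyphens,
# starting and ending with a lowercase letter or digit.
_PART = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def valid_affix(affix):
    """A prefix or suffix is one or more valid parts separated by periods."""
    return all(_PART.match(part) for part in affix.split("."))


def ip_substring(ip, length):
    """The last `length` digits (5 to 12) of the node IP with each octet
    zero-padded to three digits, e.g. 192.168.0.55 -> 192168000055 -> 00055.
    (Padding inferred from the page's example.)"""
    if not 5 <= length <= 12:
        raise ValueError("IP substring length must be in [5, 12]")
    digits = "".join(f"{int(octet):03d}" for octet in ip.split("."))
    return digits[-length:]


def node_name(ip, prefix, length, suffix):
    """Build the node name; reject affixes that break the naming rules."""
    for label, affix in (("prefix", prefix), ("suffix", suffix)):
        if not valid_affix(affix):
            raise ValueError(f"invalid {label}: {affix!r}")
    return f"{prefix}{ip_substring(ip, length)}{suffix}"


if __name__ == "__main__":
    # Constructed values matching the page's worked example.
    print(node_name("192.168.0.55", "aliyun.com", 5, "test"))  # aliyun.com00055test
```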