You can create Kubernetes clusters in the Alibaba Cloud Container Service for Kubernetes (ACK) console.
ACK, Elastic Scaling Service (ESS), and Resource Access Management (RAM) are activated.
- SLB instances created together with the ACK cluster only support the pay-as-you-go billing method.
- ACK clusters only support Virtual Private Cloud (VPC) networks.
- Each account can consume a limited amount of computing resources. If you do not have
sufficient computing resources, you cannot create clusters. When you create clusters,
make sure that you have sufficient resources. To increase the quota of computing resources
for your account, submit a ticket.
- You can create up to 50 clusters across regions for each account. You can deploy up
to 100 nodes in each cluster. To increase the quota of clusters or nodes for your
account, submit a ticket.
Notice In an ACK cluster, you can create up to 48 route entries for each Virtual Private Network (VPC) network. This means that you can configure up to 48 route entries for ACK clusters deployed in a VPC network. To increase the quota of route entries for a VPC network, submit a ticket.
- You can create up to 100 security groups for each account.
- You can create up to 60 pay-as-you-go SLB instances for each account.
- You can create up to 20 Elastic IP addresses (EIPs) for each account.
- You can create up to 50 clusters across regions for each account. You can deploy up to 100 nodes in each cluster. To increase the quota of clusters or nodes for your account, submit a ticket.
- Limits on ECS instances are as follows:
The pay-as-you-go and subscription billing methods are supported.
You must complete the following operations in the ACK console to create a Kubernetes cluster:
- Create ECS instances, configure a public key to enable Secure Shell (SSH) logon from master nodes to other nodes, and then configure the ACK cluster through CloudInit.
- Create a security group that allows access to a VPC network through Internet Control Message Protocol (ICMP).
- Create VPC routing rules.
- Create a Network Address Translation (NAT) gateway and purchase an EIP bandwidth plan (or create an EIP).
- Create a RAM user and an AccessKey pair. Grant the following permissions to the RAM user: permissions to query, create, and delete ECS instances, permissions to add and delete cloud disks, and all permissions on SLB, CloudMonitor, VPC, Log Service, and Network Attached Storage (NAS). The ACK cluster automatically creates SLB instances, cloud disks, and VPC routing rules based on your configurations.
- Create an internal SLB instance and open port 6443.
- Attach an EIP to the internal SLB instance and open port 6443. If you choose to enable SSH over the Internet when you create the cluster, port 22 is opened. Otherwise, port 22 is not opened.
- Log on to the Container Service console.
- In the left-side navigation pane, choose Clusters page appears.. The
- In the upper-right corner, click Create Kubernetes Cluster. In the Select Cluster Template dialog box that appears, select Standard Dedicated Cluster. Click Create. The Dedicated Kubernetes page appears.
- Configure the cluster.
- Configure basic settings.
Parameter Description Cluster Name Enter the name of the cluster.Note The name must be 1 to 63 characters in length and can contain digits, letters, and hyphens (-). Kubernetes Version Select the Kubernetes version. Container Runtime Dedicated Kubernetes clusters support only Docker. Region Select the region where the cluster is deployed. Resource Group Place the pointer over Account's all Resources at the top of the page, and select the resource group where the cluster is deployed. The name of the selected resource group is displayed. VPC Set the Virtual Private Cloud (VPC) network for the cluster.Note ACK clusters support only VPC networks. Select a VPC network from the drop-down list. If no VPC network is available, you can click Create VPC to create a VPC network. For more information, see Create a VPC. VSwitch Select VSwitches.
You can select up to three VSwitches deployed in different zones. If no VSwitch is available, you can click Create VSwitch to create one. For more information, see Create a VSwitch.
Network Plug-in Select and configure the network plug-in. Both Flannel and Terway are supported. For more information, see Flannel and Terway.
- Flannel: a simple and stable Container Network Interface (CNI) plug-in developed by the Kubernetes community. Flannel does not support standard Kubernetes network policies.
- Terway: a network plug-in developed by Alibaba Cloud Container Service. Terway allows
you to assign Alibaba Cloud Elastic Network Interfaces (ENIs) to containers. It also
allows you to customize network policies of Kubernetes to control intercommunication among containers, and implement bandwidth
throttling on individual containers.
Note The number of pods that can be deployed in a node depends on the number of ENIs that are attached to the node and the maximum number of secondary IP addresses provided by these ENIs.
Pod CIDR Block If you select Flannel, you must specify Pod CIDR Block.
The CIDR block specified by Pod CIDR Block cannot overlap with that of the VPC network or existing ACK clusters in the VPC network. The CIDR Block cannot be modified after it is specified. The Service CIDR block cannot overlap with the Pod CIDR block. For more information about network segmentation of ACK clusters, see Plan Kubernetes CIDR blocks under a VPC.
Terway Mode If you select Terway, you must set Terway Mode.When you set Terway Mode, select or clear the Assign One ENI to Each Pod check box based on your needs.
- If you select the check box, an ENI is assigned to each pod.
- If you clear the check box, an ENI is shared among multiple pods. A secondary IP address of the ENI is assigned to each pod.
Pod VSwitch If you select Terway, you must set Pod VSwitch. Pod VSwitch specifies a VSwitch for the pods if you select Terway as the network plug-in. ENIs must be deployed in the zone where the ENI devices are located. Therefore, you must select another VSwitch for the pods in the cluster. When the cluster provides services, the VSwitch assigns IP addresses to the pods. To ensure that there are sufficient IP addresses for all pods, we recommend that you set the mask length of the CIDR block to a value no greater than 19 for the VSwitch. Service CIDR Specify Service CIDR. The CIDR block specified by Service CIDR cannot overlap with that of the VPC network or existing ACK clusters in the VPC network. The CIDR Block cannot be modified after it is specified. The Service CIDR block cannot overlap with the Pod CIDR block. For more information about network segmentation of ACK clusters, see Plan Kubernetes CIDR blocks under a VPC. IP Addresses per Node If you select Flannel, you must select IP Addresses per Node.Note IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you keep the default value. Configure SNAT Specify whether to configure Source Network Address Translation (SNAT) rules for the VPC network.
- ACK automatically selects an existing NAT gateway in the VPC network.
- If the VPC network does not have a NAT gateway, the system automatically creates one. If you do not want the system to create a NAT gateway, clear the Configure SNAT for VPC check box. Then, you must manually create a NAT gateway or configure SNAT rules to enable instances in the VPC network to access the Internet. Otherwise, the system fails to create the ACK cluster.
Public Access Specify whether to open API Server with EIP.The ACK API Server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and services.
- If you select this check box, an Elastic IP address is created and attached to an internal SLB instance. Port 6443 used by the API Server is opened on master nodes. You can connect and manage the cluster by using kubeconfig over the Internet.
- If you clear this check box, no EIP is created. You can only connect to and manage the cluster through kubeconfig from within the VPC network.
To enable SSH, you must first select the Expose API Server with EIP check box in advance.
- If you select this check box, you can access the cluster through SSH.
- If you clear this check box, you cannot access the cluster through SSH or kubectl. If you want to access an ECS instance in the cluster through SSH, you must manually attach an EIP to the instance and configure security group rules to open SSH port 22. For more information, seeUse SSH to connect to a cluster.
RDS Whitelist Set the Relational Database Service (RDS) whitelist. Add the IP addresses of nodes to the RDS whitelist. Custom Security Group Select a security group. Click Select a security group. In the dialog box that appears, select a security group, and click OK.
For more information, see Security group overview.Note This feature is only available to users in the whitelist. If you are not in the whitelist, you can submit a ticket.
- Configure advanced settings.
Parameter Description Kube-proxy Mode
iptables and IPVS are supported.
- iptables is a kube-proxy mode. It uses iptables rules to conduct service discovery and load balancing. The performance of this mode is restricted by the size of the cluster. This mode is suitable for clusters that runs a small number of services.
- IPVS is a high-performance kube-proxy mode. It uses Linux Virtual Server (LVS) to conduct service discovery and load balancing. This mode is suitable for clusters running a large number of services. We recommend that you use this mode in scenarios where high-performance load balancing is required.
Attach labels to the cluster. Enter the keys and values, and then click Add.Note
- Key is required. Value is optional.
- Keys are not case-sensitive. A key must be 1 to 64 characters in length and cannot start with aliyun, http://, and https://.
- Values are not case-sensitive. A value must be 1 to 128 characters in length and cannot start with http:// or https://.
- The keys of labels attached to the same resource must be unique. If you add a label with a used key, the label overwrites the one using the same key.
- You can attach up to 20 labels to each resource. If you attach more than 20 labels to a resource, all labels become invalid. You must detach unused labels for the remainings to take effect.
Cluster Domain Specify the cluster domain.Note The default cluster domain is cluster.local. You can enter a custom domain. A domain consists of two parts. Each part must be 1 to 63 characters in length and can only contain letters and digits. Cluster CA If you select this check box, upload a CA certificate for the ACK cluster to protect data transmission between the server and client.
Service Account Token Volume Projection: You can enable service account token volume projection to enhance security when you use service accounts. For more information, see Deploy service account token volume projection.
Deletion Protection Specify whether to enable Deletion Protection. If you select this check box, the cluster cannot be deleted in the console or through the API. This avoids user errors.
- Configure basic settings.
- Click Next:Master Configurations , and then configure master nodes.
Parameter Description Billing Method ACK supports the Pay-As-You-Go and Subscription billing methods. Duration If you select Subscription, you must select the duration of the subscription. Valid values: 1, 2, 3, 6, or 12 months Auto Renewal If you select Subscription, you specify whether to Auto Renewal. Master Node Quantity Select the number of master nodes. You can create three or five master nodes. Instance Type Select the instance type for each master node. For more information, see Instance families. System Disk By default, system disks are mounted to master nodes. SSDs and ultra disks are supported.Note You can select the Enable Backup check box to back up disk data.
- Click Next:Worker Configurations to configure worker nodes.
- Select a worker instance type.
- If you select Create Instance, you need to set the following parameters:
Parameter Description Instance Type You can select multiple instance types. For more information, see Instance families. Selected Types Selected instance types are displayed. Quantity Select the number of worker nodes to be created. System Disk SSDs and ultra disks are supported.Note You can select the Enable Backup check box to back up disk data. Mount Data Disk SSDs and ultra disks are supported.Note You can enable disk encryption and backup when you add data disks. Operating System CentOS 7.6 and AliyunLinux 2.1903 are supported. Logon Type
- Key pair:
If you choose to use a key pair, click create a key pair to create a key pair in the ECS console. For more information, see Create an SSH key pair. After the key pair is created, set it as the credential to log on to the cluster.
- Password: Enter the password.
- Confirm Password: Enter the password again.
- Key pair:
- If you select Add Existing Instance, make sure that you have created ECS instances in the specified region. Then, configure Operating System, Logon Type, and Key Pair based on the preceding settings.
- If you select Create Instance, you need to set the following parameters:
- Configure advanced settings.
Parameter Description Node Protection Specify whether to enable node protection.Note This check box is selected by default. Cluster nodes cannot be deleted in the console or through the API. This avoids user errors. User Data For more information, see Prepare user data. Custom Image You can select a custom ECS image, which can be used to deploy all nodes in the cluster. For more information about how to create a custom image, see Create a cluster by using a custom image. Operating System Unlimited for Custom Images If you select this option, the operating system of your custom image is not limited.Note This feature is only available for users in the whitelist. If you are not in the whitelist, submit a ticket. Custom Node Name Select or clear the check box to determine whether to enable Custom Node Name.A node name consists of a prefix, an IP substring, and a suffix.
- Both the prefix and suffix can contain one or multiple parts that are separated with periods (.). These parts can contain lowercase letters, digits, and hyphens (-), and must start and end with a lowercase letter or digit.
- The IP substring length specifies the number of digits at the end of the returned node IP address. Valid values: 5 to 12.
For example, if the node IP address is 192.168.0.55, the prefix is aliyun.com, IP substring length is 5, and the suffix is test, the node name will be aliyun.com00055test.
Node Port Range Specify the node port range. The default port range is 30000 to 32767. CPU Policy Select the CPU policy.
- none: This is the default policy, which indicates that the CPU affinity policy is used.
- static: This policy allows pods with certain resource characteristics to be granted with enhanced CPU affinity and exclusivity on the node.
Taints Add taints to worker nodes in the cluster.
- Select a worker instance type.
- Click Next:Component Configurations to configure components.
Parameter Description Ingress Specify whether to install ingress controllers. The Install Ingress Controllers check box is selected by default. For more information, see Support for Ingress.Note If you select the Create Ingress Dashboard check box, you must also enable Log Service. Volume Plug-in Select the storage plug-in. Flexvolume and CSI are supported. ACK clusters can automatically bind with disks, NAS, and Object Storage Service (OSS) provided by Alibaba Cloud through pods. For more information, see Storage management-Flexvolume and Storage management-CSI. CloudMonitor Agents Specify whether to install the CloudMonitor agent. After the CloudMonitor agent is installed on ECS nodes, you can view monitoring information about the nodes in the CloudMonitor console. Log Service Specify whether to enable Log Service. You can select an existing project or create a project.
If you select the Enable Log Service check box, the Log Service plug-in is automatically installed in the cluster. For more information about how to set up Log Service when you create an application, see Use Log Service to collect Kubernetes cluster logs.
Workflow Engine Specify whether to use Alibaba Cloud Genomics Compute Service (AGS).
- If you select this check box, the system automatically installs the AGS workflow plug-in during cluster creation.
- If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.
Optional Add-ons In addition to system components, you can install other components provided by Container Service.
- Click Next:Confirm Order.
- Select the Terms of Service check box and click Create Cluster.
Note It takes about 10 minutes to create an ACK cluster consisting of multiple nodes.
- After the cluster is created, you can view the created cluster on the Clusters page of the console.
- Click View Logs in the Actions column. On the log Information page that appears, you can view cluster logs. To view log details, click Stack events.
- On the Clusters page, find the newly created cluster and click Manage in the Actions column. On the page that appears, you can view basic information about
the cluster and corresponding connections.
The following information is displayed:
- API Server Public Endpoint: the IP address and port that the Kubernetes API Server uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on the client.
- API Server Internal Endpoint: the IP address and port that the Kubernetes API Server uses to provide services within the cluster. The IP address belongs to the SLB instance bound to the cluster. Three master nodes work as back-end servers.
- Pod CIDR Block: the CIDR block of the pods in the cluster. You cannot modify the service CIDR block after it is created. The service CIDR block cannot overlap with the pod CIDR block.
- Service CIDR: the CIDR block of services. You cannot modify the service CIDR block after it is created. The service CIDR block cannot overlap with the pod CIDR block.
- Master Node IP Address for SSH Logon: You can use an SSH key pair to log on to master nodes and maintain the cluster.
- Testing Domain: the domain that is used for service testing. The suffix of the domain is
- Kube-proxy Mode: the proxy mode that is used to conduct service discovery and load balancing. iptables and IPVS modes are supported.
- Pods on Each Node: the maximum number of pods that can run on each node. Default value: 128.
You can Connect to Kubernetes clusters through kubectl and run
kubectl get nodeto view the information about the nodes in the cluster.