Container Service for Kubernetes:Benefits

Last Updated:Nov 20, 2023

This topic describes the benefits of Container Service for Kubernetes (ACK) and the disadvantages of self-managed Kubernetes clusters.

Benefits of ACK

High-performance cluster management

  • ACK provides three types of clusters: ACK dedicated cluster, ACK managed cluster, and ACK Serverless cluster.

  • By default, the control plane of an ACK managed cluster is deployed across three zones to ensure high availability.

  • ACK allows you to add thousands of Elastic Compute Service (ECS) nodes to a single cluster. For more information about resource quotas, see Resource quotas.

  • ACK allows you to deploy a cluster across different zones and register external clusters with ACK, which helps implement centralized management for your services. For more information about registered clusters, see Overview.

Ultrahigh resource elasticity

  • ACK can automate pod scaling based on the resource utilization of pods.

  • ACK can scale out to thousands of nodes within minutes.

  • ACK supports fast startup of elastic container instances in ACK Serverless clusters. You can launch up to 500 elastic container instances in an ACK Serverless cluster within 30 seconds.

  • ACK supports push-button vertical or horizontal scaling.

  • ACK allows you to configure affinity rules for services to help you schedule your workloads more precisely.

  • ACK provides native support for open source Horizontal Pod Autoscaler (HPA), Vertical Pod Autoscaler (VPA), and Kubernetes Autoscaler.

  • ACK provides the scheduled scaling capability, which is similar to the function of CronHPA. ACK also supports serverless scalability, which is similar to the function of vk-autoscaler.

  • ACK provides fine-grained scheduling for online workloads based on the elastic workload feature.

  • ACK provides the alibaba-metrics-adapter component to meet different scaling needs. ACK also optimizes application scaling by using Ingress gateways and Sentinel-based flow control.

All-in-one container management

  • Application management:

    • ACK supports canary release, blue-green deployment, application monitoring, and application autoscaling.

    • ACK provides a built-in application marketplace that supports push-button deployment, which allows you to quickly deploy applications by using Helm.

  • Image registry based on Container Registry (see What is Container Registry?):

    • Container Registry provides highly available image hosting and high-concurrency image distribution.

    • Container Registry supports image acceleration.

    • Container Registry supports large-scale P2P image distribution and can concurrently distribute images to up to 10,000 nodes through an optimized distribution procedure, delivering four times the distribution efficiency when compared with conventional methods.

    Note

    Self-managed image registries may fail to respond when millions of clients attempt to pull images at the same time. Container Registry is a fully managed, more reliable alternative that helps you reduce maintenance workloads and keep applications up-to-date.

  • Logging:

    • ACK collects cluster logs to Log Service.

    • ACK supports integration with third-party open source logging solutions.

  • Monitoring:

    • ACK supports container-level and VM-level monitoring.

    • ACK supports integration with third-party open source monitoring solutions.

Support for a variety of nodes

  • ACK supports the following types of nodes:

    • Nodes equipped with x86-based computing resources, such as ECS instances based on the x86 architecture.

    • Nodes equipped with heterogeneous computing resources, such as GPU-accelerated ECS instances, ASIC-accelerated ECS instances, and FPGA-accelerated ECS instances.

    • Nodes equipped with bare metal computing resources, such as ECS bare metal instances.

    • Nodes equipped with serverless computing resources, such as ACK virtual nodes.

    • Edge nodes. ACK@Edge supports centralized management of nodes in the cloud and nodes at the edge, and implements unified application release. This increases application release efficiency by three times.

  • ACK supports the following billing methods:

    • Preemptible instance

    • Subscription

    • Pay-as-you-go

Optimized IaaS capabilities

  • Networking:

    • ACK provides a high-performance network plug-in that works with Virtual Private Cloud (VPC) and elastic network interfaces (ENIs), improving the network performance by 20% when compared with common networking solutions.

    • ACK supports access control and traffic throttling.

  • Storage:

    • ACK integrates Alibaba Cloud disks, Apsara File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets, and provides standard Container Storage Interface (CSI) drivers.

    • ACK supports dynamic volume provisioning and migration.

  • Load balancing:

    ACK supports load balancing based on Internet-facing and internal-facing Server Load Balancer (SLB) instances.

    Note

    You can use Ingresses to expose your applications to the Internet. However, as your business grows and releases become more frequent, the load on Ingresses may become heavier, increasing the error rate. To solve this issue, ACK integrates with SLB to automatically modify network configurations to meet the changing requirements of your applications and ensure highly available load balancing. This solution has been widely implemented within Alibaba Cloud and has been proven to deliver more stable and reliable services when compared with most Ingress-only solutions.

Enterprise-grade security and stability

ACK adopts a multi-layer security mechanism to protect the underlying infrastructure, intermediate software supply chains, and top-layer runtime environments.

  • Multi-layer security capabilities:

    • Infrastructure security: ACK provides complete network isolation and end-to-end data encryption, and implements an authorization system based on Alibaba Cloud Resource Access Management (RAM) and Kubernetes Role-Based Access Control (RBAC). This enables fine-grained permission management and comprehensive auditing.

    • Software supply chain security: ACK provides a secure DevSecOps pipeline that protects the entire development lifecycle, including the cloud-native delivery chain, image scanning, image signing, and image synchronization.

    • Runtime security: ACK ensures runtime security based on multiple capabilities, including application-level security policies, configuration inspections, runtime monitoring and alerting, and key encryption and management.

  • Built-in security capabilities:

    • ACK provides optimized OS images and supports Kubernetes versions and Docker versions with enhanced stability and security.

    • ACK enhances the security compliance of cluster configurations, system components, and OS images based on the Center for Internet Security (CIS) Benchmark and Alibaba Cloud best practices for container security.

    • ACK grants worker nodes minimum permissions to manage cloud resources by default.

  • Sandboxed-Container: Sandboxed-Container is a container runtime developed by ACK for enhancing container security. You can use Sandboxed-Container to run an application in a sandboxed and lightweight VM, which has a dedicated kernel. Sandboxed-Container is suitable for isolating untrusted applications, unhealthy applications, low-performance applications, and workloads among users.

  • TEE-based confidential computing: ACK provides a cloud-native, all-in-one solution for confidential computing based on Intel Software Guard Extensions (Intel SGX). This solution ensures data security, integrity, and confidentiality when you develop, manage, and deliver trusted applications and confidential computing tasks. The confidential computing capabilities provided by ACK allow you to isolate sensitive data and code by using a trusted execution environment.
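The following manifest is an added illustration, not taken from the ACK documentation, of how a workload opts into the Sandboxed-Container runtime described above and combines that isolation with a restrictive pod security context and no mounted API credentials. The RuntimeClass handler name `runv`, the namespace, and the image reference are assumptions; check the RuntimeClass objects in your own cluster for the actual name.

```yaml
# Added example, not part of the ACK documentation.
# Runs an untrusted workload in a Sandboxed-Container (lightweight VM with
# its own kernel) and restricts what the pod can do even inside the sandbox.
# ASSUMPTION: the RuntimeClass installed by ACK is named "runv"; verify with
#   kubectl get runtimeclass
apiVersion: v1
kind: ServiceAccount
metadata:
  name: untrusted-app
  namespace: sandbox                  # assumed namespace
automountServiceAccountToken: false   # pod receives no Kubernetes API token
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: untrusted-app
  namespace: sandbox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: untrusted-app
  template:
    metadata:
      labels:
        app: untrusted-app
    spec:
      runtimeClassName: runv          # select Sandboxed-Container instead of runc
      serviceAccountName: untrusted-app
      securityContext:
        runAsNonRoot: true            # refuse to start if the image runs as root
        runAsUser: 10001
      containers:
        - name: app
          image: registry.example.com/untrusted-app:1.0.0   # placeholder image
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]           # no Linux capabilities inside the sandbox
          resources:
            limits:                   # bound the VM's share of node resources
              cpu: "500m"
              memory: "256Mi"
```

Apply it with kubectl and confirm the pod is scheduled on a node that has the sandboxed runtime installed; a pod that references a RuntimeClass the node does not provide stays in a pending or failed state rather than silently falling back to runc.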

24/7 technical support

ACK provides 24/7 technical support through the ticketing system.

Disadvantages of self-managed Kubernetes clusters

  • The steps required to create and manage a Kubernetes cluster are complicated.

    You must manually configure Kubernetes components, configuration files, certificates, keys, plug-ins, and tools. It may take professional engineers several weeks to correctly configure a Kubernetes cluster.

  • Significant costs are required to integrate self-managed Kubernetes clusters with Alibaba Cloud services.

    Integrating self-managed Kubernetes clusters with Alibaba Cloud services such as Log Service, monitoring services, and storage services incurs extra costs.

  • Containerization involves various technologies, such as networking, storage, node OS, and orchestration. A high level of technical expertise is required to create and manage Kubernetes clusters.

  • Container technology evolves rapidly. To keep up with frequent version iterations, you must continuously update and test your containerized applications.