This topic describes how to get started with Container Service for Kubernetes (ACK) in steps and provides answers to some frequently asked questions about ACK.


The following flowchart shows how to get started with ACK in steps.
Flowchart for ACK
  1. Assign roles to your Alibaba Cloud account. For more information, see ACK default roles.
    For more information about how to create a Resource Access Management (RAM) permission policy and assign role-based access control (RBAC) roles to a RAM user, see Create a custom RAM policy and Assign RBAC roles to RAM users.
  2. Create a standard managed Kubernetes cluster. For more information, see Create a managed Kubernetes cluster.
  3. Deploy an application by using an image or orchestration template.
    For more information, see Create a stateless application by using a Deployment.
    Note If your application consists of multiple Services created from different images, we recommend that you use a YAML file to deploy the application.
  4. Perform O&M operations on the cluster and the application.


  • How do I create a Docker image for an application that runs on an ACK cluster?

    Container Registry allows you to create a container image within a few clicks. For more information about how to create a Docker image for an application, see Build an image for a Java application by using a Dockerfile with multi-stage builds. You can also use the open source tool Derrick to simplify how to containerize your application.

  • If I cannot create an image, how do I deploy an application to an ACK cluster?

    ACK allows you to create applications by using images of the following types: images stored in Container Registry, official images, favorite images, and public images. For more information, see Deploy a stateless application from an image.

  • How do I plan the network before I create a cluster?

    Before you create a cluster, make sure that the CIDR block of the virtual private cloud (VPC) where you want to deploy the cluster, CIDR blocks of Services, and CIDR blocks of pods do not overlap. You can select an automatically created VPC. In this case, use the default IP addresses when you create a cluster. However, in some complex scenarios, you must plan the IP address of each Elastic Compute Service (ECS) instance, pod CIDR blocks, and Service CIDR blocks. For more information, see Plan CIDR blocks for an ACK cluster.

  • Which network plug-in should I choose when I create a cluster, Terway or Flannel?

    Flannel is a simple and stable container network interface (CNI) plug-in developed by the Kubernetes community. However, Flannel provides only basic features and does not support standard Kubernetes network policies. Terway is a network plug-in developed by Alibaba Cloud. Terway supports standard Kubernetes network policies and bandwidth throttling on containers. Terway outperforms Flannel in terms of network performance. For more information, see Use the Terway plug-in.

  • What can I do if I failed to create a cluster?

    You can view the cluster logs for troubleshooting. For more information, see Failed to create a Kubernetes cluster.

  • How do I access Kubernetes workloads over the Internet?
    ACK allows you to use the following methods to access workloads over the Internet:
  • If multiple workloads exist in a cluster, how can a workload be accessed by other workloads in the cluster?

    To access a workload from other workloads in the same cluster, use the internal domain name or a ClusterIP Service.

    Assume that Workload A and Workload B exist in the same cluster. To allow Workload A to access Workload B, create a ClusterIP Service for Workload B. For more information, see Manage Services. After you create a ClusterIP Service, Workload A can access Workload B by using the following connect strings:
    • <The name of the ClusterIP Service>. <The namespace to which Workload B belongs>.svc.cluster.local:<Port number>
    • ClusterIP:<Port number>
  • What are the considerations when I expose Services through SLB instances?

    If you create a LoadBalancer Service, cloud controller manager (CCM) automatically creates and configures an SLB instance for the Service. We recommend that you do not configure the SLB instance in the SLB console. Otherwise, the Service may be unavailable. For more information, see Considerations for configuring a LoadBalancer type Service.

  • How do I pull private images from Container Registry?

    We recommend that you use the aliyun-acr-credential-helper component. By default, each cluster has aliyun-acr-credential-helper installed. You can use this component to pull private images from Container Registry without a password. For more information, see Use aliyun-acr-credential-helper to pull images without a password.