This topic provides a flowchart and answers to frequently asked questions (FAQ) about using Container Service for Kubernetes (ACK).


The flowchart consists of the following steps:
  1. Assign roles to your Alibaba Cloud account. For more information, see Default roles.
    For more information about RAM policies and role-based access control (RBAC), see Create a custom RAM policy and Assign RBAC roles to a RAM user.
  2. Create a standard managed cluster. For more information, see Create a cluster of ACK Managed Edition.
  3. Deploy an application by using an image or orchestration template.
    For more information, see Use an image to create a stateless application and Use an orchestration template to create a Linux application.
    Note: If your application consists of multiple services created from different images, we recommend that you use a YAML file to deploy the application.
  4. Perform O&M operations on the cluster and the application.


  • How do I build a Docker image for an application that runs on an ACK cluster?

    Container Registry allows you to build a container image within a few clicks. For more information about how to build a Docker image for an application, see Build an image for a Java application by using a Dockerfile with multi-stage builds. You can also use the open source tool Derrick to dockerize an application in a simplified manner.

  • If I do not want to build an image, how do I deploy an application to an ACK cluster?

    ACK allows you to create applications by using images of the following types: images stored in Container Registry, official images, favorite images, and public images. For more information, see Deploy stateless applications from images.

  • How do I plan CIDR blocks before I create a cluster?

    Before you create a cluster, make sure that the CIDR blocks of virtual private clouds (VPCs), services, and pods do not overlap. You can choose to have a VPC created automatically. In this case, use the default network address when you create a cluster. However, in some complex scenarios, you must plan CIDR blocks for Elastic Compute Service (ECS) instances, pods, and services. For more information, see Assign CIDR blocks to resources in a Kubernetes cluster under a VPC.

  • How do I select the Terway or Flannel plug-in when I create a cluster?

    Flannel is a simple and stable container network interface (CNI) plug-in developed by the community. However, Flannel only supports simple features and does not support standard Kubernetes network policies. Terway, a network plug-in developed by Alibaba Cloud, supports standard Kubernetes network policies and bandwidth throttling on containers. Terway outperforms Flannel in terms of network performance. For more information, see Use Terway.

  • How do I handle a cluster creation failure?

    You can view the cluster events for troubleshooting. For more information, see Failed to create a Kubernetes cluster.

  • How do I access Kubernetes workloads over the Internet?
    You can use the following methods to access workloads over the Internet:
  • If multiple workloads exist in a cluster, how can a workload be accessed by other workloads in the cluster?

    To access a workload from other workloads in the same cluster, use the internal DNS or ClusterIP service.

    Assume that Workload A and Workload B exist in a cluster. To allow Workload A to access Workload B, create a service of the ClusterIP type for Workload B. For more information, see Create a service. After you create a ClusterIP service, Workload A can use one of the following methods to access Workload B:
    • <ClusterIP service name>.<Namespace to which Workload B belongs>.svc.cluster.local:<Port number>
    • ClusterIP:<Port number>
  • What are the considerations when I access services through SLB instances?

    If you create a service of the LoadBalancer type, Cloud Controller Manager (CCM) automatically creates and configures an SLB instance for the service. We recommend that you do not configure the SLB instance in the SLB console, because doing so may make the service unavailable. For more information, see Considerations for configuring a LoadBalancer service.

  • How do I pull private images from Container Registry?

    We recommend that you use the aliyun-acr-credential-helper component. By default, each cluster has aliyun-acr-credential-helper installed. You can use this component to pull images without a password from Container Registry. For more information, see Use aliyun-acr-credential-helper to pull images without a password.
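
For the CIDR planning question above, the following added example (not part of the original ACK documentation) checks a planned set of VPC, pod, and service CIDR blocks for overlap before cluster creation. The function name, the plan labels, and the sample CIDR values are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations


def find_overlaps(plan):
    """Return sorted (label_a, label_b) pairs whose CIDR blocks overlap.

    plan maps a label (hypothetical names such as "vpc", "pods", "services")
    to a CIDR string. strict=True rejects a CIDR with host bits set, such as
    10.0.0.1/16, a typo that would otherwise hide the real range.
    """
    nets = {
        label: ipaddress.ip_network(cidr, strict=True)
        for label, cidr in plan.items()
    }
    overlaps = []
    for (label_a, net_a), (label_b, net_b) in combinations(nets.items(), 2):
        # Compare only within the same IP family (IPv4 with IPv4, IPv6 with IPv6).
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            overlaps.append(tuple(sorted((label_a, label_b))))
    return sorted(overlaps)


# Constructed sample plans (illustrative values, not taken from the page).
GOOD_PLAN = {
    "vpc": "192.168.0.0/16",
    "pods": "172.20.0.0/16",
    "services": "172.21.0.0/20",
}
# The /12 VPC block spans 172.16.0.0 - 172.31.255.255, so it swallows
# both the pod block and the service block.
BAD_PLAN = {
    "vpc": "172.16.0.0/12",
    "pods": "172.20.0.0/16",
    "services": "172.21.0.0/20",
}

if __name__ == "__main__":
    for name, plan in (("GOOD_PLAN", GOOD_PLAN), ("BAD_PLAN", BAD_PLAN)):
        conflicts = find_overlaps(plan)
        if conflicts:
            print(f"{name}: overlapping blocks: {conflicts}")
        else:
            print(f"{name}: no overlaps")
```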