This topic describes how to create a managed Alibaba Cloud Container Service for Kubernetes (ACK) cluster in the ACK console.

Prerequisites

ACK, Elastic Scaling Service (ESS), and Resource Access Management (RAM) are activated.

Log on to the ACK console, RAM console, and ESS console to activate these services.

Note

When you create an ACK cluster, note the following limits:

  • SLB instances created together with the ACK cluster support only the pay-as-you-go billing method.
  • ACK clusters support only Virtual Private Cloud (VPC) networks.
  • Each account can consume only a limited amount of computing resources. You fail to create clusters if you do not have sufficient computing resources. Before you create clusters, make sure that you have sufficient resources. To increase the quota of computing resources for your account, submit a ticket.
    • You can create up to 50 clusters across regions for each account. You can deploy up to 100 nodes in each cluster. To increase the quota of clusters or nodes, submit a ticket.
      Note In an ACK cluster, you can add up to 48 route entries to each Virtual Private Cloud (VPC) network by default. This means that you can configure up to 48 route entries for ACK clusters deployed in a VPC network. To increase the quota of route entries for a VPC network, submit a ticket.
    • You can create up to 100 security groups for each account.
    • You can create up to 60 pay-as-you-go SLB instances for each account.
    • You can create up to 20 Elastic IP addresses for each account.

Procedure

  1. Log on to the Container Service console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. Click Create Kubernetes Cluster in the upper-right corner of the page. In the Select Cluster Template dialog box that appears, find Standard Managed Cluster, and click Create. The cluster configuration page appears.
    Cluster configuration page
  4. Configure the cluster.
    1. Configure basic settings.
      Parameter Description
      Cluster Name Enter the name of the cluster.
      Note The name must be 1 to 63 characters in length and can contain digits, letters, and hyphens (-).
      Kubernetes version Select the Kubernetes version. 1.14.8-aliyun.1 and 1.16.9-aliyun.1 are supported.
      Container Runtime Docker and Sandboxed-Containers are supported.
      Region Select the region where the cluster is deployed.
      Resource Group Move the pointer over All Resources at the top of the page and select the resource group where the cluster is deployed. The name of the selected resource group is displayed.
      VPC Set the Virtual Private Cloud (VPC) network for the cluster.
      Note ACK clusters support only VPC networks. Select a VPC network from the drop-down list. If no VPC network is available, you can click Create VPC to create one. For more information, see Create a VPC network.
      VSwitch Select one or more VSwitches for the cluster.

      You can select up to three VSwitches deployed in different zones. If no VSwitch is available, you can click Create VSwitch to create one. For more information, see Create a VSwitch.

      Network plug-in Select the network plug-in. Both Flannel and Terway are supported. For more information, see Flannel and Terway.
      • Flannel: a simple and stable Container Network Interface (CNI) plug-in developed by the Kubernetes community. Flannel does not support standard Kubernetes network policies.
      • Terway: A network plug-in developed by Alibaba Cloud Container Service. Terway allows you to assign Alibaba Cloud Elastic Network Interfaces (ENIs) to containers. It also allows you to customize network policies of Kubernetes to control intercommunication among containers, and implement bandwidth throttling on individual containers.
        Note The number of pods that can be deployed in a node depends on the number of ENIs that are attached to the node and the maximum number of secondary IP addresses provided by these ENIs.
      Pod CIDR Block If you select Flannel, you must specify Pod CIDR Block.

      The CIDR block specified by Pod CIDR Block cannot overlap with that of the VPC network or existing ACK clusters in the VPC network. The CIDR Block cannot be modified after it is specified. The Service CIDR block cannot overlap with the Pod CIDR block. For more information about network segmentation of ACK clusters, see Plan Kubernetes CIDR blocks under a VPC.

      Terway Mode If you select Terway, you must set Terway Mode.
      When you set Terway Mode, select or clear the Assign One ENI to Each Pod check box based on your needs.
      • If you select the check box, an ENI is assigned to each pod.
      • If you clear the check box, an ENI is shared among multiple pods. A secondary IP address of the ENI is assigned to each pod.
      Note This feature is only available to users in the whitelist. To use this feature, submit a ticket.
      Service CIDR Specify Service CIDR. The CIDR block specified by Service CIDR cannot overlap with that of the VPC network or existing ACK clusters in the VPC network. The CIDR Block cannot be modified after it is specified. The Service CIDR block cannot overlap with the Pod CIDR block. For more information about network segmentation of ACK clusters, see Plan Kubernetes CIDR blocks under a VPC.
      IP Addresses per Node If you select Flannel, you must select the number of IP addresses per node.
      Note IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you use the default value.
      Configure SNAT Specify whether to configure Source Network Address Translation (SNAT) rules for the VPC network.
      • ACK automatically selects an existing NAT gateway in the VPC network.
      • If the VPC network does not have a NAT gateway, the system automatically creates one. If you do not want the system to create a NAT gateway, clear the Configure SNAT for VPC check box. Then, you must manually create a NAT gateway or configure SNAT rules to enable instances in the VPC network to access the Internet. Otherwise, the system fails to create the ACK cluster.
      Public Access Select whether to expose API server with EIP.
      The ACK API Server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and services.
      • If you select this check box, an Elastic IP address is created and attached to an internal Server Load Balancer (SLB) instance. Port 6443 used by the API Server is opened on master nodes. You can connect to and manage the cluster by using kubeconfig over the Internet.
      • If you clear this check box, no Elastic IP address is created. You can only connect to and manage the cluster by using kubeconfig from within the VPC network.
      RDS Whitelist Set the Relational Database Service (RDS) whitelist. Add the IP addresses of nodes to the RDS whitelist.
      Security Group

      You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information, see Overview.

    2. Configure advanced settings
      Parameter Description
      Kube-proxy Mode

      iptables and IPVS are supported.

      • iptables is a kube-proxy mode. It uses iptables rules to conduct service discovery and load balancing. The performance of this mode is restricted by the size of the cluster. This mode is suitable for clusters that run a small number of services.
      • IPVS is a high-performance kube-proxy mode. It uses Linux Virtual Server (LVS) to conduct service discovery and load balancing. This mode is suitable for clusters that run a large number of services. We recommend that you use this mode in scenarios where high-performance load balancing is required.
      Labels
      Attach labels to the cluster. Enter keys and values, and click Add.
      Note
      • Key is required. Value is optional.
      • Keys are not case-sensitive. A key must be 1 to 64 characters in length. It cannot start with aliyun, http://, and https://.
      • Values are not case-sensitive. A value must be 1 to 128 characters in length. It cannot start with http:// or https://.
      • The keys of labels attached to the same resource must be unique. If you add a label with a used key, the label overwrites the one that uses the same key.
      • You can attach up to 20 labels to each resource. If you attach more than 20 labels to a resource, all labels become invalid. You must detach unused labels for the remaining labels to take effect.
      Cluster Domain Enter the cluster domain.
      Note The default cluster domain is cluster.local. You can enter a custom domain. A domain consists of two parts. Each part must be 1 to 63 characters in length and can contain only letters and digits.
      Custom Certificate SANs

      You can enter custom subject alternative names (SANs) for the API servers of the cluster. Separate multiple IP addresses or domains with commas (,).

      Service Account Token Volume Projection

      Enable Service Account Token Volume Projection to reinforce security when you use service accounts. For more information, see Deploy service account token volume projection.

      Delete Protection Select whether to enable Deletion Protection. If you select this check box, the cluster cannot be deleted in the console or by calling API operations. This allows to avoid user errors.
  5. Click Next:Worker Configurations to configure worker nodes.
    1. Select instances for worker nodes.
      • If you select Create Instance, you must set the parameters listed in the following table.
        Parameter Description
        Billing Method The pay-as-you-go and subscription billing methods are supported.
        Duration If you select Subscription, you must select the duration of the subscription. Valid values: 1, 2, 3, 6 months, 1, 2, 3, 4, 5 years.
        Auto Renewal If you select Subscription, you must specify whether to enable Auto Renewal.
        Instance Type

        You can select multiple instance types. For more information, see Instance families.

        Selected Types

        The selected instance types are displayed.

        Quantity

        Select the number of worker nodes to be created.

        System Disk Enhanced SSDs, SSDs, and ultra disks are supported.
        Note You can select the Enable Backup check box to back up disk data.
        Mount Data Disk

        Enhanced SSDs, SSDs, and ultra disks are supported. You can enable disk encryption and data backup when you mount data disks.

        Operating System The CentOS and Windows Server operating systems are supported.
        Logon Type
        • Key Pair:

          If you want to use a key pair, click create a key pair to create one in the ECS console. For more information, see Create an SSH key pair. After the key pair is created, set it as the credential for logging on to the cluster.

        • Password:
          • Password: Enter the password.
          • Confirm Password: Enter the password again.
        Key Pair
      • If you select Add Existing Instance, make sure that you have created ECS instances in the target region. Then, configure Operating System, Logon Type, and Key Pair based on the preceding settings.
    2. Configure advanced settings.
      Parameter Description
      Node Protection Select whether to enable Node Protection.
      Note By default, this check box is selected. Cluster nodes cannot be deleted in the console or by calling API operations. This allows to avoid user errors.
      User Data For more information, see Prepare user data.
      Custom Image You can select a custom image, and then use the image to deploy all nodes in the cluster. For more information about how to create a custom image, see Create a cluster by using a custom image.
      Note This feature is only available to users in the whitelist. To use this feature, submit a ticket.
      Custom Node Name Specify whether to enable Custom Node Name.
      A node name consists of a prefix, an IP substring, and a suffix.
      • Both the prefix and suffix can contain one or more parts that are separated with periods (.). Each part can contain lowercase letters, digits, and hyphens (-). It must start and end with a lowercase letter or digit.
      • The IP substring length specifies the number of digits to be truncated from the end of the returned node IP address. Valid values: 5 to 12.

      For example, if the node IP address is 192.168.0.55, the prefix is aliyun.com, the IP substring length is 5, and the suffix is test, the node name is aliyun.com00055test.

      CPU Policy Select the CPU policy.
      • none: This is the default policy. This indicates that the default CPU affinity is used.
      • static: This policy allows pods with certain resource characteristics to be granted with enhanced CPU affinity and exclusivity on the node.
      Taints Add taints to worker nodes.
  6. Click Next:Component Configurations to configure components.
    Parameter Description
    Ingress Specify whether to install Ingress controllers. By default, the Install Ingress Controllers check box is selected. For more information, see Support for Ingress.
    Note If you want to select the Create Ingress Dashboard check box, you must first enable Log Service.
    Volume Plug-in Select the volume plug-in. Flexvolume and CSI are supported. ACK clusters can be automatically bound to Alibaba Cloud cloud disks, Network Attached Storage (NAS) volumes, and Object Storage Service (OSS) mounted to pods. For more information, see Storage management-Flexvolume and Storage management-CSI.
    CloudMonitor Agent

    Specify whether to install the Cloud Monitor agent. After the Cloud Monitor agent is installed on ECS instances, you can view monitoring information about the nodes in the Cloud Monitor console. The Prometheus monitoring service is available to users in the whitelist.

    Log Service

    Specify whether to enable Log Service. You can select an existing project or create a project.

    If you select the Enable Log Service check box, the Log Service plug-in is automatically installed in the cluster. For more information about how to set up Log Service when you create an application, see Use Log Service to collect Kubernetes logs.

    If you select the Enable Log Service check box, you can specify whether to create an Ingress dashboard or create an Event Center in the Log Service console.

    Workflow Engine Specify whether to enable Alibaba Cloud Genomics Compute Service (AGS).
    • If you select this check box, the system automatically installs the AGS workflow plug-in during cluster creation.
    • If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.
    Optional components In addition to the system components, you can also install other components provided by ACK.
  7. Click Next:Confirm Order.
  8. Select the Terms of Service check box and click Create Cluster.
    Note It takes about 10 minutes to create an ACK cluster that contains multiple nodes.

Result

  • After the cluster is created, you can find the cluster on the Clusters page in the console.Clusters
  • Click View Logs in the Actions column. On the Log Information page, you can view cluster logs. To view log details, click Stack events.Cluster logs
  • On the Clusters page, find the newly created cluster and click Manage in the Actions column. On the page that appears, you can view basic information about the cluster and corresponding connections.Basic cluster information
    The following information is displayed.
    • API Server Public Endpoint: the IP address and port that the Kubernetes API Server uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on the client.

      Bind EIP and Unbind EIP: These options are available to only managed ACK clusters.

      • Bind EIP: You can select an existing Elastic IP address or create an Elastic IP address.

        The API server restarts after you bind it to an Elastic IP address. We recommend that you do not perform operations on the cluster during the restart process.

      • Unbind EIP: You cannot access the API server over the Internet after you unbind the Elastic IP address.

        The API server restarts after you unbind it from an Elastic IP address. We recommend that you do not perform operations on the cluster during the restart process.

    • API Server Internal Endpoint: the IP address and port that the Kubernetes API Server uses to provide services within the cluster. The endpoint belongs to the SLB instance bound to the cluster.
    • Pod CIDR Block: the CIDR block of the pods in the cluster.
    • Service CIDR: the CIDR block assigned to services in the cluster for users to access the services over the Internet.
    • Testing Domain: the domain that is used for service tests. The suffix of the domain is <cluster_id>.<region_id>.alicontainer.com.
    • Kube-proxy Mode: the proxy mode that is used to conduct service discovery and load balancing. iptables and IPVS modes are supported.
    • Pods on Each Node: the maximum number of pods that can run on each node. Default value: 128.
    • Network Plug-in: Flannel and Terway are supported.
  • You can use kubectl and run the kubectl get node command to connect to the cluster and view the information about the nodes in the cluster. For more information, see Connect to Kubernetes clusters through kubectl.Nodes information