When you use Container Service for Kubernetes (ACK) for the first time, you must use your Alibaba Cloud account to assign default roles to ACK. ACK can use resources in other cloud services to create clusters or save log files only after you assign these roles. These cloud services include Elastic Compute Service (ECS), Object Storage Service (OSS), Apsara File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes how to assign default roles to ACK and activate the associated cloud services when you use ACK for the first time.
Step 1: Activate ACK
ACK is available for commercial use. You must activate ACK before you can create an ACK cluster. Perform the following steps:
1. Go to the Container Service for Kubernetes page.
2. Read and select Container Service for Kubernetes Terms of Service.
3. Click Activate Now.
If you have not activated ACK before, you are prompted to activate ACK in the Dependency Check section of the cluster creation page when you create an ACK cluster.
Step 2: Assign default roles to ACK
When you use ACK for the first time, you must assign default roles to ACK with your Alibaba Cloud account. To do this, perform the following operations:
You can use Alibaba Cloud accounts or Resource Access Management (RAM) users that have administrator permissions to assign default roles to ACK.
1. Log on to the ACK console.
2. Click Go to RAM console to go to the Cloud Resource Access Authorization page. Then, click Confirm Authorization Policy.
3. After you assign the RAM roles to ACK, log on to the ACK console again to get started with ACK.
Step 3: Activate the associated cloud services
Some features provided by ACK rely on or are associated with other cloud services. Therefore, you must activate the cloud services before you can use these features.
You must use your Alibaba Cloud account to activate cloud services. RAM users are not allowed to activate cloud services.
Log on to the Alibaba Cloud official website with your Alibaba Cloud account and activate the following cloud services based on your requirements.
Required: the cloud services that you must activate. These services must be activated so that ACK clusters can function normally.
Recommended: the cloud services that we recommend that you activate. You can choose to use these services when you create ACK clusters and manage applications.
Optional: the cloud services that you can activate based on your business architecture and O&M requirements.
Cloud service | Service link | Activation | Description |
Virtual Private Cloud (VPC) | | Required | This service allows you to build networks and create route entries for ACK clusters. |
Server Load Balancer (SLB) | | Required | This service allows you to create SLB instances for ACK clusters. |
Auto Scaling | | Required | This service allows ACK to automatically create worker nodes and enables ACK clusters to automatically scale in or out. |
NAT Gateway | | Recommended | This service enables ACK clusters to communicate with the Internet and pull images over the Internet. |
Container Registry | | Recommended | This service provides secure and full lifecycle management for cloud-native assets. |
Elastic Container Instance | https://www.alibabacloud.com/products/elastic-container-instance | Recommended | This service allows you to deploy ACK Serverless clusters. |
Alibaba Cloud Service Mesh (ASM) | | Recommended | This service allows you to manage the network traffic of applications that are deployed across multiple ACK clusters by using service meshes. |
Log Service | | Recommended | This service allows you to collect and query the logs of components and applications in ACK clusters. |
CloudMonitor | | Recommended | This service allows you to monitor the status of nodes and applications in ACK clusters. |
Prometheus Service | | Recommended | This service allows you to monitor ACK clusters and generate alerts when anomalies are detected. |
Security Center (SAS) | | Optional | This service allows you to monitor the security events of application runtimes in ACK clusters and generate alerts when anomalies are detected. |
Apsara File Storage NAS (NAS) | | Optional | This service allows you to store application data in NAS file systems. |
Object Storage Service (OSS) | | Optional | This service allows you to store application data in OSS buckets. |
Key Management Service (KMS) | | Optional | This service allows you to manage application Secrets and encrypt Secrets for ACK Pro clusters. |
Alibaba Cloud DNS PrivateZone | | Optional | This service is intended for resolving private domain names in VPCs. You can use this service to resolve the domain names of applications in ACK Serverless clusters. |
Hybrid Backup Recovery (HBR) | | Optional | This service provides data backup, disaster recovery, and policy-based archive management. |
ACK default roles
Role | Description |
ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, VPC, SLB, Auto Scaling, and Resource Orchestration Service (ROS). | |
By default, an ACK managed cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Container Registry. | |
By default, an ACK Serverless cluster assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone. | |
The auditing feature of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Log Service. | |
The network plug-in of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in ECS and VPC. | |
The volume plug-in of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in ECS and NAS. | |
The monitoring component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in CloudMonitor and Log Service. | |
The Log Service component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Log Service. | |
The Virtual Node component of ACK Serverless clusters assumes this role to access your resources in other cloud services. These cloud services include ECS, VPC, and Elastic Container Instance. | |
The application monitoring component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Application Real-Time Monitoring Service (ARMS). | |
The aliyun-acr-credential-helper component of ACK managed clusters and ACK Serverless clusters assumes this role to pull images from Container Registry. | |
The node pool control component of ACK managed clusters assumes this role to access resources on ECS instances and in node pools. | |
The auto scaling component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Auto Scaling and ECS. | |
The Secret encryption component of ACK managed clusters and ACK Serverless clusters assumes this role to access your resources in Key Management Service (KMS). | |
The cost analysis component of ACK managed clusters and ACK Serverless clusters assumes this role to access resources in Billing Management (BSS) API, ECS, and Elastic Container Instance. | |
The network component of ACK Lingjun managed clusters assumes this role to access resources in Intelligent Computing Lingjun. | |
The backup center component of ACK managed clusters assumes this role to access resources in Hybrid Backup Recovery (HBR) and OSS. | |
The control plane components of ACK edge clusters assume this role to access resources in Smart Access Gateway (SAG), Virtual Private Cloud (VPC), and Cloud Enterprise Network (CEN). |
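
Each role in the table above is meant to be assumed by ACK itself, so a useful check after authorization is that a role's trust policy names only the ACK service as a principal. The following is an added example, not Alibaba Cloud's code: it assumes the RAM trust policy JSON layout and the service principal cs.aliyuncs.com, and the role name and account ID in the sample documents are placeholders.

```python
import json

ACK_SERVICE = "cs.aliyuncs.com"  # assumption: ACK's service principal in RAM

def audit_trust_policy(role_name, policy_json, allowed_services=(ACK_SERVICE,)):
    """Return findings for every principal, other than the allowed
    services, that a RAM trust policy lets assume the role."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):   # e.g. a bare "*"
            principal = {"Any": principal}
        for kind, values in principal.items():
            values = [values] if isinstance(values, str) else values
            for value in values:
                if kind == "Service" and value in allowed_services:
                    continue
                findings.append(
                    f"{role_name}: statement {idx} lets {kind} principal "
                    f"{value!r} assume the role")
    return findings

# Constructed sample documents (role name and account ID are placeholders).
SERVICE_ONLY = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["cs.aliyuncs.com"]}}]})
WIDENED = json.dumps({"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["cs.aliyuncs.com"],
                  "RAM": ["acs:ram::1111111111111111:root"]}}]})

if __name__ == "__main__":
    for doc in (SERVICE_ONLY, WIDENED):
        for line in audit_trust_policy("example-ack-role", doc) or ["ok"]:
            print(line)
```

The input is the trust policy document of a role, such as the AssumeRolePolicyDocument field that the RAM GetRole API returns.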