The benefits of ACK and the disadvantages of self-managed Kubernetes - Container Service for Kubernetes

This topic describes the benefits of Alibaba Cloud Container Service for Kubernetes (ACK) and the disadvantages of self-managed Kubernetes clusters.

Benefits of ACK

Benefit	Description
Powerful cluster management	Three types of clusters: ACK dedicated clusters, ACK managed clusters, and ACK Serverless clusters. By default, the management nodes of an ACK managed cluster are deployed across three zones for high availability. A single cluster supports thousands of Elastic Compute Service (ECS) nodes. For more information about quota limits, see Quota limits. Supports cross-zone clusters and registered clusters.
Highly elastic resource scaling	Automatically and quickly adjusts the number of containers based on resource usage. Scales out to thousands of nodes within minutes. If you use ACK Serverless and Elastic Container Instance (ECI), you can start 500 pods in 30 seconds. Supports one-click vertical scaling. Supports horizontal application scaling and resource affinity policies. Provides standard community features such as Horizontal Pod Autoscaler (HPA), Vertical Pod Autoscaler (VPA), and Cluster Autoscaler. Provides scheduled scaling similar to CronHPA and serverless elastic scaling similar to vk-autoscaler. Provides fine-grained elastic scheduling for online services based on elastic workloads. Provides the alibaba-metrics-adapter for different scaling scenarios to optimize application layer scaling, such as for Ingress gateways and Sentinel-based microservice throttling.
All-in-one container management	Application management: Supports phased releases, blue-green deployments, application monitoring, and automatic application scaling. Provides a built-in application marketplace that supports one-click deployment of Helm applications. Container Registry (ACR): High availability and supports high concurrency. Image acceleration is supported. Supports large-scale peer-to-peer (P2P) distribution. It can automatically run and optimize the basic image distribution process, distributing to a maximum of 10,000 nodes with a 4x increase in efficiency. When you use a self-managed image repository, the repository may crash if millions of clients pull images at the same time. ACR improves the reliability of the image repository and reduces O&M and upgrade workloads. Logging: Supports log collection and integration with Simple Log Service. Supports integration with third-party open source logging solutions. Monitoring: Supports container-level and virtual machine (VM)-level monitoring. Supports integration with third-party open source monitoring solutions.
Variety of worker nodes	By resource type: x86 computing resources: ECS instances of x86 instance families. Heterogeneous computing resources: GPU-accelerated, Field-Programmable Gate Array (FPGA)-accelerated, and Application-Specific Integrated Circuit (ASIC)-accelerated ECS instances. Bare metal computing resources: ECS Bare Metal Instances. Serverless computing resources: ACK virtual nodes. Edge nodes: ACK Edge clusters support unified management of cloud and edge nodes, and unified application publishing. This improves publishing efficiency by 3 times. For more information, see What is ACK Edge?. By billing method: Spot instances Subscription Pay-as-you-go
Optimized IaaS layer capabilities	Networking: Provides high-performance Virtual Private Cloud (VPC)/elastic network interface (ENI) network plugins that improve performance by 20% compared with common network solutions. Supports container access policies and throttling. Storage: Supports Alibaba Cloud disks, File Storage NAS (NAS), and Object Storage Service (OSS), and provides standard Container Storage Interface (CSI) drivers. Supports dynamic creation and migration of persistent volumes (PVs). Load balancing: Supports the creation of public and internal-facing Server Load Balancer (SLB) instances. If you use a self-managed Ingress in a self-managed Kubernetes cluster, frequent service releases may increase the configuration pressure on the Ingress and the probability of errors. The SLB solution of ACK supports native, highly available Alibaba Cloud SLB and can automatically modify and update network configurations. This solution has been used by many users for a long time and is much more stable and reliable than self-managed Ingress solutions.
Enterprise-grade security and stability	ACK integrates multi-layer security protection features from the beginning of the development lifecycle. It provides comprehensive protection for cloud-native architectures, from the underlying infrastructure and intermediate software supply chain to the top-level runtime environment. End-to-end security capabilities: Infrastructure security: Supports comprehensive network security isolation and control, and end-to-end data encryption. It integrates Alibaba Cloud accounts and RAM users with the Kubernetes Role-Based Access Control (RBAC) permission system, and supports fine-grained permission management and complete auditing. Software supply chain security: Supports a complete DevSecOps pipeline that consists of image scanning, secure cloud-native delivery chains, image signing, and image synchronization. Runtime security: Provides defense-in-depth capabilities for runtimes, such as application-level security policy management, configuration inspection, runtime monitoring and alerting, and secret key encryption and management. Default security: Provides container-optimized operating system images, and stable, security-hardened versions of Kubernetes and containerd. Hardens the security compliance of cluster configurations and system components/images based on ACK security hardening and container security best practices. Minimizes the default cloud resource permissions for nodes. Sandboxed containers: Sandboxed-Container is a container runtime developed by ACK to enhance container security. You can use Sandboxed-Container to run an application in a sandboxed and lightweight VM, which has a dedicated kernel. Sandboxed-Container is suitable for isolating untrusted applications, unhealthy applications, low-performance applications, and workloads among users. TEE-based confidential computing: ACK provides a cloud-native, all-in-one solution for confidential computing based on Intel Software Guard Extensions (Intel SGX). This solution ensures data security, integrity, and confidentiality when you develop, manage, and deliver trusted applications and confidential computing tasks. The confidential computing capabilities provided by ACK allow you to isolate sensitive data and code by using a trusted execution environment.
24/7 technical support	Provides 24/7 professional technical support through a ticket system.

Disadvantages of self-managed Kubernetes clusters

Cluster setup is complex.
You must manually configure various Kubernetes components, configuration files, certificates, keys, plugins, and tools. The entire cluster setup process can take an experienced engineer several days to weeks to complete.
Integrating with public cloud products is costly.
You are responsible for the costs of integrating with other Alibaba Cloud products, such as Simple Log Service, monitoring services, and storage management.
Containerization is a complex undertaking that involves various technologies, such as networking, storage, operating systems, and orchestration. This process requires dedicated personnel.
Container technology evolves rapidly. This requires continuous experimentation, upgrades, and testing.