All Products
Document Center

Container Service for Kubernetes:What is Container Service for Kubernetes?

Last Updated:Aug 02, 2023

Container Service for Kubernetes (ACK) is a managed service that helps you manage your containers to ensure high performance. It is also one of the first publicly offered services in the world to pass the Certified Kubernetes Conformance Program.

ACK cluster types

ACK provides three types of clusters: ACK dedicated cluster, ACK managed cluster, and serverless Kubernetes (ASK) cluster.


ACK dedicated cluster

ACK managed cluster

Cluster and node management

You are required to create and manage the control planes and worker nodes.

You are required to create worker nodes. ACK creates and manages the control planes.

You have full and fine-grained control over the cluster but you have to plan and manage the cluster and update nodes on your own.

ACK manages the control planes for you, providing a simple, cost-effective, and highly-available solution.

Billing methods

You are not charged for cluster management, but you are charged for the resources used to create the master nodes, worker nodes, and other infrastructure resources.

  • ACK basic clusters: You are not charged for cluster management, but you are charged for the resources used to create nodes and other infrastructure resources.

  • ACK Pro clusters: You are charged based on the number of clusters that you create.

Use scenarios

All scenarios

All scenarios

User profile

  • Do not overly concern about costs

  • Have knowledge about Kubernetes

  • Possess technical expertise on Kubernetes O&M

  • Have specific plans for resource allocation and deployment

  • Have customization requirements on the control planes

  • Want to manually manage clusters

  • Require cost reduction

  • Focus on application development

  • Possess a basic understanding of Kubernetes

  • Want to control O&M costs

  • Require automated maintenance for the control planes

ACK cluster architecture


ACK managed clusters are reliable, secure, and highly available. ACK manages the Kubernetes control planes of your clusters to ensure high performance. The ACK-managed Kubernetes control plane consists of at least two kube-apiserver, one kube-controller-manager, one ack-scheduler, and three etcd components. ACK scales the kube-apiserver and etcd components across zones to ensure high availability. ACK actively monitors the status of the control planes, installs vulnerability patches, and offers a service-level agreement (SLA) for the control planes.


  • Cluster Management

    • Cluster creation: You can create various types of clusters based on your business requirements. ACK allows you to customize cluster configurations and select from a rich variety of Elastic Compute Service (ECS) instance types to use as worker nodes. For more information, see Create an ACK managed cluster, and Create an ACK dedicated cluster.

    • Cluster update: You can easily update your clusters with a few clicks. ACK provides a simple and centralized method to update your system components. For more information, see Update the Kubernetes version of ACK clusters.

    • Elastic scaling: You can vertically scale your clusters directly in the console to respond to unexpected business fluctuations. You can also configure service-level affinity rules and horizontal scaling settings for your business.

    • Multi-cluster management: ACK allows you to register third-party and self-managed Kubernetes clusters and implement centralized management of all your resources.

    • Permission management: ACK integrates Resource Access Management (RAM) and role-based access control (RBAC) for permission management.

  • Node pools

    ACK enables full lifecycle management for node pools and allows you to customize the configurations of each node pool in a cluster. For example, you can configure the vSwitches, container runtime, node OS, and security groups for a node pool based on your requirements. For more information, see Overview of node pools.

  • Application management

    • Application creation: You can create various types of applications from images or templates. ACK allows you to customize application configurations, such as environment variables, health checks, disk mounting, and logging.

    • Lifecycle management: You can use ACK to manage the entire lifecycle of applications. For example, you can view, update, replace, and delete applications, roll back application versions, view application events, perform rolling updates, and use triggers to redeploy applications.

    • Pod scheduling: ACK supports pod scheduling based on pod affinity, node affinity, and pod anti-affinity.

    • Pod scaling: You can manually scale pods or automate pod scaling by using the Horizontal Pod Autoscaler (HPA).

    • Application release: ACK supports canary releases and blue-green deployments. You can use these features to better manage the application release lifecycle.

    • App catalog: App catalog is a feature that ACK provides to facilitate application deployment and cloud service integration.

    • Application center: The application center provides a centralized management panel that you can use to deploy your applications and monitor the topology of your applications. You can use the application center to implement unified version management and rollback in continuous deployment scenarios.

    • Application backup and recovery: You can back up applications and restore applications from backup data. For more information, see Back up and restore applications.

  • Volumes

    • The following volume plug-ins are supported: FlexVolume and Container Storage Interface (CSI). For more information, see CSI overview and FlexVolume overview.

    • Operations on volumes and persistent volume claims (PVCs):

      • You can create Block Storage volumes, Apsara File Storage NAS (NAS) volumes, and Object Storage Service (OSS) volumes.

      • You can bind a volume to a PVC.

      • You can dynamically create and migrate volumes.

      • You can view and update volumes and PVCs by running scripts.

  • Networks

    • You can set up container networks by using the Flannel or Terway plug-in. For more information, see Network overview.

    • You can specify CIDR blocks for Services and pods.

    • You can use the NetworkPolicy feature of Kubernetes to control access to specific applications. For more information, see Use network policies.

    • You can use Ingresses for traffic routing.

    • You can implement DNS-based service discovery. For more information, see DNS overview.

  • O&M and security

    • Observability:

      • Monitoring: ACK integrates Managed Service for Prometheus for your clusters, nodes, applications, and pods.

      • Logging: ACK integrates Log Service for log collection and storage for your clusters and containers.

      • Alerting: ACK enables alerting based on cluster events and container metrics. For more information, see Alert management.

    • Cost analysis: ACK visualizes the resource usage and cost distribution of your clusters, providing you with easily understandable resource utilization metrics.

    • Security center: ACK actively inspects your applications for security risks, and provides security policies for runtime monitoring and alerting.

    • Sandboxed-Container: Sandboxed-Container is a container runtime developed by ACK for enhancing container security. You can use Sandboxed-Container to run an application in a sandboxed and lightweight VM, which has a dedicated kernel. Sandboxed-Container is suitable for isolating untrusted applications, unhealthy applications, low-performance applications, and workloads among users.

    • TEE-based confidential computing: ACK provides a cloud-native, all-in-one solution for confidential computing based on Intel Software Guard Extensions (Intel SGX). This solution ensures data security, integrity, and confidentiality when you develop, manage, and deliver trusted applications and confidential computing tasks. The confidential computing capabilities provided by ACK allow you to isolate sensitive data and code by using a trusted execution environment.

Service architecture

The following figure shows the architecture of the ACK product portfolio.

  • Container Registry provides secure hosting and lifecycle management for cloud-native assets. Container Registry is seamlessly integrated with ACK to provide an all-in-one solution for image distribution in cloud-native scenarios.

  • Service Mesh (ASM) is a managed service mesh platform for unified traffic management of applications that use the microservices architecture. ASM is compatible with open source Istio and supports multi-cluster traffic management. ASM also allows you to centrally manage communication among containerized applications and applications that run on VMs.

  • ASK clusters run elastic and serverless computing tasks. You can create containerized applications without the need to manage or maintain clusters.

  • ACK Edge is a Kubernetes-based edge computing solution that is developed by ACK for coordinating application delivery and O&M among the cloud, edge, and terminal. This service enhances node autonomy at the edge.

  • Distributed Cloud Container Platform for Kubernetes (ACK One) is an enterprise-class cloud-native container platform that is developed by ACK to meet container management requirements in hybrid cloud, multi-cluster, distributed computing, and disaster recovery scenarios. You can register third-party and self-managed Kubernetes clusters that are deployed in all regions or on all types of infrastructure with ACK One. ACK One is compatible with the APIs of open source Kubernetes. This allows you to centrally manage and maintain computing resources, networks, storage, security, monitoring data, logs, jobs, applications, and traffic.

  • The cloud-native AI suite is used to orchestrate and manage AI-related tasks and to schedule and maintain various heterogeneous resources in containerized environments. The component set can significantly accelerate the delivery of AI projects and improve resource utilization for clusters that consist of heterogeneous resources, such as GPUs and NPUs. ACK provides multiple components, extensions, and customizable configurations to support cloud-native AI capabilities.

Services that work with ACK

The following figure describes the Alibaba Cloud services that can be integrated with ACK.周边产品图

The following table provides details about the cloud services listed in the preceding figure.




ECS: provides ECS instances that act as worker nodes.

Elastic Container Instance: provides elastic container instances for ASK clusters.

Auto Scaling: automates the scaling of node pools.


Virtual Private Cloud (VPC): provides private networks in the cloud.

Server Load Balancer (SLB): exposes the Kubernetes API server and applications.

NAT Gateway: provides IP address translation services for the cluster so that node pools in the cluster can access the Internet.

Elastic IP Address (EIP): provides public IP addresses for individual nodes to communicate with the Internet.

Alibaba Cloud DNS PrivateZone: provides DNS resolution services for internal domain names of ASK clusters.


EBS: provides data disks that you can mount to worker nodes to expand storage.

NAS: provides file storage for your workloads.

OSS: provides shared storage for your workloads.


RAM: a permission management service that can work with RBAC.

Security Center: detects security risks for containers.

Key Management Service (KMS): provides encryption for Secrets in your ACK clusters.


Managed Service for Prometheus: provides Prometheus monitoring services for your ACK clusters and monitors the topology of your clusters.

Log Service: collects and stores ACK cluster logs.

Cloud-native assets

Container Registry: hosts container images.


Resource Orchestration Service (ROS): uses templates to facilitate resource orchestration.


To use ACK, click ACK console.


Kubernetes official website