All Products
Search

This Product

    Container Service for Kubernetes:Customize ACK API server certificate SANs

    Document Center

    Container Service for Kubernetes:Customize ACK API server certificate SANs

    Last Updated:Jun 21, 2026

    An ACK cluster's API server certificate contains a Subject Alternative Name (SAN) field. By default, this field includes the cluster's internal domain, the private IP address of the Server Load Balancer (SLB) instance for the API server, the local IP address of the API server service, and the elastic IP address (EIP). For special requirements, such as proxy-based or cross-domain access, you can add custom SANs for a new or existing cluster in the ACK console.

    Prerequisites

    You have created an ACK managed cluster, an ACK dedicated cluster, or an ACK Serverless cluster. For more information, see Create an ACK managed cluster, Create an ACK dedicated cluster (discontinued), or Create an ACK Serverless cluster.

    Important

    • ACK Serverless clusters do not support customizing SANs during cluster creation. You can only update the SANs for existing clusters.

    • ACK dedicated clusters support customizing SANs only during cluster creation. You cannot update the SANs for existing clusters.

    SAN overview

    A Subject Alternative Name (SAN) is an extension to the X.509 standard that lets you associate multiple values, such as IP addresses, domain names, URIs, and email addresses, with an SSL certificate by using the subjectAltName field.

    Add custom SANs to an API server certificate

    New cluster

    This section uses an ACK managed cluster as an example to show how to add custom SANs during cluster creation. The procedure is similar for other cluster types.

    When you create a cluster, in the Cluster Configurations section, click Show Advanced Options. In the Custom Certificate SANs setting, enter the configuration fields. For more information, see Create an ACK managed cluster.

    Note

    In the Custom Certificate SANs field, you can enter valid IP addresses, domain names, and URIs. Separate multiple entries with commas.

    Custom Certificate SANs

    Existing cluster

    Important

    Updating or modifying custom SANs triggers a brief restart of the cluster's API server. Perform this operation during off-peak hours.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.

    3. On the Cluster Information page, click the Basic Information tab, and then in the Network section, click Edit to the right of Custom Certificate SANs.

    4. In the Update Custom SAN dialog box, enter the custom values in the Custom Certificate SANs field and then click OK.

    Related documents

    API server audit logs record and trace user operations. For more information, see Use the cluster API server auditing feature.