When you create a Container Service for Kubernetes (ACK) cluster, an internal-facing Classic Load Balancer (CLB) instance is automatically created for the API server of the cluster. You can associate an elastic IP address (EIP) with the CLB instance to expose the API server to the Internet.
Description
You are charged for the associated EIP. For more information about the billing rules, see Pay-as-you-go.
After an EIP is associated with the CLB instance, do not disassociate or release the EIP. Otherwise, the API server cannot be accessed over the Internet.
Associate and manage an EIP
You can associate an EIP with the API server during cluster creation or in an existing cluster. You can change the EIP associated with the API server or disassociate the EIP from the API server.
When you associate, disassociate, or change the EIP for the API server, the system performs rolling updates on the API server. Do not perform operations on the cluster during the rolling updates.
Create and Associate EIP
New clusters
When you create a cluster, select Expose API server with EIP.
For more information, see Create an ACK managed cluster, Create an ACK Serverless cluster, and Create an ACK Edge cluster.
Existing clusters
You can associate EIPs only with the API servers of existing ACK managed clusters, ACK Serverless clusters, and ACK Edge clusters.
If you want to associate an EIP with the API server of an existing ACK dedicated cluster, you must first perform a hot migration from the ACK dedicated cluster to an ACK managed Pro cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Network section, click Associate EIP to the right of API server Public Endpoint. Follow the on-screen instructions to select an existing EIP or create an EIP in the same region as the cluster. Then, click OK.
After the EIP is associated, it is displayed in the API server Public Endpoint field.
Disassociate or change the EIP
Disassociate the EIP: After you disassociate the EIP from the API server, the API server can be accessed only over the internal network. The applications in the cluster can still access the API server.
Change the EIP: After you change the associated EIP, the public endpoint of the API server changes.
You can change the EIPs and disassociate the EIPs only in ACK managed clusters and ACK Serverless clusters.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Network section, click Associate EIP or Unbind to the right of API server Public Endpoint.
Configure a network ACL for the API server
After you expose the API server to the Internet, we recommend that you configure a network access control list (ACL) for the API server. You can configure a blacklist to forbid specific IP addresses to access the API server or configure a whitelist to allow specific IP addresses to access the API server.
References
If your applications in the cluster need to access external resources over the Internet, such as pulling images or updating dependency libraries over the Internet, refer to Enable an existing ACK cluster to access the Internet to configure SNAT rules on a NAT gateway in the VPC where the cluster resides.
If the cluster security group includes deny rules, make sure that the protocols and ports used by the cluster are not specified in the deny rules. For more information, see Configure security groups for clusters.