You can associate an Elastic IP Address (EIP) with a Container Service for Kubernetes (ACK) cluster to enable Internet access for the API server. This allows you to access the cluster over the Internet. You can associate an EIP when you create a cluster or after a cluster is created. You can control public access to the API server by associating or disassociating an EIP.
Billing
When you associate an EIP with a cluster, you are charged for the EIP. For more information, see What is an Elastic IP Address? and Pay-as-you-go.
Usage notes
After you associate an EIP with the API server of a cluster, make sure that the EIP is in the normal state. If you disassociate the EIP, the API server cannot be accessed over the Internet.
Associate an EIP
You can associate an EIP with the API server when you create a cluster or after a cluster is created to enable Internet access for the API server.
Associate an EIP with the API server when you create a cluster
You can select Expose API server with EIP when you create a cluster to enable Internet access for the API server. For more information about how to create a cluster, see Create an ACK managed cluster, Create an ACK Serverless cluster, and Create an ACK Edge cluster.
Associate an EIP with the API server after a cluster is created
If you do not select Expose API server with EIP when you create a cluster, you can perform the following steps to associate an EIP with the API server after the cluster is created.
Only ACK managed Basic clusters, ACK managed Pro clusters, ACK Serverless clusters, and ACK Edge clusters support associating an EIP with the API server after a cluster is created.
The API server restarts after you associate an EIP with the API server. We recommend that you do not perform operations on the cluster during the restart process.
ACK dedicated clusters do not support associating an EIP with the API server after a cluster is created. You can perform hot migration from ACK dedicated clusters to ACK managed Pro clusters and then enable Internet access for the API server of the ACK managed Pro cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Network section, click Associate EIP on the right side of API server Public Endpoint.
In the Associate EIP dialog box, select an existing EIP or apply for EIPs as prompted. When you create an EIP, you must select the same region as the cluster. Then, click OK.
After the EIP is associated, the public IP address is displayed in the API server Public Endpoint field.
Configure access control policies for the API server
After you enable Internet access for the API server, we recommend that you configure access control policies for the API server. You can configure blacklists and whitelists to manage access permissions for the Classic Load Balancer (CLB) instance. This allows you to implement precise access control and security protection for the API server.
Disassociate or change an EIP
After you associate an EIP with the API server, you can change or disassociate the EIP. After you disassociate the EIP, the API server can be accessed only over the internal network. This does not affect the applications that run in the cluster.
Only ACK managed Pro clusters, ACK managed Basic clusters, and ACK Serverless clusters support the Change EIP and Disassociate EIP features.
The API server restarts after you disassociate or change an EIP. We recommend that you do not perform operations on the cluster during the restart process.
References
If services in the cluster need to access resources over the Internet, such as pulling images from the Internet or updating dependency libraries, you can Enable an existing ACK cluster to access the Internet.
If you have configured interception rules in security groups, make sure that the security group rules allow the protocols and ports that are required by the cluster. For more information, see Configure security groups for clusters.