
Container Service for Kubernetes:Create an ACK managed cluster with auto mode enabled

Last Updated:May 06, 2025

When you create an ACK managed cluster, you can enable auto mode to deploy a Kubernetes cluster that follows best practices with minimal configuration. In this mode, ACK automatically creates a managed node pool and handles the full lifecycle of its nodes.

Before you enable auto mode, we recommend that you understand its features and scenarios. For more information, see Clusters.

Preparations

Planning and design

Before you create a cluster, we recommend that you plan and design the cluster configurations based on your requirements to ensure that the cluster runs in a stable, efficient, and secure manner.

  • Region: Deploy services in a region that is geographically close to your users so that access latency stays low.

  • Zone: We recommend that you configure multiple zones to ensure high availability of the cluster.

  • Plan the network of an ACK cluster: Configure the virtual private cloud (VPC) CIDR block, vSwitch CIDR block, container CIDR block, and Service CIDR block based on your business scenario and cluster size. Then, specify the IP address range of the cluster and the number of available IP addresses for pods and nodes.

  • Access to Internet: Specifies whether the nodes in the cluster can access the Internet. The cluster requires Internet access to pull public images.

Activation and authorization

Before you create a cluster, make sure that you activated ACK and assigned the ACK system role to your Alibaba Cloud account or RAM user. In addition, make sure that you activated cloud services such as VPC, Server Load Balancer (SLB), and NAT gateway. For more information, see Quickly create an ACK managed cluster.

Note

If you purchase services such as CLB based on the pay-as-you-go billing method, make sure that the balance of your Alibaba Cloud account is sufficient to avoid overdue payments.

Procedure

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click Create Kubernetes Cluster. On the ACK Managed Cluster page, enable Auto Mode. Configure the cluster based on the Configuration description section and the on-screen instructions. After clicking Confirm, confirm the cluster configurations and dependency check status, and read the service agreement.

    Only ACK managed Pro clusters support Auto Mode. Cluster management fees and fees for the cloud services that the cluster uses are charged. You can view the total fees at the bottom of the cluster creation page and consult the billing documentation of ACK and of the other services. For more information, see Billing overview and Cloud resource fee.

    You can click Generate API Request Parameters in the upper-left corner of the page to generate Terraform or SDK sample parameters for the cluster configurations.
  3. After the cluster is created, the system automatically creates an intelligent managed node pool. This node pool automatically scales in and out based on the workloads. ACK manages the lifecycle of the nodes and is responsible for O&M tasks, such as operating system version upgrades, software version upgrades, and vulnerability fixes.

  4. When ACK creates the cluster, ACK installs components based on the cluster configurations. The components may occupy compute resources in the cluster. The intelligent managed node pool automatically scales out to meet the resource requirements of the components.

Configuration description

You can create a cluster based on the default configuration or adjust the configuration based on your business requirements and account resources. For each parameter, the Modifiable line indicates whether the parameter can be changed after the cluster is created: No means that it cannot be modified, and Yes means that it can. Pay attention to the parameters that cannot be modified.

Basic information


Cluster Name

The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit.

Modifiable: Yes

Region

The region of the cluster.

Modifiable: No

Maintenance Window

ACK automatically updates the cluster and performs automated O&M operations on managed node pools within the maintenance window. The operations include runtime updates and automatic fixes for CVE vulnerabilities. You can click Set to configure the detailed maintenance policies.

Modifiable: Yes

Network configurations


VPC

Configure the VPC of the cluster. You can specify a zone to automatically create a VPC. You can also select an existing VPC in the VPC list.

Modifiable: No

Configure SNAT

If the VPC that you created or selected cannot access the Internet, you can select this check box. This way, ACK automatically creates a NAT gateway and configures SNAT rules.

If you do not select this check box, you can manually configure a NAT gateway and configure SNAT rules to ensure that instances in the VPC can access the Internet. For more information, see Create and manage an Internet NAT gateway.

Modifiable: Yes

vSwitch

Select an existing vSwitch from the vSwitch list or click Create vSwitch to create a vSwitch. The control plane and the default node pool use the vSwitch that you select. We recommend that you select multiple vSwitches in different zones to ensure high availability.

Modifiable: Yes

Access to API Server

Create a pay-as-you-go internal-facing Classic Load Balancer (CLB) instance for the API server to serve as the internal endpoint of the API server in the cluster. The API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and Services.

You can select or clear Expose API server with EIP.

  • If you select this check box, an elastic IP address (EIP) is associated with the internal-facing CLB instance used to expose the API server of the cluster. This way, you can access the API server of the cluster over the Internet.

  • If you clear this check box, no EIP is created. You can use a kubeconfig file to connect to the cluster only from within the VPC and then manage the cluster.

Important
  • If you delete the default CLB instance, you cannot access the API server.

  • After you associate an EIP with the CLB instance created for the API server, the API server can receive requests sent over the Internet. However, resources in the cluster cannot access the Internet. If you want to enable the resources in the cluster to access the Internet, select Configure SNAT for VPC. For example, after you select this check box, the cluster can pull public images over the Internet.

  • Starting from December 1, 2024, an instance fee will be charged for newly created CLB instances. For more information, see CLB billing adjustments.

Modifiable: No

Network Plug-in

Flannel and Terway are supported. For more information about the comparison between Terway and Flannel, see Comparison between Terway and Flannel.

  • Flannel is an open source network plug-in provided by the community. Flannel uses the Virtual Private Cloud (VPC) of Alibaba Cloud in ACK. Packets are forwarded based on the VPC route table. Flannel is suitable for scenarios that require smaller nodes, simplified network configuration, and no requirements for custom control over the container network.

  • Terway is a network plug-in developed by Alibaba Cloud. The plug-in builds networks based on elastic network interfaces (ENIs). Terway supports the use of extended Berkeley Packet Filter (eBPF) to accelerate network traffic. Terway also supports network policies and pod-level switches and security groups. Terway is suitable for scenarios such as high-performance computing, gaming, and microservices that require large nodes, and high network performance and security.

    Important
    • In Terway mode, each pod uses a secondary IP address provided by the ENIs on the node. The maximum number of secondary IP addresses that can be provided by each ENI depends on the instance type of the node. Therefore, the number of pods that can be deployed on a node depends on the number of ENIs that are attached to the node and the maximum number of secondary IP addresses that are provided by these ENIs.

    • If you select a shared VPC for the cluster, you must select Terway as the network plug-in.

    • If you select Flannel as the network plug-in, Application Load Balancer (ALB) Ingresses in the cluster can route requests only to NodePort Services and LoadBalancer Services.

    When you set the Network Plug-in parameter to Terway, you can configure the following parameters:

    • DataPathV2

      You can enable the DataPath V2 acceleration mode only when you create a cluster. After you enable the DataPath V2 acceleration mode for Terway in inclusive ENI mode, Terway adopts a different traffic forwarding path to accelerate network communication. For more information, see Network acceleration.

      Note

      If this feature is enabled, the container with Terway policies is expected to consume an additional 0.5 cores and 512 MB of resources on each worker node, and this consumption will increase as the cluster size grows. In the default configuration of Terway, the CPU limit for the container is set to 1 core, and no restrictions are specified on memory.

    • Support for NetworkPolicy

      If you select this check box, Kubernetes-native NetworkPolicies are supported.

      The feature of managing NetworkPolicies by using the console is in public preview. If you want to use the feature, log on to the Quota Center console and submit an application.

    • Support for ENI Trunking

      The Terway Trunk ENI feature allows you to specify a static IP address, a separate vSwitch, and a separate security group for each pod. This allows you to manage and isolate user traffic, configure network policies, and manage IP addresses in a fine-grained manner. For more information, see Configure static IP addresses, separate vSwitches, and separate security groups for a pod.

      Note
      • You can select the Support for ENI Trunking option for an ACK managed cluster without the need to submit an application. If you want to enable the Trunk ENI feature in an ACK dedicated cluster, log on to the Quota Center console and submit an application.

      • By default, the Trunk ENI feature is enabled for newly created ACK managed clusters that run Kubernetes 1.31 or later versions.

Modifiable: No

Pod vSwitch

Configure this parameter only if you select Terway as the network plug-in.

The vSwitch that is used to assign IP addresses to pods. Each pod vSwitch corresponds to a vSwitch of a worker node. The vSwitch of the pod and the vSwitch of the worker node must be in the same zone.

Important

We recommend that you set the subnet mask of the CIDR block of a pod vSwitch to 19 bits or shorter. In any case, the subnet mask must not exceed 25 bits. Otherwise, the cluster network has only a limited number of IP addresses that can be allocated to pods, and the cluster may not function as expected.

Modifiable: Yes

Container CIDR Block

Configure this parameter only if you select Flannel as the network plug-in.

The container CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the Service CIDR block. The container CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Network planning of an ACK managed cluster.

Modifiable: No

Number of Pods per Node

Configure this parameter only if you select Flannel as the network plug-in.

The maximum number of pods that can run on a single node.

Modifiable: No

Service CIDR

Specify the CIDR block of Services in the cluster. The Service CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the pod CIDR block. The Service CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Network planning of an ACK managed cluster.

Modifiable: No

Service Discovery Mode

iptables and IP Virtual Server (IPVS) are supported.

  • iptables is a mature and stable kube-proxy mode. In this mode, service discovery and load balancing for Kubernetes Services are configured by using iptables rules. The performance of this mode depends on the size of the Kubernetes cluster. This mode is suitable for Kubernetes clusters that manage a small number of Services.

  • IPVS is a high-performance kube-proxy mode. In this mode, service discovery and load balancing for Kubernetes Services are configured by the IPVS module of Linux. This mode is suitable for clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.

Modifiable: No
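The planning rules in the table above (vSwitches inside the VPC, no overlap between the VPC, pod, and Service CIDR blocks, a pod vSwitch mask between /19 and /25) can be checked before you open the console. The following Python script is an added example written for this page, not part of ACK or its tooling. The plan layout (a dictionary of CIDR strings keyed by zone), the function names, and the sample addresses are constructed assumptions; it also covers the Flannel case (a container CIDR instead of pod vSwitches), which the page describes in separate rows.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample plan for this example (not from the page): one VPC, two node
# vSwitches in different zones, two Terway pod vSwitches in the same zones, and a
# Service CIDR outside the VPC. container_cidr is only used for Flannel plans.
SAMPLE_PLAN: Dict = {
    "vpc": "192.168.0.0/16",
    "node_vswitches": {"zone-a": "192.168.0.0/24", "zone-b": "192.168.1.0/24"},
    "pod_vswitches": {"zone-a": "192.168.32.0/19", "zone-b": "192.168.64.0/19"},
    "container_cidr": None,
    "service_cidr": "172.16.0.0/16",
}

# A second constructed plan with the mistakes the page warns about: the Service
# CIDR overlaps the VPC, one pod vSwitch is narrower than /25, and one pod
# vSwitch sits in a zone that has no node vSwitch.
BAD_PLAN: Dict = {
    "vpc": "192.168.0.0/16",
    "node_vswitches": {"zone-a": "192.168.0.0/24"},
    "pod_vswitches": {"zone-a": "192.168.32.0/26", "zone-c": "192.168.64.0/19"},
    "container_cidr": None,
    "service_cidr": "192.168.128.0/17",
}


def validate_plan(plan: Dict) -> List[str]:
    """Check a cluster network plan against the page's rules and return findings.

    An empty list means every check passed. Findings prefixed "warning:" are
    recommendations; all others are hard constraints.
    """
    findings: List[str] = []
    vpc = ipaddress.ip_network(plan["vpc"])
    service = ipaddress.ip_network(plan["service_cidr"])
    container: Optional[ipaddress.IPv4Network] = (
        ipaddress.ip_network(plan["container_cidr"]) if plan.get("container_cidr") else None
    )
    node_vsw = {f"node/{z}": ipaddress.ip_network(c) for z, c in plan["node_vswitches"].items()}
    pod_vsw = {f"pod/{z}": ipaddress.ip_network(c) for z, c in plan.get("pod_vswitches", {}).items()}
    all_vsw = list({**node_vsw, **pod_vsw}.items())

    # Every vSwitch (node or pod) must lie inside the VPC.
    for name, net in all_vsw:
        if not net.subnet_of(vpc):
            findings.append(f"{name} vSwitch {net} is not inside VPC {vpc}")

    # vSwitches in one VPC must not overlap one another.
    for i, (n1, a) in enumerate(all_vsw):
        for n2, b in all_vsw[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{n1} vSwitch {a} overlaps {n2} vSwitch {b}")

    # The Service CIDR must not overlap the VPC; with Flannel, the container
    # CIDR must not overlap the VPC or the Service CIDR either.
    if service.overlaps(vpc):
        findings.append(f"Service CIDR {service} overlaps VPC {vpc}")
    if container is not None:
        if container.overlaps(vpc):
            findings.append(f"container CIDR {container} overlaps VPC {vpc}")
        if container.overlaps(service):
            findings.append(f"container CIDR {container} overlaps Service CIDR {service}")

    # Terway: each pod vSwitch needs a node vSwitch in the same zone, and its
    # mask should be /19 or shorter (recommended) and must not exceed /25.
    for name, net in pod_vsw.items():
        zone = name.split("/", 1)[1]
        if f"node/{zone}" not in node_vsw:
            findings.append(f"pod vSwitch {net} in {zone} has no node vSwitch in the same zone")
        if net.prefixlen > 25:
            findings.append(f"pod vSwitch {net} mask /{net.prefixlen} exceeds the /25 limit")
        elif net.prefixlen > 19:
            findings.append(f"warning: pod vSwitch {net} mask /{net.prefixlen} is longer than the recommended /19")
    return findings


def pod_address_capacity(plan: Dict) -> int:
    """Raw number of addresses available to pods: the Flannel container CIDR size,
    or the sum of the Terway pod vSwitch sizes (before any reserved addresses)."""
    if plan.get("container_cidr"):
        return ipaddress.ip_network(plan["container_cidr"]).num_addresses
    return sum(ipaddress.ip_network(c).num_addresses for c in plan.get("pod_vswitches", {}).values())


if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_PLAN), ("bad", BAD_PLAN)):
        print(f"{label}: {pod_address_capacity(plan)} pod addresses")
        for finding in validate_plan(plan) or ["ok"]:
            print("  ", finding)
```

Run it against your own plan before creating the cluster: the container, Service, and vSwitch CIDR blocks flagged here cannot be modified afterwards, so a finding at this stage saves a cluster rebuild.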

Advanced options

The following configurations are provided based on Kubernetes cluster best practices. You can keep the default settings. If you want to adjust the settings, see the parameter description and follow the instructions on the page.


Kubernetes Version

The supported Kubernetes versions. For more information, see Kubernetes versions supported by ACK. You can manually upgrade ACK clusters or automatically update a cluster.

Modifiable: Yes

Automatic Update

Enable the auto update feature for the cluster to ensure periodic automatic updates of control plane components and node pools. ACK automatically updates the cluster within the maintenance window based on your configurations. For more information about the auto update policy and usage method, see Automatically update a cluster.

Modifiable: Yes

IPv6 Dual-stack

This feature is in public preview. To use it, submit an application in the Quota Center console.

If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created.

Important
  • Only clusters that run Kubernetes 1.22 and later support this feature.

  • IPv4 addresses are used for communication between worker nodes and the control plane.

  • You must select Terway as the network plug-in.

  • If you use the shared ENI mode of Terway, the ECS instance type must support IPv6 addresses. To add ECS instances of the specified type to the cluster, the number of IPv4 addresses supported by the ECS instance type must be the same as the number of IPv6 addresses. For more information about ECS instance types, see Overview of instance families.

  • The VPC used by the cluster must support IPv4/IPv6 dual-stack.

  • You must disable IPv4/IPv6 dual stack if you want to use Elastic Remote Direct Memory Access (eRDMA) in a cluster.

Modifiable: No

Security Group

When VPC is set to Select Existing VPC, you can select the Select Existing Security Group option.

You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group.

  • By default, automatically created security groups allow all outbound traffic. When you modify the security group for business purposes, make sure that traffic destined for 100.64.0.0/10 is allowed. This CIDR block is used to access other Alibaba Cloud services to pull images and query basic ECS information.

  • If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information, see Configure security groups for clusters.

Modifiable: Yes
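The security group note above requires that egress to 100.64.0.0/10 stay open when you customize rules, because image pulls and basic ECS information queries depend on it. The following Python check is an added example, not ACK or ECS code. It models rules with a simplified SgRule class (direction, policy, CIDR, priority) under the assumption that a lower priority number wins and that drop beats accept at equal priority; the rule sets are constructed for the example rather than read from any real account.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# The destination the page says must remain reachable: Alibaba Cloud service
# endpoints used to pull images and query basic ECS information.
REQUIRED_EGRESS = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class SgRule:
    """Minimal model of one security group rule (an assumption made for this
    example; it is not the exact schema of the ECS security group API)."""
    direction: str      # "egress" or "ingress"
    policy: str         # "accept" or "drop"
    cidr: str           # remote CIDR (the destination for egress rules)
    priority: int = 1   # 1 is the highest priority; on a tie, drop wins over accept


def check_required_egress(rules: List[SgRule]) -> List[str]:
    """Return findings if egress to 100.64.0.0/10 is not fully allowed.

    The check passes when some accept rule covers the whole block and no drop
    rule with equal or higher priority (numerically <=) touches any part of it.
    """
    findings: List[str] = []
    egress = [r for r in rules if r.direction == "egress"]
    covering_accepts = [
        r for r in egress
        if r.policy == "accept" and REQUIRED_EGRESS.subnet_of(ipaddress.ip_network(r.cidr))
    ]
    if not covering_accepts:
        findings.append(
            f"no egress accept rule covers {REQUIRED_EGRESS}; image pulls and ECS information queries will fail"
        )
        return findings
    best = min(r.priority for r in covering_accepts)
    for r in egress:
        if (r.policy == "drop" and r.priority <= best
                and ipaddress.ip_network(r.cidr).overlaps(REQUIRED_EGRESS)):
            findings.append(f"drop rule {r.cidr} (priority {r.priority}) overrides the accept for {REQUIRED_EGRESS}")
    return findings


# Constructed rule sets for this example.
# What an automatically created security group allows by default: all outbound traffic.
DEFAULT_RULES = [SgRule("egress", "accept", "0.0.0.0/0")]

# A hardened group that restricted egress to a private range and forgot the service block.
RESTRICTED_RULES = [
    SgRule("egress", "accept", "10.0.0.0/8", priority=1),
    SgRule("egress", "drop", "0.0.0.0/0", priority=100),
]

# The same group with the required block re-added explicitly.
FIXED_RULES = RESTRICTED_RULES + [SgRule("egress", "accept", "100.64.0.0/10", priority=1)]

# A group where a higher-priority drop on part of the block shadows a broad accept.
SHADOWED_RULES = [
    SgRule("egress", "accept", "0.0.0.0/0", priority=50),
    SgRule("egress", "drop", "100.64.0.0/16", priority=1),
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES),
                        ("fixed", FIXED_RULES), ("shadowed", SHADOWED_RULES)):
        print(name, check_required_egress(rules) or ["ok"])
```

The shadowed case is the one that is easy to miss in a console review: the broad accept rule is present, but a narrower drop with a better priority still blocks part of the service block.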

Log Service

You can select an existing Simple Log Service (SLS) project or create a project to collect cluster logs. For more information about how to quickly configure SLS when you create an application, see Collect log data from containers by using Simple Log Service.

Modifiable: Yes

Alerts

Enable the alert management feature. You can specify contacts and contact groups. The default is Default Contact Group.

Modifiable: Yes

What to do next

Deploy workloads and configure load balancing

Appendix

Shared responsibility model

The auto mode of ACK managed clusters provides automated and intelligent Kubernetes cluster O&M functions to reduce your O&M effort. Some responsibilities, however, remain with you.

Alibaba Cloud responsibilities

  • Deployment, maintenance, and upgrade of the cluster control plane.

  • Installation, configuration, and update of core cluster components.

  • Node pool operations, such as automatic scaling out, automatic scaling in, operating system upgrades, and software version upgrades (including CVE vulnerability fixes).

Customer responsibilities

  • Cluster basic information configuration, such as network planning and VPC configuration.

  • Configuration and management of cluster RAM permissions and Role-Based Access Control (RBAC).

  • Deployment, maintenance, and configuration of application workloads. The configuration portion includes the number of replicas, PreStop graceful shutdown strategies, and PodDisruptionBudget policies. Ensure that nodes can be drained for maintenance without business interruption.

  • Timely reception of monitoring alerts for clusters and applications, and response based on alert information.

Shared responsibilities

  • Overall cluster security. The security responsibility of the cluster applies to the shared security responsibility model. For more information, see Shared security responsibility model.

  • Troubleshooting and problem solving.
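The customer responsibility for replica counts, PreStop hooks, and PodDisruptionBudgets is what decides whether ACK can drain a node for the automatic operating system and software upgrades listed above. The following Python script is an added example, not part of ACK: it evaluates a Deployment and its PodDisruptionBudgets (constructed manifests, held as the plain dictionaries a YAML loader would return) and reports configurations under which an eviction would either interrupt the service or be refused outright, which leaves the node undrainable. Selector matching is simplified to matchLabels; the function and manifest names are assumptions for the example.

```python
import math
from typing import Dict, List, Union

Manifest = Dict  # a parsed Kubernetes object, as yaml.safe_load would return it

# Constructed manifests for this example (not from the page): a three-replica
# Deployment with a preStop hook, and two PodDisruptionBudgets that select it.
DEPLOYMENT: Manifest = {
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "web"}},
        "template": {
            "metadata": {"labels": {"app": "web"}},
            "spec": {
                "terminationGracePeriodSeconds": 30,
                "containers": [{
                    "name": "web",
                    "image": "example.invalid/web:1.0",
                    "lifecycle": {"preStop": {"exec": {"command": ["sh", "-c", "sleep 5"]}}},
                }],
            },
        },
    },
}

PDB_OK: Manifest = {"kind": "PodDisruptionBudget", "metadata": {"name": "web"},
                    "spec": {"minAvailable": 2, "selector": {"matchLabels": {"app": "web"}}}}

# minAvailable equal to the replica count leaves zero allowed disruptions:
# every eviction is refused and the node can never be drained.
PDB_BLOCKING: Manifest = {"kind": "PodDisruptionBudget", "metadata": {"name": "web"},
                          "spec": {"minAvailable": 3, "selector": {"matchLabels": {"app": "web"}}}}


def _resolve(value: Union[int, str], replicas: int, round_up: bool) -> int:
    """Turn an int or a percentage ("50%") into a pod count the way the API server
    does: minAvailable percentages round up, maxUnavailable percentages round down."""
    if isinstance(value, str) and value.endswith("%"):
        frac = replicas * int(value[:-1]) / 100
        return math.ceil(frac) if round_up else math.floor(frac)
    return int(value)


def allowed_disruptions(pdb: Manifest, replicas: int) -> int:
    """Number of pods that may be evicted at once under this budget."""
    spec = pdb["spec"]
    if "maxUnavailable" in spec:
        return _resolve(spec["maxUnavailable"], replicas, round_up=False)
    return replicas - _resolve(spec.get("minAvailable", 0), replicas, round_up=True)


def check_drainable(deployment: Manifest, pdbs: List[Manifest]) -> List[str]:
    """Report why node maintenance could interrupt this workload or be blocked by it."""
    findings: List[str] = []
    spec = deployment["spec"]
    replicas = spec.get("replicas", 1)
    pod_labels = spec["template"].get("metadata", {}).get("labels", {})

    if replicas < 2:
        findings.append("single replica: evicting the pod interrupts the service")

    # Match PDBs by matchLabels only (simplified; matchExpressions are not handled).
    matching = [
        p for p in pdbs
        if all(pod_labels.get(k) == v
               for k, v in p["spec"].get("selector", {}).get("matchLabels", {}).items())
    ]
    if not matching:
        findings.append("no PodDisruptionBudget selects these pods: a drain may evict all replicas at once")
    for pdb in matching:
        if allowed_disruptions(pdb, replicas) < 1:
            findings.append(f"PDB {pdb['metadata']['name']} allows 0 disruptions: "
                            "nodes running these pods cannot be drained")

    # Graceful shutdown: each container should have a preStop hook, and the
    # grace period must leave it time to run.
    pod_spec = spec["template"]["spec"]
    for c in pod_spec.get("containers", []):
        if "preStop" not in c.get("lifecycle", {}):
            findings.append(f"container {c['name']} has no preStop hook; in-flight requests may be cut off on eviction")
    if pod_spec.get("terminationGracePeriodSeconds", 30) < 1:
        findings.append("terminationGracePeriodSeconds is 0: pods are killed immediately")
    return findings


if __name__ == "__main__":
    print("ok budget:", check_drainable(DEPLOYMENT, [PDB_OK]) or ["drainable"])
    print("blocking budget:", check_drainable(DEPLOYMENT, [PDB_BLOCKING]))
```

A budget that allows zero disruptions is the most common reason an automated node upgrade stalls: the control plane honors the PodDisruptionBudget, the eviction is refused, and the node stays on the old image until someone intervenes.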

Quotas and limits

If the cluster size is large or the account has a large number of resources, follow the quotas and limits specified for ACK clusters. For more information, see Quotas and limits.

  • Limits: ACK configuration limits, such as account balance and capacity limit of a cluster, which is the maximum capacity of different Kubernetes resources in a cluster.

  • Quota limits and how to increase quotas: Quota limits for ACK clusters and the quota limits of cloud services that ACK depends on, such as ECS or VPC. If you want to increase the quota, see the related topics.