To create a Container Service for Kubernetes (ACK) managed cluster, you only need to create worker nodes. You do not need to configure master nodes or maintain the control plane. The control planes are created and managed by ACK. This reduces O&M costs and allows you to focus on application development. This topic describes how to create an ACK managed cluster in the ACK console.
Prerequisites
ACK is activated and authorized to access Alibaba Cloud services. For more information, see Activate and grant permissions to ACK.
Limits
Item | Limit | Links for increasing quota limits/references | |
Networks | ACK clusters support only VPCs. | ||
Cloud resources | ECS | The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console. | Change the billing method of an ECS instance from pay-as-you-go to subscription |
VPC route entries | By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC. | ||
Security groups | By default, you can create at most 100 security groups with each account. | ||
SLB instances | By default, you can create at most 60 pay-as-you-go SLB instances with each account. | ||
EIP | By default, you can create at most 20 EIPs with each account. |
Step 1: Log on to the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches that belong to the resource group are displayed. When you create a cluster, only VPCs and vSwitches that belong to the specified resource group are displayed.
On the Clusters page, click Create Kubernetes Cluster.
Step 2: Configure a cluster
On the ACK Managed Kubernetes tab, configure the basic, network and advanced settings of the cluster.
Basic settings
Parameter | Description |
Cluster Name | The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit. |
Cluster Specification | Select a cluster type. You can select Professional or Basic. We recommend that you use Container Service for Kubernetes (ACK) Pro clusters in the production environment and test environment. ACK Basic clusters can meet the learning and testing needs of individual users. |
Region | The region of the cluster. |
Kubernetes Version | The supported Kubernetes versions. For more information, see Kubernetes versions supported by ACK. |
Automatic Update | Enable the auto update feature for the cluster to ensure periodic automatic updates of control plane components and node pools. ACK automatically updates the cluster within the maintenance window based on your configurations. For more information about the auto update policy and usage method, see Automatically update a cluster. |
Maintenance Window | ACK automatically updates the cluster and performs automated O&M operations on managed node pools within the maintenance window. The operations include runtime updates and automatic fixes for CVE vulnerabilities. You can click Set to configure the detailed maintenance policies. |
Network settings
Parameter | Description |
IPv6 Dual-stack | This feature is in public preview. To use it, submit an application in the Quota Center console. If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created. Important
|
VPC | Configure the VPC of the cluster. You can specify a zone to automatically create a VPC. You can also select an existing VPC in the VPC list. |
Configure SNAT | If the VPC that you created or selected cannot access the Internet, you can select this check box. This way, ACK automatically creates a NAT gateway and configures SNAT rules. If you do not select this check box, you can manually configure a NAT gateway and configure SNAT rules to ensure that instances in the VPC can access the Internet. For more information, see Create and manage an Internet NAT gateway. |
vSwitch | Select an existing vSwitch from the vSwitch list or click Create vSwitch to create a vSwitch. The control plane and the default node pool use the vSwitch that you select. We recommend that you select multiple vSwitches in different zones to ensure high availability. |
Security Group | Only users in the whitelist can select the Select Existing Security Group option. To apply to be added to the whitelist, log on to the Quota Center console and submit an application. You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group.
|
Access to API Server | Create a pay-as-you-go internal-facing Classic Load Balancer (CLB) instance for the API server to serve as the internal endpoint of the API server in the cluster. Important
You can select or clear Expose API server with EIP. The API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and Services.
|
Network Plug-in | Flannel and Terway are supported. For more information about the comparison between Terway and Flannel, see Comparison between Terway and Flannel.
|
Container CIDR Block | Configure this parameter only if you select Flannel as the network plug-in. The container CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the Service CIDR block. The container CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster. |
Number of Pods per Node | Configure this parameter only if you select Flannel as the network plug-in. The maximum number of pods that can be stored on a single node. |
Pod vSwitch | Configure this parameter only if you select Terway as the network plug-in. The vSwitch that is used to assign IP addresses to pods. Each pod vSwitch corresponds to a vSwitch of a worker node. The vSwitch of the pod and the vSwitch of the worker node must be in the same zone. Important We recommend that you set the subnet mask of the CIDR block of a pod vSwitch to no longer than 19 bits, but the subnet mask must not exceed 25 bits. Otherwise, the cluster network has only a limited number of IP addresses that can be allocated to the pods. As a result, the cluster may not function as expected. |
Service CIDR | The Service CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the pod CIDR block. The Service CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster. |
IPv6 Service CIDR Block | Configure this parameter only if you enable IPv4/IPv6 dual stack. Configure an IPv6 CIDR block for Services. You must specify a Unique Local Unicast Address (ULA) space within the address range For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster. |
Advanced settings
Click Advanced Options (Optional) to configure the Forwarding Mode.
Parameter | Description |
Forwarding Mode | iptables and IP Virtual Server (IPVS) are supported.
|
Click Advanced Options (Optional) to configure advanced settings such as Deletion Protection and Resource Group.
Step 3: Configure the node pool
Click Next:Node Pool Configurations to configure the basic settings and advanced settings of the node pool.
Basic settings
Parameter | Description | |
Node Pool Name | Specify a node pool name. | |
Container Runtime | Specify the container runtime based on the Kubernetes version. For more information about how to select a container runtime, see Comparison among Docker, containerd, and Sandboxed-Container.
| |
Managed node pool settings | Managed Node Pool | Managed node pools provided by ACK support auto repair and auto CVE patching. This significantly reduces your O&M workload and improves node security. You can click Set to configure the detailed maintenance policies. |
Auto Recovery Rule | This parameter is available after you select Enable for the managed node pool feature. After you select Restart Faulty Node, the system automatically restarts relevant components to repair nodes in the NotReady state and drains the nodes before the nodes are restarted. | |
Auto Update Rule | This parameter is available after you select Enable for the managed node pool feature. After you select Automatically Update Kubelet and Containerd, the system automatically updates the kubelet when a new version is available. For more information, see Update a node pool. | |
Auto CVE Patching (OS) | This parameter is available after you select Enable for the managed node pool feature. You can configure ACK to automatically patch high-risk, medium-risk, and low-risk vulnerabilities. For more information, see Enable auto repair for nodes and Patch OS CVE vulnerabilities for node pools. Some patches take effect only after you restart the ECS instances. After you enable Restart Nodes if Necessary to Patch CVE Vulnerabilities, ACK automatically restarts nodes on demand. If you do not select this option, you must manually restart nodes. | |
Maintenance Window | This parameter is available after you select Enable for the managed node pool feature. Image updates, runtime updates, and Kubernetes version updates are automatically performed during the maintenance window. Click Set. In the Maintenance Window dialog box, set the Cycle, Started At, and Duration parameters and click OK. |
Instance and Image settings
Parameter | Description | |
Billing Method | The default billing method used when ECS instances are scaled in a node pool. You can select Pay-As-You-Go, Subscription, or Preemptible Instance.
To ensure that all nodes in a node pool use the same billing method, ACK does not allow you to change the billing method of a node pool from pay-as-you-go or subscription to preemptible instances. For example, you cannot switch the billing method of a node pool between pay-as-you-go or subscription and preemptible instances. | |
Instance-related parameters | Select the ECS instances used by the worker node pool based on instance types or attributes. You can filter instance families by attributes such as vCPU, memory, instance family, and architecture. For more information about how to configure nodes, see Suggestions on choosing ECS specifications for ACK clusters. When the node pool is scaled out, ECS instances of the selected instance types are created. The scaling policy of the node pool determines which instance types are used to create new nodes during scale-out activities. Select multiple instance types to improve the success rate of node pool scale-out operations. If the node pool fails to be scaled out because the instance types are unavailable or the instances are out of stock, you can specify more instance types for the node pool. The ACK console automatically evaluates the scalability of the node pool. You can check the scalability of the node pool when you create the node pool or after you create the node pool. If you select only GPU-accelerated instances, you can select Enable GPU Sharing on demand. For more information, see cGPU overview. | |
Operating System | Alibaba Cloud Marketplace images is in canary release.
Note
| |
Security Hardening | Enable security hardening for the cluster. You cannot modify this parameter after the cluster is created.
| |
Logon Type | If you select MLPS Security Hardening, only the Password option is supported. Valid values: Key Pair, Password, and Later.
|
Volumes settings
Parameter | Description | |
System Disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, Standard SSD, and Ultra Disk are supported. The types of system disks that you can select vary based on the instance families that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. You can select More System Disk Types and select a disk type other than the current one in the System Disk section to improve the success rate of system disk creation. The system will attempt to create a system disk based on the specified disk types in sequence. | |
Data Disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, SSD, and Ultra Disk are supported. The data disk types that you can select vary based on the instance families that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select.
Note You can attach up to 64 data disks to an ECS instance. The maximum number of disks that can be attached to an ECS instance varies based on the instance type. To query the maximum number of disks that you can attach to an ECS instance of a specific instance type, call the DescribeInstanceTypes operation and check the DiskQuantity parameter in the response. |
Instances settings
Parameter | Description |
Expected Number of Nodes | The expected number of nodes in the node pool. We recommend that you configure at least two nodes to ensure that cluster components run as expected. You can configure the Expected Nodes parameter to adjust the number of nodes in the node pool. For more information, see Scale a node pool. If you do not want to create nodes in the node pool, set this parameter to 0. You can manually modify this parameter to add nodes later. |
Advanced Options (Optional)
Click Advanced Options (Optional) to configure the Scaling Policy.
Parameter | Description |
Scaling Policy |
|
Use Pay-as-you-go Instances When Preemptible Instances Are Insufficient | You must set the Billing Method parameter to Preemptible Instance. After this feature is enabled, if enough preemptible instances cannot be created because of price or inventory constraints, ACK automatically creates pay-as-you-go instances to meet the required number of ECS instances. |
Enable Supplemental Preemptible Instances | You must set the Billing Method parameter to Preemptible Instance. After this feature is enabled, when a system message that indicates preemptible instances are reclaimed is received, the node pool with auto scaling enabled attempts to create new instance to replace the reclaimed the preemptible instances. |
Click Advanced Options (Optional) to configure advanced settings such as ECS Label and Taints.
Step 4: Configure cluster components
Click Next:Component Configurations to configure the basic settings and advanced settings of cluster components.
Basic settings
Parameter | Description |
Ingress | Specify whether to install an Ingress controller. We recommend that you install an Ingress controller if you want to expose Services.
|
Service Discovery | NodeLocal DNSCache runs a DNS caching agent to improve the performance and stability of DNS resolution. |
Volume Plug-in | By default, CSI is installed as the volume plug-in. Dynamically Provision Volumes by Using Default NAS File Systems and CNFS, Enable NAS Recycle Bin, and Support Fast Data Restore is selected by default. ACK supports Alibaba Cloud disks, File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets. |
Monitor containers | You can select Enable Managed Service for Prometheus to provide basic monitoring and alerting services for the ACK cluster. |
Cost Suite | Monitors and analyzes the costs and resource usage of the ACK cluster, namespaces, node pools, and workloads. Suggestions on cost savings are provided to improve the overall resource utilization. For more information, see Cost insights. |
Log Service | You can select an existing Simple Log Service (SLS) project or create a project to collect cluster logs. For more information about how to quickly configure SLS when you create an application, see Collect log data from containers by using Simple Log Service.
|
Alerts | Enable the alert management feature. You can specify contacts and contact groups. The default is Default Contact Group. |
Log Collection for Control Plane Components | For more information about how to collect the logs of the control plane components to your projects in SLS, see Collect logs of control plane components in ACK managed clusters. |
Cluster Inspection | Specify whether to enable the cluster inspection feature for intelligent O&M. You can enable this feature to periodically check the resource quotas, resource usage, and component versions of a cluster and identify potential risks in the cluster. |
Advanced settings
Expand Advanced Options (Optional) to select the types of components you want to install, such as application management, logs and monitoring, storage, networking, and security.
Step 5: Confirm the cluster configurations
Click Next:Confirm Order, confirm the configurations, read and select the terms of service, and then click Create Cluster.
After the cluster is created, you can find the cluster on the Clusters page in the ACK console.
It requires about 10 minutes to create a cluster that contains multiple nodes.
Billing
For more information about resource charges incurred when you use ACK managed clusters, see Billing overview.
What to do next
View the basic information about the cluster
On the Clusters page, find the created cluster and click Details in the Actions column. On the cluster details page, click the Basic Information tab to view the basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster. The following information is displayed:
API Server Public Endpoint: the IP address and port that the API server of the cluster uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on your client.
Only ACK managed clusters support the Associate EIP, Change, and Unbind EIP features.
Associate EIP: You can select an existing EIP or create an EIP.
The API server restarts after you associate an EIP with the API server. We recommend that you do not perform operations on the cluster during the restart process.
Unbind EIP: After you unbind the EIP, you can no longer access the API server over the Internet.
The API server restarts after you unbind the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.
API Server Internal Endpoint: the IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the Server Load Balancer (SLB) instance that is associated with the cluster.
View cluster logs
You can choose
in the Actions column to go to the Log Center page and view the logs of the cluster.View the information of nodes in the cluster
You can obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster, and run the
kubectl get node
command to view the node information of the cluster.
References
You can also use other methods to create an ACK cluster:
For information about how to connect to a cluster, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Outdated Kubernetes versions may have security and stability issues. We recommend that you update your clusters to the latest version. For more information, see Manually update ACK clusters and Automatically update a cluster.
For more information about how to plan a virtual private cloud (VPC), vSwitches, the pod CIDR block, and Service CIDR block, see Plan the network of an ACK cluster.
We recommend that you enable workload scaling and node scaling based on your business requirements to automatically adjust the number of replicated pods in a workload and node resources in the cluster. For more information, see Auto scaling overview.
If you have storage requirements such as persistent storage of application data, storage of sensitive and configuration data, and dynamical provision of storage resources, ACK clusters provide the container storage feature based on the Container Storage Interface (CSI) plug-in. For more information, see Storage.
We recommend that you use the monitoring and logging features provided by ACK to monitor the status of the system and troubleshoot when issues arise. For more information, see Observability overview.