All Products
Search
Document Center

Container Service for Kubernetes:Create an ACK managed cluster

Last Updated:Jan 17, 2025

To create a Container Service for Kubernetes (ACK) managed cluster, you only need to create worker nodes. You do not need to configure master nodes or maintain the control plane. The control planes are created and managed by ACK. This reduces O&M costs and allows you to focus on application development. This topic describes how to create an ACK managed cluster in the ACK console.

Prerequisites

ACK is activated and authorized to access Alibaba Cloud services. For more information, see Activate and grant permissions to ACK.

Limits

Item

Limit

Links for increasing quota limits/references

Networks

ACK clusters support only VPCs.

What is a VPC?

Cloud resources

ECS

The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console.

Change the billing method of an ECS instance from pay-as-you-go to subscription

VPC route entries

By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC.

Quota Center

Security groups

By default, you can create at most 100 security groups with each account.

View and increase resource quotas

SLB instances

By default, you can create at most 60 pay-as-you-go SLB instances with each account.

Quota Center

EIP

By default, you can create at most 20 EIPs with each account.

Quota Center

Step 1: Log on to the ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches that belong to the resource group are displayed. When you create a cluster, only VPCs and vSwitches that belong to the specified resource group are displayed.资源组

  3. On the Clusters page, click Create Kubernetes Cluster.

Step 2: Configure a cluster

On the ACK Managed Kubernetes tab, configure the basic, network and advanced settings of the cluster.

Basic settings

Parameter

Description

Cluster Name

The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit.

Cluster Specification

Select a cluster type. You can select Professional or Basic. We recommend that you use Container Service for Kubernetes (ACK) Pro clusters in the production environment and test environment. ACK Basic clusters can meet the learning and testing needs of individual users.

Region

The region of the cluster.

Kubernetes Version

The supported Kubernetes versions. For more information, see Kubernetes versions supported by ACK.

Automatic Update

Enable the auto update feature for the cluster to ensure periodic automatic updates of control plane components and node pools. ACK automatically updates the cluster within the maintenance window based on your configurations. For more information about the auto update policy and usage method, see Automatically update a cluster.

Maintenance Window

ACK automatically updates the cluster and performs automated O&M operations on managed node pools within the maintenance window. The operations include runtime updates and automatic fixes for CVE vulnerabilities. You can click Set to configure the detailed maintenance policies.

Network settings

Parameter

Description

IPv6 Dual-stack

This feature is in public preview. To use it, submit an application in the Quota Center console.

If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created.

Important
  • Only clusters that run Kubernetes 1.22 and later support this feature.

  • IPv4 addresses are used for communication between worker nodes and the control plane.

  • You must select Terway as the network plug-in.

  • If you use the shared ENI mode of Terway, the ECS instance type must support IPv6 addresses. To add ECS instances of the specified type to the cluster, the number of IPv4 addresses supported by the ECS instance type must be the same as the number of IPv6 addresses. For more information about ECS instance types, see Overview of instance families.

  • The VPC used by the cluster must support IPv4/IPv6 dual-stack.

  • You must disable IPv4/IPv6 dual stack if you want to use Elastic Remote Direct Memory Access (eRDMA) in an cluster.

VPC

Configure the VPC of the cluster. You can specify a zone to automatically create a VPC. You can also select an existing VPC in the VPC list.

Configure SNAT

If the VPC that you created or selected cannot access the Internet, you can select this check box. This way, ACK automatically creates a NAT gateway and configures SNAT rules.

If you do not select this check box, you can manually configure a NAT gateway and configure SNAT rules to ensure that instances in the VPC can access the Internet. For more information, see Create and manage an Internet NAT gateway.

vSwitch

Select an existing vSwitch from the vSwitch list or click Create vSwitch to create a vSwitch. The control plane and the default node pool use the vSwitch that you select. We recommend that you select multiple vSwitches in different zones to ensure high availability.

Security Group

Only users in the whitelist can select the Select Existing Security Group option. To apply to be added to the whitelist, log on to the Quota Center console and submit an application.

You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group.

  • By default, automatically created security groups allow all outbound traffic. When you modify the security group for business purposes, make sure that traffic destined for 100.64.0.0/10 is allowed. This CIDR block is used to access other Alibaba Cloud services to pull images and query basic ECS information.

  • If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information, see Configure security groups for clusters.

Access to API Server

Create a pay-as-you-go internal-facing Classic Load Balancer (CLB) instance for the API server to serve as the internal endpoint of the API server in the cluster.

Important
  • If you delete the default CLB instance, you cannot access the API server.

  • Starting from December 1, 2024, an instance fee will be charged for newly created CLB instances. For more information, see CLB billing adjustments.

You can select or clear Expose API server with EIP. The API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and Services.

  • If you select this check box, an elastic IP address (EIP) is created and associated with an CLB instance. Port 6443 used by the API server is opened on master nodes. You can connect to and manage the cluster over the Internet by using a kubeconfig file.

  • If you clear this check box, no EIP is created. You can use a kubeconfig file to connect to the cluster only from within the VPC and then manage the cluster.

Network Plug-in

Flannel and Terway are supported. For more information about the comparison between Terway and Flannel, see Comparison between Terway and Flannel.

  • Flannel: a simple and stable Container Network Interface (CNI) plug-in that is developed by open source Kubernetes. Flannel offers a few simple features and does not support standard Kubernetes network policies.

  • Terway: a network plug-in developed by Alibaba Cloud Container Service. Terway allows you to assign Alibaba Cloud Elastic Network Interfaces (ENIs) to containers. Terway also allows you to customize network policies of Kubernetes to control intercommunication among containers, and implement bandwidth throttling on individual containers.

    Note
    • The number of pods that can be deployed on a node depends on the number of ENIs that are attached to the node and the maximum number of secondary IP addresses that are provided by these ENIs.

    • If you select Terway, an ENI is shared among multiple pods. A secondary IP address of the ENI is assigned to each pod.

    • If you select a shared VPC for a cluster, you must select Terway as the network plug-in.

    When you set the Network Plug-in parameter to Terway, you can configure the following parameters:

    • DataPathV2

      You can enable the DataPath V2 acceleration mode only when you create a cluster. After you enable the DataPath V2 acceleration mode for Terway in inclusive ENI mode, Terway adopts a different traffic forwarding path to accelerate network communication. For more information, see Network acceleration.

      Note

      If this feature is enabled, the container with Terway policies is expected to consume an additional 0.5 cores and 512 MB of resources on each worker node, and this consumption will increase as the cluster size grows. In the default configuration of Terway, the CPU limit for the container is set to 1 core, and no restrictions are specified on memory.

    • Support for NetworkPolicy

      If you select this check box, Kubernetes-native NetworkPolicies are supported.

      The feature of managing NetworkPolicies by using the console is in public preview. If you want to use the feature, log on to the Quota Center console and submit an application.

    • Support for ENI Trunking

      The Terway Trunk ENI feature allows you to specify a static IP address, a separate vSwitch, and a separate security group for each pod. This allows you to manage and isolate user traffic, configure network policies, and manage IP addresses in a fine-grained manner. For more information, see Configure static IP addresses, separate vSwitches, and separate security groups for a pod.

      Note
      • You can select the Support for ENI Trunking option for an ACK managed cluster without the need to submit an application. If you want to enable the Trunk ENI feature in an ACK dedicated cluster, log on to the Quota Center console and submit an application.

      • By default, the Trunk ENI feature is enabled for newly created ACK managed clusters that run Kubernetes 1.31 or later versions.

Container CIDR Block

Configure this parameter only if you select Flannel as the network plug-in.

The container CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the Service CIDR block. The container CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster.

Number of Pods per Node

Configure this parameter only if you select Flannel as the network plug-in.

The maximum number of pods that can be stored on a single node.

Pod vSwitch

Configure this parameter only if you select Terway as the network plug-in.

The vSwitch that is used to assign IP addresses to pods. Each pod vSwitch corresponds to a vSwitch of a worker node. The vSwitch of the pod and the vSwitch of the worker node must be in the same zone.

Important

We recommend that you set the subnet mask of the CIDR block of a pod vSwitch to no longer than 19 bits, but the subnet mask must not exceed 25 bits. Otherwise, the cluster network has only a limited number of IP addresses that can be allocated to the pods. As a result, the cluster may not function as expected.

Service CIDR

The Service CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the pod CIDR block. The Service CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster.

IPv6 Service CIDR Block

Configure this parameter only if you enable IPv4/IPv6 dual stack.

Configure an IPv6 CIDR block for Services. You must specify a Unique Local Unicast Address (ULA) space within the address range fc00::/7. The prefix must be 112 bits to 120 bits in length. We recommend that you specify an IPv6 CIDR block that has the same number of IP addresses as the Service CIDR block.

For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster.

Advanced settings

Click Advanced Options (Optional) to configure the Forwarding Mode.

Parameter

Description

Forwarding Mode

iptables and IP Virtual Server (IPVS) are supported.

  • iptables is a mature and stable kube-proxy mode. In this mode, service discovery and load balancing for Kubernetes Services are configured by using iptables rules. The performance of this mode depends on the size of the Kubernetes cluster. This mode is suitable for Kubernetes clusters that manage a small number of Services.

  • IPVS is a high-performance kube-proxy mode. In this mode, service discovery and load balancing for Kubernetes Services are configured by the IPVS module of Linux. This mode is suitable for clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.

Click Advanced Options (Optional) to configure advanced settings such as Deletion Protection and Resource Group.

Show advanced settings

Parameter

Description

Deletion Protection

We recommend that you enable deletion protection in the console or by using API to prevent clusters from being accidentally released.

Resource Group

The resource group to which the cluster belongs. Each resource can belong to only one resource group. You can regard a resource group as a project, an application, or an organization based on your business scenarios.

Labels

Enter a key and a value to add a label to the cluster. Keys are required and must be unique. A key must not exceed 64 characters in length. Values are optional. A value must not exceed 128 characters in length.

  • A key or a value cannot start with aliyun, acs:, https://, or http://. Keys and values are not case-sensitive.

  • The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the label that uses the same key.

  • If you add more than 20 labels to a resource, all labels become invalid. You must remove the excessive labels so that the remaining labels can take effect.

Time Zone

The time zone of the cluster. By default, the time zone of your browser is selected.

Cluster Domain

Configure the cluster domain. The default domain name is cluster.local. You can enter a custom domain name. The cluster domain is the top-level domain name (standard suffix) used by all Services in the cluster. For example, the DNS name of the Service named my-service in the default namespace is my-service.default.svc.cluster.local.

Custom Certificate SANs

You can enter custom subject alternative names (SANs) for the API server certificate of the cluster to accept requests from specified IP addresses or domain names. This allows you to control access from clients. For more information, see Customize the SANs of the API server certificate when you create an ACK cluster.

Service Account Token Volume Projection

ACK provides service account token volume projection to reduce security risks when pods use service accounts to access the Kubernetes API server. This feature enables kubelet to request and store the token on behalf of a pod. This feature also allows you to configure token properties, such as the audience and validity period. For more information, see Use ServiceAccount token volume projection.

Secret Encryption

If you select Select Key for an ACK Pro cluster, you can use a key that is created in the Key Management Service (KMS) console to encrypt Kubernetes Secrets. For more information, see Use KMS to encrypt Kubernetes Secrets.

RRSA OIDC

You can enable the RAM Roles for Service Accounts (RRSA) feature for the cluster to implement access control on different pods that are deployed in a cluster. This implements fine-grained API permission control on pods. For more information, see Use RRSA to authorize different pods to access different cloud services.

Step 3: Configure the node pool

Click Next:Node Pool Configurations to configure the basic settings and advanced settings of the node pool.

Basic settings

Parameter

Description

Node Pool Name

Specify a node pool name.

Container Runtime

Specify the container runtime based on the Kubernetes version. For more information about how to select a container runtime, see Comparison among Docker, containerd, and Sandboxed-Container.

  • containerd: containerd is recommended for all Kubernetes versions.

  • Sandboxed-Container: supports Kubernetes 1.31 and earlier.

  • Docker (deprecated): supports Kubernetes 1.22 and earlier.

Managed node pool settings

Managed Node Pool

Managed node pools provided by ACK support auto repair and auto CVE patching. This significantly reduces your O&M workload and improves node security. You can click Set to configure the detailed maintenance policies.

Auto Recovery Rule

This parameter is available after you select Enable for the managed node pool feature.

After you select Restart Faulty Node, the system automatically restarts relevant components to repair nodes in the NotReady state and drains the nodes before the nodes are restarted.

Auto Update Rule

This parameter is available after you select Enable for the managed node pool feature.

After you select Automatically Update Kubelet and Containerd, the system automatically updates the kubelet when a new version is available. For more information, see Update a node pool.

Auto CVE Patching (OS)

This parameter is available after you select Enable for the managed node pool feature.

You can configure ACK to automatically patch high-risk, medium-risk, and low-risk vulnerabilities. For more information, see Enable auto repair for nodes and Patch OS CVE vulnerabilities for node pools.

Some patches take effect only after you restart the ECS instances. After you enable Restart Nodes if Necessary to Patch CVE Vulnerabilities, ACK automatically restarts nodes on demand. If you do not select this option, you must manually restart nodes.

Maintenance Window

This parameter is available after you select Enable for the managed node pool feature.

Image updates, runtime updates, and Kubernetes version updates are automatically performed during the maintenance window.

Click Set. In the Maintenance Window dialog box, set the Cycle, Started At, and Duration parameters and click OK.

Instance and Image settings

Parameter

Description

Billing Method

The default billing method used when ECS instances are scaled in a node pool. You can select Pay-As-You-Go, Subscription, or Preemptible Instance.

  • If you select the Subscription billing method, you must configure the Duration parameter and choose whether to enable Auto Renewal.

  • Preemptible Instance: ACK supports only Preemptible Instance with a protection period. You must also configure the Upper Price Limit of Current Instance Spec parameter.

    If the real-time market price of an instance type that you select is lower than the value of this parameter, a preemptible instance of this instance type is created. After the protection period (1 hour) ends, the system checks the spot price and resource availability of the instance type every 5 minutes. If the real-time market price exceeds your bid price or if the resource inventory is insufficient, the preemptible instance is released. For more information, see Best practices for preemptible instance-based node pools.

To ensure that all nodes in a node pool use the same billing method, ACK does not allow you to change the billing method of a node pool from pay-as-you-go or subscription to preemptible instances. For example, you cannot switch the billing method of a node pool between pay-as-you-go or subscription and preemptible instances.

Instance-related parameters

Select the ECS instances used by the worker node pool based on instance types or attributes. You can filter instance families by attributes such as vCPU, memory, instance family, and architecture. For more information about how to configure nodes, see Suggestions on choosing ECS specifications for ACK clusters.

When the node pool is scaled out, ECS instances of the selected instance types are created. The scaling policy of the node pool determines which instance types are used to create new nodes during scale-out activities. Select multiple instance types to improve the success rate of node pool scale-out operations.

If the node pool fails to be scaled out because the instance types are unavailable or the instances are out of stock, you can specify more instance types for the node pool. The ACK console automatically evaluates the scalability of the node pool. You can check the scalability of the node pool when you create the node pool or after you create the node pool.

If you select only GPU-accelerated instances, you can select Enable GPU Sharing on demand. For more information, see cGPU overview.

Operating System

Alibaba Cloud Marketplace images is in canary release.
Note
  • After you change the OS image of the node pool, the change takes effect only on newly added node. The existing nodes in the node pool still use the original OS image. For more information about how to update the OS images of existing nodes, see Node pool updates.

  • To ensure that all nodes in the node pool use the same OS image, ACK allows you to only update the node OS image to the latest version. ACK does not allow you to change the type of OS image.

Security Hardening

Enable security hardening for the cluster. You cannot modify this parameter after the cluster is created.

  • Disable: disables security hardening for ECS instances.

  • MLPS Security Hardening: Alibaba Cloud provides baselines and the baseline check feature to help you check the compliance of Alibaba Cloud Linux 2 images and Alibaba Cloud Linux 3 images with the level 3 standards of Multi-Level Protection Scheme (MLPS) 2.0. MLPS Security Hardening enhances the security of OS images to meet the requirements of GB/T 22239-2019 Information Security Technology - Baseline for Classified Protection of Cybersecurity without compromising the compatibility and performance of the OS images. For more information, see ACK security hardening based on MLPS.

    Important

    After you enable MLPS Security Hardening, remote logons through SSH are prohibited for root users. You can use Virtual Network Computing (VNC) to log on to the OS from the ECS console and create regular users that are allowed to log on through SSH. For more information, see Connect to an instance by using VNC.

  • OS Security Hardening: You can enable Alibaba Cloud Linux Security Hardening only when the system image is an Alibaba Cloud Linux 2 or Alibaba Cloud Linux 3 image.

Logon Type

If you select MLPS Security Hardening, only the Password option is supported.

Valid values: Key Pair, Password, and Later.

  • Configure the logon type when you create the node pool:

    • Key Pair: Alibaba Cloud SSH key pairs provide a secure and convenient method to log on to ECS instances. An SSH key pair consists of a public key and a private key. SSH key pairs support only Linux instances.

      Configure the Username (select root or ecs-user as the username) and the Key Pair parameters.

    • Password: The password must be 8 to 30 characters in length, and can contain letters, digits, and special characters.

      Configure the Username (select root or ecs-useras the username) and the Password parameters.

  • Later: Bind a key pair or reset the password after the instance is created. For more information, see Bind an SSH key pair to an instance and Reset the logon password of an instance.

Volumes settings

Parameter

Description

System Disk

ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, Standard SSD, and Ultra Disk are supported. The types of system disks that you can select vary based on the instance families that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select.

ESSD custom performance and encryption

  • If you select Enterprise SSD (ESSD), you can set a custom performance level. You can select higher performance levels (PLs) for ESSDs with larger storage capacities. For example, you can select PL 2 for an ESSD with a storage capacity of more than 460 GiB. You can select PL 3 for an ESSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs.

  • You can select Encryption only if you set the system disk type to Enterprise SSD (ESSD). By default, the default service CMK is used to encrypt the system disk. You can also use an existing CMK generated by using Bring Your Own Key (BYOK) in KMS.

You can select More System Disk Types and select a disk type other than the current one in the System Disk section to improve the success rate of system disk creation. The system will attempt to create a system disk based on the specified disk types in sequence.

Data Disk

ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, SSD, and Ultra Disk are supported. The data disk types that you can select vary based on the instance families that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select.

ESSD AutoPL Disk

  • Performance provision: The performance provision feature allows you to configure provisioned performance settings for ESSD AutoPL disks to meet storage requirements that exceed the baseline performance without the need to extend the disks.

  • Performance burst: The performance burst feature allows ESSD AutoPL disks to burst their performance when spikes in read/write workloads occur and reduce the performance to the baseline level at the end of workload spikes.

Enterprise SSD (ESSD)

Configure a custom performance level. You can select higher PLs for ESSDs with larger storage capacities. For example, you can select PL 2 for an ESSD with a storage capacity of more than 460 GiB. You can select PL 3 for an ESSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs.

  • You can select Encryption for all disk types when you specify the type of data disk. By default, the default service CMK is used to encrypt the data disk. You can also use an existing CMK generated by using BYOK in KMS.

  • You can also use snapshots to create data disks in scenarios where container image acceleration and fast loading of large language models (LLMs) are required. This improves the system response speed and enhances the processing capability.

  • Make sure that a data disk is mounted to /var/lib/container on each node, and /var/lib/kubelet and /var/lib/containerd are mounted to the /var/lib/container. For other data disks on the node, you can perform the initialization operation and customize their mount directories. For more information, see Can I mount a data disk to a custom directory in an ACK node pool?

Note

You can attach up to 64 data disks to an ECS instance. The maximum number of disks that can be attached to an ECS instance varies based on the instance type. To query the maximum number of disks that you can attach to an ECS instance of a specific instance type, call the DescribeInstanceTypes operation and check the DiskQuantity parameter in the response.

Instances settings

Parameter

Description

Expected Number of Nodes

The expected number of nodes in the node pool. We recommend that you configure at least two nodes to ensure that cluster components run as expected. You can configure the Expected Nodes parameter to adjust the number of nodes in the node pool. For more information, see Scale a node pool.

If you do not want to create nodes in the node pool, set this parameter to 0. You can manually modify this parameter to add nodes later.

Advanced Options (Optional)

Click Advanced Options (Optional) to configure the Scaling Policy.

Parameter

Description

Scaling Policy

  • Priority: The system scales the node pool based on the priorities of the vSwitches that you select for the node pool. The vSwitches that you select are displayed in descending order of priority. If Auto Scaling fails to create ECS instances in the zone of the vSwitch with the highest priority, Auto Scaling attempts to create ECS instances in the zone of the vSwitch with a lower priority.

  • Cost Optimization: The system creates instances based on the vCPU unit prices in ascending order.

    If the Billing Method of the node pool is set to Preemptible Instance, preemptible instances are preferentially created. You can also set the Percentage of Pay-as-you-go Instances parameter. If preemptible instances cannot be created due to reasons such as insufficient stocks, pay-as-you-go instances are automatically created as supplement.

  • Distribution Balancing: The even distribution policy takes effect only when you select multiple vSwitches. This policy ensures that ECS instances are evenly distributed among the zones (the vSwitches) of the scaling group. If ECS instances are unevenly distributed across the zones due to reasons such as insufficient stocks, you can perform a rebalancing operation.

Use Pay-as-you-go Instances When Preemptible Instances Are Insufficient

You must set the Billing Method parameter to Preemptible Instance.

After this feature is enabled, if enough preemptible instances cannot be created because of price or inventory constraints, ACK automatically creates pay-as-you-go instances to meet the required number of ECS instances.

Enable Supplemental Preemptible Instances

You must set the Billing Method parameter to Preemptible Instance.

After this feature is enabled, when a system message that indicates preemptible instances are reclaimed is received, the node pool with auto scaling enabled attempts to create new instance to replace the reclaimed the preemptible instances.

Click Advanced Options (Optional) to configure advanced settings such as ECS Label and Taints.

Show advanced settings

Parameter

Description

ECS Tags

Add tags to the ECS instances that are automatically added during auto scaling. Tag keys must be unique. A key cannot exceed 128 characters in length. Keys and values cannot start with aliyun or acs:. Keys and values cannot contain https:// or http://.

An ECS instance can have up to 20 tags. To increase the quota limit, submit an application in the Quota Center console. The following tags are automatically added to an ECS node by ACK and Auto Scaling. Therefore, you can add at most 17 tags to an ECS node.

  • The following two ECS tags are added by ACK:

    • ack.aliyun.com:<Cluster ID>

    • ack.alibabacloud.com/nodepool-id:<Node pool ID>

  • The following label is added by Auto Scaling: acs:autoscaling:scalingGroupId:<Scaling group ID>.

Note
  • After you enable auto scaling, the following ECS tags are added to the node pool by default: k8s.io/cluster-autoscaler:true and k8s.aliyun.com:true.

  • The auto scaling component simulates scale-out activities based on node labels and taints. To meet this purpose, the format of node labels is changed to k8s.io/cluster-autoscaler/node-template/label/Label key:Label value and the format of taints is changed to k8s.io/cluster-autoscaler/node-template/taint/Taint key/Taint value:Taint effect.

Taints

Add taints to nodes. A taint consists of a key, a value, and an effect. A taint key can be prefixed. If you want to specify a prefixed taint key, add a forward slash (/) between the prefix and the remaining content of the key. For more information, see Taints and tolerations. The following limits apply to taints:

  • Key: A key must be 1 to 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). A key must start and end with a letter or digit.

    If you want to specify a prefixed key, the prefix must be a subdomain name. A subdomain name consists of DNS labels that are separated by periods (.), and cannot exceed 253 characters in length. It must end with a forward slash (/). For more information about subdomain names, see DNS subdomain names.

  • Value: A value cannot exceed 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). A value must start and end with a letter or digit. You can also leave a value empty.

  • You can specify the following effects for a taint: NoSchedule, NoExecute, and PreferNoSchedule.

    • NoSchedule: If a node has a taint whose effect is NoSchedule, the system does not schedule pods to the node.

    • NoExecute: Pods that do not tolerate this taint are evicted after this taint is added to a node. Pods that tolerate this taint are not evicted after this taint is added to a node.

    • PreferNoSchedule: The system attempts to avoid scheduling pods to nodes with taints that are not tolerated by the pods.

Node Labels

Add labels to nodes. A label is a key-value pair. A label key can be prefixed. If you want to specify a prefixed label key, add a forward slash (/) between the prefix and the remaining content of the key. The following limits apply to labels:

  • Key: The name must be 1 to 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). It must start and end with a letter or a digit.

    If you want to specify a prefixed label key, the prefix must be a subdomain name. A subdomain name consists of DNS labels that are separated by periods (.), and cannot exceed 253 characters in length. It must end with a forward slash (/).

    The following prefixes are used by key Kubernetes components and cannot be used in node labels:

    • kubernetes.io/

    • k8s.io/

    • Prefixes that end with kubernetes.io/ or k8s.io/. Example: test.kubernetes.io/.

      However, you can still use the following prefixes:

      • kubelet.kubernetes.io/

      • node.kubernetes.io

      • Prefixes that end with kubelet.kubernetes.io/.

      • Prefixes that end with node.kubernetes.io.

  • Value: A value cannot exceed 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). A value must start and end with a letter or digit. You can also leave a value empty.

Set to Unschedulable

After you select this option, new nodes added to the cluster are set to unschedulable. You can change the status in the node list. This setting takes effect only on nodes newly added to the node pool. It does not take effect on existing nodes.

CPU Policy

The CPU management policy for kubelet nodes.

  • None: The default CPU management policy.

  • Static: This policy allows pods with specific resource characteristics on the node to be granted enhanced CPU affinity and exclusivity.

Custom Node Name

Specify whether to use a custom node name. If you choose to use a custom node name, the name of the node, name of the ECS instance, and hostname of the ECS instance are changed.

Note

If a Windows instance uses a custom node name, the hostname of the instance is fixed to an IP address. You need to use hyphens (-) to replace the periods (.) in the IP address. In addition, no prefix or suffix is allowed in the IP address.

A custom node name consists of a prefix, an IP substring, and a suffix.

  • A custom node name must be 2 to 64 characters in length. The name must start and end with a lowercase letter or digit.

  • The prefix and suffix can contain letters, digits, hyphens (-), and periods (.). The prefix and suffix must start with a letter and cannot end with a hyphen (-) or period (.). The prefix and suffix cannot contain consecutive hyphens (-) or periods (.).

  • The prefix is required due to ECS limits and the suffix is optional.

For example, the node IP address is 192.XX.YY.55, the prefix is aliyun.com, and the suffix is test.

  • If the node is a Linux node, the node name, ECS instance name, and ECS instance hostname are aliyun.com192.XX.YY.55test.

  • If the node is a Windows node, the ECS instance hostname is 192-XX-YY-55 and the node name and ECS instance name are aliyun.com192.XX.YY.55test.

Worker RAM Role

ACK managed clusters that run Kubernetes 1.22 or later are supported.

You can assign a worker Resource Access Management (RAM) role to a node pool to reduce the potential risk of sharing a worker RAM role among all nodes in the cluster.

  • Default Role: The node pool uses the default worker RAM role created by the cluster.

  • Custom: The node pool uses the specified role as the worker RAM role. The default role is used when this parameter is left empty. For more information, see Use custom worker RAM roles.

Pre-defined Custom Data

To use this feature, submit an application in the Quota Center console.

Nodes automatically run predefined scripts before they are added to the cluster. For more information about user-data scripts, see User-data scripts.

For example, if you enter echo "hello world", a node runs the following script:

#!/bin/bash
echo "hello world"
[Node initialization script]

User Data

Nodes automatically run user-data scripts after they are added to the cluster. For more information about user-data scripts, see User-data scripts.

For example, if you enter echo "hello world", a node runs the following script:

#!/bin/bash
[Node initialization script]
echo "hello world"
Note

After you create a cluster or add nodes, the execution of the user-data script on a node may fail. We recommend that you log on to a node and run the grep cloud-init/var/log/messages command to view the execution log and check whether the execution succeeds or fails on the node.

CloudMonitor Agent

After you install CloudMonitor, you can view the monitoring information about the nodes in the CloudMonitor console.

This parameter takes effect only on newly added nodes and does not take effect on existing nodes. If you want to install the CloudMonitor agent on an existing ECS node, go to the CloudMonitor console.

Public IP

Specify whether to assign an IPv4 address to each node. If you clear the check box, no public IP address is allocated. If you select the check box, you must configure the Bandwidth Billing Method and Peak Bandwidth parameters.

This parameter takes effect only on newly added nodes and does not take effect on existing nodes. If you want to enable an existing node to access the Internet, you must create an EIP and associate the EIP with the node. For more information, see Associate an EIP with an ECS instance.

Custom Security Group

To use custom security groups, you must apply to be added to the whitelist in the Quota Center console.

You can select Basic Security Group or Advanced Security Group, but you can select only one security group type. You cannot modify the security groups of node pools or change the type of security group. For more information about security groups, see Overview.

Important
  • Each ECS instance supports up to five security groups. Make sure that the quota of security groups for your ECS instance is sufficient. For more information about security group limits and how to increase the quota limit of security groups for your ECS instance, see Security group limits.

  • If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information about how to manage security group rules, see Configure security group rules to enforce access control on ACK clusters.

RDS Whitelist

Add node IP addresses to the whitelist of an ApsaraDB RDS instance.

Private Pool Type

Valid values: Open, Do Not Use, and Specified.

  • Open: The system automatically matches an open private pool. If no matching is found, resources in the public pool are used.

  • Do Not Use: No private pool is used. Only resources in the public pool are used.

  • Specified: Specify a private pool by ID. If the specified private pool is unavailable, ECS instances fail to start up.

For more information, see Private pools.

Step 4: Configure cluster components

Click Next:Component Configurations to configure the basic settings and advanced settings of cluster components.

Basic settings

Parameter

Description

Ingress

Specify whether to install an Ingress controller. We recommend that you install an Ingress controller if you want to expose Services.

Service Discovery

NodeLocal DNSCache runs a DNS caching agent to improve the performance and stability of DNS resolution.

Volume Plug-in

By default, CSI is installed as the volume plug-in. Dynamically Provision Volumes by Using Default NAS File Systems and CNFS, Enable NAS Recycle Bin, and Support Fast Data Restore is selected by default. ACK supports Alibaba Cloud disks, File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets.

Monitor containers

You can select Enable Managed Service for Prometheus to provide basic monitoring and alerting services for the ACK cluster.

Cost Suite

Monitors and analyzes the costs and resource usage of the ACK cluster, namespaces, node pools, and workloads. Suggestions on cost savings are provided to improve the overall resource utilization. For more information, see Cost insights.

Log Service

You can select an existing Simple Log Service (SLS) project or create a project to collect cluster logs. For more information about how to quickly configure SLS when you create an application, see Collect log data from containers by using Simple Log Service.

Alerts

Enable the alert management feature. You can specify contacts and contact groups. The default is Default Contact Group.

Log Collection for Control Plane Components

For more information about how to collect the logs of the control plane components to your projects in SLS, see Collect logs of control plane components in ACK managed clusters.

Cluster Inspection

Specify whether to enable the cluster inspection feature for intelligent O&M. You can enable this feature to periodically check the resource quotas, resource usage, and component versions of a cluster and identify potential risks in the cluster.

Advanced settings

Expand Advanced Options (Optional) to select the types of components you want to install, such as application management, logs and monitoring, storage, networking, and security.

Step 5: Confirm the cluster configurations

Click Next:Confirm Order, confirm the configurations, read and select the terms of service, and then click Create Cluster.

After the cluster is created, you can find the cluster on the Clusters page in the ACK console.

Note

It requires about 10 minutes to create a cluster that contains multiple nodes.

Billing

For more information about resource charges incurred when you use ACK managed clusters, see Billing overview.

What to do next

  • View the basic information about the cluster

    On the Clusters page, find the created cluster and click Details in the Actions column. On the cluster details page, click the Basic Information tab to view the basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster. The following information is displayed:

    • API Server Public Endpoint: the IP address and port that the API server of the cluster uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on your client.

      Only ACK managed clusters support the Associate EIP, Change, and Unbind EIP features.

      • Associate EIP: You can select an existing EIP or create an EIP.

        The API server restarts after you associate an EIP with the API server. We recommend that you do not perform operations on the cluster during the restart process.

      • Unbind EIP: After you unbind the EIP, you can no longer access the API server over the Internet.

        The API server restarts after you unbind the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.

    • API Server Internal Endpoint: the IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the Server Load Balancer (SLB) instance that is associated with the cluster.

References