Review parameters, recommended settings, and cloud resources for creating an ACK managed cluster in the console.
- In the Modifiable column, ✓ = modifiable after creation; ✗ = not modifiable, so plan carefully.
- Cloud resource icons such as ECS instance indicate that the configuration creates or uses other Alibaba Cloud resources. Click a resource name for billing details.
Cluster configuration
Define the cluster's global properties, including version and network configuration. Plan carefully, because some options cannot be changed after creation.
Basic configuration
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Cluster Name | Enter a custom cluster name. | ✓ |
| Cluster Specification | For comparison, see Cluster. | ✓ Only upgrades from Basic Edition to Pro Edition are supported. |
| Region | The region where cluster resources (such as ECS instances and cloud disks) are located. The closer the region is to your location and to where your resources are deployed, the lower the network latency. | ✗ |
| Kubernetes Version | Only the latest three minor versions are supported. We recommend using the latest available version. For details about ACK version support, see ACK version support overview. | ✓ Supports both manual and automatic cluster upgrades. |
| Automatic Update | Enable automatic upgrades to keep the control plane and node pools periodically updated. For upgrade policies and instructions, see Automatically upgrade clusters. | ✓ |
| Maintenance Window | ACK performs automated O&M tasks, such as automatic cluster upgrades and OS CVE vulnerability fixes, only during the defined maintenance window. | ✓ |
The parameter order in the tables below may differ slightly from the console.
Network boundary and high availability
Configure the VPC, vSwitches, and security group to establish the cluster's network boundary, high availability, and security policies.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| VPC | The VPC for the cluster. To ensure high availability, we recommend selecting two or more zones. We recommend using standard private CIDR blocks for the cluster VPC (for example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). If you have special requirements, apply at the Quota Center (Create a cluster using a public CIDR block VPC). Cloud resource and billing information: | ✗ |
| Security Group | When using an existing VPC, you can select Select Existing Security Group. This security group applies to the cluster control plane, the default node pool, and any node pool without a custom security group. Compared with basic security groups, enterprise security groups can accommodate a larger number of private IP addresses but do not support intra-group connectivity. For more information, see Security Group Classification. | ✓ |
Network model and Pod address planning
Configure the network plugin (CNI), which affects network performance, feature availability (like NetworkPolicy), and IP address management. Plan the address ranges for Pods and Services.
Plan CIDR blocks in advance. See Plan CIDR blocks for an ACK managed cluster.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Network Plug-in | The network plugin provides the foundation for pod-to-pod communication in the cluster. For a detailed comparison, see Compare Terway and Flannel container network plugins. | ✗ |
| Container CIDR Block | Required only for Flannel. The IP address pool for assigning pod IPs. This CIDR block must not overlap with the VPC or any existing ACK cluster CIDR blocks in the VPC, and must not overlap with the Service CIDR. | ✗ |
| Number of Pods per Node | Required only for Flannel. Defines the maximum number of pods allowed on a single node. | ✗ |
| Pod vSwitch | Required only when using the Terway plugin. The vSwitch used to assign IP addresses to pods. Each pod vSwitch corresponds to a worker node vSwitch, and both must be in the same zone. Important: we recommend a subnet mask of /19 or shorter for the pod vSwitch; the maximum allowed subnet mask is /25. A longer mask severely limits the number of pod IP addresses that can be allocated in the cluster, which affects the cluster's normal operation. | ✓ |
| Service CIDR | The IP address pool for assigning IPs to internal cluster Services. This CIDR block must not overlap with the VPC or any existing cluster CIDR blocks in the VPC, and must not overlap with the Container CIDR Block. | ✗ |
| IPv6 Dual-stack | Supported only for Kubernetes 1.22 or later, only with Terway, and cannot be used together with eRDMA. The cluster supports both IPv4 and IPv6 protocols, but communication between worker nodes and the control plane still uses IPv4 addresses. Ensure the following: | ✗ |
| IPv6 Service CIDR Block | Requires IPv6 dual-stack to be enabled. Configure an IPv6 address range for the Service CIDR block. Use a ULA address (within the | ✗ |
| Forwarding Mode | Select the kube-proxy proxy mode, which determines how cluster Services distribute requests to backend pods. | ✗ |
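An offline pre-flight check for the CIDR rules stated in the table above, written as an added example for this page (it is not ACK documentation or ACK code). It encodes only what the table says: with Flannel, the container CIDR and the Service CIDR must not overlap the VPC, each other, or existing cluster CIDRs in the VPC; with Terway, the pod vSwitch must lie inside the VPC, its mask may not exceed /25, and /19 or shorter is recommended. All addresses used are constructed sample values.

```python
"""Offline pre-flight check for the ACK CIDR planning rules.

Added example, not ACK code. Encodes only the rules the parameter table states.
The sample addresses below are constructed.
"""
from ipaddress import ip_network


def _overlap_issues(label, cidr, others):
    """List which of `others` (name -> CIDR) overlap with `cidr`."""
    net = ip_network(cidr)
    return [f"{label} {cidr} overlaps {name} {other}"
            for name, other in others.items()
            if net.overlaps(ip_network(other))]


def _named_existing(existing_cluster_cidrs):
    """Give each existing cluster CIDR a readable name for the report."""
    return {f"existing cluster CIDR #{i}": c
            for i, c in enumerate(existing_cluster_cidrs, start=1)}


def check_flannel_plan(vpc, container_cidr, service_cidr, existing_cluster_cidrs=()):
    """Return rule violations for a Flannel cluster; an empty list means the plan is valid."""
    existing = _named_existing(existing_cluster_cidrs)
    # Container CIDR: no overlap with the VPC, the Service CIDR, or other clusters.
    issues = _overlap_issues("container CIDR", container_cidr,
                             {"VPC": vpc, "Service CIDR": service_cidr, **existing})
    # Service CIDR: no overlap with the VPC or other clusters (container overlap checked above).
    issues += _overlap_issues("Service CIDR", service_cidr, {"VPC": vpc, **existing})
    return issues


def check_terway_plan(vpc, pod_vswitch_cidr, service_cidr, existing_cluster_cidrs=()):
    """Return violations and warnings for a Terway cluster; an empty list means valid."""
    issues = []
    vswitch = ip_network(pod_vswitch_cidr)
    # A vSwitch is always carved out of its VPC; pods take VPC addresses from it.
    if not vswitch.subnet_of(ip_network(vpc)):
        issues.append(f"pod vSwitch {pod_vswitch_cidr} is not inside VPC {vpc}")
    if vswitch.prefixlen > 25:
        issues.append(f"pod vSwitch {pod_vswitch_cidr} exceeds the /25 maximum mask")
    elif vswitch.prefixlen > 19:
        issues.append(f"warning: pod vSwitch {pod_vswitch_cidr} is longer than the "
                      f"recommended /19; the block holds only {vswitch.num_addresses} addresses")
    # The Service CIDR rules are the same as for Flannel.
    issues += _overlap_issues("Service CIDR", service_cidr,
                              {"VPC": vpc, **_named_existing(existing_cluster_cidrs)})
    return issues


if __name__ == "__main__":
    vpc = "192.168.0.0/16"  # constructed sample VPC
    # Flannel: a pod CIDR carved out of the VPC is rejected.
    for issue in check_flannel_plan(vpc, "192.168.8.0/22", "172.21.0.0/20"):
        print(issue)
    # Terway: a /26 pod vSwitch is rejected, a /22 gets a warning, a /19 passes.
    for cidr in ("192.168.0.0/26", "192.168.4.0/22", "192.168.32.0/19"):
        print(cidr, check_terway_plan(vpc, cidr, "172.21.0.0/20") or ["ok"])
```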
Public network ingress and egress
Configure public ingress for cluster management (via the API server) and public egress for nodes and applications to access external resources such as public images.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Configure SNAT for VPC | Do not select this option when using a shared VPC. Select this option if nodes need public network access (to pull public images or access external services). ACK automatically configures a NAT Gateway and SNAT rules to enable public network access for cluster resources. If you do not select this option, you can manually configure a NAT Gateway and SNAT rules after cluster creation. For details, see Public NAT Gateway. Cloud resource and billing information: | ✓ |
| Access to API Server | ACK automatically creates a pay-as-you-go private CLB instance as the internal endpoint for the API Server. This CLB instance cannot be reused or deleted. If deleted, the API Server becomes inaccessible and cannot be restored. To use an existing CLB instance, submit a ticket. After selecting Use Existing Gateway for the VPC, you can set the SLB Source to Use Existing Gateway. You can optionally enable Expose API server with EIP. To enable this later, see Enable public network access to API Server. Starting December 1, 2024, newly created CLB instances will incur instance fees. For details, see Adjustment announcement for Classic Load Balancer CLB billing items. | ✗ |
Advanced configuration
Expand Advanced Options (Optional) to configure cluster deletion protection, resource groups, and other settings.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Cluster Deletion Protection | We recommend enabling this to prevent accidental cluster deletion via the console or OpenAPI. | ✓ |
| Resource Group | Assign the cluster to the selected resource group for easier permission management and cost allocation. A resource can belong to only one resource group. | ✓ |
| Label | Bind key-value tags to the cluster as cloud resource identifiers. | ✓ |
| Time Zone | The time zone used by the cluster. Defaults to the browser's configured time zone. | ✓ |
| Cluster Domain | The top-level domain (standard suffix) used by Services in the cluster. Defaults to For example, a Service named my-service in the default namespace has the DNS domain name | ✗ |
| Custom Certificate SANs | By default, the SAN (Subject Alternative Name) field in the API Server certificate includes the cluster local domain, private IP, public EIP, and other fields. To access the cluster through a proxy server, custom domain, or special network environment, add those access addresses to the SAN field. To enable this later, see Customize the cluster API Server certificate SAN. | ✓ |
| Service Account Token Volume Projection | In traditional mode, pod identity credentials are permanently valid and shared among multiple pods, posing a security risk. When enabled, each pod receives its own temporary identity credentials with configurable expiration and permission limits. To enable this later, see Use ServiceAccount Token volume projection. | ✗ |
| Secret Encryption | Supported only for Pro Edition clusters. Uses keys created in Alibaba Cloud KMS to encrypt Kubernetes Secrets at rest, enhancing data security. To enable this later, see Use Alibaba Cloud KMS for Secret encryption at rest. Cloud resource and billing information: | ✓ |
| RRSA OIDC | The cluster creates an OIDC Provider. Using temporary OIDC tokens from its ServiceAccount, application pods can call Alibaba Cloud RAM services and assume specified RAM roles, securely obtaining temporary authorization to access cloud resources and implementing least-privilege permission management at the pod level. To enable this later, see Use RRSA to configure ServiceAccount RAM permissions for pod-level permission isolation. | ✗ |
Node pool configuration
A node pool is a group of identically configured ECS instances for running workloads. Some parameters are immutable after creation, but you can create additional node pools with different configurations.
You can skip this step. After creation, create more node pools with different configurations, such as operating systems, CPU architectures, billing methods, or instance types. See Create and manage a node pool. You can also add existing ECS instances to the cluster. See Add existing nodes.
Basic configuration
Configure basic information and automated O&M features for the node pool. Enable automated O&M in production to reduce operational overhead and improve stability.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Node Pool Name | Enter a custom node pool name. | ✓ |
| Container Runtime | For selection guidance, see Compare containerd, sandboxed container, and Docker runtimes. | ✗ |
| Managed node pool configuration: Managed Node Pool | Enable managed node pool to use ACK's automated O&M capabilities. If your business is sensitive to underlying node changes and cannot tolerate node restarts or application pod migrations, we do not recommend enabling this. To enable this later, you can edit the node pool. | ✓ |
| Auto Repair | ACK automatically monitors node status and performs self-healing tasks when nodes become abnormal. If you select Restart Faulty Node, node self-healing may involve draining nodes and replacing disks. For trigger conditions and related events, see Enable node self-healing. | ✓ |
| Auto CVE Patching | Fix CVE vulnerabilities in the node pool OS, with configurable vulnerability fix levels. Cloud resource and billing information: | ✓ |
| Maintenance Window | ACK performs automated O&M operations on managed node pools only during the defined maintenance window. | ✓ |
Instance and image configuration
Configure ECS instance types and operating system for nodes based on performance and cost requirements.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Billing Method | The default billing method used when scaling out nodes in the node pool. To maintain node pool consistency, you cannot change a Pay-As-You-Go or Subscription node pool to a Preemptible Instance node pool, or vice versa. | ✓ |
| Instance-related configuration items | When scaling out, nodes are allocated from the configured ECS instance families. To improve scale-out success rates, select multiple instance types across multiple zones to avoid unavailability or insufficient inventory. The specific instance type used for scaling is determined by the configured Scaling Policy. To ensure business stability and accurate resource scheduling, do not mix GPU and non-GPU instance types in the same node pool. Configure instance types for scaling in one of two ways: Refer to the console's elasticity strength recommendations for configuration, or view node pool elasticity strength after creation. For ACK-unsupported instance types and node configuration recommendations, see ECS instance type configuration recommendations. Cloud resource and billing information: | ✓ |
| Operating System | Marketplace Image is in phased release. The default operating system image used when scaling out nodes in the node pool. To upgrade or change the operating system later, see Change operating system. Alibaba Cloud Linux 2 and CentOS 7 are no longer maintained. Use supported operating systems. We recommend Alibaba Cloud Linux 3 container-optimized or ContainerOS. | ✓ |
| Security Hardening | When creating nodes, ACK applies the selected security baseline policy. | ✗ |
| Logon Type | When selecting MLPS Security Hardening, only Password is supported. ContainerOS supports only Key Pair or Later. If using a key pair, you must start an administrative container after configuration to use it. For details, see Manage ContainerOS nodes. When creating nodes, ACK pre-configures the specified key pair or password on the instance. | ✓ |
|
Storage configuration
Configure storage for nodes: the system disk for the operating system and data disks for container runtime data.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| System Disk | Select a cloud disk type based on your business needs, including ESSD AutoPL, ESSD, ESSD Entry, and previous-generation disks (SSD and ultra disk). Configure capacity, IOPS, and other parameters. Available system disk types depend on the selected instance family. Disk types not displayed are unsupported. Supports selecting More Disk Categories to configure disk types different from the primary System Disk, improving scale-out success rates. When creating nodes, ACK selects the first matching disk type from the specified order. Cloud resource and billing information: | ✓ |
| Data Disk | Select a cloud disk type based on your business needs, including ESSD AutoPL, ESSD, ESSD Entry, and previous-generation disks (SSD and ultra disk). Configure capacity, IOPS, and other parameters. Available data disk types depend on the selected instance family. Disk types not displayed are unsupported. Select Add Data Disk Type to configure disk types different from the primary Data Disk, improving scale-out success rates. When creating nodes, ACK selects the first matching disk type from the specified order. An ECS instance can mount up to 64 data disks. The maximum number of disks supported varies by instance type. Query the disk quantity limit for an instance type using the DescribeInstanceTypes API (DiskQuantity). Cloud resource and billing information: | ✓ |
|
Instance quantity configuration
Set the initial number of nodes in the node pool.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Expected Number of Nodes | The total number of nodes the node pool should maintain. We recommend configuring at least two nodes to ensure normal operation of cluster components. Adjust the desired node count to scale the node pool in or out. For details, see Scale node pools. If you do not need to create nodes, enter 0 and adjust manually later or add existing nodes. | ✓ |
Advanced node pool configuration
Expand Advanced Options (Optional) to configure scaling policies, ECS tags, taints, and other settings.
| Parameter | Description | Modifiable |
| --- | --- | --- |
| Scaling Policy | Configure how the node pool selects instances during scaling. | ✓ |
| Use Pay-as-you-go Instances When Spot Instances Are Insufficient | Requires selecting spot instances as the billing method. When enabled, if sufficient spot instances cannot be created due to price or inventory reasons, ACK automatically attempts to create pay-as-you-go instances as a supplement. Cloud resource and billing information: | ✓ |
| Enable Supplemental Spot Instance | Requires selecting spot instances as the billing method. When enabled, upon receiving a system notification that a spot instance will be reclaimed (5 minutes before reclamation), ACK attempts to scale out new instances for compensation. Active release of spot instances may cause business disruptions. To improve compensation success rates, we recommend also enabling Use Pay-as-you-go Instances When Spot Instances Are Insufficient. Cloud resource and billing information: | ✓ |
| ECS Tags | Add tags to ECS instances automatically created by ACK as cloud resource identifiers. Each ECS instance can have up to 20 tags. To increase this limit, apply on the Quota Platform. Because ACK and ESS occupy some tags, you can specify up to 17 custom tags per instance. | ✓ |
| Taints | Add key-value taints to nodes. A valid taint key includes an optional prefix and a name. If a prefix is specified, separate it from the name with a forward slash (/). | ✓ |
| Node Labels | Add key-value labels to nodes. A valid key includes an optional prefix and a name. If a prefix is specified, separate it from the name with a forward slash (/). | ✓ |
| Set to Unschedulable | Newly added nodes are set as unschedulable by default when registered to the cluster. Manually adjust the node scheduling status in the node list. This setting applies only to clusters running Kubernetes versions earlier than 1.34. For details, see Kubernetes 1.34 version notes. | ✓ |
| Container Image Acceleration | Supported only for containerd runtime version 1.6.34 or later. Newly added nodes automatically detect whether container images support on-demand loading. If supported, containers start faster by default using on-demand loading, reducing application startup time. For details, see Use on-demand loading to accelerate container startup. | ✓ |
| [Deprecated] CPU policy | Specify the CPU management policy for kubelet nodes. We recommend that you use custom node pool kubelet configuration instead. | ✗ |
| Custom Node Name | Node names consist of a prefix, node IP address, and suffix. When enabled, node names, ECS instance names, and ECS instance hostnames change accordingly. Example: Node IP address is 192.XX.YY.55, prefix is aliyun.com, suffix is test. Important: When the custom node name format depends on truncating part of the IP address, if the VPC CIDR block is large and the truncated IP length ( Based on your VPC CIDR block, set the IP truncation length as follows: | ✗ |
| Worker RAM Role | Supported only for ACK managed clusters. Specifiable only when creating a new node pool. Specify a Worker RAM role at the node pool level to reduce security risks from sharing a single Worker RAM role across all nodes. | ✗ |
| Instance Metadata Access Mode | Supported only for clusters running Kubernetes 1.28 or later. Configure the ECS instance metadata access mode. Inside the ECS instance, access the metadata service to obtain instance metadata, including instance ID, VPC information, NIC information, and other instance properties. For details, see Instance metadata. | ✗ |
| Pre-defined Custom Data | Before nodes join the cluster, run the specified instance pre-user User-Data script. Example: If the pre-user data is For the execution logic of this configuration during node initialization, see Node initialization process overview. | ✓ |
| User Data | After nodes join the cluster, run the specified instance user User-Data script. Example: If the instance user data is For the execution logic of this configuration during node initialization, see Node initialization process overview. Successful cluster creation or node scale-out does not guarantee successful execution of the instance user script. Log on to the node and run | ✓ |
| CloudMonitor Agent | View and monitor node and application status in the CloudMonitor console. This setting applies only to new nodes added to the node pool, not existing nodes. To enable this for existing nodes, install it in the CloudMonitor console. Cloud resource and billing information: | ✓ |
| Public IP | ACK assigns an IPv4 public IP address to nodes. This setting applies only to new nodes added to the node pool, not existing nodes. To grant public network access to existing nodes, configure and bind an EIP. For details, see Bind EIP to cloud resources. Cloud resource and billing information: | ✓ |
| Custom Security Group | Specify a basic or enterprise security group for the node pool. ACK does not add extra access rules to the security group. You must manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups. Each ECS instance has a limit on the number of security groups it can join. Ensure sufficient security group quota. | ✗ |
| RDS Whitelist | Add node IPs to the RDS instance whitelist. | ✓ |
| Deployment Set | After creating a deployment set in the ECS console (Create deployment set), specify it for the node pool so that scaled-out nodes are distributed across different physical servers, improving high availability. By default, a deployment set supports up to To enable this later, see Node pool deployment set best practices. | ✓ |
| Resource Pool Policy | The resource pool strategy used when adding nodes (supported only when Instance Configuration Mode is set to Specify Instance Type). Resource pools include private pools generated after activating elastic provisioning or capacity reservations (immediate-effect capacity reservation or scheduled-effect capacity reservation) services, along with public pools, for node startup selection. | ✓ |
| [Deprecated] Private Pool Type | This configuration item is deprecated. Switch to using Resource Pool Policy to specify private pools. The private pool resources available for the selected zone and instance type. Types include the following: | ✓ |
Component configuration
ACK installs recommended components by default. After creation, you can install, uninstall, or upgrade components. See Manage components.
Basic configuration
| Parameter | Description |
| --- | --- |
| Ingress | Ingress manages how external traffic accesses services inside the cluster. Install it to expose cluster applications or APIs to the public network. Three instance types are available as cluster Ingress gateways. For a detailed comparison, see Ingress management. |
| Service Discovery | Installs NodeLocal DNSCache to cache DNS resolution results on nodes, improving DNS resolution performance and stability and accelerating internal service calls within the cluster. |
| Volume Plug-in | Implements persistent storage based on CSI storage plugins, supporting Alibaba Cloud cloud disks, NAS, OSS, CPFS, and other storage volumes. When selecting default creation of NAS and CNFS, ACK automatically creates a general-purpose NAS file system and manages it using CNFS. To create CNFS later, see Manage NAS file systems through CNFS. Cloud resource and billing information: |
| Container Monitoring | Monitors cluster health, resource usage, and application performance through container cluster monitoring services, triggering alerts when anomalies occur. To enable this later, see Integrate and configure Alibaba Cloud Prometheus monitoring. Cloud resource and billing information: |
| Cost Suite | Provides cost and resource usage analysis for clusters, namespaces, node pools, and workloads to improve cluster resource utilization and reduce costs. To enable this later, see Cost insights. |
| Log Service | Use an existing SLS Project or create a new one to collect cluster application logs. Also enables the cluster API Server audit feature to collect requests to the Kubernetes API and their results. To enable this later, see Collect ACK cluster container logs and Use cluster API Server audit feature. Cloud resource and billing information: |
| Alerts | Enables Container Service alert management, sending alert notifications to alert contact groups based on data sources from SLS, Managed Service for Prometheus, and Cloud Monitor when cluster anomalies occur. |
| Control Plane Logs | Collects control plane component logs into an SLS Project for in-depth troubleshooting and root cause analysis. To enable this later, see Collect ACK managed cluster control plane component logs. Cloud resource and billing information: |
| Cluster Inspections | Enables the cluster inspection feature of artificial intelligence for IT operations (AIOps) to regularly scan quotas, resource usage, component versions, and other aspects within the cluster, ensuring configurations follow best practices and exposing potential risks early. |
Advanced configuration
Expand Advanced Options (Optional) to select additional components for application management, log monitoring, storage, networking, and security.