Container Service for Kubernetes:Configuration items for ACK managed clusters

• Pro Edition: Provides an SLA guarantee and is suitable for enterprise production and testing environments.

• Basic Edition: Has quotas (each account can create up to two clusters) and is intended only for personal learning and testing.

The region where cluster resources (such as ECS instances and cloud disks) are located. The closer the region is to your location and where your resources are deployed, the lower the network latency.

Only the latest three minor versions are supported. We recommend using the latest available version. For details about ACK version support, see ACK version support overview.

Enable automatic upgrades to keep the control plane and node pools periodically updated.

For upgrade policies and instructions, see Automatically upgrade clusters.

ACK performs automated O&M tasks—such as automatic cluster upgrades and OS CVE vulnerability fixes—only during the defined maintenance window.

Required only for Flannel.

The IP address pool for assigning pod IPs. This CIDR block must not overlap with the VPC or any existing ACK cluster CIDR blocks in the VPC, and must not overlap with the Service CIDR.

Required only for Flannel.

Defines the maximum number of pods allowed on a single node.

Required only when using the Terway plugin.

Also known as Service CIDR, this is the IP address pool for assigning IPs to internal cluster services. This CIDR block must not overlap with the VPC or any existing cluster CIDR blocks in the VPC, and must not overlap with the Container CIDR Block.

Do not select this option when using a shared VPC.

Select this option if nodes need public network access (to pull public images or access external services). ACK automatically configures a NAT Gateway and SNAT rules to enable public network access for cluster resources.

• VPC has no NAT Gateway: ACK automatically creates a NAT Gateway, purchases a new EIP, and configures SNAT rules for the cluster's vSwitches.

• VPC already has a NAT Gateway: ACK determines whether to purchase additional EIPs or configure SNAT rules. If no EIP is available, a new EIP is purchased. If no VPC-level SNAT rule exists, SNAT rules are configured for the cluster's vSwitches.

If you do not select this option, you can manually configure a NAT Gateway and SNAT rules after cluster creation. For details, see Public NAT Gateway.

Cloud resource and billing information: NAT Gateway, EIP

We recommend enabling this to prevent accidental cluster deletion via the console or OpenAPI.

Assign the cluster to the selected resource group for easier permission management and cost allocation.

A resource can belong to only one resource group.

The time zone used by the cluster. Defaults to the browser's configured time zone.

By default, the SAN (Subject Alternative Name) field in the API Server certificate includes the cluster local domain, private IP, public EIP, and other fields. To access the cluster through a proxy server, custom domain, or special network environment, add those access addresses to the SAN field.

To enable this later, see Customize the cluster API Server certificate SAN.

In traditional mode, pod identity credentials are permanently valid and shared among multiple pods, posing a security risk. When enabled, each pod receives its own temporary identity credentials with configurable expiration and permission limits.

To enable this later, see Use ServiceAccount Token volume projection.

Supported only for Pro Edition clusters.

Uses keys created in Alibaba Cloud KMS to provide professional-grade encryption for Secret keys, enhancing data security.

To enable this later, see Use Alibaba Cloud KMS for Secret encryption at rest.

Cloud resource and billing information: KMS

The cluster creates an OIDC Provider. Using temporary OIDC tokens from its ServiceAccount, application pods can call Alibaba Cloud RAM services and assume specified RAM roles, securely obtaining temporary authorization to access cloud resources and implementing least-privilege permission management at the pod level.

To enable this later, see Use RRSA to configure ServiceAccount RAM permissions for pod-level permission isolation.

Enter a custom node pool name.

Enable managed node pool to use ACK's automated O&M capabilities.

If your business is sensitive to underlying node changes and cannot tolerate node restarts or application pod migrations, we do not recommend enabling this.

To enable this later, you can edit the node pool.

ACK automatically monitors node status and performs self-healing tasks when nodes become abnormal. If you select Restart Faulty Node, node self-healing may involve draining nodes and replacing disks. For trigger conditions and related events, see Enable node self-healing.

Fix CVE vulnerabilities in node pool OS, supporting configurable vulnerability fix levels.

Cloud resource and billing information: Security Center

ACK performs automated O&M operations on managed node pools only during the defined maintenance window.

When scaling out, nodes are allocated from the configured ECS instance families. To improve scale-out success rates, select multiple instance types across multiple zones to avoid unavailability or insufficient inventory. The specific instance type used for scaling is determined by the configured Scaling Policy.

To ensure business stability and accurate resource scheduling, do not mix GPU and non-GPU instance types in the same node pool.

Configure instance types for scaling in one of two ways:

• Specific types: Specify exact instance types based on vCPU, memory, family, architecture, and other dimensions.

• Generalized configuration: Select instance types to use or exclude based on attributes (vCPU, memory, etc.) to further improve scale-out success rates. For details, see Configure node pools using specified instance attributes.

Refer to the console's elasticity strength recommendations for configuration, or view node pool elasticity strength after creation.

For ACK-unsupported instance types and node configuration recommendations, see ECS instance type configuration recommendations.

Cloud resource and billing information: ECS instance, GPU instance

The total number of nodes the node pool should maintain. We recommend configuring at least two nodes to ensure normal operation of cluster components. Adjust the desired node count to scale the node pool in or out. For details, see Scale node pools.

If you do not need to create nodes, enter 0 and adjust manually later or add existing nodes.

Configure how the node pool selects instances during scaling.

• Priority-based Policy: Scales based on the vSwitch priority configured in the cluster (vSwitch order from top to bottom indicates decreasing priority). If instances cannot be created in the higher-priority zone, the next priority vSwitch is used automatically.

• Cost Optimization: Scales from lowest to highest vCPU unit price.

  When the node pool uses Preemptible Instance, spot instances are prioritized. You can configure the Percentage of pay-as-you-go instances (%) to automatically supplement with pay-as-you-go instances when spot instances cannot be created due to inventory or other reasons.

• Distribution Balancing: Distributes ECS instances evenly across multiple zones, but only in multi-zone scenarios. If zone distribution becomes unbalanced due to inventory shortages, you can rebalance.

Requires selecting spot instances as the billing method.

When enabled, if sufficient spot instances cannot be created due to price or inventory reasons, ACK automatically attempts to create pay-as-you-go instances as a supplement.

Cloud resource and billing information: ECS instance

Requires selecting spot instances as the billing method.

Add tags to ECS instances automatically created by ACK as cloud resource identifiers. Each ECS instance can have up to 20 tags. To increase this limit, apply on the Quota Platform. Because ACK and ESS occupy some tags, you can specify up to 17 custom tags per instance.

Newly added nodes are set as unschedulable by default when registered to the cluster. Manually adjust the node scheduling status in the node list.

This setting applies only to clusters running Kubernetes versions earlier than 1.34. For details, see Kubernetes 1.34 version notes.

Supported only for containerd runtime version 1.6.34 or later.

Newly added nodes automatically detect whether container images support on-demand loading. If supported, containers start faster by default using on-demand loading, reducing application startup time. For details, see Use on-demand loading to accelerate container startup.

Node names consist of a prefix, node IP address, and suffix. When enabled, node names, ECS instance names, and ECS instance hostnames change accordingly.

Example: Node IP address is 192.XX.YY.55, prefix is aliyun.com, suffix is test.

• Linux node: Node name, ECS instance name, and ECS instance hostname are all aliyun.com192.XX.YY.55test.

• Windows node: Hostname is fixed as the IP address, with - replacing . in the IP address, and no prefix or suffix included.

  Thus, the ECS instance hostname is 192-XX-YY-55, while the node name and ECS instance name are aliyun.com192.XX.YY.55test.

Supported only for ACK managed clusters

Specifiable only when creating a new node pool.

Specify a Worker RAM role at the node pool level to reduce security risks from sharing a single Worker RAM role across all nodes.

• Default Role: Uses the default Worker RAM role created for the cluster.

• Custom: Uses the specified role as the Worker RAM role. If left empty, the default role is used. For details, see Use a custom Worker RAM role.

Supported only for clusters running Kubernetes 1.28 or later.

Configure the ECS instance metadata access mode. Inside the ECS instance, access the metadata service to obtain instance metadata, including instance ID, VPC information, NIC information, and other instance properties. For details, see Instance metadata.

• Normal Mode and Security Hardening Mode: Supports accessing the metadata service using both normal and reinforced modes.

• Security Hardening Mode: Supports accessing the metadata service using only reinforced mode. For details, see Use reinforced mode only to access ECS instance metadata.

Before nodes join the cluster, run the specified instance pre-user User-Data script.

Example: If the pre-user data is touch /tmp/pre-script, the combined script execution order on the node is as follows.

#!/bin/bash
# Input instance pre-user data executes here
touch /tmp/pre-script

# ACK node initialization script executes here

For the execution logic of this configuration during node initialization, see Node initialization process overview.

Specify a basic or enterprise security group for the node pool. ACK does not add extra access rules to the security group. You must manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups.

Each ECS instance has a limit on the number of security groups it can join. Ensure sufficient security group quota.

Add node IPs to the RDS instance whitelist.

After creating a deployment set in the ECS console Create deployment set, specify it for the node pool so that scaled-out nodes are distributed across different physical servers, improving high availability.

By default, a deployment set supports up to 20 * number of zones (determined by vSwitches), limiting the maximum node count in the node pool. Ensure sufficient quota in the deployment set.

To enable this later, see Node pool deployment set best practices.

The resource pool strategy used when adding nodes (supported only when Instance Configuration Mode is set to Specify Instance Type). Resource pools include private pools generated after activating elastic provisioning or capacity reservations (immediate-effect capacity reservation or scheduled-effect capacity reservation) services, along with public pools, for node startup selection.

• Private Pool First: Prioritizes using the specified private pool. If no private pool is specified or the specified private pool lacks capacity, it automatically matches open-type private pools. If no eligible private pool exists, it uses the public pool to create instances.

• Private Pool Only: Requires specifying a private pool ID. If the specified private pool lacks capacity, node startup fails.

• Do Not Use: Does not use resource pool strategies.

This configuration item is deprecated. Switch to using Resource Pool Policy to specify private pools.

The private pool resources available for the selected zone and instance type. Types include the following:

• Open: Instances automatically match open-type private capacity pools. If no eligible private pool exists, public pool resources are used for startup.

• Do Not Use: Instances do not use any private pool capacity and start directly using public pool resources.

• Specified: Requires selecting a private pool ID to restrict instances to use only that private pool capacity for startup. If the private pool is unavailable, instance startup fails.

Installs NodeLocal DNSCache to cache DNS resolution results on nodes, improving DNS resolution performance and stability and accelerating internal service calls within the cluster.

Implements persistent storage based on CSI storage plugins, supporting Alibaba Cloud cloud disks, NAS, OSS, CPFS, and other storage volumes.

When selecting default creation of NAS and CNFS, ACK automatically creates a general-purpose NAS file system and manages it using Container Network File System (CNFS).

To create CNFS later, see Manage NAS file systems through CNFS.

Cloud resource and billing information: NAS

Monitors cluster health, resource usage, and application performance through container cluster monitoring services, triggering alerts when anomalies occur.

• ACK Cluster Monitoring Pro Edition: Provides a managed container monitoring service with built-in Grafana dashboards. Data is stored for 90 days by default.

  For billing rules, see Container monitoring billing. Additional fees apply for reporting custom metrics or adjusting the base storage duration. For details, see Prometheus instance billing.

• ACK Cluster Monitoring Basic Edition: Provides a free, unmanaged container monitoring service with built-in basic monitoring dashboards. Data is stored for 7 days by default.

  The component defaults to single-replica, consuming 3 vCPUs and 4 GB memory, requiring self-maintenance. Additional fees apply for reporting custom metrics. For details, see Prometheus instance billing.

• Disable: Disables container monitoring services, preventing monitoring of container service status and alert creation.

To enable this later, see Integrate and configure Alibaba Cloud Prometheus monitoring.

Cloud resource and billing information: Prometheus

Provides cost and resource usage analysis for clusters, namespaces, node pools, and workloads to improve cluster resource utilization and reduce costs.

To enable this later, see Cost insights.

Use an existing SLS Project or create a new one to collect cluster application logs.

Also enables the cluster API Server audit feature to collect requests to the Kubernetes API and their results.

To enable this later, see Collect ACK cluster container logs, Use cluster API Server audit feature.

• Create Ingress Dashboard: Creates an Ingress Dashboard in the SLS console to collect Nginx Ingress access logs. For details, see Collect and analyze Nginx Ingress access logs.

• Install node-problem-detector and create Event Hub: Adds an Event Hub in the SLS console to collect all Kubernetes Events in real time. For details, see Create and use K8s Event Hub.

Cloud resource and billing information: SLS

Enables Container Service alert management, sending alert notifications to alert contact groups based on data sources from SLS, Managed Service for Prometheus, and Cloud Monitor when cluster anomalies occur.

Collects control plane component logs into an SLS Project for in-depth troubleshooting and root cause analysis.

To enable this later, see Collect ACK managed cluster control plane component logs.

Cloud resource and billing information: SLS

Enables the cluster inspection feature of artificial intelligence for IT operations (AIOps) to regularly scan quotas, resource usage, component versions, and other aspects within the cluster, ensuring configurations follow best practices and exposing potential risks early.