An ACK One registered cluster connects Kubernetes clusters from your data center or other cloud providers to Container Service for Kubernetes (ACK) for unified management.
Before you begin, read Overview of registered clusters to learn about the concepts and common scenarios of ACK One registered clusters.
Procedure
Create an ACK One registered cluster and connect a target cluster in the console
Create an ACK One registered cluster
Log on to the ACK console. In the navigation pane on the left, click Clusters.
In the navigation bar on the top, select the resource group and region where your target resource resides.
On the Clusters page, click Create Kubernetes Cluster.
Click the ACK One Registered Cluster tab and configure the cluster parameters.
Configuration item
Description
Cluster Name
The custom name of the cluster.
Region
The region of the cluster. The closer the selected region is to the user and the deployed resources, the lower the network latency and the faster the access speed.
IPv6 Dual-stack
If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created.
Important: Only clusters that run Kubernetes 1.22 and later support this feature.
IPv4 addresses are used for communication between worker nodes and the control plane.
You must select Terway as the network plug-in.
If you use the shared elastic network interface (ENI) mode of Terway, the ECS instance type must support IPv6 addresses. To add ECS instances of the specified type to the cluster, the number of IPv4 addresses supported by the ECS instance type must be the same as the number of IPv6 addresses. For more information about ECS instance types, see Overview of instance families.
The VPC used by the cluster must support IPv4/IPv6 dual-stack.
You must disable IPv4/IPv6 dual-stack if you want to use Elastic Remote Direct Memory Access (eRDMA) in a cluster.
VPC
Configure the VPC of the cluster. You can specify a zone to automatically create a VPC. You can also select an existing VPC in the VPC list.
VSwitch
Select an existing vSwitch from the vSwitch list or click Create vSwitch to create a vSwitch. The control plane and the default node pool use the vSwitch that you select. We recommend that you select multiple vSwitches in different zones to ensure high availability.
Security Group
When VPC is set to Select Existing VPC, you can select the Select Existing Security Group option.
You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group.
By default, automatically created security groups allow all outbound traffic. When you modify the security group for business purposes, make sure that traffic destined for 100.64.0.0/10 is allowed. This CIDR block is used to access other Alibaba Cloud services to pull images and query basic ECS information.
If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information, see Configure security groups for clusters.
Access to API Server
The API server provides various HTTP REST interfaces for managing resource objects (such as pods and Services), including create, read, update, delete, and watch operations.
By default, the system creates a pay-as-you-go internal-facing Classic Load Balancer (CLB) instance for the API server to serve as the internal endpoint of the API server in the cluster.
To use an existing CLB instance, you must first submit a ticket to request whitelist access. After you configure the cluster to use an existing VPC, you can select an existing CLB instance as the load balancer.
Specify whether to Expose API server with EIP:
If you select this check box, an elastic IP address (EIP) is associated with the internal-facing CLB instance used to expose the API server of the cluster. This way, you can access the API server of the cluster over the Internet.
If you clear this check box, no EIP is created. You can use a kubeconfig file to connect to the cluster only from within the VPC and then manage the cluster.
Important: If you delete the default CLB instance, you cannot access the API server.
After binding an EIP to a CLB instance, the API server can receive requests from the public network. However, resources within the cluster cannot access the public network. To allow resources within the cluster to access the public network to pull public images, select the Configure SNAT check box for the VPC.
Starting from December 1, 2024, an instance fee will be charged for newly created CLB instances. For more information, see CLB billing adjustments.
After you complete the configuration, click Create Cluster. The new cluster appears in the cluster list.

Connect the target cluster to the ACK One registered cluster
Find the newly created ACK One registered cluster and click Details in the Actions column.
On the Cluster Information page, click the Connection Information tab. On the Connection Information tab, select Public or Private based on your requirements, and then click Copy on the right.

Save the copied content as a file named agent.yaml. Then, run the kubectl apply -f agent.yaml command in the target cluster to register the target cluster with the new ACK One registered cluster.
Check the status of the proxy in the target cluster.
kubectl -n kube-system get pod | grep ack-cluster-agent
Expected output:
ack-cluster-agent-5f7d568f6-6fc4k 1/1 Running 0 9s
ack-cluster-agent-5f7d568f6-tf6fp 1/1 Running 0 9s
After the registration is successful, the cluster status is Running on the Cluster List page of the Container Service for Kubernetes console.
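The status check above can be scripted so that a rollout fails when an agent replica is not ready. The following is an added example, not part of the original documentation; the function name agents_ready and the failing sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read `kubectl -n kube-system get pod` output on stdin and
# succeed only if every ack-cluster-agent pod is Running and fully ready.
# Exit codes: 0 = all ready, 1 = at least one not ready, 2 = no agent pod found.
agents_ready() {
  # Columns of `kubectl get pod`: NAME READY STATUS RESTARTS AGE
  awk '
    $1 ~ /^ack-cluster-agent-/ {
      seen++
      split($2, r, "/")                 # READY has the form "ready/total"
      if ($3 != "Running" || r[1] != r[2] || r[2] == 0) {
        printf "not ready: %s (%s, %s)\n", $1, $2, $3 > "/dev/stderr"
        bad++
      }
    }
    END {
      if (seen == 0) {
        print "no ack-cluster-agent pods found" > "/dev/stderr"
        exit 2
      }
      exit (bad > 0 ? 1 : 0)
    }'
}

# Sample copied from the expected output shown on this page.
SAMPLE_OK='ack-cluster-agent-5f7d568f6-6fc4k 1/1 Running 0 9s
ack-cluster-agent-5f7d568f6-tf6fp 1/1 Running 0 9s'

# Constructed failure case: one replica has not started its container yet.
SAMPLE_BAD='ack-cluster-agent-5f7d568f6-6fc4k 1/1 Running 0 9s
ack-cluster-agent-5f7d568f6-tf6fp 0/1 ContainerCreating 0 9s'

# Dry run on the embedded sample; against a real target cluster use:
#   kubectl -n kube-system get pod | agents_ready
printf '%s\n' "$SAMPLE_OK" | agents_ready && echo "ack-cluster-agent is up"
```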
Results
On the Cluster List page, find the ACK One registered cluster, and then click Details in the Actions column to view the Basic Information and Connection Information of the cluster.
You can use this kubeconfig file to connect to the target cluster and deploy applications. For more information, see Connect to a Kubernetes cluster using kubectl.
Create an ACK One registered cluster and connect a target cluster using onectl
Install and configure onectl. For more information, see Manage a registered cluster using onectl.
onectl supports the following two methods to create an ACK One registered cluster.
Important: When you create an ACK One registered cluster, you must specify parameters such as the VPC, vSwitch, and region.
Non-interactive creation:
onectl cluster create --region **** --vpc **** --vswitch ****
Interactive creation:
onectl cluster create -i
Run the following command to view detailed parameter descriptions:
onectl cluster create -h
After the cluster is created, a series of initialization operations are performed, and the cluster enters the initial state. The expected output is as follows:
Registered cluster test-registered-cluster created successfully, information of the cluster:
name = test-registered-cluster
state = initial
cluster id = c3c277f2fc10f45c1b86473**********
region id = cn-zhangjiakou
node numbers = 0
vpc id = vpc-8vb95w2o172**********
vswitch id = vsw-8vbv8bxhput**********
After the cluster is initialized, it enters the waiting state. Run the following command to view the cluster status:
onectl cluster describe --cluster-id ****
Expected output:
name = test-registered-cluster
state = waiting
...
When the cluster is in the waiting state, run the following command to connect the target cluster to the ACK One registered cluster.
onectl cluster connect --cluster-id **** --kubeconfig ~/.kube/config --restricted true

| Parameter | Required | Description |
| --- | --- | --- |
| cluster-id | Yes | The ID of the ACK One registered cluster created in Step 2. |
| kubeconfig | No | The path to the kubeconfig file of the target cluster. If not specified, the configuration file pointed to by the KUBECONFIG environment variable is used. |
| restricted | No | Specifies whether to connect to the ACK One registered cluster in restricted mode. For more information, see RBAC permissions for the ack-cluster-agent component of a registered cluster. |

You can also run the following command to view detailed parameter descriptions:
onectl cluster connect -h
Run the following command to verify that the target cluster is connected:
onectl cluster describe --cluster-id ****
Expected output:
name = test-registered-cluster
state = running
...
The output shows that the cluster status is Running, which indicates that the ACK One registered cluster is connected.
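The onectl sequence above (wait for the waiting state, connect, confirm running) can be automated as follows. This is an added example, not code from the onectl project; it uses only the onectl subcommands and flags shown on this page, and the function names, retry count and delay are assumptions.

```shell
#!/usr/bin/env bash
# Added example: connect a target cluster only after the registered cluster
# reports "waiting", then confirm that it reaches "running".

# Print the value of the "state = ..." line read from stdin; fail if absent.
cluster_state() {
  awk '/^[ \t]*state[ \t]*=/ {
         sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; ok = 1; exit
       }
       END { exit (ok ? 0 : 1) }'
}

# wait_for_state ID WANTED [TRIES] [DELAY_SECONDS]
wait_for_state() {
  local id=$1 want=$2 tries=${3:-30} delay=${4:-10} i=1 state
  while [ "$i" -le "$tries" ]; do
    state=$(onectl cluster describe --cluster-id "$id" | cluster_state) \
      || state=unknown
    [ "$state" = "$want" ] && return 0
    echo "cluster $id: state=$state, want $want ($i/$tries)" >&2
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# connect_target ID KUBECONFIG [TRIES] [DELAY_SECONDS]
connect_target() {
  local id=$1 kubeconfig=$2 tries=${3:-30} delay=${4:-10}
  wait_for_state "$id" waiting "$tries" "$delay" || {
    echo "cluster $id did not reach waiting; not connecting" >&2
    return 1
  }
  # Same flags as the connect command on this page, including restricted mode.
  onectl cluster connect --cluster-id "$id" --kubeconfig "$kubeconfig" \
    --restricted true || return 1
  wait_for_state "$id" running "$tries" "$delay"
}

# Constructed sample of `onectl cluster describe` output for a dry run.
SAMPLE_DESCRIBE='name = test-registered-cluster
state = waiting'
printf '%s\n' "$SAMPLE_DESCRIBE" | cluster_state
```

Against a real cluster, call connect_target with the registered cluster ID and the path to the target cluster's kubeconfig file.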