This document summarizes Container Service for Kubernetes (ACK) features released in 2021, with links to related documentation.
Background
ACK supports the following Kubernetes versions: 1.24, 1.22, and 1.20.
ACK supports the following operating systems: CentOS 7.9, Alibaba Cloud Linux 3.2104, Alibaba Cloud Linux 2.1903, Windows Server 2019, and Windows Server Core 1909.
December 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ACK One | ACK One is a distributed cloud container platform for managing cloud-native applications across hybrid cloud, multi-cluster, distributed computing, and disaster recovery scenarios. Register external Kubernetes clusters deployed in any region or on any infrastructure, then centrally manage computing, networking, storage, security, monitoring, logs, jobs, applications, and traffic. ACK One is compatible with open-source Kubernetes APIs. | All regions | ACK One overview |
| Kubernetes 1.22.3 | Kubernetes 1.22.3 is now available when creating clusters. | All regions | Kubernetes 1.22 release notes |
| Deployment sets for node pools | Associate a node pool with a deployment set to distribute ECS nodes across multiple physical servers. Configure pod affinity to place application pods on different nodes, improving availability and enabling disaster recovery. | All regions | Best practices for associating deployment sets with node pools |
| Workbench | Log in to containers using Workbench, which offers higher stability and compatibility than the previous terminal tool. On the Pods page, find the container and click Terminal in the Actions column. | All regions | Connection methods |
| Custom configurations for the NGINX Ingress controller | Configure the NGINX Ingress controller directly from the Add-ons page in the ACK console. Set resource requests and limits, enable host network mode, enable admission webhooks, and specify node selectors. Custom configurations are retained after controller updates. | All regions | — |
| Prometheus monitoring dashboards | CCM (cloud controller manager) and kube-controller-manager monitoring dashboards are now available for ACK Pro clusters. View dashboards on the Prometheus Monitoring page in the Operations module of the ACK console. | All regions | Use Managed Service for Prometheus |
| Log center | Collect CCM logs using the log center feature, now available in ACK Serverless Pro clusters. This improves observability for ACK Serverless clusters. | All regions | Collect logs of control plane components in ACK managed clusters |
| OPA-based policy governance | The Policy Governance feature is now available, built on the Open Policy Agent (OPA) policy engine and the Gatekeeper admission controller. It provides predefined policies covering more Kubernetes scenarios than pod security policies (PSPs), with flexible and straightforward configuration. | All regions | Configure and enforce ACK pod security policies |
| Node pool priorities | Assign priorities to node pools in the auto scaling policy. When multiple node pools qualify for a scale-out activity, ACK selects the node pool with the highest priority. | All regions | Auto scaling of nodes |
| ALB Ingress controller open-sourced on GitHub | The ALB Ingress controller (v2.2.0) is now open-sourced. It is compatible with the NGINX Ingress controller and provides Layer 7 traffic routing through ALB instances, including complex routing, automatic certificate discovery, and HTTP, HTTPS, and QUIC (Quick UDP Internet Connection) protocol support. | All regions | v2.2.0 |
November 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ALB Ingress-based routing | Create ALB Ingresses directly in the ACK console. Define Ingress rules, customize configurations, and use ALB instances for Layer 7 load balancing. | All regions | Create an ALB Ingress |
| Multiple route tables via CCM | Configure multiple route tables for a virtual private cloud (VPC) using the CCM. Set this up from the Add-ons page or by modifying the CCM ConfigMap. | All regions | Configure multiple route tables for a VPC |
| Desired number of nodes | Scale a node pool by setting a desired node count. Values above the current count trigger a scale-out; values below trigger a scale-in based on the configured scaling policy. | All regions | Create and manage node pools |
| ACK quotas | Quota display and quota increase requests are now optimized in the ACK console for all cluster types, including ACK managed clusters, ACK dedicated clusters, ACK Serverless clusters, ACK edge clusters, and registered clusters. The console also provides an entry point to Quota Center. | All regions | Quotas and limits |
| IPv4/IPv6 dual stack for ACK Serverless clusters | Enable IPv4/IPv6 dual stack when creating an ACK Serverless cluster to allow clients to access services using IPv6 addresses. Prerequisites: Kubernetes version 1.20.11-aliyun.1 or later, and a VPC with dual stack enabled. | All regions | Create an ACK Serverless cluster |
| ContainerOS | ContainerOS is an Alibaba Cloud operating system for containerized workloads, fully compatible with Kubernetes. Built on Alibaba Cloud Linux 3, it provides enhanced security, faster startup, and simplified system services. ContainerOS comes with cloud-native components preinstalled and is available in managed node pools. Free technical support is included. | All regions | ContainerOS |
October 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Kubernetes 1.20.11 | CVE-2021-25741 is a high-severity vulnerability that allows attackers to access host directories by exploiting symbolic links with subPath volume mounts. This vulnerability is fixed in Kubernetes 1.20.11. Upgrade from Kubernetes 1.20 to 1.20.11 is supported. | All regions | Vulnerability CVE-2021-25741 in Kubernetes and (Discontinued) Kubernetes 1.20 release notes |
| ClusterRole management | Manage the full lifecycle of ClusterRoles directly from the ACK console to improve cluster administration efficiency. | All regions | Use custom RBAC roles to restrict resource operations in a cluster |
| ARMS monitoring integration | The network topology feature of Application Real-Time Monitoring Service (ARMS) is now integrated with ACK. View network topologies for Services, workloads, and Alibaba Cloud resources directly in the ACK console. | All regions | — |
| Cost analysis: application dashboards | Application dashboards in cost analysis now show cost trends, correlation analysis results, and cost-saving suggestions and plans. | All regions | Enable cost insights |
| Cloud-native AI component set | The cloud-native AI component set now supports model management, model evaluation, and login with non-Alibaba Cloud accounts to AI Dashboard and AI Developer Console. Fluid applications using JindoRuntime can also be monitored with Prometheus Monitoring. | All regions | Cloud-native AI suite O&M guide, Cloud-native AI component set user guide, Manage models in MLflow Model Registry, Evaluate a model, and Log on to AI Developer Console |
| ALB Ingress controller | The ALB Ingress controller is now available. It supports complex routing, automatic certificate discovery, and HTTP, HTTPS, and QUIC protocols for Layer 7 load balancing. Compatible with NGINX Ingresses. | All regions | ALB Ingress overview |
| ACK Serverless Pro cluster (public preview) | ACK Serverless Pro clusters are now in public preview. They offer higher reliability and security than standard ACK Serverless clusters and are covered by an SLA with compensation clauses. Designed for enterprise workloads that require strict stability and security at scale. | All regions | ACK Serverless Pro cluster overview |
September 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ARM node pools | Create ARM node pools in ACK clusters using ECS instances from the g6r and c6r instance families. ARM instances reduce costs in general-purpose computing scenarios (NGINX, Redis, SQL) and deliver high concurrency and throughput for big data workloads. | All regions | Create and manage node pools |
| Auto scaling for Windows node pools | Enable auto scaling for Windows node pools to improve application elasticity. | All regions | Create a Windows node pool |
| Custom Windows images for node pools | Specify Windows images when creating node pools. Custom images based on Windows Server 2019 with kernel versions later than 1809 are supported. | All regions | Create a Windows node pool |
| Multiple security groups for a node pool | Assign more than one security group to a node pool for fine-grained access control. | All regions | Create and manage node pools |
| IPv4/IPv6 dual stack for ACK managed clusters | Enable IPv4/IPv6 dual stack when creating an ACK managed cluster to allow clients to connect to cluster applications via IPv6 addresses. | All regions | Create an ACK managed cluster |
| CIS Kubernetes V1.20 Benchmark v1.0.0 | The cluster inspection feature now supports CIS Kubernetes V1.20 Benchmark v1.0.0 for clusters running Kubernetes 1.20 and later. | All regions | None |
| Node pool scale-out policy and scale-in settings | Configure the node pool scale-out policy (least-waste or random) and allow or disallow scale-in activities when setting up auto scaling. The scale-out policy determines which node pools are prioritized during scale-out. | All regions | Auto scaling of nodes |
| Backup center (public preview) | Back up, restore, and migrate stateless and stateful applications across ACK clusters and self-managed clusters. The backup center (formerly the application backup feature) supports disaster recovery and migration for stateful applications in hybrid cloud and multi-cluster environments. | All regions | Backup center overview |
| Model evaluation for AI project acceleration | Manage and evaluate models trained with the AI component set. Control model versions and evaluate models using metrics such as accuracy and recall rate to identify the best model for your workload. | All regions | Manage models in MLflow Model Registry and Evaluate a model |
August 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ACK Scheduler V1.20-ack-4.0: load-aware and elastic container instance-based scheduling | Load-aware scheduling places pods on nodes with lower historical load to prevent overloaded nodes. Elastic container instance-based scheduling lets you annotate workloads to use only ECS instances, only elastic container instances, or a mix — falling back to elastic container instances when ECS resources are insufficient. | All regions | Use load-aware pod scheduling and Use elastic resources to implement Elastic Container Instance-based scheduling (discontinued) |
| CCM 2.0.1: weighted routing and vServer group reuse | CCM 2.0.1 adds four new annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vgroup-port to reuse an existing vServer group on an SLB instance; service.beta.kubernetes.io/alicloud-loadbalancer-weight to set per-service weights when multiple services share an SLB instance; and service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain and service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout to configure connection draining (TCP and UDP only). | All regions | CCM |
| Subscription clusters | Create clusters with the subscription billing method. ECS nodes and the SLB instance attached to the Kubernetes API server are billed under subscription. Purchase resource plans for elastic IP addresses (EIPs), NAT gateways, and Log Service projects to consolidate cluster payments at creation time. | All regions | — |
| Reuse an existing SLB instance for the NGINX Ingress controller | When creating a subscription cluster, associate a previously created subscription SLB instance with the NGINX Ingress controller to consolidate all cluster payments at creation time. | All regions | — |
| Intelligent O&M: cluster diagnostics and global check | Run a global check on cluster resources, components, and configurations with a single click to get issue-fix suggestions without configuring parameters. Use cluster diagnostics to troubleshoot nodes, pods, and networks in an ACK cluster. | All regions | Work with cluster check and Work with cluster diagnostics |
| ACK Serverless Ingress ALB controller | Install the ALB Ingress controller when creating an ACK cluster or from the Add-ons page after creation. It supports complex routing, automatic certificate discovery, and HTTP, HTTPS, and QUIC protocols, and is compatible with the NGINX Ingress controller. | All regions | ALB Ingress overview |
| Windows Server 2019 for ACK edge clusters | Select Windows Server 2019 when creating cloud node pools in ACK edge clusters, improving cloud-edge coordination for Windows applications. | All regions | — |
| CNFS: shared NAS volumes and auto expansion | Mount a File Storage NAS (NAS) volume in sharepath mode to share it across multiple applications or pods. Configure auto expansion policies so NAS volumes expand automatically when usage exceeds a threshold. | All regions | Use CNFS to automatically expand NAS volumes |
July 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Kubernetes version update | Upgrade from Kubernetes 1.18 to Kubernetes 1.20 is now supported. | All regions | Manually update ACK clusters and (Discontinued) Kubernetes 1.20 release notes |
| CoreDNS | CoreDNS is now supported on the Add-ons page. CoreDNS is the default DNS-based service discovery plugin in ACK and ACK edge clusters, providing domain name resolution for services within a cluster. | All regions | CoreDNS |
| Cost analysis by namespace | The cost analysis feature now provides resource usage trends and per-CPU-core cost estimates for applications and pods, broken down by namespace. | All regions | Enable cost insights |
| Enhanced security for registered clusters | Install security-inspector (security scanning), aliyun-acr-credential-helper (password-free image pulls), and Gatekeeper (OPA policy management) in registered clusters. | All regions | Overview |
| CNFS 1.0 | CNFS is now generally available. Use CNFS to abstract NAS file systems as Kubernetes resources via Custom Resource Definition (CRD) objects. Supports creating, deleting, setting quotas for, mounting, monitoring, and expanding NAS file systems using a declarative management model. | All regions | CNFS |
June 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Resource group selection | Select a resource group from a dropdown when creating a cluster or node pool. The cluster and its ECS instances are assigned to the selected group. | All regions | — |
| Visual network policy configuration | Configure Kubernetes network policies through a visual interface in the ACK console to control traffic at the IP address or port level. | All regions | Use network policies |
| ACK Terway Hubble | Deploy ACK Terway Hubble from App Catalog to gain observability into network traffic, network policies, and workload topology in ACK managed clusters. | All regions | Implement network observability by using ACK Terway and Cilium Hubble |
| Cost analysis: node pool-level reporting | View cost allocations and trends for resources, applications, and containers at the node pool level, with cost optimization suggestions based on current costs and node pool pricing. | All regions | Enable cost insights |
| Auto scaling scan interval | Set the interval at which the cluster evaluates scaling conditions: 15 seconds, 30 seconds, or 1 minute. | All regions | Auto scaling of nodes |
| Modifiable SANs for ACK Serverless clusters | Update custom subject alternative names (SANs) in the API server certificate of an ACK Serverless cluster after it is created. Supports updating domain names, IP addresses, and URLs. | All regions | Customize the SANs of the API server certificate when you create an ACK cluster |
| Security inspection for registered clusters | Use the inspection feature to detect security risks in the workloads of a registered cluster. | All regions | Use the inspection feature to check for security risks in the workloads of a registered Kubernetes cluster |
| Topology-aware CPU scheduling | Topology-aware CPU scheduling now supports dynamically adjusting resource usage thresholds to improve utilization for workloads with different priorities, and using the Last Level Cache (L3 cache) and Memory Bandwidth Allocation (MBA) for resource isolation across priority tiers. | All regions | Enable CPU Suppress and Enable resource isolation based on the L3 cache and MBA |
May 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| CIS reinforcement for worker nodes | Enable CIS reinforcement to harden OS security for cluster worker nodes. CIS reinforcement supports only Alibaba Cloud Linux 2, the default OS image in ACK clusters. | All regions | CIS reinforcement |
| New region: China (Nanjing - Local Region) | ACK Pro clusters are now available in the China (Nanjing - Local Region) region. | China (Nanjing - Local Region) | None |
| New region: China North 2 Ali Gov | ACK Pro clusters are now available in the China North 2 Ali Gov region on Alibaba Gov Cloud. | China North 2 Ali Gov | Supported regions |
| Cost analysis | The cost analysis feature is added to help IT administrators analyze resource usage and allocate costs. Capabilities include cloud resource cost analysis, cost trend analysis, cost-saving suggestions, real-time cost forecasting, namespace-based cost allocation, and application cost optimization. | All regions | Enable cost insights |
| Custom SSL certificates for ACK Serverless clusters | Specify custom SSL certificates for SLB instances using annotations when creating Ingresses in ACK Serverless clusters. SSL certificates no longer need to be set through Kubernetes Secrets. | All regions | — |
| Topology-aware scheduling for AMD CPUs | resource-controller V1.2.1-d1e280f-aliyun is released. Works with ack-scheduler for Kubernetes 1.20.4 to support topology-aware scheduling on AMD CPUs. | All regions | Enable topology-aware CPU scheduling |
February 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| ACK Edge Pro cluster | Create ACK Edge Pro clusters, which provide the same reliability, stability, and billing methods as ACK Pro clusters. | All regions | ACK Edge Pro clusters |
| Log center | The log center is now available in the ACK console. View cluster logs and control plane component logs in one place. | All regions | Query the logs of control plane components and View cluster logs |
| Prometheus monitoring: CoreDNS dashboard | A CoreDNS dashboard is now available on the Prometheus Monitoring page in the ACK console. | All regions | Use Managed Service for Prometheus |
| EIPs for node pools | Associate elastic IP addresses (EIPs) with regular and managed node pools. Enable nodes to automatically attach EIPs at node pool creation, or configure a NAT gateway to provide internet access for all nodes in the cluster. | All regions | Create and manage node pools |
| New region: China South 1 Finance | ACK Pro clusters are now available in the China South 1 Finance region. | China South 1 Finance | Overview of ACK Pro clusters |
January 2021
| Feature | Description | Region | References |
| --- | --- | --- | --- |
| Control plane observability for ACK Pro clusters | API server and etcd observability is now enabled in ACK Pro clusters. Monitor these components in dashboards and receive alerts on exceptions to detect risks and maintain cluster stability. | All regions | Use Managed Service for Prometheus |
| Custom configuration for control plane components | Customize parameters for kube-apiserver and kube-controller-manager in ACK Pro clusters to meet production environment requirements. | All regions | Customize the parameters of control plane components in ACK Pro clusters |
| Log collection for control plane components | Collect logs from kube-apiserver, kube-controller-manager, and kube-scheduler. Enable log collection by selecting Enable for Log Collection for Control Plane Components when creating a cluster. | All regions | Query the logs of control plane components |
| Preemptible instances for node pools | Use preemptible instances as the billing method for a node pool to reduce computing costs. Bid for idle Alibaba Cloud resources; instances run until reclaimed by higher bids from other customers. | All regions | Set the ratio of preemptible instances to pay-as-you-go instances in a node pool |
| Edge node pools | Create edge node pools in ACK edge clusters to group nodes with common attributes and manage them uniformly across regions. Edge node pools support both basic and enhanced cloud-edge coordination networks; the enhanced network uses software-defined networking (SDN) for higher network quality and security. | All regions | Overview of edge node pools |
| Elastic node pools for registered clusters | Use node pools in registered clusters to manage ECS instances with identical attributes and add them to self-managed Kubernetes clusters or third-party public cloud clusters. Enables unified, flexible resource scheduling across data centers and cloud environments. | All regions | Configure auto scaling |
| Application backup | Back up applications, volumes, and persistent volumes (PVs) in ACK and registered clusters, and restore backups to other clusters. Supports both stateless and stateful applications, as well as all resources in a namespace. | All regions | Install migrate-controller and grant permissions |
| Cost reduction policy | Set the ratio of preemptible instances to pay-as-you-go instances in a node pool to reduce costs while maintaining performance stability. | All regions | Set the ratio of preemptible instances to pay-as-you-go instances in a node pool |