kube-apiserver is the API gateway for your ACK cluster. It exposes the Kubernetes API to all components inside and outside the cluster — kubelet, kube-proxy, and external clients all communicate with the cluster through kube-apiserver.
Overview
kube-apiserver validates and configures data for API objects, including pods, Services, and ReplicationControllers. It serves REST operations and provides a single, consistent view of cluster state to every other component.
In ACK, kube-apiserver is managed and automatically installed. No additional configuration is required.
Release notes
kube-apiserver is updated along with the Kubernetes version. For version support details, see Overview of Kubernetes versions supported by ACK.
How nodes connect to the API server
ACK has progressively moved away from fixed Classic Load Balancer (CLB) IP addresses for node-to-API-server communication. The table below maps cluster creation date to the current behavior and security group requirement.
| Cluster creation date | Kubernetes version | How nodes reach the API server | Security group requirement |
|---|---|---|---|
| After February 2023 | 1.20 or later | An elastic network interface (ENI) exposes Services in the default namespace, replacing CLB instances | If the cluster security group differs from the node/container security group, the cluster security group must allow inbound traffic on port 6443 |
| After November 2024 | 1.20 or later | kubelet and kube-proxy resolve the API server domain name (apiserver.{Cluster ID}.{Region ID}.cs.aliyuncs.com) to an ENI IP address, replacing the fixed CLB IP | The cluster security group must allow inbound traffic on port 6443 |
Clusters created after February 2023 — ENI-based service exposure
For clusters running Kubernetes 1.20 or later that were created after February 2023, ACK uses elastic network interfaces (ENIs) instead of CLB instances to expose Services in the default namespace. This reduces the performance overhead of CLB forwarding links.
If your cluster's security group blocks inbound traffic on port 6443, and the security group for your cluster nodes and containers differs from the cluster security group, cluster components may fail to reach kube-apiserver. Make sure port 6443 allows inbound traffic in the cluster security group.
Clusters created after November 2024 — Domain-name-based API server access
To improve cluster high availability (HA) and eliminate dependency on fixed CLB IPs, ACK uses the API server domain name (apiserver.{Cluster ID}.{Region ID}.cs.aliyuncs.com) for node-to-API-server communication. kubelet and kube-proxy resolve this domain name to get the ENI IP address and use it to reach the API server, instead of using a static CLB IP.
This applies to clusters running Kubernetes 1.20 or later that were created after November 2024.
ACK creates and manages this domain name using Private DNS. View it in the Cloud Service Defined Zones section of the Alibaba Cloud DNS console.
If your cluster's security group blocks inbound traffic on port 6443, nodes may fail to reach the API server. Make sure port 6443 allows inbound traffic.
Domain name resolution depends on the default internal DNS addresses 100.100.2.136 and 100.100.2.138 configured in Alibaba Cloud virtual private cloud (VPC). If you have configured a custom DNS server IP on your nodes, make sure that server forwards queries for the API server domain name upstream to Private DNS in the VPC. Otherwise, nodes may fail to resolve the domain name and cannot reach the API server.
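The two prerequisites above (port 6443 open in the cluster security group, and the API server domain name resolvable through VPC Private DNS) can be verified from a node. The script below is an added example, not part of the ACK documentation or ACK's own tooling. It parses the kubelet kubeconfig to see whether the node addresses the API server by the domain name apiserver.{Cluster ID}.{Region ID}.cs.aliyuncs.com or by a fixed IP, checks whether resolv.conf lists one of the default VPC DNS servers, and, only when invoked with --live, resolves the host and probes TCP port 6443. The kubeconfig path /etc/kubernetes/kubelet.conf, the cluster ID, and the file contents are constructed assumptions; the live probe needs getent and nc (netcat) on the node.

```shell
#!/bin/sh
# Added example (not ACK's own code): offline checks for the node-to-API-server
# prerequisites described above, plus an optional live probe (--live).
# Cluster ID, hostnames and file contents below are constructed samples.

# Print the host part of the first "server:" URL in a kubeconfig read from stdin.
apiserver_host() {
    sed -n 's#^[[:space:]]*server:[[:space:]]*https\{0,1\}://\([^:/[:space:]]*\).*#\1#p' | head -n 1
}

# Return 0 when the host is the ACK API server domain name
# apiserver.{Cluster ID}.{Region ID}.cs.aliyuncs.com, 1 for a fixed IP or anything else.
uses_apiserver_domain() {
    case "$1" in
        apiserver.*.*.cs.aliyuncs.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when resolv.conf content on stdin lists at least one of the default
# Alibaba Cloud VPC DNS servers (100.100.2.136 or 100.100.2.138).
resolvconf_has_vpc_dns() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+100\.100\.2\.13[68]([[:space:]]|$)'
}

# Classify a node from its kubeconfig ($1) and resolv.conf ($2) contents:
#   domain-ok         domain name in use and VPC DNS configured
#   domain-custom-dns domain name in use, but no VPC DNS: the custom resolver
#                     must forward the name upstream to Private DNS in the VPC
#   fixed-ip          node still addresses the API server by IP
classify_node() {
    host=$(printf '%s\n' "$1" | apiserver_host)
    if uses_apiserver_domain "$host"; then
        if printf '%s\n' "$2" | resolvconf_has_vpc_dns; then
            echo domain-ok
        else
            echo domain-custom-dns
        fi
    else
        echo fixed-ip
    fi
}

# Live probe (network required, so only run with --live): resolve the API server
# host through the node's resolver and check TCP 6443, the port the cluster
# security group must allow. The kubeconfig path is an assumption.
live_check() {
    host=$(apiserver_host < "${1:-/etc/kubernetes/kubelet.conf}")
    getent hosts "$host" >/dev/null || { echo "DNS resolution failed for $host"; return 1; }
    nc -z -w 3 "$host" 6443 || { echo "port 6443 unreachable on $host (check security group)"; return 1; }
    echo "node can reach $host:6443"
}

# Constructed kubeconfig fragments: domain-based (clusters created after
# November 2024) and fixed-IP (older clusters). Cluster ID is a placeholder.
KUBECONFIG_DOMAIN='apiVersion: v1
clusters:
- cluster:
    server: https://apiserver.c0123456789abcdef.cn-hangzhou.cs.aliyuncs.com:6443
  name: kubernetes'
KUBECONFIG_IP='apiVersion: v1
clusters:
- cluster:
    server: https://192.0.2.10:6443
  name: kubernetes'

# Constructed resolv.conf contents: default VPC DNS vs. a custom resolver only.
RESOLV_VPC='nameserver 100.100.2.136
nameserver 100.100.2.138
search default.svc.cluster.local'
RESOLV_CUSTOM='nameserver 10.0.0.53'

classify_node "$KUBECONFIG_DOMAIN" "$RESOLV_VPC"     # prints domain-ok
classify_node "$KUBECONFIG_DOMAIN" "$RESOLV_CUSTOM"  # prints domain-custom-dns
classify_node "$KUBECONFIG_IP" "$RESOLV_VPC"         # prints fixed-ip

if [ "${1:-}" = "--live" ]; then
    live_check "$2"
fi
```

Run it with no arguments to exercise the constructed samples, or with `--live [path-to-kubeconfig]` on a node to test the real resolver and port. A `domain-custom-dns` result is the case L22 warns about: the node will only reach the API server if the custom DNS server forwards the apiserver.*.cs.aliyuncs.com name to Private DNS; a failed `nc` with working resolution points at the security group rather than DNS.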