Enable public access to an API server
When you create an ACK cluster, a private CLB instance is automatically created for the API server. You can bind an Elastic IP Address (EIP) to this CLB instance to make the API server publicly accessible.
Usage notes
-
After you bind an EIP, you are charged on a pay-as-you-go basis.
-
After you bind an EIP, do not unbind or release it. Doing so will disrupt public access to the API server.
Bind and manage an EIP
You can bind an EIP to enable public access to the API server for both new and existing clusters. You can also change or unbind the EIP later.
Updating an EIP (binding, unbinding, or changing) triggers a rolling update of the cluster's API server. Do not perform operations on the cluster during this process.
Bind an EIP
New cluster
When you create a cluster, select Expose API server with EIP.
In the API Server Access section, select the Expose API server with EIP option to bind an EIP to the private CLB instance of the API server. This makes the API server publicly accessible.
For detailed steps, see Create an ACK managed cluster, Create an ACK Serverless cluster, and Create an ACK Edge cluster.
Existing cluster
You can bind an EIP to existing ACK managed clusters, ACK Serverless clusters, and ACK Edge clusters.
To bind an EIP to an existing ACK dedicated cluster, you must perform a live migration of the ACK dedicated cluster to an ACK managed Pro cluster.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
-
On the Cluster Information page, click the Basic Information tab. In the Network section, click Associate EIP to the right of API server public endpoint. Follow the on-screen instructions to select an existing EIP or create an EIP in the same region as the cluster, and then click OK.
After you bind the EIP, the public IP address is displayed for the API server public endpoint.
Unbind or change an EIP
-
Unbind an EIP: After you unbind the EIP, you can only access the API server from the internal network. This does not affect access to applications within the cluster.
-
Change an EIP: After you change the EIP, the public endpoint of the API server updates.
The Change EIP and Unbind EIP features are supported only on ACK managed clusters and ACK Serverless clusters.
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
-
On the Cluster Information page, click the Basic Information tab. In the Network section, click Change or Unbind to the right of the API server Public Endpoint and follow the on-screen instructions.
Configure API server access control
After you enable public access to the API server, we strongly recommend that you configure an access control policy for the API server. Use a whitelist/blacklist to control access to the CLB instance and prevent unauthorized access to the API server.
Related topics
-
If services within your cluster need to access public resources on the internet, such as pulling public images or updating dependencies, you can use an SNAT Gateway to enable outbound internet access for the cluster.
-
If you have configured deny rules in a security group, make sure the security group rules allow traffic on the protocols and ports that the cluster requires. For more information, see Configure security groups for a cluster.