You can use the P2P acceleration feature in Alibaba Cloud Container Service for Kubernetes (ACK) clusters to accelerate container image pulls and reduce application deployment times. This topic describes how to install the P2P acceleration agent in an ACK cluster.
Prerequisites
A Standard or Advanced Edition of an ACR Enterprise Edition instance has been created.
An ACK managed cluster or dedicated cluster, or an ACK Serverless Pro cluster has been created.
You have configured network access control for the ACR Enterprise Edition instance to allow access from the VPC of your ACK cluster. For more information, see Configure access control for a VPC.
Image usage limitations
If you use very large container images, such as those for large models, you must meet one of the following requirements to ensure efficient P2P pulls: the nodes in the node pool have data disks of the AutoPL type, or the nodes have at least 8 GB of free memory for P2P data caching.
Step 1: Enable P2P acceleration
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance that you want to manage.
On the Overview page, record the Instance ID. Then, in the Component Settings section, turn on P2P Acceleration and click OK in the confirmation dialog box.
Warning: Before you disable P2P acceleration for the instance, you must stop using the P2P feature and uninstall the agent from all clusters where it is installed. To re-enable the feature, you must reinstall the agent.

Step 2: Install the P2P agent
You can use one of the following methods to grant the P2P acceleration agent access to your ACR Enterprise Edition instance.
Use a worker RAM role for authorization and installation.
Limitation: The ACR Enterprise Edition instance and the ACK cluster must belong to the same Alibaba Cloud account.
Use the AccessKey ID and AccessKey Secret of a RAM user for authorization and installation.
Use RAM Roles for Service Accounts (RRSA) for authorization and installation.
Limitation: This method is supported only for ACK managed clusters that run Kubernetes 1.22 or later.
Use a worker RAM role
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Cluster Resources section, copy the name of the worker RAM role and click the link to go to the Resource Access Management (RAM) console to grant permissions to the role.
Create the following custom permission policy. For more information, see Create a custom permission policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
On the Roles page, find the worker RAM role and attach the custom permission policy that you created. For more information, see Grant permissions to a RAM role.
Log on to the ACK console. In the left navigation pane, click .
On the App Catalog page, enter ack-acr-acceleration-p2p in the search box, find the component, and then click its card.
On the component details page, click Deploy in the upper-right corner.
In the Create panel, select a Cluster and namespace, specify a release name, and then click Next.
On the Parameters panel, select the latest chart version and set the acrInstances parameter to your ACR Enterprise Edition instance ID. If you have multiple instances, separate their IDs with commas (,).
# The IDs of your ACR Enterprise Edition instances. To specify multiple IDs, separate them with commas (,). Example: "cri-xxx,cri-yyy"
acrInstances: ""
# The region of the ACR Enterprise Edition instance. The default value is the region of the cluster.
# You must set this parameter if the cluster and the instance are in different regions, or if you access the instance from a self-managed cluster in a data center.
region: ""
# The VPC that is connected to the VPC of the ACR Enterprise Edition instance. The default value is the VPC of the cluster.
# You must set this parameter if the cluster and the instance are in different regions, or if you access the instance from a self-managed cluster in a data center through a VPC.
vpcId: ""
p2p:
  # The port used by the P2P agent in the host network.
  port: 65001
Note: By default, the agent uses port 65001 on nodes. If a port conflict occurs, change the port number.
If the ACK cluster and the ACR Enterprise Edition instance are in the same region, you can leave the region and vpcId parameters empty. If they are in different regions, you must set the region parameter to the region of the ACR Enterprise Edition instance and the vpcId parameter to the ID of the VPC associated with the instance.
If you use very large container images, such as those for large models, you must adjust the P2P data caching mode based on your node configuration:
Data disk-based caching mode (default): Ensure that the data disk type on the node is AutoPL. Set p2p.v2.cache.mode to disk.
Memory-based caching mode: Ensure that the node has at least 8 GB of free memory, and then set p2p.v2.cache.mode to memory.
Use a RAM user AccessKey pair
Create a RAM user. For more information, see Create a RAM user.
Grant the following permissions to the RAM user. Then, create an AccessKey pair and record the AccessKey ID and AccessKey Secret.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
Log on to the ACK console. In the left navigation pane, click .
On the App Catalog page, enter ack-acr-acceleration-p2p in the search box, find the component, and then click its card.
On the component details page, click Deploy in the upper-right corner.
In the Create panel, select a Cluster and namespace, specify a release name, and then click Next.
On the Parameters panel, select the latest chart version. Set the acrInstances parameter to your ACR Enterprise Edition instance ID. If you have multiple instances, separate their IDs with commas (,). Then, enter the AccessKey ID and AccessKey Secret that you recorded.
# The IDs of your ACR Enterprise Edition instances. To specify multiple IDs, separate them with commas (,). Example: "cri-xxx,cri-yyy"
acrInstances: ""
# If your Kubernetes cluster is self-managed in a data center, you must specify the following parameters.
accessKey: ""
accessKeySecret: ""
# The region of the ACR Enterprise Edition instance. The default value is the region of the cluster.
# You must set this parameter if the cluster and the instance are in different regions, or if you access the instance from a self-managed cluster in a data center.
region: ""
# The VPC that is connected to the VPC of the ACR Enterprise Edition instance. The default value is the VPC of the cluster.
# You must set this parameter if the cluster and the instance are in different regions, or if you access the instance from a self-managed cluster in a data center through a VPC.
vpcId: ""
p2p:
  # The port used by the P2P agent in the host network.
  port: 65001
Note: By default, the agent uses port 65001 on nodes. If a port conflict occurs, change the port number.
If the ACK cluster and the ACR Enterprise Edition instance are in the same region, you can leave the region and vpcId parameters empty. If they are in different regions, you must set the region parameter to the region of the ACR Enterprise Edition instance and the vpcId parameter to the ID of the VPC associated with the instance.
If you use very large container images, such as those for large models, you must adjust the P2P data caching mode based on your node configuration:
Data disk-based caching mode (default): Ensure that the data disk type on the node is AutoPL. Set p2p.v2.cache.mode to disk.
Memory-based caching mode: Ensure that the node has at least 8 GB of free memory, and then set p2p.v2.cache.mode to memory.
Use RRSA
The RAM Roles for Service Accounts (RRSA) feature allows you to enforce fine-grained permission control at the Pod level.
The RRSA feature is supported only in clusters that run Kubernetes 1.22 or later.
To use RRSA, you must upgrade the agent to version 0.3.6 or later.
To enable RRSA for the P2P acceleration agent, you must first enable RRSA for the cluster and then configure the RRSA settings for the agent. If you perform these steps in the wrong order, you must uninstall and reinstall the agent for the RRSA configuration to take effect.
Enable the RRSA feature for your cluster. For more information, see Associate a RAM role with a service account to implement fine-grained, Pod-level permission management by using RRSA.
Configure the RAM role to access Container Registry resources.
Scenario 1: The ACK cluster and ACR Enterprise Edition instance are in the same account.
Assume Account A owns both the ACK cluster and the ACR Enterprise Edition instance. Create a RAM role in Account A. For more information, see Create a RAM role for a trusted Alibaba Cloud account. Then, attach the following permission policy to the role.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
Note: Replace <oidc_issuer_url> with the URL of the OIDC provider for your cluster. You can find this URL on the Basic Information tab of the cluster details page in the ACK console.
Replace <oidc_provider_arn> with the ARN of the OIDC provider for your cluster. You can find this ARN on the Basic Information tab of the cluster details page in the ACK console.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": [
            "sts.aliyuncs.com"
          ],
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": [
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
Scenario 2: The ACK cluster and ACR Enterprise Edition instance are in different accounts.
Assume Account A owns the ACK cluster, and Account B owns the ACR Enterprise Edition instance. You need to grant the ACK cluster in Account A permission to access the Container Registry resources in Account B.
In Account A, create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account. Attach the AliyunSTSAssumeRoleAccess permission policy to grant the role permission to assume other roles. Then, modify its trust policy.
Note: Replace <oidc_issuer_url> with the URL of the OIDC provider for your cluster. You can find this URL on the Basic Information tab of the cluster details page in the ACK console.
Replace <oidc_provider_arn> with the ARN of the OIDC provider for your cluster. You can find this ARN on the Basic Information tab of the cluster details page in the ACK console.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": [
            "sts.aliyuncs.com"
          ],
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": [
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
In Account B, create a RAM role for ACR permissions. On the trust policy tab, add the ARN of the role from Account A. Attach the following permission policy to the role in Account B.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
Note: You can set the Maximum Session Duration for this RAM role, with a valid range of 3,600 to 43,200 seconds. The session duration, configured by the expireDuration parameter in the next step, must be less than or equal to the maximum session duration. We recommend that you set expireDuration to the same value as the Maximum Session Duration.
Log on to the ACK console. In the left navigation pane, click .
On the App Catalog page, enter ack-acr-acceleration-p2p in the search box, find the component, and then click its card.
On the component details page, click Deploy in the upper-right corner.
In the Create panel, select a Cluster and namespace, specify a release name, and then click Next.
On the Parameters panel, select the latest chart version. Set the acrInstances parameter to your ACR Enterprise Edition instance ID. If you have multiple instances, separate their IDs with commas (,). Configure the RRSA parameters as described in the following table.
Parameter | Description | Value |
rrsa.enable | Specifies whether to enable RRSA. | true |
rrsa.rrsaRoleARN | The ARN of the RAM role created in Account A. | Example: acs:ram::aaa |
rrsa.rrsaOIDCProviderRoleARN | The ARN of the OIDC provider for the cluster in Account A. | Example: acs:ram::bbb |
rrsa.assumeRoleARN | The ARN of the RAM role created in Account B. This parameter is not required for same-account scenarios. | Example: acs:ram::ccc |
rrsa.expireDuration | The session duration for the role created in Account B. This determines the validity period of the temporary credentials generated by the agent. This parameter is not required for same-account scenarios. Important: The value of expireDuration cannot be greater than the Maximum Session Duration of the role created in Account B. | The default value is 3600. The value must be between 3600 and 43200. Unit: seconds. You also need to set the Maximum Session Duration for the role in Account B to 43200. |
For information about other parameters, see Appendix.
Note: By default, the agent uses port 65001 on nodes. If a port conflict occurs, change the port number.
If the ACK cluster and the ACR Enterprise Edition instance are in the same region, you can leave the region and vpcId parameters empty. If they are in different regions, you must set the region parameter to the region of the ACR Enterprise Edition instance and the vpcId parameter to the ID of the VPC associated with the instance.
If you use very large container images, such as those for large models, you must adjust the P2P data caching mode based on your node configuration:
Data disk-based caching mode (default): Ensure that the data disk type on the node is AutoPL. Set p2p.v2.cache.mode to disk.
Memory-based caching mode: Ensure that the node has at least 8 GB of free memory, and then set p2p.v2.cache.mode to memory.
# The IDs of your ACR Enterprise Edition instances. To specify multiple IDs, separate them with commas (,). Example: "cri-xxx,cri-yyy"
acrInstances: ""
rrsa:
  enable: true
  rrsaRoleARN: ""
  rrsaOIDCProviderRoleARN: ""
  assumeRoleARN: ""
  expireDuration: 3600
# The region of the ACR Enterprise Edition instance. The default value is the region of the cluster.
# You must set this parameter if the cluster and the instance are in different regions, or if you access the instance from a self-managed cluster in a data center.
region: ""
# The VPC that is connected to the VPC of the ACR Enterprise Edition instance. The default value is the VPC of the cluster.
# You must set this parameter if the cluster and the instance are in different regions, or if you access the instance from a self-managed cluster in a data center through a VPC.
vpcId: ""
p2p:
  # The port used by the P2P agent in the host network.
  port: 65001
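As an added example that is not part of this topic or of the ack-acr-acceleration-p2p chart, the following Python pre-flight check validates a candidate RRSA trust policy, permission policy and expireDuration value against the constraints stated in this topic before you paste them into the RAM console: the audience sts.aliyuncs.com, the cluster's issuer URL and OIDC provider ARN, exactly the two agent service accounts in oidc:sub, only the two cr: read actions, and the 3600 to 43200 second window that must not exceed the role's Maximum Session Duration. The issuer URL and provider ARN in the sample are constructed placeholders.

```python
# Actions and service-account subjects taken from the policies in this topic.
ALLOWED_ACTIONS = {"cr:GetInstanceVpcEndpoint", "cr:ListInstanceEndpoint"}
AGENT_SUBJECTS = {
    "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
    "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa",
}

def check_trust_policy(policy, issuer_url, provider_arn):
    """Return findings; an empty list means the trust policy matches the topic's template."""
    findings = []
    for st in policy.get("Statement", []):
        cond = st.get("Condition", {}).get("StringEquals", {})
        if st.get("Action") != "sts:AssumeRole" or st.get("Effect") != "Allow":
            findings.append("statement is not an Allow on sts:AssumeRole")
        if cond.get("oidc:aud") != ["sts.aliyuncs.com"]:
            findings.append("oidc:aud must be exactly sts.aliyuncs.com")
        if cond.get("oidc:iss") != issuer_url:
            findings.append("oidc:iss is not the cluster's OIDC issuer URL (placeholder left in?)")
        if set(cond.get("oidc:sub", [])) != AGENT_SUBJECTS:
            findings.append("oidc:sub must list exactly the two agent service accounts")
        if st.get("Principal", {}).get("Federated") != [provider_arn]:
            findings.append("Principal.Federated must be the cluster's OIDC provider ARN")
    return findings

def check_permission_policy(policy):
    """Flag any Allow beyond the two read-only cr: actions the agent needs."""
    findings = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        extra = set([actions] if isinstance(actions, str) else actions) - ALLOWED_ACTIONS
        if st.get("Effect") == "Allow" and extra:
            findings.append(f"extra actions granted: {sorted(extra)}")
    return findings

def check_expire_duration(expire_duration, max_session_duration):
    """Apply the topic's limits on rrsa.expireDuration (seconds)."""
    findings = []
    if not 3600 <= expire_duration <= 43200:
        findings.append("expireDuration must be between 3600 and 43200")
    if expire_duration > max_session_duration:
        findings.append("expireDuration exceeds the role's Maximum Session Duration")
    return findings

# Constructed sample: the topic's templates with made-up (placeholder) issuer URL and provider ARN.
ISSUER, PROVIDER = "https://example-issuer.invalid", "acs:ram::EXAMPLE:oidc-provider/example"
SAMPLE_TRUST = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Federated": [PROVIDER]}, "Condition": {"StringEquals": {
    "oidc:aud": ["sts.aliyuncs.com"], "oidc:iss": ISSUER, "oidc:sub": sorted(AGENT_SUBJECTS)}}}]}
SAMPLE_PERMISSION = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": sorted(ALLOWED_ACTIONS), "Resource": "*"}]}
```

Run the three checks against the JSON you intend to apply; a wildcard such as cr:* or a leftover <oidc_issuer_url> placeholder shows up as a finding.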
Appendix
The following table describes some of the parameters for the ack-acr-acceleration-p2p component.
Parameter | Default (disk mode) | Default (memory mode) | Description |
blocksize | 256 | 256 | The size of a single data chunk requested from the source Object Storage Service (OSS). |
capacity | 4294967296 | 0 | The size of the disk cache. |
optionBlockSize | 67108864 | 8589934592 | The size of the memory cache. |
memoryCacheCapacityGB | 1 | 8 | |
aio | 0 | 0 | Specifies whether to enable libaio. This parameter is not applicable in memory mode. |
DeployConfig | | | |
proxyFsParallels | 128 | | The number of requests that the P2P agent can process concurrently. |
AgentConfig | | | |
connectTimeout (s) | 5 | | The timeout for the P2P agent to establish a connection with an upstream peer. |
transferTimeout (s) | 15 | | The data transfer timeout. A transfer is aborted if no data is received within this duration. |