Cloud Firewall: ACK cluster synchronization node

Last Updated:Aug 01, 2025

In Container Service for Kubernetes (ACK) clusters, node IP addresses frequently change due to dynamic scaling. You can create ACK cluster synchronization nodes to automatically synchronize the IP addresses of nodes in your ACK clusters to a Cloud Firewall address book. This reduces the manual workload of updating IP addresses and improves security.

Usage notes

  • Only ACK clusters that use the Terway network plug-in are supported. For more information about how to check the network plug-in type, see Container network FAQs.

  • Synchronization nodes must retrieve information about pods in ACK clusters. Therefore, when you create a synchronization node, you must grant the Cloud Firewall service-linked role the required RBAC permissions on the cluster.

Supported regions and zones

Supported regions and zones on the public cloud:

| Region | Region ID | Zone |
| --- | --- | --- |
| China (Chengdu) | cn-chengdu | Zone A, Zone B |
| China (Guangzhou) | cn-guangzhou | Zone A, Zone B |
| China (Shenzhen) | cn-shenzhen | Zone D, Zone E, Zone F |
| China (Beijing) | cn-beijing | Zone F, Zone G, Zone H, Zone I, Zone L |
| China (Shanghai) | cn-shanghai | Zone B, Zone G, Zone M, Zone N |
| China (Hangzhou) | cn-hangzhou | Zone H, Zone I, Zone J, Zone K |
| China (Hong Kong) | cn-hongkong | Zone B, Zone C |
| Singapore | ap-southeast-1 | Zone A, Zone B, Zone C |

Procedure

  1. Log on to the Cloud Firewall console. In the navigation pane on the left, choose Prevention Configuration > Synchronization Nodes. On the page that appears, click the ACK cluster tab, and then click Create Sync Node. The Create Sync Node page opens.

  2. Follow the on-screen instructions to grant permissions to the Cloud Firewall service-linked role, AliyunServiceRoleForCloudFW. You can click the link or button to go to the authorization page.

    Important
    • When you create a synchronization node in a cluster for the first time, you must grant the Cloud Firewall service-linked role at least the Restricted User RBAC permission on the cluster.

    • For access control, you can grant permissions on a specific namespace or on all namespaces.

    • If the permissions are incorrectly configured in this step, the health check will fail and prevent the node from being created.

    • For more information, see Use RBAC to grant operation permissions on resources in a cluster.

    After the authorization is successful, return to the node creation page and click Authorization completed to proceed.

    If an authorization issue occurs, you can click Unauthorized to remain on the current page.

  3. Enter the synchronization node information to create the node.

    Synchronization node parameters:

    • Synchronization Node Name: The name of the ACK synchronization node. We recommend that you enter a name that is easy to understand so that you can identify and use the synchronization node.

      Note: The name can be up to 64 characters in length and can contain Chinese characters, uppercase and lowercase letters, digits, and the following special characters: . _ -

    • ACK cluster type: Only ACK managed clusters are supported.

    • Account of ACK Cluster: Select the account to which the cluster to be synchronized belongs. Subsequent data is loaded based on your selection.

      Note: If you remove a member account or detach the cluster, the ACK cluster synchronization node is deleted.

    • Region: Select the region where the cluster is deployed.

    • Cluster: Select a specific cluster. If a newly created cluster is not displayed in the list, click the icon on the right of the list.

    • Zone and vSwitch: Select the zone and vSwitch for the node. After the selection, the corresponding IP address segment is displayed.

      Note:
      • If you have strict requirements for network planning, you can specify an IP address for the synchronization node. If you leave this parameter empty, an IP address is automatically assigned.
      • If you have disaster recovery requirements, you can configure two zones and vSwitches. If not required, you can click the trash can icon on the right to delete this row.

    • Synchronization Cycle: The interval at which the synchronization node scrapes the IP address information of pods in the cluster. The minimum interval is 10 seconds.

  4. After you enter the synchronization node information, click OK. The system automatically detects the settings and creates the synchronization node.

    Important

    If the RBAC permissions granted to Cloud Firewall in the authorization step are insufficient, node creation fails.
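As an added illustration (not Cloud Firewall's own code), the following Python models what a synchronization node does with the pod information it is authorized to read: from a constructed pod list in the shape of `kubectl get pods -A -o json` output, it collects the IPs of Running pods in the namespaces the RBAC grant covers, reconciles them against an existing address book, and enforces the 10-second minimum synchronization cycle. The Running-only filter, the namespace filter and the reconciliation logic are assumptions for the example, not documented product behaviour.

```python
import ipaddress
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to
# the fields used here. Not output from a real cluster.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web-0"},
     "status": {"phase": "Running", "podIP": "192.168.10.21"}},
    {"metadata": {"namespace": "default", "name": "web-1"},
     "status": {"phase": "Running", "podIP": "192.168.10.22"}},
    {"metadata": {"namespace": "batch", "name": "job-done"},
     "status": {"phase": "Succeeded", "podIP": "192.168.10.40"}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-0"},
     "status": {"phase": "Running", "podIP": "192.168.10.5"}},
    {"metadata": {"namespace": "default", "name": "pending-0"},
     "status": {"phase": "Pending"}},  # scheduled, no IP assigned yet
]})

MIN_SYNC_INTERVAL_SECONDS = 10  # lower bound stated in the product documentation


def running_pod_ips(pod_list_json, namespaces=None):
    """IPs of Running pods, limited to `namespaces` when given (assumption: this
    mirrors a namespace-scoped RBAC grant; a cluster-wide grant passes None)."""
    ips = set()
    for item in json.loads(pod_list_json)["items"]:
        if namespaces is not None and item["metadata"]["namespace"] not in namespaces:
            continue
        status = item.get("status", {})
        ip = status.get("podIP")
        if status.get("phase") != "Running" or not ip:
            continue  # terminated or not-yet-scheduled pods carry no usable IP
        ipaddress.ip_address(ip)  # reject malformed data instead of syncing it
        ips.add(ip)
    return ips


def reconcile(address_book, observed):
    """Return (to_add, to_remove) so that address_book becomes equal to observed."""
    return observed - address_book, address_book - observed


def validate_cycle(seconds):
    """Enforce the documented 10-second minimum synchronization cycle."""
    if seconds < MIN_SYNC_INTERVAL_SECONDS:
        raise ValueError(f"synchronization cycle must be at least {MIN_SYNC_INTERVAL_SECONDS}s")
    return seconds
```

Calling `reconcile({"192.168.10.21", "192.168.10.99"}, running_pod_ips(SAMPLE_POD_LIST, {"default"}))` yields the entry to add (web-1's IP) and the stale entry to remove, which is the change a sync cycle would push to the address book.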

Other operations

After a synchronization node is created, it appears in the list.

Operations:

  • Details: View the configuration details of the synchronization node.

  • Modify: Modify the information about the synchronization node.

    Note

    In the current version, you can modify only the Synchronization Node Name and Synchronization Cycle. To modify other information, you must delete the node and create a new one.

  • Delete: Delete the synchronization node.

    Note

    If the synchronization node is referenced by an address book, you must first delete the address book before you can delete the synchronization node.

Status:

  • Instance Status: The status of the synchronization node instance.

  • Health Status: The operational status of the synchronization node. If the node is unhealthy, you can move the pointer over the status icon to view the cause.

Usage:

After the synchronization node is created, you can reference it in an ACK address book. For more information, see Create a custom address book.