In an ACK cluster, dynamic node scaling causes frequent changes to IP addresses. You can use an ACK cluster synchronization node to automatically synchronize the node IP addresses within your ACK cluster to a Cloud Firewall address book. This reduces manual updates and enhances security.
Prerequisites
Only ACK clusters that use the Terway network plugin are supported. To check the network plugin type, see Container network FAQ.
Because a synchronization node needs to retrieve Pod information from the cluster, you must grant the Cloud Firewall service-linked role RBAC permissions to the cluster when you create a synchronization node.
Supported regions and zones
Public cloud regions and zones
Region | Region ID | Zone |
China (Chengdu) | cn-chengdu | Zone A, Zone B |
China (Guangzhou) | cn-guangzhou | Zone A, Zone B |
China (Shenzhen) | cn-shenzhen | Zone D, Zone E, Zone F |
China (Beijing) | cn-beijing | Zone F, Zone G, Zone H, Zone I, Zone L |
China (Shanghai) | cn-shanghai | Zone B, Zone G, Zone M, Zone N |
China (Hangzhou) | cn-hangzhou | Zone H, Zone I, Zone J, Zone K |
China (Hong Kong) | cn-hongkong | Zone B, Zone C |
Singapore | ap-southeast-1 | Zone A, Zone B, Zone C |
South Korea (Seoul) | ap-northeast-2 | Zone A, Zone B |
Procedure
Log on to the Cloud Firewall console. In the left-side navigation pane, choose . On the page that appears, click the ACK cluster tab, and then click Create Sync Node. The Create Sync Node panel appears.
Follow the on-screen instructions to grant permissions to the Cloud Firewall service-linked role (AliyunServiceRoleForCloudFW). You can click the link or button to go to the authorization page.
ImportantWhen you create a synchronization node for a cluster for the first time, you must grant the Cloud Firewall service-linked role at least the Restricted User or higher RBAC permissions to the cluster.
You can grant permissions for specific namespaces that require access control or for all namespaces, based on your requirements.
Incorrect permission settings in this step will cause the final health check to fail, preventing the node from being created.
For more information about authorization, see Use RBAC to authorize operations on cluster resources.
After successful authorization, return to the node creation panel and click Authorization completed to proceed to the next step.
If an issue occurs during authorization, click Unauthorized to remain on the current page.
Enter the synchronization node information to complete the creation.
After you enter the synchronization node information, click OK. The system then automatically detects the settings and creates the synchronization node.
ImportantIf the Authorize Cloud Firewall RBAC permissions do not meet the requirements, this step will fail.
Other operations
After the synchronization node is created, it appears in the list.
The synchronization node instance list includes the following columns: Synchronization node instance ID/name, VPC, ACK cluster's account, ACK cluster ID/name, Creation time, Instance status, Health status, and Actions.
Actions
Details: View the configuration details of the synchronization node.
Modify: Edit the information of the synchronization node.
NoteCurrently, you can modify only the Synchronization Node Name and Synchronization Cycle. To modify other settings, you must delete and recreate the node.
Delete: Delete the current synchronization node.
NoteIf an address book references a synchronization node, you must delete the address book before you can delete the node.
Statuses
Instance status: Indicates the current state of the synchronization node instance.
Health status: Indicates the operational state of the synchronization node. If the node is unhealthy, you can hover over the status icon to view the cause. For example, if the instance status is abnormal, an error message such as "The specified ACK cluster does not exist" is displayed, and the health status is Unhealthy. You can click the question mark icon next to Unhealthy to view detailed information.
Usage
After you successfully create a synchronization node, you can reference it in an ACK address book. For more information, see Create an address book.