
Cloud Firewall: ACK cluster synchronization node

Last Updated: Apr 08, 2025

In Container Service for Kubernetes (ACK) clusters, the IP addresses of nodes frequently change due to the dynamic scaling of nodes. You can create ACK cluster synchronization nodes to automatically synchronize the IP addresses of nodes in ACK clusters to an address book of Cloud Firewall. This reduces the workload of manual updates and improves security.

Usage notes

  • Only ACK clusters that use the Terway network plug-in are supported. For more information about the supported network plug-in types, see FAQs about container networks.

  • Synchronization nodes need to obtain information about pods in ACK clusters. Therefore, when you create a synchronization node, you must grant role-based access control (RBAC) permissions to the service-linked role of Cloud Firewall on the ACK cluster to which the synchronization node belongs.

Procedure

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Prevention Configuration > Synchronization Nodes. On the ACK cluster tab, click Create Sync Node to go to the Create Sync Node panel.


  2. Grant permissions to the AliyunServiceRoleForCloudFW service-linked role based on the on-screen instructions. To go to the authorization page, choose Container Service > Authorization Management > RAM Role, or click Ready, go to authorization.


    Important
    • The first time you create a synchronization node in an ACK cluster, you must grant the service-linked role of Cloud Firewall at least the Restricted User RBAC permission on the ACK cluster.

    • You can select a specific namespace or all namespaces for access control based on your business requirements.

    • If the required permissions are incorrectly configured, the health check fails. As a result, the synchronization node fails to be created.

    • For more information, see Use RBAC to manage the operation permissions on resources in a cluster.

    After the authorization is complete, go back to the Cloud Firewall console and click Authorization completed to proceed to the next step.

    If the authorization fails, click Unauthorized.


  3. In the Create a synchronization node step, configure the following parameters.

    Parameters for creating a synchronization node:

    • Synchronization Node Name: Specify a name for the ACK cluster synchronization node. We recommend that you specify an informative name to help you identify and use the synchronization node.

      Note: The name can be up to 64 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • ACK cluster type: Only ACK managed clusters are supported.

    • Account of ACK Cluster: Select the account to which the ACK cluster belongs. Subsequent data is loaded based on the account that you select.

      Note: If you perform an operation on the ACK cluster such as removing a member or disassociating the ACK cluster from the account, the synchronization node is also deleted.

    • Region: Select the region where the ACK cluster is deployed.

    • Cluster: Select the ACK cluster for which you want to create the synchronization node. If the required ACK cluster is not displayed, click the icon on the right side of the list to reload it.

    • Zone and vSwitch: Select a zone and vSwitch for the synchronization node. After you select a zone and vSwitch, the corresponding CIDR block is displayed.

      Note:
      • If you have strict requirements for network planning, you can specify an IP address for the synchronization node. If you do not specify an IP address, a random IP address is automatically assigned.

      • If you have requirements for disaster recovery, you can specify two zones and vSwitches. If you do not have such requirements, click the trash can icon on the right side to delete the second row.

    • Synchronization Cycle: Specify the schedule on which the synchronization node obtains the IP addresses of pods in the ACK cluster. The minimum value is 10 seconds.

  4. After you configure the parameters, click OK. Then, the system checks the specified information and creates the synchronization node.

    Important

    If the RBAC permissions granted to Cloud Firewall do not meet the requirements, the synchronization node fails to be created.

More operations

After the synchronization node is created, the node is displayed in the synchronization node list.


Operations:

  • Details: You can view the details of the synchronization node.

  • Modify: You can modify the information about the synchronization node.

    Note

    You can modify only the values of Synchronization Node Name and Synchronization Cycle. To change any other setting, delete the synchronization node and create a new one.

  • Delete: You can delete the synchronization node.

    Note

    If the synchronization node is referenced by an address book, you must first delete the address book before you can delete the synchronization node.

Status:

  • Status: the status of the synchronization node.

  • Health Status: the working status of the synchronization node. If the value of Health Status is Unhealthy, you can move the pointer over the related icon to view the cause.

Usage:

After the synchronization node is created, you can reference the node in an ACK address book. For more information, see Create a custom address book.