This topic introduces serverless Kubernetes (ASK) clusters and describes the benefits, use scenarios, and key features of ASK clusters. This topic also compares ASK clusters with Container Service for Kubernetes (ACK) clusters.

Introduction

ASK is a serverless Kubernetes service provided by Alibaba Cloud. ASK clusters allow you to deploy containerized applications without the need to purchase nodes. You do not need to perform capacity planning or operations and maintenance (O&M) tasks on the nodes. You are charged based on the CPU and memory resources that are configured for your applications. ASK clusters are compatible with Kubernetes and make it easy to get started with Kubernetes. You can focus on the design and development of your applications instead of the underlying infrastructure.

Each pod in an ASK cluster runs in a secure and isolated container runtime that is built on an elastic container instance. The underlying computing resources of each elastic container instance are isolated by lightweight virtual sandboxes. Elastic container instances do not affect each other.

ASK clusters are classified into ASK standard clusters and ASK Pro clusters. ASK Pro clusters are developed based on ASK standard clusters and provide higher reliability and security in large-scale production environments for enterprise users. ASK Pro clusters are also covered by SLAs that include compensation clauses. For more information about ASK Pro clusters, see ASK Pro cluster overview.

Benefits

Benefit | Description
Out-of-the-box | You can quickly create ASK clusters and deploy applications in ASK clusters without the need to manage Kubernetes nodes and servers.
Ultralarge capacity | You can create more than 20,000 pods in an ASK cluster without the need to add additional configurations or design the size of the cluster.
Second-level scaling | You can create thousands of pods within a short period of time to handle traffic spikes.
Predictive scaling | ASK can predict resource demand based on historical data and then scale resources promptly during peak hours.
Compatibility with cloud-native services | ASK is fully compatible with Kubernetes and supports Kubernetes-native applications and ecosystems. You can seamlessly migrate Kubernetes applications to ASK.
Security isolation | You can deploy pods on elastic container instances. Instances on which pods are deployed are isolated from each other by using the lightweight virtual sandbox technology.
Cost savings | Pods are created on demand. You are charged based on the resources used by your applications. The serverless architecture helps avoid resource waste and reduce O&M costs.
Service integration | You can seamlessly integrate containerized applications with the fundamental services of Alibaba Cloud. Containers can communicate with applications deployed on virtual machines.
ASK Pro clusters | Compared with ASK standard clusters, ASK Pro clusters are more reliable, ensure higher service uptime, and allow you to deploy more pods. You can seamlessly upgrade ASK standard clusters to ASK Pro clusters.

Comparison between ASK and ACK

The following figure compares an ACK cluster with an ASK cluster.

[Figure: Comparison between ASK and ACK]

Use scenarios

Use scenario | Description
Application hosting | In ASK clusters, you do not need to manage or maintain nodes, or perform cluster sizing. This reduces the costs of infrastructure management and O&M.
Traffic spikes | For workloads that periodically fluctuate, such as online education and e-commerce applications, ASK clusters can automatically scale resources based on workload requirements. This prevents resource waste, reduces computing costs, and ensures a smooth user experience when traffic spikes occur. For more information, see Auto scaling overview.
Data computing | To meet the computing requirements of applications such as Spark, ASK clusters can start a large number of pods within a short period of time to process tasks. When the tasks are terminated, the pods are automatically released to stop billing. This greatly reduces the computing costs. For more information, see Use ASK to create Spark tasks.
CI/CD | You can use ASK clusters to build continuous integration (CI) environments by using tools such as Jenkins or GitLab-Runner. You can set up an application delivery pipeline that covers stages such as source code compilation, image building and pushing, and application deployment. The continuous integration tasks are isolated from each other for enhanced security. You do not need to maintain specific resource pools. This reduces computing costs. For more information, see Elastic and cost-effective CI/CD based on ASK.
CronJobs | You can run CronJobs in ASK clusters. Billing automatically stops when the jobs are terminated. You do not need to maintain specific resource pools. This avoids resource waste. For more information, see CronHPA.

Key features

ASK is fully compatible with Kubernetes and supports all features of Kubernetes. In addition to these features, you also need to take note of the following features when you deploy applications in ASK clusters.

ECI Profile

ASK deploys pods on elastic container instances and allows you to configure the Elastic Container Instance (ECI) profile to control the behavior of a cluster and the pods in the cluster in a fine-grained manner. The ECI profile is a ConfigMap named eci-profile that belongs to the kube-system namespace. The following table describes the parameters included in the ECI profile.
Parameter | Description
vpcId | The unique identifier of the virtual private cloud (VPC) in which the pod is deployed.
securityGroupId | The unique identifier of the security group of the VPC.
vSwitchIds | The unique identifier of the vSwitch in the VPC. Multiple vSwitch IDs are separated by commas (,). Virtual nodes are generated based on vSwitches.
selectors | The pod selector. The pod selector can select pods based on namespaces or labels, and automatically add annotations or labels.
enableClusterIp | Specifies whether to use the ClusterIP. Default value: true.
enableLogController | Specifies whether to enable the Alibaba Cloud log controller. Default value: false.
enablePVCController | Specifies whether to enable the persistent volume claim (PVC) controller. Default value: false.
enablePrivateZone | Specifies whether to enable the service discovery feature of PrivateZone. Default value: false.
featureGates | Specifies whether to enable feature gates.

For more information, see Elastic Container Instance overview.

Virtual nodes

You do not need to manage nodes when you use ASK clusters. To ensure compatibility with Kubernetes, ASK allows you to view the virtual nodes in an ASK cluster. Virtual nodes provide large amounts of compute resources to allow ASK clusters to scale on demand and handle traffic spikes. Virtual nodes are generated based on the vSwitch IDs specified in the eci-profile ConfigMap. Virtual nodes do not occupy compute resources.

Pod configurations

When you create pods in an ASK cluster, you can customize the pods by adding annotations to the pods. The following table describes the annotations that you can add.
Important
  • The annotations described in the following table are applicable only to the pods that are scheduled to virtual nodes. These pods run on elastic container instances. The annotations cannot be added to the pods that are scheduled to regular nodes.
  • Add annotations to the metadata field of the pods. For example, when you configure a Deployment, add annotations in the spec.template.metadata field.
  • Pod annotations have a higher priority than the settings that correspond to the same feature in the ECI profile.
Annotation | Example | Description | Reference
k8s.aliyun.com/eci-security-group | sg-bp1dktddjsg5nktv**** | The ID of the security group. | Configure a security group
k8s.aliyun.com/eci-vswitch | vsw-bp1xpiowfm5vo8o3c**** | The IDs of the vSwitches. You can specify multiple vSwitches across zones. | Specify multiple zones to create an elastic container instance-based pod
k8s.aliyun.com/eci-schedule-strategy | VSwitchOrdered | The multi-zone scheduling policy. Valid values: VSwitchOrdered (resources in the specified zones are scheduled based on the order in which the vSwitches are specified) and VSwitchRandom (resources in the specified zones are randomly scheduled). |
k8s.aliyun.com/eci-ram-role-name | AliyunECIContainerGroupRole | The Resource Access Management (RAM) role that ECI assumes to access other Alibaba Cloud services. | Configure RAM roles
k8s.aliyun.com/eci-use-specs | 2-4Gi,4-8Gi,ecs.c6.xlarge | The specifications of elastic container instances. You can specify multiple specifications, such as the number of vCPUs and the memory size. You can also specify an ECS instance type. | Specify multiple instance specifications to create an elastic container instance
k8s.aliyun.com/eci-spot-strategy | SpotAsPriceGo | The bidding policy of the preemptible instance. Valid values: SpotAsPriceGo (the instance is billed at the market price at the time of purchase) and SpotWithPriceLimit (you must specify the highest price that you want to pay for the preemptible instance). | Create a preemptible instance
k8s.aliyun.com/eci-spot-price-limit | 0.5 | The highest price of the preemptible instance. Note: This parameter is valid only when k8s.aliyun.com/eci-spot-strategy is set to SpotWithPriceLimit. |
k8s.aliyun.com/eci-cpu-option-core | 2 | The number of physical CPU cores. | Custom CPU options
k8s.aliyun.com/eci-cpu-option-ht | 1 | The number of threads per core. |
k8s.aliyun.com/eci-reschedule-enable | "true" | Specifies whether to enable rescheduling for elastic container instances. | Configure rescheduling for elastic container instances
k8s.aliyun.com/pod-fail-on-create-err | "true" | Specifies whether to set the status of the elastic container instances to Failed if pods fail to be created on the elastic container instances. | Set the status of elastic container instances to Failed when pods fail to be created
k8s.aliyun.com/eci-image-snapshot-id | imc-2zebxkiifuyzzlhl**** | The ID of the image cache. Note: To use an image cache to create an elastic container instance, you can specify the image cache that you want to use or enable automatic matching for image caches. We recommend that you enable automatic matching for image caches. | Use image caches to accelerate the creation of pods
k8s.aliyun.com/eci-image-cache | "true" | Specifies whether to enable automatic matching for image caches. Note: To use an image cache to create an elastic container instance, you can specify the image cache that you want to use or enable automatic matching for image caches. We recommend that you enable automatic matching for image caches. |
k8s.aliyun.com/acr-instance-id | cri-j36zhodptmyq**** | The ID of the Container Registry Enterprise Edition instance. You can specify a Container Registry Enterprise Edition instance that resides in a region different from the region of the elastic container instance. To do this, you must add the region name of the Container Registry Enterprise Edition instance before the ID of the Container Registry Enterprise Edition instance. Example: "cn-beijing:cri-j36zhodptmyq****". | Pull images from a Container Registry Enterprise Edition instance without using passwords
k8s.aliyun.com/eci-eip-instanceid | eip-bp1q5n8cq4p7f6dzu**** | The ID of the elastic IP address (EIP). | Associate an EIP with an elastic container instance
k8s.aliyun.com/eci-with-eip | "true" | Specifies whether to automatically create an EIP and associate the EIP with the elastic container instance. |
k8s.aliyun.com/eip-bandwidth | 5 | The bandwidth value for the EIP. |
k8s.aliyun.com/eip-common-bandwidth-package-id | cbwp-2zeukbj916scmj51m**** | The ID of the EIP bandwidth plan. |
k8s.aliyun.com/eip-isp | BGP | The line type of the EIP. This annotation is applicable only to pay-as-you-go EIPs. Valid values: BGP (BGP (Multi-ISP) lines) and BGP_PRO (BGP (Multi-ISP) Pro lines). |
k8s.aliyun.com/eip-internet-charge-type | PayByBandwidth | The metering method of the EIP. Valid values: PayByBandwidth (pay-by-bandwidth) and PayByTraffic (pay-by-data-transfer). |
k8s.aliyun.com/eci-enable-ipv6 | "true" | Specifies whether to assign an IPv6 address to the instance. | Assign an IPv6 address to an elastic container instance
k8s.aliyun.com/eci-ipv6-bandwidth-enable | "true" | Specifies whether to enable IPv6 Internet communication for the elastic container instance. |
k8s.aliyun.com/eci-ipv6-bandwidth | 100M | The peak public bandwidth of the IPv6 address. |
kubernetes.io/ingress-bandwidth | 40M | The inbound bandwidth. | Limit the bandwidth of an elastic container instance
kubernetes.io/egress-bandwidth | 20M | The outbound bandwidth. |
k8s.aliyun.com/eci-extra-ephemeral-storage | 50Gi | The temporary storage capacity. | Customize the temporary storage capacity
k8s.aliyun.com/eci-eviction-enable | "true" | Specifies whether to automatically evict pods that do not have sufficient temporary storage space from elastic container instances. | Automatically evict pods that do not have sufficient temporary storage space from elastic container instances
k8s.aliyun.com/eci-core-pattern | /pod/data/dump/core | The directory in which core dump files are stored. | View core dump files
k8s.aliyun.com/eci-ntp-server | 100.100.*.* | The IP address of the Network Time Protocol (NTP) server. | Configure the NTP service for pods
k8s.aliyun.com/plain-http-registry | "harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80" | The IP address of the self-managed image repository. When you create an elastic container instance by using an image in a self-managed image repository that uses the HTTP protocol, you must specify this parameter. This allows Elastic Container Instance to pull the image over HTTP. This avoids image pull failures due to the use of different protocols. | Use self-managed image repositories
k8s.aliyun.com/insecure-registry | "harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80" | The domain name of the self-managed image repository. When you create an elastic container instance by using an image in a self-managed image repository that uses a self-signed certificate, you must add this annotation to the instance to skip the certificate authentication. This avoids image pull failures due to certificate authentication failures. |

For more information, see Annotations supported by Elastic Container Instance.

Network management

By default, Elastic Container Instance-based pods use the host network mode. Each pod must be assigned an elastic network interface (ENI) by the vSwitch. This enables communications with the Elastic Compute Service (ECS) instances and Relational Database Service (RDS) instances in the virtual private cloud (VPC) where the cluster is deployed.

Feature | Description
Service
  • You can create ClusterIP and LoadBalancer Services.
  • You cannot create NodePort Services because ASK clusters do not support node-relevant features.
Ingress
  • SLB Ingress: supports Layer 7 traffic forwarding based on Server Load Balancer (SLB) instances without controllers. For more information, see Ingress demo.
  • NGINX Ingress: allows you to create NGINX Ingresses after nginx-ingress-controller is deployed. For more information, see ingress-nginx demo.
Service discovery | To use the service discovery feature within a cluster, enable PrivateZone or CoreDNS when you create the cluster. You can also use the ECI profile to enable PrivateZone or install the CoreDNS component from the Add-ons page of the ACK console after the cluster is created.
EIPs | You can associate EIPs with Elastic Container Instance-based pods. You can automatically create an EIP for an Elastic Container Instance-based pod or associate an existing EIP with an Elastic Container Instance-based pod.

Storage management

You can mount block storage or Apsara File Storage NAS (NAS) file systems to pods.
Storage | Description
Block storage (disks)
  • To mount a disk by using FlexVolume, you do not need to install FlexVolume. You can mount a disk by specifying the disk ID. For more information, see disk-flexvolume-static.yaml demo. You can also dynamically provision disks as volumes. For more information, see disk-flexvolume-dynamic.yaml demo.
  • To dynamically provision disks by creating persistent volumes (PVs) and persistent volume claims (PVCs), you must first install disk-controller. For more information, see disk-pvc-dynamic.yaml demo.
Apsara File Storage NAS (NAS)
  • To use NFS volumes, you can mount NAS file systems by using NFS. For more information, see nas-nfsvolume.yaml demo.
  • To statically provision NAS file systems as volumes by using FlexVolume, you can directly specify the mount target without the need to install FlexVolume. For more information, see nas-flexvolume.yaml demo.
  • To statically provision NAS file systems as volumes by creating PVs and PVCs, you must first install disk-controller. For more information, see nas-pvc.yaml demo.

Observability

Method | Description
Logs | You can modify the eci-profile ConfigMap to enable Log Service for an ASK cluster. Then, the ASK cluster can collect pod logs. For more information, see Use Log Service to collect application logs.
Monitoring | You can install the arms-prometheus component to enable cluster monitoring for an ASK cluster. For more information, see Enable ARMS Prometheus.

Image management

Auto scaling

ASK clusters do not contain real nodes. You do not need to be concerned about node capacity planning or cluster expansion by using cluster-autoscaler. You only need to scale applications to meet your business requirements. We recommend that you configure Horizontal Pod Autoscaler (HPA) or CronHPA policies to adjust the number of pods on demand. For more information, see Auto scaling overview.

Authorization management

If your application pods need to access Alibaba Cloud services, you can configure RAM Roles for Service Accounts (RRSA) to complete authorization.

Cluster management

Feature | Description
Intelligent O&M | You can use the intelligent O&M feature to periodically check the health status of ASK clusters, or run prechecks on clusters to be upgraded or migrated.
Upgrade | You can upgrade ASK clusters without service interruptions.
ASK Pro | ASK Pro clusters are more reliable, ensure higher service uptime, and allow you to create more pods.
Migration | You can upgrade trial ASK clusters or ASK standard clusters to ASK Pro clusters for higher service availability.

Component management

ASK provides a variety of components and extended cluster features. You can deploy, update, or uninstall components on demand. For more information, see Manage components.

Application management

You can install Helm charts from the Marketplace page in the Container Service for Kubernetes (ACK) console and then manage them on the Helm page. For more information, see Use Helm to simplify application deployment.

Billing

ASK clusters are classified into ASK standard clusters and ASK Pro clusters. The billable items and billing rules vary based on the type of ASK clusters. For more information, see ASK Billing.

Limits

ASK clusters have the following limits:

  • ASK clusters do not support DaemonSets. You can replace DaemonSets with sidecar containers.
  • You cannot specify HostPath or HostNetwork in pod manifests.
  • ASK clusters do not support privileged containers. You can use a security context to add capabilities to a pod.
  • ASK clusters do not support NodePort Services.
  • ASK clusters cannot retrieve ECS metadata.
  • ASK clusters do not support the China East Finance, China South Finance, or Alibaba Gov Cloud regions.
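
The limits above and the annotation rules under Pod configurations can be checked before a manifest is applied. The following Python lint is an added example, not Alibaba Cloud code: it assumes manifests are already parsed into dictionaries, and the names lint, pod_template, REVIEW and SAMPLE are hypothetical.

```python
# Added example, not Alibaba Cloud code. Manifests are parsed dicts (e.g. from YAML).
REVIEW = {  # annotations from the table above that relax image-pull transport checks
    "k8s.aliyun.com/plain-http-registry": "images are pulled over HTTP",
    "k8s.aliyun.com/insecure-registry": "certificate authentication is skipped",
}
SPOT_STRATEGY = "k8s.aliyun.com/eci-spot-strategy"
SPOT_LIMIT = "k8s.aliyun.com/eci-spot-price-limit"

def pod_template(manifest):
    """Return (metadata, spec) of the pod that a Pod or workload manifest creates."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata") or {}, manifest.get("spec") or {}
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":  # pod template is nested one level deeper
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    template = spec.get("template") or {}
    return template.get("metadata") or {}, template.get("spec") or {}

def lint(manifest):
    """Return findings for one manifest: ASK limits, then annotation rules."""
    kind, findings = manifest.get("kind"), []
    if kind == "Service":
        node_port = (manifest.get("spec") or {}).get("type") == "NodePort"
        return ["limit: NodePort Services are not supported"] if node_port else []
    if kind == "DaemonSet":
        findings.append("limit: DaemonSets are not supported; use sidecar containers")
    meta, spec = pod_template(manifest)
    if spec.get("hostNetwork"):
        findings.append("limit: HostNetwork cannot be specified")
    if any("hostPath" in vol for vol in spec.get("volumes") or []):
        findings.append("limit: HostPath cannot be specified")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"limit: container {c.get('name')} is privileged")
    annotations = meta.get("annotations") or {}
    for key, why in REVIEW.items():
        if key in annotations:
            findings.append(f"review: {key} ({why}): {annotations[key]}")
    if annotations.get(SPOT_STRATEGY) == "SpotWithPriceLimit" and SPOT_LIMIT not in annotations:
        findings.append(f"config: {SPOT_LIMIT} is required with SpotWithPriceLimit")
    if kind != "Pod":  # annotations on the workload itself are not pod annotations
        for key in (manifest.get("metadata") or {}).get("annotations") or {}:
            if key.startswith("k8s.aliyun.com/"):
                findings.append(f"config: {key} is on the {kind}, not its pod template")
    return findings

SAMPLE = {  # constructed Deployment for illustration, not from the page
    "kind": "Deployment", "metadata": {"annotations": {"k8s.aliyun.com/eci-with-eip": "true"}},
    "spec": {"template": {
        "metadata": {"annotations": {
            "k8s.aliyun.com/insecure-registry": "registry.example.internal",
            SPOT_STRATEGY: "SpotWithPriceLimit"}},
        "spec": {"hostNetwork": True,
                 "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
                 "containers": [{"name": "app", "securityContext": {"privileged": True}}]}}},
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Findings prefixed with "limit" correspond to items in the list above, "review" marks annotations that should be confined to registries you control, and "config" marks annotation placement or dependency errors.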

Contact us

If you have questions about ASK clusters, join the DingTalk group 31544226.