This topic provides answers to some frequently asked questions about cluster creation.
Which network plug-in should I select?
You can select Flannel or Terway as the network plug-in.
- Flannel
When you create a Container Service for Kubernetes (ACK) cluster, you must specify CIDR blocks for the virtual private cloud (VPC), vSwitches, pods, and Services. The VPC CIDR block and vSwitch CIDR block are used by IaaS resources. The vSwitch CIDR block must fall within the VPC CIDR block. The pod CIDR block assigns IP addresses to pods on ECS instances in your cluster and cannot overlap with the Service CIDR block. The Service CIDR block assigns IP addresses to Services in your cluster for internal communication and cannot overlap with the pod CIDR block.
The following limits apply to these CIDR blocks:
- The pod CIDR block cannot overlap with the VPC CIDR block.
- The pod CIDR block cannot overlap with the Service CIDR block.
- The IP address of a Service is effective only within the cluster.
- The Service CIDR block cannot overlap with the VPC CIDR block.
- The Service CIDR block cannot overlap with the pod CIDR block.
If you want to create multiple ACK clusters, configure their CIDR blocks with caution to prevent network errors. For more information, see Plan CIDR blocks for an ACK cluster.
- Terway
In Terway mode, you must configure CIDR blocks for node vSwitches and pod vSwitches in addition to the preceding CIDR blocks.
When you create a cluster that uses Terway, you must create two vSwitches in the same zone within the VPC.
- The node vSwitch that is used to assign IP addresses to nodes in the zone.
- The pod vSwitch that is used to assign IP addresses to pods that are deployed on nodes in the zone.
The following table shows sample CIDR blocks that you can use to create a cluster.

| VPC CIDR block | Node vSwitch CIDR block | Pod vSwitch CIDR block | Service CIDR block |
| --- | --- | --- | --- |
| 192.168.0.0/16 | 192.168.0.0/19 | 192.168.32.0/19 | 172.21.0.0/20 |

For more information, see Work with Terway and Overview.
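The CIDR rules above can be checked before a cluster is created. The following is an added example, not part of the ACK documentation or tooling: it validates a Flannel or Terway plan against the limits listed in this answer. The function name, parameter names, the Flannel sample plan, and the vSwitch non-overlap check are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def check_cidr_plan(mode, vpc, vswitches, service, pod=None):
    """Return the list of rule violations; an empty list means the plan passes.

    mode is "flannel" (pod = the pod CIDR block) or "terway" (pods draw
    addresses from the pod vSwitches listed in vswitches). Function and
    parameter names are illustrative. Malformed CIDRs raise ValueError.
    """
    vpc_n = ipaddress.ip_network(vpc)
    svc_n = ipaddress.ip_network(service)
    vsw = {name: ipaddress.ip_network(c) for name, c in vswitches.items()}
    problems = []
    # Every vSwitch CIDR block must fall within the VPC CIDR block.
    for name, n in vsw.items():
        if not n.subnet_of(vpc_n):
            problems.append(f"{name} {n} is not within VPC {vpc_n}")
    # Assumption (not stated on the page): vSwitches in one VPC do not overlap.
    for (a, na), (b, nb) in combinations(vsw.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    # The Service CIDR block cannot overlap with the VPC CIDR block.
    if svc_n.overlaps(vpc_n):
        problems.append(f"Service {svc_n} overlaps VPC {vpc_n}")
    if mode == "flannel":
        # The pod CIDR block cannot overlap with the VPC or Service CIDR block.
        pod_n = ipaddress.ip_network(pod)
        if pod_n.overlaps(vpc_n):
            problems.append(f"pod {pod_n} overlaps VPC {vpc_n}")
        if pod_n.overlaps(svc_n):
            problems.append(f"pod {pod_n} overlaps Service {svc_n}")
    return problems

# Sample Terway plan taken from the table above.
TERWAY_SAMPLE = dict(mode="terway", vpc="192.168.0.0/16", service="172.21.0.0/20",
    vswitches={"node vSwitch": "192.168.0.0/19", "pod vSwitch": "192.168.32.0/19"})
# Constructed Flannel plan: the pod CIDR block sits inside the VPC range.
FLANNEL_BAD = dict(mode="flannel", vpc="192.168.0.0/16", service="172.21.0.0/20",
    vswitches={"vSwitch": "192.168.0.0/19"}, pod="192.168.128.0/17")

if __name__ == "__main__":
    for plan in (TERWAY_SAMPLE, FLANNEL_BAD):
        print(plan["mode"], check_cidr_plan(**plan) or "OK")
```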
Why are two SLB instances created after I create an ACK cluster? Should I install an Ingress controller?
The two Server Load Balancer (SLB) instances are created for the API server of the cluster and the Ingress controller in the cluster.
- API Server
The API server is a key component that is deployed on master nodes in a Kubernetes cluster. The API server is the core of the Kubernetes system and interacts with worker nodes and other components on master nodes.
The API server serves as a router in the cluster. ACK creates an internal-facing SLB instance of the minimum specifications. The SLB instance is billed on a pay-as-you-go basis with a monthly cost of about CNY 15. You can change the specifications of the SLB instance. The SLB instance used by the API server must be created by ACK. Otherwise, the cluster cannot work as expected.
Note
- If you want to access the cluster over the Internet, you must select Expose API Server with EIP when you create the cluster. This way, an elastic IP address (EIP) is associated with the API server. The EIP is billed on a pay-as-you-go basis.
- If you do not select Expose API Server with EIP when you create the cluster, you must manually associate an EIP with the API server after the cluster is created.
For more information, see Control public access to the API server of a cluster.
- Ingress controller
- When you create an ACK cluster, we recommend that you install an Ingress controller.
ACK provides the NGINX Ingress controller and creates an SLB instance to work together
with the NGINX Ingress controller. When you create a cluster, you can use the default
SLB instance specification and network type for the NGINX Ingress controller. By default,
the SLB instance is billed on a pay-as-you-go basis. For more information, see Ingress overview.
Note You can manually change the configuration of the SLB instance that is associated with the NGINX Ingress controller. For more information, see Considerations for configuring a LoadBalancer type Service.
- If you do not install the NGINX Ingress controller when you create the cluster, you can go to the cluster details page in the ACK console and choose Manage system components to install the NGINX Ingress controller. For more information, see
How do I configure the whitelist of an ApsaraDB RDS instance to allow access from pods?
- Go to the Cluster Configurations wizard page in the ACK console, click Show Advanced Options, and then set the RDS Whitelist parameter.
- If you use an existing cluster, you must manually configure a whitelist in the ApsaraDB RDS console.
- If your cluster uses Flannel, add the IP addresses of the ECS instances in your cluster to the whitelist. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for SQL Server instance.
- If your cluster uses Terway, add the IP addresses of pods in your cluster to the whitelist. For more information, see Dynamically add the IP addresses of pods to the whitelists of Alibaba Cloud services.
How do I add an existing ECS instance to an ACK cluster?
You can add an existing ECS instance to an ACK cluster or enable the cluster to create a new ECS instance. To add an existing ECS instance, you must make sure that the ECS instance is deployed in the same VPC as the cluster. For more information, see Add existing ECS instances to an ACK cluster.