Create a dedicated Kubernetes cluster that runs sandboxed containers - Container Service for Kubernetes

This topic describes how to create a dedicated Kubernetes cluster that runs sandboxed containers in the Container Service for Kubernetes (ACK) console.

Prerequisites

Related Alibaba Cloud services are activated. For more information, see Quick start for first-time users.

Limits

ACK clusters support only virtual private clouds (VPCs).
By default, each account has specific quotas on cloud resources that can be created. You cannot create clusters if the quota is reached. For more information about quotas, see Limits.
- By default, you can add at most 200 route entries to the virtual private cloud (VPC) where an ACK cluster is deployed. This means that you can configure at most 200 route entries for an ACK cluster deployed in a VPC. To increase the quota on the number of route entries for a VPC, Go to the Quota Center page to submit a ticket.
- By default, you can create at most 100 security groups with each account.
- By default, you can create at most 60 pay-as-you-go SLB instances with each account.
- By default, you can create at most 20 elastic IP addresses (EIPs) with each account.

To create an ACK cluster that runs sandboxed containers, you must set the parameters as described in the following table. Otherwise, the cluster cannot run sandboxed containers.


Parameter	Description
Zone	Only Elastic Compute Service (ECS) bare metal instances support sandboxed containers. Make sure that ECS bare metal instances are available for purchase in the selected zone.
Kubernetes Version	Select 1.14.6-aliyun.1 or later.
Container Runtime	Select Sandboxed-Container.
Worker Instance	Create Instance
Instance Type	Select ECS Bare Metal Instance.
Mount Data Disk	Mount a data disk of at least 200 GiB. We recommend that you mount a data disk of at least 1 TB.
Operating System	Sandboxed-Container supports only the Alibaba Cloud Linux operating system.

Procedure

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
In the upper-right corner of the Clusters page, click Cluster Template.
In the Select Cluster Template dialog box, find Standard Dedicated Cluster in the Other Clusters section and click Create.

On the Dedicated Kubernetes tab, configure the cluster.

Configure basic settings of the cluster.


Parameter	Description
Cluster Name	Enter a name for the cluster. Note The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name cannot start with an underscore (_).
Region	Select a region to deploy the cluster.
Billing Method	The pay-as-you-go and subscription billing methods are supported. If you select the subscription billing method, you must set the following parameters: Note If you set Billing Method to Subscription, only Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances are billed on a subscription basis. Other cloud resources are billed on a pay-as-you-go basis. For more information about the billing rules of Alibaba Cloud resources, see Billing of cloud services. Duration: You can select 1, 2, 3, or 6 months. If you require a longer duration, you can select 1 year, 2 years, or 3 years. Auto Renewal: Specify whether to enable auto-renewal.
Resource group	Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches are filtered based on the selected resource group. When you create a cluster, only the VPCs and vSwitches that belong to the selected resource group are displayed in the console.
Kubernetes Version	Select a Kubernetes version.
Container Runtime	Select Sandboxed-Container.
VPC	Select a VPC to deploy the cluster. Standard VPCs and shared VPCs are supported. Shared VPC: The owner of a VPC (resource owner) can share the vSwitches in the VPC with other accounts in the same organization. Standard VPC: The owner of a VPC (resource owner) cannot share the vSwitches in the VPC with other accounts. Note ACK clusters support only VPCs. You can select a VPC from the drop-down list. If no VPC is available, click Create VPC to create one. For more information, see Create and manage a VPC.
vSwitch	Select vSwitches. You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create vSwitch to create one. For more information, see Create and manage a vSwitch.
Network Plug-in	Select a network plug-in. Flannel and Terway are supported. For more information, see Terway and Flannel. Flannel: a simple and stable Container Network Interface (CNI) plug-in that is developed by open source Kubernetes. Flannel provides a few simple features. However, it does not support standard Kubernetes network policies. Terway: a network plug-in that is developed by ACK. Terway allows you to assign elastic network interfaces (ENIs) of Alibaba Cloud to containers. It also allows you to customize Kubernetes network policies to regulate how containers communicate with each other and implement bandwidth throttling on individual containers. Note The number of pods that can be deployed on a node depends on the number of ENIs that are attached to the node and the maximum number of secondary IP addresses that are provided by these ENIs. If you select a shared VPC for a cluster, you must select Terway as the network plug-in. If you select Terway, an ENI is shared among multiple pods. A secondary IP address of the ENI is assigned to each pod.
IP Addresses per Node	If you select Flannel as the network plug-in, you must set IP Addresses per Node. Note IP Addresses per Node specifies the maximum number of IP addresses that can be assigned to each node. We recommend that you use the default value. After you select the VPC and specify the number of IP addresses per node, recommended values are automatically generated for Pod CIDR Block and Service CIDR. The system also provides the maximum number of nodes that can be deployed in the cluster and the maximum number of pods that can be deployed on each node. You can modify the values based on your business requirements.
Pod CIDR Block	If you select Flannel as the network plug-in, you must set Pod CIDR Block. The CIDR block specified by Pod CIDR Block cannot overlap with that of the VPC or those of the existing clusters in the VPC. The CIDR block cannot be modified after the cluster is created. The Service CIDR block cannot overlap with the pod CIDR block. For more information about how to plan CIDR blocks for an ACK cluster, see Plan CIDR blocks for an ACK cluster.
Pod vSwitch	If you select Terway as the network plug-in, you must allocate vSwitches to pods. For each vSwitch that allocates IP addresses to worker nodes, you must select a vSwitch in the same zone to allocate IP addresses to pods. The elastic network interface (ENI) used by a pod must be deployed in the zone where the node that hosts the pod is deployed. Therefore, you must select another vSwitch in the zone where the node vSwitch is deployed. This vSwitch assigns IP addresses to pods. To ensure sufficient IP addresses for all pods, we recommend that you set the mask length of the CIDR block to a value no greater than 19 for the vSwitch.
Service CIDR	Set Service CIDR. The CIDR block specified by Service CIDR cannot overlap with that of the VPC or those of the existing clusters in the VPC. The CIDR block cannot be modified after the cluster is created. The Service CIDR block cannot overlap with the pod CIDR block. For more information about how to plan CIDR blocks for an ACK cluster, see Plan CIDR blocks for an ACK cluster.
Configure SNAT	By default, an ACK cluster cannot access the Internet. If the VPC that you select for the cluster cannot access the Internet, you can select Configure SNAT for VPC. This way, ACK will create a NAT gateway and configure SNAT rules to enable Internet access for the VPC.
Access to API Server	By default, an internal-facing SLB instance is created for the Kubernetes API server of the cluster. You can modify the specification of the SLB instance. For more information, see Instance specifications. Important If you delete the SLB instance, you cannot access the Kubernetes API server of the cluster. Specify whether to enable Expose API Server with EIP. The ACK API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources, such as pods and Services. If you select this check box, an elastic IP address (EIP) is created and associated with an SLB instance. Port 6443 used by the API server is opened on master nodes. You can connect to and manage the cluster by using kubeconfig files over the Internet. If you clear this check box, no EIP is created. You can connect to and manage the cluster by using kubeconfig files only from within the VPC.
SSH Logon	To enable SSH logon, you must first select Expose API Server with EIP. If you enable SSH logon over the Internet, you can access the cluster by using SSH. If you disable SSH logon over the Internet, you cannot access the cluster by using SSH or kubectl. If you want to access an Elastic Compute Service (ECS) instance in the cluster by using SSH, you must manually associate an elastic IP address (EIP) with the instance and configure security group rules to open SSH port 22. For more information, see Use SSH to connect to the master nodes of a dedicated Kubernetes cluster.
RDS Whitelist	Configure the whitelist of the ApsaraDB RDS instance. Add the IP addresses of nodes in the cluster to a whitelist of the ApsaraDB RDS instance. Note To enable an ApsaraDB RDS instance to access the cluster, you must make sure that the instance is deployed in the VPC where the cluster is deployed.
Security Group	You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information about security groups, see Overview. Note To enable the Select Existing Security Group option, apply to be added to the whitelist in Quota Center. If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information, see Configure security group rules to enforce access control on ACK clusters.

Configure advanced settings of the cluster.


Parameter	Description
Time Zone	Select a time zone for the cluster. By default, the time zone of your browser is selected.
Kube-proxy Mode	iptables and IPVS are supported. iptables is a mature and stable kube-proxy mode. It uses iptables rules to conduct service discovery and load balancing. The performance of this mode is restricted by the size of the Kubernetes cluster. This mode is suitable for Kubernetes clusters that manage a small number of Services. IPVS is a high-performance kube-proxy mode. It uses Linux Virtual Server (LVS) to conduct service discovery and load balancing. This mode is suitable for clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.
Labels	Add labels to nodes in the cluster. Enter a key and a value, and then click Add. Note Key is required. `Value` is optional. Keys are not case-sensitive. A key must be 1 to 64 characters in length and cannot start with aliyun, http://, or https://. `Values` are not case-sensitive. A value cannot exceed 128 characters in length and cannot contain http:// or https://. A value can be empty. The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the label that uses the same key. If you add more than 20 labels to a resource, all labels become invalid. You must remove excess labels for the remaining labels to take effect.
Cluster Domain	Set the domain name of the cluster. Note The default domain name is cluster.local. You can enter a custom domain name. A domain name consists of two parts. Each part must be 1 to 63 characters in length and can contain only letters and digits. You cannot leave these parts empty.
Custom Certificate SANs	You can enter custom subject alternative names (SANs) for the API server certificate of the cluster to accept requests from specified IP addresses or domain names.
Service Account Token Volume Projection	Service account token volume projection reduces security risks when pods use service accounts to access the API server. This feature enables kubelet to request and store the token on behalf of the pod. This feature also allows you to configure token properties, such as the audience and validity duration. For more information, see Enable service account token volume projection.
Cluster CA	If you select this check box, upload a certification authority (CA) certificate for the cluster to ensure secure data transmission between the server and client.
Deletion Protection	Specify whether to enable deletion protection for the cluster. Deletion protection prevents the cluster from being deleted in the console or by calling the API. This prevents user errors.
Resource Group	The resource group that owns the cluster to be created. Each resource can belong only to one resource group. You can regard a resource group as a project, an application, or an organization based on your business scenarios. For more information, see Resource groups.

Click Next:Master Configurations to configure master nodes.


Parameter	Description
Master Node Quantity	Specify the number of master nodes. You can create three or five master nodes.
Instance Type	Select the instance type for the master nodes. For more information, see Overview of instance families.
System Disk	By default, system disks are mounted to master nodes. Standard SSDs and ultra disks are supported. Note You can select Enable Backup to back up disk data.

Click Next:Node Pool Configurations to configure worker nodes.

Configure basic settings of worker nodes.


Parameter	Description
Worker Instance	By default, Create Instance is selected. You cannot select Add Existing Instance.
Node Pool Name	The name of the node pool. Note The name must be 1 to 63 characters in length, and can contain digits, letters, and hyphens (-).
Instance Type	Select ECS Bare Metal Instance. Only ECS bare metal instances are supported.
Selected Types	The selected instance type is displayed. You can select only ECS Bare Metal Instance as the instance type.
Quantity	Specify the number of worker nodes (ECS instances) to be created.
System Disk	ESSDs, standard SSDs, and ultra disks are supported. Note You can select Enable Backup to back up disk data. If you select ESSD as the system disk type, you can set a custom performance level for the system disk. You can select higher performance levels for ESSDs with larger storage capacities. For example, you can select performance level 2 for an ESSD with a storage capacity of more than 460 GiB. You can select performance level 3 for an ESSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs.
Mount Data Disk	ESSDs, standard SSDs, and ultra disks are supported. The disk types that you can select depend on the instance types that you select. For more information about the disk types supported by different instance types, see Overview of instance families. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. Note If you select ESSD as the system disk type, you can set a custom performance level for the system disk. You can select higher performance levels for ESSDs with larger storage capacities. For example, you can select performance level 2 for an ESSD with a storage capacity of more than 460 GiB. You can select performance level 3 for an ESSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs. The Encrypt Disk option is available only for ESSDs. Data disks support only the aes-256 and sm4-128 encryption algorithms. The China (Nanjing - Local Region), China (Fuzhou - Local Region), Thailand (Bangkok), and South Korea (Seoul) regions support only the Default Service CMK for data disk encryption. The Bring Your Own Key (BYOK) feature is not supported by these regions. For more information about data disk encryption, see Encrypt a data disk. The maximum number of data disks that can be mounted depends on the instance types that you select. You can view the selected data disks and the remaining number of data disks that you can mount on the right side of Mount Data Disk. Important The data disk is used to store the root file systems of all containers on the node. Therefore, you must mount a data disk of at least 200 GiB. We recommend that you mount a data disk of 1 TiB or more.
Operating System	Sandboxed-Container supports only the Alibaba Cloud Linux operating system.
Logon Type	Key pair logon Key Pair: Select an SSH key pair from the drop-down list. create a key pair: Create an SSH key pair if none is available. For more information about how to create an SSH key pair, see Create an SSH key pair. After the key pair is created, set it as the credential that is used to log on to the cluster. Password logon Password: Enter the password that is used to log on to the nodes. Confirm Password: Enter the password again. Note The password must be 8 to 30 characters in length, and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. The password cannot contain underscores (_).

Configure advanced settings.


Parameter	Description
Node Protection	Specify whether to enable node protection. Note By default, this check box is selected. Node protection prevents nodes from being accidentally deleted in the console or by calling the API. This prevents user errors.
User Data	For more information, see Overview of ECS instance user data.
Custom Node Name	Specify whether to use a custom node name. If you choose to use a custom node name, the name of the node, name of the ECS instance, and hostname of the ECS instance are changed. A custom node name consists of a prefix, an IP address, and a suffix. A custom node name must be 2 to 64 characters in length. The prefix and suffix can contain letters, digits, hyphens (-), and periods (.). The prefix and suffix must start with a letter and cannot end with a hyphen (-) or period (.). The prefix and suffix cannot contain consecutive hyphens (-) or periods (.). Due to the ECS instance limit, the prefix is required. The suffix is optional. For a Windows node that uses a custom node name, the hostname of the ECS instance is fixed to the IP address of the node. In the hostname, hyphens (-) are used to replace the periods (.) in the IP address. The hostname does not include the prefix or suffix. For example, the node IP address is 192.1xx.x.xx, the prefix is aliyun.com, and the suffix is test. If the node runs Linux, the name of the node, name of the ECS instance, and hostname of the ECS instance are aliyun.com192.1xx.x.xxtest. If the node runs Windows, the hostname of the ECS instance is 192-1xx-x-xx, and the names of the node and ECS instance are aliyun.com192.1xx.x.xxtest.
Node Port Range	Set the node port range.
CPU Policy	Set the CPU management policy. none: This policy indicates that the default CPU affinity is used. This is the default policy. static: This policy allows pods with specific resource characteristics on the node to be granted with enhanced CPU affinity and exclusivity.
Taints	Add taints to all worker nodes in the cluster.

Click Next:Component Configurations to configure components.


Parameter	Description
Ingress	Specify whether to install an Ingress controller. By default, Nginx Ingress is selected. If you select Nginx Ingress, Install NGINX Ingress Controller is automatically selected. For more information about how to use NGINX Ingresses, see Advanced NGINX Ingress configurations. If you select ALB Ingress, the Application Load Balancer (ALB) Ingress controller is automatically installed. For more information about how to access Services in a cluster by using ALB Ingresses, see Access Services by using an ALB Ingress.
Service Discovery	Specify whether to install NodeLocal DNSCache. By default, NodeLocal DNSCache is installed. NodeLocal DNSCache runs a Domain Name System (DNS) caching agent to improve the performance and stability of DNS resolution. For more information about NodeLocal DNSCache, see Configure NodeLocal DNSCache.
Volume Plug-in	Select CSI. Only the Container Storage Interface (CSI) plug-in is supported by ACK clusters that run sandboxed containers. An ACK cluster can be automatically bound to Alibaba Cloud disks, Apsara File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets that are mounted to pods in the cluster. For more information, see Storage management-CSI.
Monitoring Agents	Specify whether to install the CloudMonitor agent. By default, Install CloudMonitor Agent on ECS Instance and Enable Prometheus Monitoring are selected. After the CloudMonitor agent is installed on ECS nodes, you can view monitoring data about the nodes in the CloudMonitor console.
Log Service	Specify whether to enable Log Service. You can select an existing Log Service project or create one. By default, Enable Log Service is selected. When you create an application, you can enable Log Service with a few steps. For more information, see Collect log data from containers by using Log Service. By default, Install node-problem-detector and Create Event Center is selected. You can specify whether to enable the Kubernetes event center in the Log Service console. For more information, see Create and use an event center.
Workflow Engine	Specify whether to enable Alibaba Cloud Genomics Service (AGS). Note To use this feature, submit a ticket to apply to be added to a whitelist. If you select this check box, the system automatically installs the AGS workflow plug-in when the system creates the cluster. If you clear this check box, you must manually install the AGS workflow plug-in. For more information, see Introduction to AGS CLI.

Click Next:Confirm Order.
Select Terms of Service and click Create Cluster.
Note It requires approximately 10 minutes for the system to create an ACK managed cluster that contains multiple nodes.

Result

After the cluster is created, you can find the cluster on the Clusters page in the console.
Click View Logs in the Actions column. On the page that appears, you can view the cluster log. To view detailed log information, click Stack events.
On the Clusters page, find the newly created cluster and click Details in the Actions column. On the details page of the cluster, click the Basic Information tab to view basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster.
The following information is displayed:
- API Server Public Endpoint: the IP address and port that the API server uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on the client.
- API Server Internal Endpoint: the IP address and port that the Kubernetes API server of the cluster uses to provide services within the cluster. The endpoint belongs to the Server Load Balancer (SLB) instance that is bound to the cluster. Three control planes work as the backend servers of the SLB instance.
- Testing Domain: the domain name that is used to test Services. The suffix of the domain name is <cluster_id>.<region_id>.alicontainer.com.
  Note To rebind the domain name, click Rebind Domain Name.
You can use kubectl to connect to the cluster and run the kubectl get node command to query information about the nodes in the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.