This topic provides answers to some frequently asked questions about cluster management.

Can I add nodes that support Intel Software Guard Extensions (Intel SGX) to an existing cluster?

To add nodes that support Intel SGX to an existing cluster, the cluster must meet the following conditions:
  • The Kubernetes version is 1.14.0 or later.
  • The network plug-in is Flannel.
  • The operating system is set to AliyunLinux 2.xxxx when you create the cluster. Do not select custom images when you add nodes to the cluster.
Log on to the Container Service for Kubernetes (ACK) console. On the Clusters page, find a cluster that meets the preceding requirements and choose More > Upgrade System Components in the Actions column. On the Add-ons page, install Intel SGX Architectural Enclave Service Manager (Intel SGX AESM) and sgx-device-plugin.

Are ACK clusters that run Alibaba Cloud Linux 2 compatible with container images that are based on CentOS?

Yes, ACK clusters that run Alibaba Cloud Linux 2 are fully compatible with container images that are based on CentOS. For more information, see Use Alibaba Cloud Linux 2.

Can I change the container runtime after a cluster is created?

Issue: I created a cluster that uses containerd as the container runtime and I want to change the container runtime to Docker.

Solution: After a cluster is created, you cannot change the container runtime used by the cluster. However, you can create node pools that use different container runtimes in the cluster. The container runtimes used by node pools in the cluster can be different. For more information, see Node pool overview.

What are the differences between Docker and Sandboxed-Container?

Sandboxed-Container is an alternative to the Docker runtime. Sandboxed-Container allows you to run applications in a sandboxed and lightweight virtual machine that has a dedicated kernel. This enhances resource isolation and improves security. Sandboxed-Container is suitable in scenarios such as untrusted application isolation, fault isolation, performance isolation, and load isolation among multiple users. Sandboxed-Container improves security and has minor impacts on application performance. In addition, Sandboxed-Container provides the same user experience as Docker in terms of logging, monitoring, and elastic scaling. Sandboxed-Container supports only Elastic Compute Service (ECS) bare metal instances. Other ECS instance types are not supported.

For more information about Docker and Sandboxed-Container, see Comparison of Docker, containerd, and Sandboxed-Container.

Is ACK certified for Level 3 Cybersecurity?

ACK and other Alibaba Cloud services have been certified for Level 3 Cybersecurity. However, Alibaba Cloud does not have limits on the use of these cloud services. You must bear responsibility for any lost profits arising from the improper use of Alibaba Cloud services. The following lists describe the items for which Alibaba Cloud and you must bear responsibility to guarantee the security of Alibaba Cloud services and your business:
  • Items for which Alibaba Cloud bears responsibility:
    • The security of infrastructure resources for Alibaba Cloud services.
    • The security of etcd and nodes in the cluster control plane.
    • The security compliance of components in the cluster control plane. Alibaba Cloud also accepts security inspections from third parties.
  • Items for which you bear responsibility:
    • Security configurations of the data plane, including the configurations of security groups of virtual private clouds (VPCs).
    • Configurations of nodes and pods.
    • Operating systems of nodes, including upgrades and security patches.
    • Other related software.
    • Access control on devices and networks, such as firewall rules.
    • Platform-level identity verification and access control by using Resource Access Management (RAM) or other services.
    • Security of sensitive data.

Can I upgrade a dedicated Kubernetes cluster after I accidentally delete a master node of the cluster?

No. After a master node of a dedicated Kubernetes cluster is deleted, you cannot add another master node or upgrade the Kubernetes version of the cluster.

How do I collect the diagnostic data of an ACK cluster?

ACK provides the cluster diagnostics feature that you can use to diagnose clusters with a few clicks. This feature helps you troubleshoot cluster issues and node anomalies. For more information, see Work with cluster diagnostics. You can also collect diagnostic data from control planes and worker nodes for further analysis. The following section describes how to collect diagnostic data from Linux nodes and Windows nodes.

Collect diagnostic data from Linux nodes

Worker nodes support Linux and Windows, whereas control planes support only Linux. The following steps apply to control planes and worker nodes that run Linux. The following example describes how to collect diagnostic data from a control plane:

  1. Log on to the control plane and run the following command to download a diagnostic script:
    curl -o /usr/local/bin/
    Note You can download the diagnostic script only from the China (Hangzhou) region.
  2. Run the following command to grant execute permissions on the diagnostic script:
    chmod u+x /usr/local/bin/
  3. Run the following command to go to a specified directory:
    cd /usr/local/bin
  4. Run the following command to run the diagnostic script:

    The following output is returned. Each time you run the diagnostic script, a log file with a different name is generated. In this example, the log file is named diagnose_1514939155.tar.gz. The name is subject to the actual conditions.

    + echo 'please get diagnose_1514939155.tar.gz for diagnostics'
    please get diagnose_1514939155.tar.gz for diagnostics
    + echo 'Upload diagnose_1514939155.tar.gz'
    Upload diagnose_1514939155.tar.gz
  5. Run the following command to query the log file that stores the diagnostic data:
    ls -ltr | grep diagnose_1514939155.tar.gz
    Note Replace diagnose_1514939155.tar.gz with the actual name of the generated log file.

Collect diagnostic data from Windows nodes

To collect diagnostic data from a Windows worker node, perform the following steps to download and run a diagnostic script:

Note Windows can run only on worker nodes.
  1. Log on to an abnormal node. Open the Run command window, enter cmd, and then click OK to open Command Prompt.
  2. Run the following command to switch to PowerShell:
  3. Run the following command to download and run a diagnostic script:
    Invoke-WebRequest -UseBasicParsing -Uri http://aliacs-k8s-[$Region_ID].oss-[$Region_ID] | Invoke-Expression
    Note The diagnostic script for a Windows node can be downloaded only from the region where the node resides. Replace the region ID in the command with the actual region ID of the node.

    If the following output is returned, the diagnostic data of the node is collected.

    INFO: Compressing diagnosis clues ...
    INFO: ...done
    INFO: Please get for diagnostics
    Note The file is stored in the directory where the diagnostic script is run.