Enterprise Distributed Application Service:Best practices for Kubernetes cluster O&M

Use ACK Pro managed clusters

For production environments, use ACK Pro managed clusters instead of ACK standard clusters. ACK Pro clusters provide stronger resource isolation and higher service level agreements (SLAs).

For more information, see ACK Pro clusters overview.

Choose the Terway network plug-in

Select the Terway network plug-in when you create a production cluster. Terway assigns a dedicated elastic network interface (ENI) to each pod, which delivers optimal network performance.

For setup details, see Create an ACK Pro cluster.

Select Alibaba Cloud Linux as the operating system

Use Alibaba Cloud Linux, the default operating system for ACK. It supports reinforcement based on classified protection and provides long-term service support with performance optimizations for Alibaba Cloud infrastructure.

For more information, see Use Alibaba Cloud Linux 2.

Use advanced security groups

Select advanced security groups for production clusters. Advanced security groups support a larger node capacity than basic security groups.

If your cluster uses basic security groups and you cannot scale out nodes or pods during application scaling, check whether the security group specifications are limiting node capacity.

For more information, see Security groups overview.

Do not modify ACK or EDAS security group rules

ACK manages security group rules automatically. The initial configuration covers the Classless Inter-Domain Routing (CIDR) blocks for Elastic Compute Service (ECS) instances and pods. Modifying or deleting these rules can cause the following issues and other feature exceptions:

• The cluster cannot be imported to EDAS.

• Pods cannot be scheduled.

• Pods lose connectivity with each other.

• The kubectl logs command stops working.

Scale the Ingress controller for external traffic

If your cluster uses an ingress to expose services externally, configure enough Ingress controller pod replicas to handle the expected traffic. Insufficient replicas reduce overall throughput.

To determine the right replica count:

1. Open the Prometheus monitoring view for the Ingress controller.

2. Check CPU, memory, and request-rate metrics under load.

3. Increase replicas until resource utilization stays within acceptable thresholds.

For details on monitoring the Ingress controller, see Analyze and monitor the access log of nginx-ingress-controller.

Configure CoreDNS replicas

Enable CoreDNS and maintain a ratio of 1 CoreDNS pod for every 8 nodes in the cluster. This ratio keeps DNS-based service discovery performant as the cluster scales.

For configuration steps, see Best practices for DNS services.

Enable Prometheus monitoring

Use Prometheus to collect metrics for nodes and workloads. Configure alerts for indicators such as CPU utilization, memory pressure, and pod restart counts to detect issues before they affect your applications.

Enable CloudMonitor for nodes

Enable CloudMonitor for nodes and set up alerts for ECS instance resource usage, including CPU, memory, and disk utilization. This provides infrastructure-level visibility that complements Kubernetes-native metrics.

Collect cluster logs with Simple Log Service

Enable the cluster log collection feature to forward logs to Simple Log Service (SLS). Centralized log analysis helps you troubleshoot application errors, track access patterns, and audit cluster operations.