All Products
Search

This Product

    Container Service for Kubernetes:Create an ACK managed cluster for confidential computing

    Document Center

    Container Service for Kubernetes:Create an ACK managed cluster for confidential computing

    Last Updated:Nov 12, 2024

    This topic describes how to create a Container Service for Kubernetes (ACK) managed cluster for confidential computing in the ACK console. ACK managed clusters for confidential computing run in Trusted Execution Environments (TEEs).

    Table of contents

    Prerequisites

    Resource Access Management (RAM) is activated.

    Limits

    Item

    Limit

    Links for increasing quota limits/references

    Networks

    ACK clusters support only VPCs.

    What is a VPC?

    Cloud resources

    ECS

    The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console.

    Change the billing method of an ECS instance from pay-as-you-go to subscription

    VPC route entries

    By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC.

    Quota Center

    Security groups

    By default, you can create at most 100 security groups with each account.

    View and increase resource quotas

    SLB instances

    By default, you can create at most 60 pay-as-you-go SLB instances with each account.

    Quota Center

    EIP

    By default, you can create at most 20 EIPs with each account.

    Quota Center

    Configure the parameters as required in the following table when you create an ACK managed cluster for confidential computing. Otherwise, the cluster does not support Intel SGX 2.0 applications.

    Parameter

    Description

    Zone

    Only the following instance families support ACK managed clusters for confidential computing: c7t security-enhanced compute-optimize, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized. Make sure that the selected zones support these instance families. For more information about the ECS instance types available in different regions and zones, see Instance Types Available for Each Region.

    Container Runtime

    Select containerd 1.4.4 or later.

    Instance Type

    Select instances types from the following instance families: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized.

    Note

    Intel Ice Lake supports the remote attestation service only based on Intel Software Guard Extensions Data Center Attestation Primitives (SGX DCAP). Remote attestation services based on Intel Enhanced Privacy Identification (EPID) are not supported. You must adapt your applications before you can use the remote attestation service. For more information about the remote attestation service, see attestation-services.

    Operating System

    Select Alibaba Cloud Linux 2.xxxx 64-bit (UEFI).

    Network Plug-in

    Flannel

    Step 1: Log on to the ACK console

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click Create Kubernetes Cluster.

    3. On the Clusters page, click Cluster Templates in the upper-right corner, find Confidential Computing Cluster, and click Create.

    Step 2: Configure the cluster

    On the Managed Kubernetes page, configure the basic settings and advanced settings of the cluster.

    Basic settings

    Parameter

    Description

    All Resources

    Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches that belong to the resource group are displayed. When you create a cluster, only VPCs and vSwitches that belong to the specified resource group are displayed.资源组

    Cluster Name

    The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit.

    Cluster Specification

    Select a cluster type. You can select Professional or Basic. We recommend that you use ACK Pro clusters in the production environment and test environment. ACK Basic clusters can meet the learning and testing needs of individual users.

    Region

    The region of the cluster.

    Billing Method

    These billing methods are supported: Pay-As-You-Go and Subscription. If you select the subscription billing method, you must set the following parameters:

    Note

    If you set Billing Method to Subscription, only Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances are billed on a subscription basis. Other cloud resources are billed on a pay-as-you-go basis. For more information about the billing of cloud resources, see Billing of cloud services.

    • Duration: You can select 1, 2, 3, or 6 months. If you require a longer duration, you can select 1 year, 2 years, or 3 years.

    • Auto Renewal: Specify whether to enable auto-renewal.

    Kubernetes Version

    The supported Kubernetes versions.

    Confidential Computing

    Select Enable.

    IPv6 Dual-stack

    If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created. This feature is in public preview. To use this feature, submit an application in the Quota Center console.

    Important

    • Only clusters that run Kubernetes 1.22 and later support IPv4/IPv6 dual-stack.

    • IPv4 addresses are used for communication between worker nodes and the control plane.

    • You must select Terway as the network plug-in.

    • If you use the shared ENI mode of Terway, the ECS instance type must support IPv6 addresses. To add ECS instances of the specified type to the cluster, the number of IPv4 addresses supported by the ECS instance type must be the same as the number of IPv6 addresses. For more information about ECS instance types, see Overview of instance families.

    • You must use a VPC and ECS instances that support IPv4/IPv6 dual stack.

    • You must disable IPv4/IPv6 dual stack if you want to use Elastic Remote Direct Memory Access (eRDMA) in an cluster.

    VPC

    Select a VPC to deploy the cluster. Standard VPCs and shared VPCs are supported.

    • Shared VPC: The owner of a VPC (resource owner) can share the vSwitches in the VPC with other accounts in the same organization.

    • Standard VPC: The owner of a VPC (resource owner) cannot share the vSwitches in the VPC with other accounts.

    Note

    ACK clusters support only VPCs. You can select a VPC from the drop-down list. If you do not have a VPC, click Create VPC to create one. For more information, see Create and manage a VPC.

    Network Plug-in

    You must select the Flannel plug-in if you want to enable confidential computing.

    vSwitch

    Select vSwitches.

    You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create vSwitch. For more information, see Create and manage vSwitches.

    Container CIDR Block

    If you select Flannel, you must set Container CIDR Block.

    The container CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the Service CIDR block. The container CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster.

    Number of Pods per Node

    If you set Network Plug-in to Flannel, you must configure the Number of Pods per Node parameter.

    Service CIDR

    Set Service CIDR. The Service CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the pod CIDR block. The Service CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster.

    IPv6 Service CIDR

    If you enable IPv4/IPv6 dual stack, you must specify an IPv6 CIDR block for Services. When you set this parameter, take note of the following items:

    • You must specify a Unique Local Unicast Address (ULA) space within the address range fc00::/7. The prefix must be 112 bits to 120 bits in length.

    • We recommend that you specify an IPv6 CIDR block that has the same number of IP addresses as the Service CIDR block.

    For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster.

    Configure SNAT

    By default, the check box is selected. If the VPC that you select for the cluster cannot access the Internet, you can select Configure SNAT for VPC. This way, ACK will create a NAT gateway and configure SNAT rules to enable Internet access for the VPC.

    Access to API Server

    By default, ACK automatically creates an internal-facing SLB instance that uses the pay-as-you-go billing method for the API server.

    Important

    • If you delete the default SLB instance, you cannot access the Kubernetes API server of the cluster.

    • You can manually change the billing method. For more information, see Pay-as-you-go.

    Select or clear Expose API Server with EIP. The ACK API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and Services.

    • If you select this check box, an elastic IP address (EIP) is created and associated with an SLB instance. Port 6443 used by the API server is opened on master nodes. You can connect to and manage the cluster over the Internet by using a kubeconfig file.

    • If you clear this check box, no EIP is created. You can use a kubeconfig file to connect to the cluster only from within the VPC and then manage the cluster.

    Security Group

    You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information about security groups, see Overview.

    Note

    • Only users in the whitelist can select the Select Existing Security Group option. To apply to be added to the whitelist, log on to the Quota Center console and submit an application.

    • If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information about how to manage security group rules, see Configure security group rules to enforce access control on ACK clusters.

    • By default, the security group used by ACK permits all outbound traffic. When you modify the security group due to business purposes, make sure that traffic destined for 100.64.0.0/10 is permitted. This CIDR block is used to pull images and query basic ECS information.

    Deletion Protection

    Specify whether to enable deletion protection for the cluster. We recommend that you enable deletion protection to prevent clusters from being accidentally released by using the console or API.

    Resource Group

    The resource group to which the cluster belongs. Each resource can belong to only one resource group. You can regard a resource group as a project, an application, or an organization based on your business scenarios.

    Advanced settings

    Click Show Advanced Options to configure the advanced settings of the cluster.

    Click to view advanced settings

    Parameter

    Description

    Time Zone

    The time zone of the cluster. By default, the time zone of your browser is selected.

    Kube-proxy Mode

    iptables and IPVS are supported.

    • iptables is a mature and stable kube-proxy mode. In this mode, service discovery and load balancing for Kubernetes Services are configured by using iptables rules. The performance of this mode depends on the size of the Kubernetes cluster. This mode is suitable for Kubernetes clusters that manage a small number of Services.

    • IPVS is a high-performance kube-proxy mode. In this mode, service discovery and load balancing for Kubernetes Services are configured by the IP Virtual Server (IPVS) module of Linux. This mode is suitable for clusters that manage a large number of Services. We recommend that you use this mode in scenarios where high-performance load balancing is required.

    Labels

    Add labels to cluster nodes. Enter a key and a value, and then click Add.

    Note

    • Keys are required and values are optional.

    • Keys are not case-sensitive. A key must not exceed 64 characters in length, and cannot start with aliyun, http://, or https://.

    • Values are not case-sensitive. A value cannot exceed 128 characters in length, and cannot start with http:// or https://.

    • The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the label that uses the same key.

    • If you add more than 20 labels to a resource, all labels become invalid. You must remove the excessive labels so that the remaining labels can take effect.

    Cluster Domain

    Set the cluster domain.

    Note

    The default domain name is cluster.local. You can enter a custom domain name. A domain name consists of two parts. Each part must be 1 to 63 characters in length and can contain only letters and digits. You cannot leave these parts empty.

    Custom Certificate SANs

    You can enter custom subject alternative names (SANs) for the API server certificate of the cluster to accept requests from specified IP addresses or domain names. This allows you to control access from clients.

    For more information, see Customize the SANs of the API server certificate when you create an ACK cluster.

    Service Account Token Volume Projection

    ACK provides service account token volume projection to reduce security risks when pods use service accounts to access the Kubernetes API server. This feature enables kubelet to request and store the token on behalf of a pod. This feature also allows you to configure token properties, such as the audience and validity period. For more information, see Use ServiceAccount token volume projection.

    Secret Encryption

    If you select Select Key for an ACK Pro cluster, you can use a key that is created in the Key Management Service (KMS) console to encrypt Kubernetes Secrets. For more information, see Use KMS to encrypt Kubernetes Secrets.

    Step 3: Configure the node pool

    Click Next:Node Pool Configurations to configure the basic settings and advanced settings of the node pool.

    Basic settings

    Parameter

    Description

    Node Pool Name

    Specify a node pool name.

    Managed Node Pool

    Specify whether to enable the managed node pool feature.

    Maintenance Window

    This parameter is available after you select Enable for the managed node pool feature.

    Image updates, runtime updates, and Kubernetes version updates are automatically performed during the maintenance window. For more information, see Overview of managed node pools.

    Click Set. In the Maintenance Window dialog box, set the Cycle, Started At, and Duration parameters and click OK.

    Container Runtime

    Specify the container runtime based on the Kubernetes version.

    • containerd: containerd is recommended for all Kubernetes versions.

    • Sandboxed-Container: supports Kubernetes 1.24 and earlier.

    • Docker: supports Kubernetes 1.22 and earlier.

    For more information, see Comparison among Docker, containerd, and Sandboxed-Container.

    Instance Type and Selected Type

    Only instance types of the following instance families support Intel Software Guard Extensions (SGX) 2.0 applications: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized.

    Expected Nodes

    The expected number of nodes in the node pool. You can modify the Expected Nodes parameter to adjust the number of nodes in the node pool. If you do not want to create nodes in the node pool, set this parameter to 0. For more information, see Scale a node pool.

    Note

    We recommend that you configure at least two worker nodes. After the cluster is created, you can adjust the number of worker nodes to meet your business requirements. If the cluster has only one worker node or contains low-specification worker nodes, cluster components may not run as expected.

    System Disk

    ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, Standard SSD, and Ultra Disk are supported.

    The types of system disks that you can select depend on the instance types that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. For more information about disks, see Overview of Block Storage. For more information about disk types supported by different instance types, see Overview of instance families.

    Note

    • If you select Enterprise SSD (ESSD) as the system disk type, you can set a custom performance level for the system disk. You can select higher PLs for ESSDs with larger storage capacities. For example, you can select PL 2 for an ESSD with a storage capacity of more than 460 GiB. You can select PL 3 for an ESSD with a storage capacity of more than 1,260 GiB. For more information, see Capacities and performance levels.

    • You can select Encryption only if you set the system disk type to Enterprise SSD (ESSD). By default, the default service CMK is used to encrypt the system disk. You can also use an existing CMK generated by using BYOK in KMS.

    You can select More System Disk Types and select a disk type other than the current one in the System Disk section to improve the success rate of system disk creation. The system will attempt to create a system disk based on the specified disk types in sequence.

    Data Disk

    ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, SSD, and Ultra Disk are supported. The disk types that you can select depend on the instance types that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. For more information about disks, see Overview of Block Storage. For more information about disk types supported by different instance types, see Overview of instance families.

    • ESSD AutoPL disks provide the following features:

      • Performance provision: The performance provision feature allows you to configure provisioned performance settings for ESSD AutoPL disks to meet storage requirements that exceed the baseline performance without the need to extend the disks.

      • Performance burst: The performance burst feature allows ESSD AutoPL disks to burst their performance when spikes in read/write workloads occur and reduce the performance to the baseline level at the end of workload spikes.

    • ESSDs provide the following features:

      Custom Performance. You can select higher PLs for ESSDs with larger storage capacities. For example, you can select PL 2 for an ESSD with a storage capacity of more than 460 GiB. You can select PL 3 for an ESSD with a storage capacity of more than 1,260 GiB. For more information, see Capacity and PLs.

    • You can select Encryption for all disk types when you specify the type of data disk. By default, the default service CMK is used to encrypt the data disk. You can also use an existing CMK generated by using BYOK in KMS.

    • You can also use snapshots to create data disks in scenarios where container image acceleration and fast loading of large language models (LLMs) are required. This improves the system response speed and enhances the processing capability.

    • Make sure that a data disk is mounted to /var/lib/container on each node, and /var/lib/kubelet and /var/lib/containerd are mounted to the /var/lib/container. For other data disks on the node, you can perform the initialization operation and customize their mount directories. For more information, see Can I mount a data disk to a custom directory in an ACK node pool?

    Note

    You can attach up to 64 data disks to an ECS instance. The maximum number of disks that can be attached to an ECS instance varies based on the instance type. To query the maximum number of disks that you can attach to an ECS instance of a specific instance type, call the DescribeInstanceTypes operation and check the DiskQuantity parameter in the response.

    Operating System

    Only Alibaba Cloud Linux 2.xxxx 64-bit (UEFI) is supported.

    Security Reinforcement

    • Disable: disables security hardening for ECS instances.

    • Reinforcement based on classified protection: You can enable security hardening only when you select an Alibaba Cloud Linux 2 or Alibaba Cloud Linux 3 image. Alibaba Cloud provides baselines and the baseline check feature to help you check the compliance of Alibaba Cloud Linux 2 images and Alibaba Cloud Linux 3 images with the level 3 standards of Multi-Level Protection Scheme (MLPS) 2.0. For more information, see ACK reinforcement based on classified protection.

      Important

      MLPS Security Hardening enhances the security of OS images to meet the requirements of GB/T 22239-2019 Information Security Technology - Baseline for Classified Protection of Cybersecurity without compromising the compatibility and performance of the OS images.

      After you enable MLPS Security Hardening, remote logons through SSH are prohibited for root users. You can use Virtual Network Computing (VNC) to log on to the OS from the ECS console and create regular users that are allowed to log on through SSH. For more information, see Connect to a Linux instance by using VNC.

    • OS Security Hardening: You can enable Alibaba Cloud Linux Security Hardening only when the system image is an Alibaba Cloud Linux 2 or Alibaba Cloud Linux 3 image.

    Note

    After the cluster is created, you cannot modify the Security Hardening parameter.

    Logon Type

    Valid values: Key Pair, Password, and Later.

    Note

    If you select Reinforcement based on classified protection for the Security Reinforcement parameter, only the Password option is supported.

    • Configure the logon type when you create the node pool:

      • Key Pair: Alibaba Cloud SSH key pairs provide a secure and convenient method to log on to ECS instances. An SSH key pair consists of a public key and a private key. SSH key pairs support only Linux instances. For more information, see Overview.

      • Password: The password must be 8 to 30 characters in length, and can contain letters, digits, and special characters.

    • Configure the logon type after you create the node pool: For more information, see Bind an SSH key pair to an instance and Reset the logon password of an instance.

    Public IP

    Specify whether to assign an IPv4 address to each node. If you clear the check box, no public IP address is allocated. If you select the check box, you must also set the Bandwidth Billing Method and Peak Bandwidth parameters.

    Note

    This parameter takes effect only on newly added nodes and does not take effect on existing nodes. If you want to enable an existing node to access the Internet, you must create an EIP and associate the EIP with the node. For more information, see Associate an EIP with an ECS instance.

    CloudMonitor Agent

    Specify whether to install the CloudMonitor agent. After you install the CloudMonitor agent on ECS nodes, you can view the monitoring information about the nodes in the CloudMonitor console.

    Note

    This parameter takes effect only on newly added nodes and does not take effect on existing nodes. If you want to install the CloudMonitor agent on an existing ECS node, go to the CloudMonitor console.

    Advanced settings

    Click Show Advanced Options to configure advanced settings.

    Click to view advanced settings

    Parameter

    Description

    Node Protection

    Specify whether to enable node protection.

    Note

    By default, this check box is selected. Node protection prevents nodes from being accidentally deleted in the console or by calling the API. This prevents user errors.

    ECS Tags

    Add tags to the ECS instances that are automatically added during auto scaling. Tag keys must be unique. A key cannot exceed 128 characters in length. Keys and values cannot start with aliyun or acs:. Keys and values cannot contain https:// or http://.

    An ECS instance can have at most 20 tags. To increase the quota limit, submit an application in the Quota Center console. The following tags are automatically added to an ECS node by ACK and Auto Scaling. Therefore, you can add at most 17 tags to an ECS node.

    • The following two ECS tags are added by ACK:

      • ack.aliyun.com:<Cluster ID>

      • ack.alibabacloud.com/nodepool-id:<Node pool ID>

    • The following label is added by Auto Scaling: acs:autoscaling:scalingGroupId:<Scaling group ID>.

    Note

    • After you enable auto scaling, the following ECS tags are added to the node pool by default: k8s.io/cluster-autoscaler:true and k8s.aliyun.com:true.

    • The auto scaling component simulates scale-out activities based on node labels and taints. To meet this purpose, the format of node labels is changed to k8s.io/cluster-autoscaler/node-template/label/Label key:Label value and the format of taints is changed to k8s.io/cluster-autoscaler/node-template/taint/Taint key/Taint value:Taint effect.

    Taints

    Add taints to nodes. A taint consists of a key, a value, and an effect. A taint key can be prefixed. If you want to specify a prefixed taint key, add a forward slash (/) between the prefix and the remaining content of the key. For more information, see Taints and tolerations. The following limits apply to taints:

    • Key: A key must be 1 to 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). A key must start and end with a letter or digit.

      If you want to specify a prefixed key, the prefix must be a subdomain name. A subdomain name consists of DNS labels that are separated by periods (.), and cannot exceed 253 characters in length. It must end with a forward slash (/). For more information about subdomain names, see DNS subdomain names.

    • Value: A value cannot exceed 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). A value must start and end with a letter or digit. You can also leave a value empty.

    • You can specify the following effects for a taint: NoSchedule, NoExecute, and PreferNoSchedule.

      • NoSchedule: If a node has a taint whose effect is NoSchedule, the system does not schedule pods to the node.

      • NoExecute: Pods that do not tolerate this taint are evicted after this taint is added to a node. Pods that tolerate this taint are not evicted after this taint is added to a node.

      • PreferNoSchedule: The system attempts to avoid scheduling pods to nodes with taints that are not tolerated by the pods.

    Node Label

    Add labels to nodes. A label is a key-value pair. A label key can be prefixed. If you want to specify a prefixed label key, add a forward slash (/) between the prefix and the remaining content of the key. The following limits apply to labels:

    • The key of a label must be 1 to 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). It must start and end with a letter or a digit.

      If you want to specify a prefixed key, the prefix must be a subdomain name. A subdomain name consists of DNS labels that are separated by periods (.), and cannot exceed 253 characters in length. It must end with a forward slash (/). For more information about subdomain names, see Subdomain names.

      The following prefixes are used by key Kubernetes components and cannot be used in node labels:

      • kubernetes.io/

      • k8s.io/

      • Prefixes that end with kubernetes.io/ or k8s.io/. Example: test.kubernetes.io/.

        However, you can still use the following prefixes:

        • kubelet.kubernetes.io/

        • node.kubernetes.io

        • Prefixes that are end with kubelet.kubernetes.io/.

        • Prefixes that are end with node.kubernetes.io.

    • A value cannot exceed 63 characters in length, and can contain letters, digits, hyphens (-), underscores (_), and periods (.). A value must start and end with a letter or digit. You can also leave a value empty.

    • If you select Set New Nodes to Unschedulable, nodes are unschedulable when they are added to the cluster. You can set an existing node to schedulable on the Nodes page in the ACK console.

    Scaling Policy

    • Priority: The system scales the node pool based on the priorities of the vSwitches that you select for the node pool. The vSwitches that you select are displayed in descending order of priority. If Auto Scaling fails to create ECS instances in the zone of the vSwitch with the highest priority, Auto Scaling attempts to create ECS instances in the zone of the vSwitch with a lower priority.

    • Cost Optimization: The system creates instances based on the vCPU unit prices in ascending order. Preemptible instances are preferentially created when multiple preemptible instance types are specified in the scaling configurations. If preemptible instances cannot be created due to reasons such as insufficient stocks, the system attempts to create pay-as-you-go instances.

      When Billing Method is set to Preemptible Instance, you can configure the following parameters in addition to the Enable Supplemental Preemptible Instances parameter:

      • Percentage of Pay-as-you-go Instances: Specify the percentage of pay-as-you-go instances in the node pool. Valid values: 0 to 100.

      • Enable Supplemental Pay-as-you-go Instances: After you enable this feature, Auto Scaling attempts to create pay-as-you-go ECS instances to meet the scaling requirement if Auto Scaling fails to create preemptible instances for reasons such as that the unit price is too high or preemptible instances are out of stock.

    • Distribution Balancing: The even distribution policy takes effect only when you select multiple vSwitches. This policy ensures that ECS instances are evenly distributed among the zones (the vSwitches) of the scaling group. If ECS instances are unevenly distributed across the zones due to reasons such as insufficient stocks, you can perform a rebalancing operation.

      Important

      You cannot change the scaling policy of a node pool after the node pool is created.

      When Billing Method is set to Preemptible Instance, you can specify whether to turn on Enable Supplemental Preemptible Instances. After this feature is enabled, when a system message that indicates preemptible instances are reclaimed is received, the node pool with auto scaling enabled attempts to create new instance to replace the reclaimed the preemptible instances.

    Important

    You cannot change the scaling policy of a node pool after the node pool is created.

    CPU Policy

    The CPU management policy for kubelet nodes.

    • None: The default CPU management policy.

    • Static: This policy allows pods with specific resource characteristics on the node to be granted enhanced CPU affinity and exclusivity.

    For more information, see CPU management policies.

    Custom Image

    After you specify Custom Image, the custom image will replace the default system image.

    • Custom Images: All nodes in the cluster are deployed based on the custom image. For more information about how to create a custom image, see Create a cluster or node pool based on a custom image.

    • Shared Images: All nodes in the cluster are deployed based on the shared image. For more information about shared images, see Procedure.

    Important

    • Create a custom image based on the operating system supported by the ACK cluster. For more information, see Overview of OS images.

    • The predefined behavior logic in a custom image may affect operations such as cluster node initialization, container launching, node updates, and automatic recovery of nodes in a managed node pool. Before you use it in a production environment, ensure that the custom image has been tested and validated.

    • This feature is only available to whitelist users. submit an application in the Quota Center console.

    RDS Whitelist

    Click Select RDS Instance to add node IP addresses to the whitelist of an ApsaraDB RDS instance.

    Custom Node Name

    Specify whether to use a custom node name. If you choose to use a custom node name, the name of the node, name of the ECS instance, and hostname of the ECS instance are changed.

    Note

    If a Windows instance uses a custom node name, the hostname of the instance is fixed to an IP address. You need to use hyphens (-) to replace the periods (.) in the IP address. In addition, no prefix or suffix is allowed in the IP address.

    A custom node name consists of a prefix, an IP substring, and a suffix.

    • A custom node name must be 2 to 64 characters in length. The name must start and end with a lowercase letter or digit.

    • The prefix and suffix can contain letters, digits, hyphens (-), and periods (.). The prefix and suffix must start with a letter and cannot end with a hyphen (-) or period (.). The prefix and suffix cannot contain consecutive hyphens (-) or periods (.).

    • The prefix is required due to ECS limits and the suffix is optional.

    For example, the node IP address is 192.XX.YY.55, the prefix is aliyun.com, and the suffix is test.

    • If the node is a Linux node, the node name, ECS instance name, and ECS instance hostname are aliyun.com192.XX.YY.55test.

    • If the node is a Windows node, the ECS instance hostname is 192-XX-YY-55 and the node name and ECS instance name are aliyun.com192.XX.YY.55test.

    User Data

    Nodes automatically run user-data scripts after they are added to the cluster. For more information about user-data scripts, see User-data scripts.

    For example, if you enter echo "hello world", a node runs the following script: 

    #!/bin/bash
[Node initialization script]
echo "hello world"
    Note

    After you create a cluster or add nodes, the execution of the user-data script on a node may fail. We recommend that you log on to a node and run the grep cloud-init/var/log/messages command to view the execution log and check whether the execution succeeds or fails on the node.

    Step 4: Configure cluster components

    Click Next:Component Configurations to configure the basic settings and advanced settings of cluster components.

    Basic settings

    Parameter

    Description

    Ingress

    Specify whether to install an Ingress controller. We recommend that you install an Ingress controller if you want to expose Services. By default, Nginx Ingress is selected. Valid values:

    Service Discovery

    Specify whether to install NodeLocal DNSCache. By default, NodeLocal DNSCache is installed.

    NodeLocal DNSCache runs a Domain Name System (DNS) caching agent to improve the performance and stability of DNS resolution. For more information about NodeLocal DNSCache, see Configure NodeLocal DNSCache.

    Volume Plug-in

    By default, CSI is installed as the volume plug-in. Dynamically Provision Volumes by Using Default NAS File Systems and CNFS, Enable NAS Recycle Bin, and Support Fast Data Restore is selected by default. ACK clusters can be automatically bound to Alibaba Cloud disks, File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets that are mounted to pods. For more information, see CSI overview.

    Monitor containers

    You can select Enable Managed Service for Prometheus to provide basic monitoring and alerting services for the ACK cluster.

    Log Service

    By default, Create Ingress Dashboard is selected. You can specify whether to create Ingress dashboards in the Simple Log Service console. For more information, see Analyze and monitor the access log of nginx-ingress-controller.

    Alerts

    Use Default Alert Rule Template is selected by default to enable alert rules. After you select this check box, you can specify contacts and contact groups. The default is Default Contact Group. For more information, see Alert management.

    Log Collection for Control Plane Components

    By default, Enable is selected to collect the logs of the control plane components in ACK managed clusters to your projects in Simple Log Service. For more information, see Collect logs of control plane components in ACK managed clusters.

    Cluster Inspection

    Specify whether to enable the cluster inspection feature for intelligent O&M. You can enable this feature to periodically check the resource quotas, resource usage, and component versions of a cluster and identify potential risks in the cluster. For more information, see Work with the cluster inspection feature.

    Advanced settings

    Click Show Advanced Options to select the components that you want to install.

    Step 5: Confirm the cluster configurations

    Click Next:Confirm Order, confirm the configurations, read and select the terms of service, and then click Create Cluster.

    After the cluster is created, you can find the cluster on the Clusters page in the ACK console.

    Note

    It requires about 10 minutes to create a cluster that contains multiple nodes.

    What to do next

    • View the basic information about the cluster

      On the Clusters page, find the created cluster and click Details in the Actions column. On the cluster details page, click the Basic Information tab to view the basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster. The following information is displayed:

      • API Server Public Endpoint: the IP address and port that the API server of the cluster uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on your client.

        Only ACK managed clusters support the Associate EIP and Disassociate EIP features.

        • Associate EIP: You can select an existing EIP or create an EIP.

          The API server restarts after you associate an EIP with the API server. We recommend that you do not perform operations on the cluster during the restart process.

        • Disassociate EIP: After you disassociate the EIP, you can no longer access the API server over the Internet.

          The API server restarts after you disassociate the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.

      • API Server Internal Endpoint: the IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the Server Load Balancer (SLB) instance that is associated with the cluster.

    References