This topic describes how to create a Container Service for Kubernetes (ACK) managed cluster for confidential computing in the ACK console. ACK managed clusters for confidential computing run in Trusted Execution Environments (TEEs).
Table of contents
Prerequisites
Limits
Item | Limit | Links for increasing quota limits/references | |
Networks | ACK clusters support only VPCs. | ||
Cloud resources | ECS | The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console. | Change the billing method of an ECS instance from pay-as-you-go to subscription |
VPC route entries | By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC. | ||
Security groups | By default, you can create at most 100 security groups with each account. | ||
SLB instances | By default, you can create at most 60 pay-as-you-go SLB instances with each account. | ||
EIP | By default, you can create at most 20 EIPs with each account. |
Configure the parameters as required in the following table when you create an ACK managed cluster for confidential computing. Otherwise, the cluster does not support Intel SGX 2.0 applications.
Parameter | Description |
Zone | Only the following instance families support ACK managed clusters for confidential computing: c7t security-enhanced compute-optimize, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized. Make sure that the selected zones support these instance families. For more information about the ECS instance types available in different regions and zones, see Instance Types Available for Each Region. |
Container Runtime | Select containerd 1.4.4 or later. |
Instance Type | Select instances types from the following instance families: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized. Note Intel Ice Lake supports the remote attestation service only based on Intel Software Guard Extensions Data Center Attestation Primitives (SGX DCAP). Remote attestation services based on Intel Enhanced Privacy Identification (EPID) are not supported. You must adapt your applications before you can use the remote attestation service. For more information about the remote attestation service, see attestation-services. |
Operating System | Select Alibaba Cloud Linux 2.xxxx 64-bit (UEFI). |
Network Plug-in | Flannel |
Step 1: Log on to the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
In the upper-right corner of the Clusters page, click Cluster Template.
On the Clusters page, click Cluster Templates in the upper-right corner, find Confidential Computing Cluster, and click Create.
Step 2: Configure the cluster
On the Managed Kubernetes page, configure the basic settings and advanced settings of the cluster.
Basic settings
Parameter | Description |
All Resources | Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches that belong to the resource group are displayed. When you create a cluster, only VPCs and vSwitches that belong to the specified resource group are displayed. |
Cluster Name | Enter a name for the cluster. Note The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit. |
Cluster Specification | Select a cluster type. You can select Professional or Basic. We recommend that you use Container Service for Kubernetes (ACK) Pro clusters in the production environment and test environment. ACK Basic clusters can meet the learning and testing needs of individual users. |
Region | Select a region to deploy the cluster. |
Billing Method | Two billing methods are supported: Pay-As-You-Go and Subscription. If you select the subscription billing method, you must set the following parameters: Note If you set Billing Method to Subscription, only Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances are billed on a subscription basis. Other cloud resources are billed on a pay-as-you-go basis. For more information about the billing of cloud resources, see Billing of cloud services.
|
Kubernetes Version | The Kubernetes versions supported by ACK are displayed. |
Confidential Computing | Select Enable. |
IPv6 Dual-stack | If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created. This feature is in public preview. To use this feature, submit an application in the Quota Center console. Important
|
VPC | Select a VPC to deploy the cluster. Standard VPCs and shared VPCs are supported.
Note ACK clusters support only VPCs. You can select a VPC from the drop-down list. If you do not have a VPC, click Create VPC to create one. For more information, see Create and manage a VPC. |
Network Plug-in | You must select the Flannel plug-in if you want to enable confidential computing. |
vSwitch | Select vSwitches. You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create vSwitch. For more information, see Create and manage vSwitches. |
Pod CIDR Block | If you select Flannel, you must set Pod CIDR Block. The pod CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the Service CIDR block. The pod CIDR block cannot be modified after it is specified. For more information, see Plan Kubernetes cluster networks. |
Number of Pods per Node | If you set Network Plug-in to Flannel, you must set Number of Pods per Node. |
Service CIDR | Set Service CIDR. The Service CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the pod CIDR block. The Service CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for an ACK cluster, see Plan CIDR blocks for an ACK cluster. |
IPv6 Service CIDR | If you enable IPv4/IPv6 dual stack, you must specify an IPv6 CIDR block for Services. When you set this parameter, take note of the following items:
For more information about how to plan CIDR blocks for an ACK cluster, see Plan CIDR blocks for an ACK cluster. |
Configure SNAT | By default, the check box is selected. If the VPC that you select for the cluster cannot access the Internet, you can select Configure SNAT for VPC. This way, ACK will create a NAT gateway and configure SNAT rules to enable Internet access for the VPC. |
Access to API Server | By default, ACK automatically creates an internal-facing SLB instance that uses the pay-as-you-go billing method for the API server. You can manually change the billing method. For more information, see Pay-as-you-go. Important If you delete the SLB instance, you cannot access the Kubernetes API server of the cluster. Select or clear Expose API Server with EIP. The ACK API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources, such as pods and Services.
|
Security Group | You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information about security groups, see Overview. Note
|
Deletion Protection | Specify whether to enable deletion protection for the cluster. Deletion protection can prevent clusters from being accidentally released by using the console or API. |
Resource Group | The resource group to which the cluster belongs. Each resource can belong to only one resource group. You can regard a resource group as a project, an application, or an organization based on your business scenarios. For more information, see Resource groups. |
Advanced settings
Click Show Advanced Options to configure the advanced settings of the cluster.
Step 3: Configure the node pool
Click Next:Node Pool Configurations to configure the basic settings and advanced settings of the node pool.
Basic settings
Parameter | Description |
Node Pool Name | Specify a node pool name. |
Managed Node Pool | Specify whether to enable the managed node pool feature. |
Maintenance Window | This parameter is available after you select Managed Node Pool. Image updates, runtime updates, and Kubernetes version updates are automatically performed during the maintenance window. For more information, see Overview of managed node pools. Click Set. In the Maintenance Window dialog box, set the Cycle, Started At, and Duration parameters and click OK. |
Container Runtime | Specify the container runtime based on the Kubernetes version. The following list describes the Kubernetes versions supported by different container runtimes:
For more information, see Comparison of Docker, containerd, and Sandboxed-Container. |
Instance Type and Selected Types | Only instance types of the following instance families support Intel Software Guard Extensions (SGX) 2.0 applications: c7t security-enhanced compute-optimized, g7t security-enhanced general-purpose, and r7t security-enhanced memory-optimized. |
Expected Nodes | The expected number of nodes in the node pool. You can modify the Expected Nodes parameter to adjust the number of nodes in the node pool. If you do not want to create nodes in the node pool, set this parameter to 0. For more information, see Scale a node pool. Note We recommend that you configure at least two worker nodes. After the cluster is created, you can adjust the number of worker nodes to meet your business requirements. If the cluster has only one worker node or contains low-specification worker nodes, cluster components may not run as expected. |
System Disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, Standard SSD, and Ultra Disk are supported. The types of system disks that you can select depend on the instance types that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. For more information about disks, see Overview of Block Storage. For more information about disk types supported by different instance types, see Overview of instance families. Note
You can select More System Disk Types and select a disk type other than the current one in the System Disk section to improve the success rate of system disk creation. The system will attempt to create a system disk based on the specified disk types in sequence. |
Mount Data Disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, SSD, and Ultra Disk are supported. The disk types that you can select depend on the instance types that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. For more information about disks, see Overview of Block Storage. For more information about disk types supported by different instance types, see Overview of instance families.
Note Up to 64 data disks can be attached to an ECS instance. The maximum number of disks that can be attached to an instance varies based on the instance type. When you create an instance, you can attach only one system disk and up to 16 data disks to the instance. If the instance requires additional data disks, attach the data disks after you create the instance. The number of disks that can be attached to an instance varies based on the instance type. You can call the DescribeInstanceTypes operation to query the number of disks that can be attached to an instance. |
Operating System | Only Alibaba Cloud Linux 2.xxxx 64-bit (UEFI) is supported. |
Security Reinforcement |
Note After the cluster is created, you cannot modify the Security Hardening parameter. |
Logon Type | Valid values: Key Pair, Password, and Later. Note If you select Reinforcement based on classified protection for the Security Reinforcement parameter, only the Password option is supported.
|
Public IP | Specify whether to allocate an IPv4 address to each node. If you clear the check box, no public IP address is allocated. If you select the check box, you must also set the Bandwidth Billing Method and Peak Bandwidth parameters. Note This parameter takes effect only on newly added nodes and does not take effect on existing nodes. If you want to enable an existing node to access the Internet, you must create an EIP and associate the EIP with the node. For more information, see Associate an EIP with an ECS instance. |
CloudMonitor Agent | Specify whether to install the CloudMonitor agent. After you install the CloudMonitor agent on ECS nodes, you can view the monitoring information about the nodes in the CloudMonitor console. Note This parameter takes effect only on newly added nodes and does not take effect on existing nodes. If you want to install the CloudMonitor agent on an existing ECS node, go to the CloudMonitor console. |
Advanced settings
Click Show Advanced Options to configure advanced settings.
Step 4: Configure cluster components
Click Next:Component Configurations to configure the basic settings and advanced settings of cluster components.
Basic settings
Parameter | Description |
Ingress | Specify whether to install an Ingress controller. We recommend that you install an Ingress controller if you want to expose Services. By default, Nginx Ingress is selected. Valid values:
|
Service Discovery | Specify whether to install NodeLocal DNSCache. By default, NodeLocal DNSCache is installed. NodeLocal DNSCache runs a Domain Name System (DNS) caching agent to improve the performance and stability of DNS resolution. For more information about NodeLocal DNSCache, see Configure NodeLocal DNSCache. |
Volume Plug-in | By default, CSI is installed as the volume plug-in. Dynamically Provision Volumes by Using Default NAS File Systems and CNFS, Enable NAS Recycle Bin, and Support Fast Data Restore is selected by default. ACK clusters can be automatically bound to Alibaba Cloud disks, Apsara File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets that are mounted to pods. For more information, see CSI overview. |
Monitor containers | Enable Managed Service for Prometheus is selected by default to monitor ACK clusters and generate alerts. |
Log Service | By default, Create Ingress Dashboard is selected. You can specify whether to create Ingress dashboards in the Simple Log Service console. For more information, see Analyze and monitor the access log of nginx-ingress-controller. |
Alerts | Use Default Alert Rule Template is selected by default to enable alert rules. After you select this check box, you can specify contacts and contact groups. The default is Default Contact Group. For more information, see Alert management. |
Log Collection for Control Plane Components | By default, Enable is selected to collect the logs of the control plane components in ACK managed clusters to your projects in Simple Log Service. For more information, see Collect the logs of control plane components in ACK Pro clusters. |
Cluster Inspection | Specify whether to enable the cluster inspection feature for intelligent O&M. You can enable this feature to periodically check the resource quotas, resource usage, and component versions of a cluster and identify potential risks in the cluster. For more information, see Work with the cluster inspection feature. |
Advanced settings
Click Show Advanced Options to select the components that you want to install.
Step 5: Confirm the cluster configurations
Click Next:Confirm Order, confirm the configurations, read and select the terms of service, and then click Create Cluster.
After the cluster is created, you can find the cluster on the Clusters page in the ACK console.
It requires about 10 minutes to create a cluster that contains multiple nodes.
What to do next
View the basic information about the cluster
On the Clusters page, find the created cluster and click Details in the Actions column. On the cluster details page, click the Basic Information tab to view the basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster. The following information is displayed:
API Server Public Endpoint: the IP address and port that the API server of the cluster uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on your client.
Only ACK managed clusters support the Associate EIP and Disassociate EIP features.
Associate EIP: You can select an existing EIP or create an EIP.
The API server restarts after you associate an EIP with the API server. We recommend that you do not perform operations on the cluster during the restart process.
Disassociate EIP: After you disassociate the EIP, you can no longer access the API server over the Internet.
The API server restarts after you disassociate the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.
API Server Internal Endpoint: the IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the Server Load Balancer (SLB) instance that is associated with the cluster.
View cluster logs
You can choose
in the Actions column to go to the Log Center page and view the logs of the cluster.View the information of nodes in the cluster
You can obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster, and run the
kubectl get node
command to view the node information of the cluster.