All Products
Search
Document Center

Container Service for Kubernetes:Create an ACK managed cluster that supports sandboxed containers by calling an API operation

Last Updated:Jul 01, 2024

You can call the CreateCluster operation to create a Container Service for Kubernetes (ACK) managed cluster that supports sandboxed containers.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request syntax

POST /clusters HTTP/1.1
Content-Type:application/json
{
  "addons" : [ {
    "name" : "String",
    "config" : "String",
    "disabled" : Boolean
  } ],
  "cloud_monitor_flags" : Boolean,
  "cluster_type" : "String",
  "container_cidr" : "String",
  "cpu_policy" : "String",
  "deletion_protection" : Boolean,
  "disable_rollback" : Boolean,
  "endpoint_public_access" : Boolean,
  "is_enterprise_security_group" : Boolean,
  "key_pair" : "String",
  "kubernetes_version" : "String",
  "login_password" : "String",
  "name" : "String",
  "node_cidr_mask" : "String",
  "node_port_range" : "String",
  "num_of_nodes" : Long,
  "pod_vswitch_ids" : [ "String" ],
  "proxy_mode" : "String",
  "region_id" : "String",
  "runtime" : {
    "name" : "String",
    "version" : "String"
  },
  "service_cidr" : "String",
  "security_group_id" : "String",
  "snat_entry" : Boolean,
  "ssh_flags" : Boolean,
  "tags" : [ {
    "key" : "String",
    "value" : "String"
  } ],
  "taints" : [ {
    "key" : "String",
    "value" : "String",
    "effect" : "String"
  } ],
  "timeout_mins" : Long,
  "user_data" : "String",
  "vpcid" : "String",
  "vswitch_ids" : [ "String" ],
  "worker_auto_renew" : Boolean,
  "worker_auto_renew_period" : Long,
  "worker_data_disks" : [ {
    "category" : "String",
    "size" : Long,
    "encrypted" : "String",
    "auto_snapshot_policy_id" : "String"
  } ],
  "worker_vswitch_ids" : [ "String" ],
  "worker_instance_types" : [ "String" ],
  "worker_system_disk_category" : "String",
  "worker_system_disk_size" : Long,
  "worker_instance_charge_type" : "String",
  "worker_period_unit" : "String",
  "worker_period" : Long,
  "zone_id" : "String"
}
            

Request parameters

Table 1. Request body parameters

Parameter

Type

Required

Example

Description

addons

Array

Yes

[{"name": "terway-eniip","config": ""}, {"name": "logtail-ds","config": "{\"IngressDashboardEnabled\":\"true\",\"sls_project_name\":\"your_sls_project_name\"}"}, {"name":"nginx-ingress-controller","config":"{\"IngressSlbNetworkType\":\"internet\"}"}]

The list of add-ons to be installed.

  • Parameter description:

    • name: required.

    • config: optional. If this parameter is left empty, no configurations are required.

    • disabled: optional. It specifies whether to disable automatic installation.

  • Network plug-in: required. Supported network plug-ins are Flannel and Terway. Select one of the plug-ins for the cluster.

    • Specify the Flannel plug-in in the following format: [{"name":"flannel","config":""}].

    • Specify the Terway plug-in in the following format: [{"name": "terway-eniip","config": "\"IPVlan\":\"false\""}].

  • Volume plug-in: optional. Only the CSI volume plug-in is supported.

    Specify the CSI plug-in in the following format: [{"name":"csi-plugin","config": ""},{"name": "csi-provisioner","config": ""}].

  • Simple Log Service (SLS) component: optional.

    Important

    If you do not activate SLS, you cannot use the cluster auditing feature.

    • To use an existing SLS project, specify the component in the following format: [{"name": "logtail-ds","config": "{"IngressDashboardEnabled":"true","sls_project_name":"your_sls_project_name"}"}].

    • To create a SLS project, specify the component in the following format: [{"name": "logtail-ds","config": "{"IngressDashboardEnabled":"true"}"}].

  • Ingress controller: optional. By default, the nginx-ingress-controller component is installed.

    • To install nginx-ingress-controller and enable Internet access, specify the component in the following format: [{"name":"nginx-ingress-controller","config":"{"IngressSlbNetworkType":"internet"}"}].

    • If you do not want to install nginx-ingress-controller, specify the component in the following format: [{"name": "nginx-ingress-controller","config": "","disabled": true}].

  • Event center: optional. By default, the event center feature is enabled. You can use Kubernetes event centers to store and query events, and configure alert rules. You can use the Logstores that are associated with Kubernetes event centers for free within 90 days. For more information, see Create and use an event center.

    Enable the ack-node-problem-detector component in the following format: [{"name":"ack-node-problem-detector","config":"{\"sls_project_name\":\" your_sls_project_name\"}"}].

cloud_monitor_flags

Boolean

No

true

Specifies whether to install the CloudMonitor agent. Valid values:

  • true: does not install the CloudMonitor agent.

  • false: installs the CloudMonitor agent.

Default value: false.

cluster_type

String

Yes

ManagedKubernetes

The type of the instance. If you want to create an ACK managed cluster that supports sandboxed containers, set the value to ManagedKubernetes.

container_cidr

String

No

172.20.0.0/16

The CIDR block of pods. This CIDR block cannot overlap with the CIDR block of the VPC in which the cluster is deployed. If the VPC is automatically created by the system, the CIDR block of pods is set to 172.16.0.0/16 by default. This parameter is required if the cluster uses the Flannel plug-in.

cpu_policy

String

No

none

The CPU management policy of the nodes in the cluster. The following policies are supported if the Kubernetes version of the cluster is 1.12.6 or later.

  • static: allows pods with specific resource characteristics on the node to be granted with enhanced CPU affinity and exclusivity.

  • none: indicates that the default CPU affinity is used.

Default value: none.

deletion_protection

Boolean

No

true

Specifies whether to enable deletion protection for the cluster. After deletion protection is enabled, the cluster cannot be deleted in the ACK console or by calling API operations. Valid values:

  • true: enables deletion protection for the cluster.

  • false: disables deletion protection for the cluster.

Default value: false.

disable_rollback

Boolean

No

true

Specifies whether to perform a rollback when the cluster fails to be created. Valid values:

  • true: performs a rollback when the cluster fails to be created.

  • false: does not perform a rollback when the cluster fails to be created.

Default value: false.

endpoint_public_access

Boolean

No

true

Specifies whether to enable Internet access for the API server. Valid values:

  • true: enables Internet access for the API server.

  • false: disables Internet access for the API server. The API server is accessible only within the internal network.

Default value: true.

is_enterprise_security_group

Boolean

No

true

Specifies whether to create an advanced security group. This parameter takes effect only if security_group_id is left empty. You must specify an advanced security group for a cluster that has Terway installed.

  • true: creates an advanced security group.

  • false: does not create an advanced security group.

Default value: false.

key_pair

String

Yes

security-key

The name of the key pair. You must set this parameter or the login_password parameter.

kubernetes_version

String

No

1.16.9-aliyun.1

The Kubernetes version of the cluster. The Kubernetes versions supported by Container Service are the same as the Kubernetes versions supported by open source Kubernetes. We recommend that you specify the latest Kubernetes version. If you do not set this parameter, the latest Kubernetes version is queried. You can create clusters of the latest two Kubernetes versions in the ACK console. You can create clusters of earlier Kubernetes versions by calling API operations. For more information about the Kubernetes versions supported by ACK, see Overview of Kubernetes versions supported by ACK.

login_password

String

Yes

Hello@1234

The password for SSH logon. You must set this parameter or the key_pair parameter. The password must be 8 to 30 characters in length, and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

name

String

Yes

cluster-demo

The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, and hyphens (-). The name cannot start with a hyphen (-).

node_cidr_mask

String

No

25

The maximum number of IP addresses that can be assigned to each node. This number is determined by the specified pod CIDR block. This parameter takes effect only if the cluster uses the Flannel plug-in.

Default value: 25

node_port_range

String

No

30000~32767

The node port range. Valid values: 30000 to 65535.

num_of_nodes

Long

Yes

3

The number of worker nodes. Valid values: 0 to 100.

pod_vswitch_ids

Array of String

No

vsw-2ze97jwri7cei0mpw****

The list of pod vSwitches.

Note

The pod_vswitch_ids parameter is required when the Terway network plug-in is selected for the cluster.

For each vSwitch that is allocated to nodes, you must specify at least one pod vSwitch in the same zone. The pod vSwitches cannot be the same as the node vSwitches.

proxy_mode

String

No

ipvs

The kube-proxy mode. Valid values: iptables and ipvs.

Default value: ipvs.

region_id

String

Yes

cn-beijing

The ID of the region in which you want to deploy the cluster.

runtime

runtime

Yes

{"name": "Sandboxed-Container.runv", "version": "2.2.0"}

The container runtime. Valid values: Sandboxed-Container.runv, docker, and containerd. Default value: docker.

  • containerd: containerd is recommended for all Kubernetes versions.

  • Sandboxed-Container.runv: supports clusters that run Kubernetes 1.24 and earlier.

  • docker: supports clusters that run Kubernetes 1.22 and earlier.

You must specify the name and version of the container runtime:

  • name: the name of the container runtime.

  • version: the version of the container runtime.

Important

Set the value to Sandboxed-Container.runv if you want to create a cluster that supports sandboxed containers.

The version of the container runtime. By default, the latest version is used. For more information about the release notes for Sandboxed-Container, see Release notes for Sandboxed-Container.

security_group_id

String

No

sg-bp1bdue0qc1g7k****

The ID of the existing security group that is specified for the cluster. Nodes in the cluster are automatically added to the specified security group. You must set this parameter or the is_enterprise_security_group parameter.

service_cidr

String

Yes

172.21.0.0/20

The CIDR block of Services. This CIDR block cannot overlap with the CIDR block of pods or the CIDR block of the VPC in which the cluster is deployed. If the VPC is automatically created by the system, the default CIDR block of Services is 172.19.0.0/20.

snat_entry

Boolean

No

true

Specifies whether to configure SNAT rules for the VPC in which your cluster is deployed.

  • If the VPC supports Internet access, set the value to false.

  • If the VPC cannot access the Internet, the following values are valid:

    • true: configures SNAT rules. This enables Internet access for the cluster.

    • false: does not configure SNAT rules. In this case, the cluster cannot access the Internet.

If your applications deployed in the cluster need to access the Internet, we recommend that you set the value to true.

Default value: false.

ssh_flags

Boolean

No

true

Specifies whether to enable SSH logon over the Internet. Valid values:

  • true: enables SSH logon over the Internet.

  • false: disables SSH logon over the Internet.

Default value: false.

tags

Array

No

The tags of the cluster.

key

String

No

env

The key of the label.

value

String

No

prod

The value of the label.

taints

Array

No

The taints that you want to add to nodes. Taints are added to nodes to prevent pods from being scheduled to inappropriate nodes. However, tolerations allow pods to be scheduled to nodes with matching taints. For more information, see taint-and-toleration.

effect

String

No

NoSchedule

The scheduling policy. Valid values:

  • NoSchedule: Pods cannot be scheduled to a node with taints.

  • NoExecute: If a taint is added to a node, all pods that do not tolerate the taint are immediately evicted from the node.

  • PreferNoSchedule: a soft version of NoSchedule. The system attempts not to schedule pods to a node with taints.

key

String

No

disk_type

The key of the taint.

value

String

No

sshd

The value of the taint.

timeout_mins

Long

No

60

The timeout period of cluster creation. Unit: minutes.

Default value: 60

user_data

String

No

IyEvdXNyL2Jpbi9iYXNoCmVjaG8gIkhlbGxvIEFD****

The user-defined data on the node. For more information, see Instance user data.

vpcid

String

Yes

vpc-2zeik9h3ahvv2zz95****

The ID of the VPC in which you want to deploy the cluster.

vswitch_ids

Array of String

Yes

vsw-2ze48rkq464rsdts1****"

The IDs of vSwitches.

worker_auto_renew

Boolean

No

true

Specifies whether to enable auto-renewal for worker nodes. This parameter takes effect only if worker_instance_charge_type is set to PrePaid. Valid values:

  • true: enables auto-renewal.

  • false: disables auto-renewal.

Default value: true.

worker_auto_renew_period

Long

No

1

The cycle of auto-renewal. This parameter takes effect and is required only if the subscription billing method is selected for worker nodes. Valid values: 1, 2, 3, 6, and 12.

worker_data_disks

Array

Yes

The configuration of the data disk that is mounted to worker nodes. The configuration includes the disk type and disk size.

auto_snapshot_policy_id

String

No

sp-bp14j6w7ss6ozz****

The ID of the automatic snapshot policy.

category

String

No

cloud_ssd

The type of data disk that is mounted to worker nodes. Valid values:

  • cloud_efficiency: ultra disk.

  • cloud_ssd: SSD.

  • cloud: basic disk.

Default value: cloud_efficiency.

encrypted

String

No

false

Specifies whether to encrypt the data disk. Valid values:

  • true: encrypts a data disk.

  • false: does not encrypt a data disk.

Default value: false.

size

String

Yes

200

The size of the data disk. Unit: GiB. Valid values:

  • cloud_efficiency: 20 to 32768.

  • cloud_ssd: 20 to 32768.

  • cloud: 5 to 2000.

Note

You must mount at least one data disk to nodes that run sandboxed containers. The data disk must be at least 200 GiB in size.

worker_instance_charge_type

String

Yes

PrePaid

The billing method of worker nodes. Valid values:

  • PrePaid: subscription.

  • PostPaid: pay-as-you-go.

Default value: PostPaid.

worker_instance_types

Array of String

Yes

ecs.ebmg5s.24xlarge

The instance types of worker nodes.

Important

To create a cluster that supports sandboxed containers, you must select ECS Bare Metal instances.

worker_period

Long

No

1

The subscription duration of worker nodes. This parameter takes effect and is required only if worker_instance_charge_type is set to PrePaid. Valid values: 1, 2, 3, 6, 12, 24, 36, 48, and 60.

Default value: 1.

worker_period_unit

String

No

Month

The billing cycle of worker nodes. This parameter is required if worker_instance_charge_type is set to PrePaid. Set the value to Month. Worker nodes are billed only on a monthly basis.

worker_system_disk_category

String

No

cloud_efficiency

The type of system disk that is specified for worker nodes. Valid values:

  • cloud_efficiency: ultra disk.

  • cloud_ssd: SSD.

Default value: cloud_ssd.

worker_system_disk_size

Long

No

120

The size of the system disk that you want to use for worker nodes. Unit: GiB.

Valid values: 40 to 500

Note

If you use a custom image, set the parameter to a value that is equal to or greater than the larger value between 40 and the size of the custom image.

Default value: 120.

worker_vswitch_ids

Array of String

No

vsw-2ze3ds0mdip0hdz8i****

The list of vSwitches that are specified for nodes. Each node is allocated a vSwitch.

zone_id

String

No

cn-beijing-b

The ID of the zone in which the cluster is deployed.

resource_group_id

String

No

rg-acfm3mkrure****

The ID of the resource group to which the cluster belongs. You can use this parameter to isolate different clusters.

Response syntax

HTTP/1.1 200
Content-Type:application/json
{
  "cluster_id" : "String",
  "request_id" : "String",
  "task_id" : "String"
}

Response parameters

Table 2. Response body parameters

Parameter

Type

Example

Description

cluster_id

String

cb95aa626a47740afbf6aa099b650****

The ID of the cluster.

request_id

String

687C5BAA-D103-4993-884B-C35E4314A1E1

The request ID.

task_id

String

T-5a54309c80282e39ea00002f

The ID of the job.

Example 1: Create an ACK managed cluster that supports sandboxed containers and uses the Flannel plug-in

Sample requests

POST /clusters
Common request headers
{
  "name": "webService",
  "cluster_type": "ManagedKubernetes",
  "disable_rollback": true,
  "timeout_mins": 60,
  "kubernetes_version": "1.18.8-aliyun.1",
  "region_id": "cn-hangzhou",
  "snat_entry": true,
  "cloud_monitor_flags": true,
  "endpoint_public_access": false,
  "deletion_protection": false,
  "node_cidr_mask": "26",
  "proxy_mode": "ipvs",
  "tags": [],
  "timezone": "Asia/Shanghai",
  "addons": [{
    "name": "flannel"
  }, {
    "name": "sandboxed-container-controller"
  }, {
    "name": "csi-plugin"
  }, {
    "name": "csi-provisioner"
  }, {
    "name": "logtail-ds",
    "config": "{\"IngressDashboardEnabled\":\"true\"}"
  }, {
    "name": "ack-node-problem-detector",
    "config": "{\"sls_project_name\":\"\"}"
  }, {
    "name": "nginx-ingress-controller",
    "config": "{\"IngressSlbNetworkType\":\"internet\"}"
  }, {
    "name": "arms-prometheus"
  }],
  "runtime": {
    "name": "Sandboxed-Container.runv",
    "version": "2.1.0"
  },
  "worker_instance_types": ["ecs.ebmc5s.24xlarge"],
  "num_of_nodes": 3,
  "worker_system_disk_category": "cloud_essd",
  "worker_system_disk_size": 120,
  "worker_data_disks": [{
    "category": "cloud_efficiency",
    "size": "200",
    "encrypted": "false",
    "auto_snapshot_policy_id": ""
  }],
  "worker_instance_charge_type": "PostPaid",
  "vpcid": "vpc-bp1gxh70jnkl12vq27jg7",
  "container_cidr": "172.23.0.0/16",
  "service_cidr": "172.21.0.0/20",
  "vswitch_ids": ["vsw-bp1hl2o4i9z7sbmy*****"],
  "login_password": "Hello1234!",
  "logging_type": "SLS",
  "cpu_policy": "none",
  "is_enterprise_security_group": true
}

Sample success responses

XML format

<cluster_id>cb95aa626a47740afbf6aa099b650****</cluster_id>
<task_id>T-5a54309c80282e39ea00002f</task_id>
<request_id>687C5BAA-D103-4993-884B-C35E4314A1E1</request_id>

JSON format

{
    "cluster_id": "cb95aa626a47740afbf6aa099b650****",
    "task_id": "T-5a54309c80282e39ea00002f",
    "request_id": "687C5BAA-D103-4993-884B-C35E4314A1E1"
}

Example 2: Create an ACK managed cluster that supports sandboxed containers and uses the Terway plug-in

Note

pod_vswitch_ids is required if you create a cluster that uses the Terway plug-in.

Sample requests

POST /clusters HTTP/1.1
Common request headers
{
  "name": "webService",
  "cluster_type": "ManagedKubernetes",
  "disable_rollback": true,
  "timeout_mins": 60,
  "kubernetes_version": "1.18.8-aliyun.1",
  "region_id": "cn-hangzhou",
  "snat_entry": true,
  "cloud_monitor_flags": true,
  "endpoint_public_access": false,
  "deletion_protection": false,
  "proxy_mode": "ipvs",
  "tags": [],
  "timezone": "Asia/Shanghai",
  "addons": [{
    "name": "terway-eniip",
    "config": "{\"IPVlan\":\"false\",\"NetworkPolicy\":\"false\"}"
  }, {
    "name": "sandboxed-container-controller"
  }, {
    "name": "csi-plugin"
  }, {
    "name": "csi-provisioner"
  }, {
    "name": "logtail-ds",
    "config": "{\"IngressDashboardEnabled\":\"true\"}"
  }, {
    "name": "ack-node-problem-detector",
    "config": "{\"sls_project_name\":\"\"}"
  }, {
    "name": "nginx-ingress-controller",
    "config": "{\"IngressSlbNetworkType\":\"internet\"}"
  }, {
    "name": "arms-prometheus"
  }],
  "pod_vswitch_ids": ["vsw-bp1e5819t8dl8ulcrpgkm"],
  "runtime": {
    "name": "Sandboxed-Container.runv",
    "version": "2.1.0"
  },
  "worker_instance_types": ["ecs.ebmc5s.24xlarge"],
  "num_of_nodes": 3,
  "worker_system_disk_category": "cloud_essd",
  "worker_system_disk_size": 120,
  "worker_data_disks": [{
    "category": "cloud_efficiency",
    "size": "200",
    "encrypted": "false",
    "auto_snapshot_policy_id": ""
  }],
  "worker_instance_charge_type": "PostPaid",
  "vpcid": "vpc-bp1gxh70jnkl12vq27jg7",
  "service_cidr": "172.21.0.0/20",
  "vswitch_ids": ["vsw-bp1hl2o4i9z7sbmy*****"],
  "login_password": "Hello1234!",
  "logging_type": "SLS",
  "cpu_policy": "none",
  "is_enterprise_security_group": true
}

Sample success responses

XML format

<cluster_id>cb95aa626a47740afbf6aa099b650****</cluster_id>
<task_id>T-5a54309c80282e39ea00002f</task_id>
<request_id>687C5BAA-D103-4993-884B-C35E4314A1E1</request_id>

JSON format

{
    "cluster_id": "cb95aa626a47740afbf6aa099b650****",
    "task_id": "T-5a54309c80282e39ea00002f",
    "request_id": "687C5BAA-D103-4993-884B-C35E4314A1E1"
}

Error codes

For a list of error codes, see Service error codes.