Container Service for Kubernetes (ACK) allows you to create managed node pools. Managed node pools can automate O&M tasks for specific nodes. For example, managed node pools can automatically patch high-risk Common Vulnerabilities and Exposures (CVE) vulnerabilities or fix specific anomalies. This improves the O&M efficiency. This topic introduces managed node pools and describes the use scenarios and features of managed node pools. It also compares regular node pools and managed node pools.
Usage notes
Managed node pools update nodes by replacing the system disks of the nodes. After the nodes are updated, the data stored on the previous system disks is deleted. The data disks that are mounted to the nodes are not affected. Do not use system disks to persist data.
Before a managed node pool replaces the system disk of a node, it disables and drains the node. This may restart the pods on the node and interrupt persistent connections.
When exceptions occur on a node in a managed node pool, the managed node pool may restart the node to fix the exceptions. This restarts the pods on the node.
To patch CVE vulnerabilities, you must activate Security Center and ensure a sufficient quota of servers that can be protected by Security Center. For more information, see Purchase Security Center.
We recommend that you enable the event center so that you can receive alert notifications about managed node pools. For more information about how to enable the event center, see Event monitoring.
We recommend that you install ack-node-problem-detector so that the system can identify node anomalies. For more information about ack-node-problem-detector, see ack-node-problem-detector.
Managed node pool diagram
Use scenarios
Users who want to focus on application development instead of the O&M of worker nodes.
Users whose workloads require elasticity rather than immutable nodes: the pods of their applications are insensitive to node changes and can tolerate being migrated to other nodes.
Key features
You can create multiple managed node pools in a Container Service for Kubernetes (ACK) cluster.
Before a node is updated by replacing the system disk of the node, ACK runs the kubectl cordon command to change the node to the Unschedulable state. Then, ACK evicts the pods on the node. If the pods are not evicted within 15 minutes, ACK forcefully replaces the system disk.
A managed node pool monitors the status of nodes in the node pool. If the status is not reported from a node for more than 10 minutes or a node is in the NotReady state, ACK restarts the node to restore the workloads on the node.
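The two rules above (cordon and evict with a 15-minute limit before the system disk is replaced; restart a node that is NotReady or has not reported status for more than 10 minutes) are easy to misjudge when you are deciding which workloads to place in a managed node pool. The following Python is an added illustration written for this page; it is not ACK's controller code and ACK publishes no such API. It evaluates constructed Node objects in the shape returned by `kubectl get node -o json` against the thresholds quoted on this page and reports which nodes would be restarted and whether a drain would complete in time or be forced. The node names, timestamps and the `plan_repairs` / `drain_outcome` helpers are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Thresholds quoted on this page for managed node pools (assumed to be applied
# exactly as stated): a node that is NotReady or whose status has not been
# reported for more than 10 minutes is restarted; pods get 15 minutes to be
# evicted before the system disk is replaced regardless.
STALE_HEARTBEAT = timedelta(minutes=10)
DRAIN_GRACE = timedelta(minutes=15)


def _parse_ts(value):
    # Kubernetes reports condition timestamps as RFC 3339 in UTC, e.g. "2024-05-01T10:00:00Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_repair(node, now):
    """Return True if a managed node pool would restart this node, per the page's rules."""
    for cond in node["status"]["conditions"]:
        if cond["type"] != "Ready":
            continue
        if cond["status"] == "False":
            return True  # kubelet explicitly reports NotReady
        # Ready == "True" or "Unknown": judge by how long ago the node last reported status.
        last_heartbeat = _parse_ts(cond["lastHeartbeatTime"])
        return now - last_heartbeat > STALE_HEARTBEAT
    return True  # a node with no Ready condition at all has never reported status


def plan_repairs(nodes, now):
    """Names of nodes that would be restarted, in the order they were listed."""
    return [n["metadata"]["name"] for n in nodes if needs_repair(n, now)]


def drain_outcome(drain_started_at, now, pods_remaining):
    """Outcome of a drain that started at drain_started_at: completed, waiting, or forced."""
    if pods_remaining == 0:
        return "completed"  # all pods evicted; system disk can be replaced cleanly
    if now - drain_started_at > DRAIN_GRACE:
        return "forced"  # 15 minutes elapsed with pods still present: disk is replaced anyway
    return "waiting"


# Constructed sample input (not real cluster data); "now" is fixed so the example is reproducible.
NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _node(name, status, heartbeat):
    return {
        "metadata": {"name": name},
        "status": {"conditions": [
            {"type": "Ready", "status": status, "lastHeartbeatTime": heartbeat},
            {"type": "DiskPressure", "status": "False", "lastHeartbeatTime": heartbeat},
        ]},
    }


SAMPLE_NODES = [
    _node("node-a", "True", "2024-05-01T09:59:00Z"),     # healthy, reported 1 minute ago
    _node("node-b", "False", "2024-05-01T09:59:30Z"),    # NotReady: restarted immediately
    _node("node-c", "Unknown", "2024-05-01T09:48:00Z"),  # silent for 12 minutes: restarted
    _node("node-d", "Unknown", "2024-05-01T09:55:00Z"),  # silent for 5 minutes: not yet
]

if __name__ == "__main__":
    print("nodes to restart:", plan_repairs(SAMPLE_NODES, NOW))
    for started, remaining in [(NOW - timedelta(minutes=3), 2), (NOW - timedelta(minutes=16), 2)]:
        print("drain started", started.isoformat(), "pods left", remaining, "->",
              drain_outcome(started, NOW, remaining))
```

The point to take from the `drain_outcome` branch is the one the usage notes make: a PodDisruptionBudget or slow pod termination can hold up eviction, but it only delays the system disk replacement by up to 15 minutes, after which any pods still on the node are lost with it. Workloads placed in a managed node pool should be designed to survive that.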
Comparison between managed node pools and regular node pools
Regular node pool: You can use a regular node pool to manage a set of nodes that have the same configurations, such as specifications, labels, and taints. You can manually manage and maintain the nodes in a regular node pool.
Managed node pool: Managed node pools provide automated O&M features, such as automatic high-risk vulnerability patching and automatic node repair.
To change the type of a node pool, go to the Node Pools page, find the node pool that you want to manage, and then click Enable Managed Node Pool or Disable Managed Node Pool in the Actions column. Make sure that the node pool and the cluster run as expected before you change the type of the node pool.
The following table compares managed node pools and regular node pools.

| Item | Regular node pool | Managed node pool |
| --- | --- | --- |
| O&M | Managed by users. | Partially managed by ACK. |
| O&M time window | No O&M time window needs to be set. | An O&M time window must be set. Managed node pools run automated O&M tasks, such as high-risk CVE vulnerability patching, within the specified time window. |
| Node repair | Manually performed. | Automatically performed. |
| CVE patching | Manually triggered. | Automatically triggered to patch high-risk vulnerabilities. Note: CVE patching is an advanced feature provided by Security Center. To use CVE patching, you must purchase Security Center Enterprise Edition or higher. ACK does not charge additional fees. For more information, see Vulnerability patching. |
| Component update | Manually performed. | Automatically performed. |
| Minor kubelet version update | Manually performed. | Automatically performed. |
| Instant ContainerOS scale-out | Not supported. | Supported. If you use ContainerOS to add 1,000 nodes to a cluster, it takes only 53 seconds to initialize 90% of the nodes. If you use CentOS to add 1,000 nodes to a cluster, it takes 330 seconds to initialize 90% of the nodes. Therefore, ContainerOS is more efficient than CentOS. Note: ContainerOS is an operating system that Alibaba Cloud provides for containerized development. ContainerOS is fully compatible with Kubernetes. For more information about ContainerOS, see ContainerOS overview. |
| Operating systems | The following operating systems are supported: | The following operating systems are supported: |