
Container Service for Kubernetes: how to create a registered cluster

Last Updated: Dec 11, 2024

This feature allows you to create a registered cluster and connect the registered cluster to a cluster that is deployed in a data center or on a third-party cloud. This way, you can manage your clusters in the Container Service for Kubernetes (ACK) console in a centralized manner. This topic describes how to create a registered cluster and register an external cluster in the ACK console.

Note

Before you read this topic, we recommend that you read Overview of registered clusters to learn the concepts and scenarios about registered clusters.

Prerequisites

The cluster is connected to Alibaba Cloud over the Internet or an internal network. For more information, see What are the requirements for connecting an external cluster to the cluster registration proxy?

Procedure

Use the ACK console to create a registered cluster

  1. Create a registered cluster.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click Create Kubernetes Cluster.

    3. On the ACK One Registered Cluster tab, set the parameters.

      All Resources: Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches that belong to the resource group are displayed. When you create a cluster, only VPCs and vSwitches that belong to the specified resource group are displayed.

      Cluster Name: The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit.

      Region: The region of the cluster.

      VPC: Select a VPC from the drop-down list.

      vSwitch: Select node vSwitches that belong to the specified VPC.

      Security Group: You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information about security groups, see Overview.

      Note
      • Only users in the whitelist can select the Select Existing Security Group option. To apply to be added to the whitelist, log on to the Quota Center console and submit an application.

      • If you select an existing security group, the system does not automatically configure security group rules. This may cause errors when you access the nodes in the cluster. You must manually configure security group rules. For more information about how to manage security group rules, see Configure security group rules to enforce access control on ACK clusters.

      • By default, the security group used by ACK permits all outbound traffic. When you modify the security group due to business purposes, make sure that traffic destined for 100.64.0.0/10 is permitted. This CIDR block is used to pull images and query basic ECS information.

      Access to API Server: You can select Pay-As-You-Go or Subscription for the CLB instance of the API server.

      Important
      • If you delete the default CLB instance, you cannot access the API server. You can manually change the billing method. For more information, see Pay-as-you-go.

      • Starting from December 1, 2024, an instance fee will be charged for newly created CLB instances. For more information, see CLB billing adjustments.

      Associate EIP: Specify whether to associate an elastic IP address (EIP) with the cluster. If you select this check box, an EIP is automatically created and associated with the cluster.

      Note

      If the cluster is connected to Alibaba Cloud over the Internet, you must select this option. You do not need to select this option if the cluster is connected to Alibaba Cloud over an Express Connect circuit.

      Deletion Protection: Specify whether to enable deletion protection for the cluster. Deletion protection prevents the cluster from being deleted in the console or by calling the API. This prevents user errors.

      Resource Group: The resource group to which the cluster belongs. Each resource can belong to only one resource group. You can regard a resource group as a project, an application, or an organization based on your business scenarios.

      Labels: Add labels to the cluster. Enter a key and a value, and then click Add.

      Note
      • Key is required. Value is optional.

      • Keys are not case-sensitive. A key must be 1 to 64 characters in length, and cannot start with aliyun, acs:, http://, or https://.

      • Values are not case-sensitive. A value must be 1 to 128 characters in length, and cannot start with aliyun, acs:, http://, or https://. The Value parameter can be left empty.

      • The keys of labels that are added to the same resource must be unique. If you add a label with a used key, the label overwrites the label that uses the same key.

      • If you add more than 20 labels to a resource, all labels become invalid. You must remove excess labels for the remaining labels to take effect.

      Terms of Service: Read and select Terms of Service and Disclaimer.

    4. On the right of the page, click Create Cluster.

      You can find the newly created cluster on the Clusters page.

  2. Register a cluster.

    1. On the Clusters page, select the newly created cluster and click Details in the Actions column. In this example, select the cluster named test-external-cluster1.

    2. On the details page of the cluster, click the Connection Information tab.

    3. In the Agent for Connecting to the Cluster section, click the Public Network or Internal Network tab based on how the external cluster reaches Alibaba Cloud, and then click Copy on the right side. Create a YAML file, paste the copied manifest into it, and apply the file with kubectl in the external cluster to register it.

      For example, you can create a file named agent.yaml and paste the copied code to the agent.yaml file. Then, run the kubectl apply -f agent.yaml command in the cluster to register the cluster.

      Important

      If the cluster is connected to Alibaba Cloud over the Internet, select Public Network. If the cluster is connected to Alibaba Cloud over an internal network, select Internal Network.


    4. Run the following command in the cluster to query the status of the agent:

      kubectl -n kube-system get pod | grep ack-cluster-agent

      Expected output:

      ack-cluster-agent-5f7d568f6-6fc4k              1/1     Running   0          9s
      ack-cluster-agent-5f7d568f6-tf6fp              1/1     Running   0          9s

      After the cluster is registered, verify that the cluster is in the Running state on the Clusters page.
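      The check in this step can be scripted so that registration is only reported as done once the agent pods are actually up. The following shell script is an added example and is not part of this topic or of the ACK agent: it applies the agent.yaml file named above and polls the pod listing from the command above until every ack-cluster-agent pod is Running and fully ready. AGENT_FILE and TIMEOUT are hypothetical environment variables, and the pod listing shown in the comments is constructed from the expected output above.

```shell
#!/bin/sh
# Added example (not an Alibaba Cloud script): apply the agent manifest copied
# from the console and wait until the ack-cluster-agent pods are Running.
# Assumes kubectl is configured for the external cluster (KUBECONFIG or
# ~/.kube/config). AGENT_FILE and TIMEOUT are hypothetical overrides.
# Usage: sh register_agent.sh apply

AGENT_FILE="${AGENT_FILE:-agent.yaml}"   # the file you pasted the manifest into
TIMEOUT="${TIMEOUT:-120}"                # seconds to wait before giving up

# agent_pods_ready reads a `kubectl get pod` listing on stdin and succeeds only
# when at least one ack-cluster-agent pod exists and every one of them is
# Running with READY reading n/n. The header line and unrelated pods are ignored.
# Constructed listing that passes the check:
#   ack-cluster-agent-5f7d568f6-6fc4k   1/1   Running   0   9s
#   ack-cluster-agent-5f7d568f6-tf6fp   1/1   Running   0   9s
agent_pods_ready() {
    awk '
        $1 ~ /^ack-cluster-agent-/ {
            total++
            split($2, r, "/")
            if ($3 == "Running" && r[1] == r[2]) ok++
        }
        END { if (total > 0 && ok == total) exit 0; exit 1 }
    '
}

# wait_for_agent polls the cluster until agent_pods_ready succeeds or TIMEOUT
# seconds have passed; on failure it prints the agent pods for troubleshooting.
wait_for_agent() {
    elapsed=0
    while [ "$elapsed" -lt "$TIMEOUT" ]; do
        if kubectl -n kube-system get pod 2>/dev/null | agent_pods_ready; then
            echo "ack-cluster-agent is running; confirm the cluster is Running on the Clusters page"
            return 0
        fi
        sleep 5
        elapsed=$((elapsed + 5))
    done
    echo "ack-cluster-agent did not become ready within ${TIMEOUT}s" >&2
    kubectl -n kube-system get pod | grep ack-cluster-agent >&2
    return 1
}

# Only the "apply" argument triggers the registration, so the functions above
# can also be sourced into another script.
case "${1:-}" in
    apply)
        kubectl apply -f "$AGENT_FILE" || exit 1
        wait_for_agent
        ;;
esac
```

      The awk check treats a pod that is Running but reports 0/1 ready as not ready, which is what you see while the agent container is still starting, so the script does not declare success early.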

Result

On the Clusters page, find the newly registered cluster and click Details in the Actions column. On the page that appears, you can view Basic Information and Connection Information about the cluster.

You can use kubeconfig to connect to the cluster and deploy applications in the cluster. For more information, see Use kubectl to connect to an ACK cluster.

Use onectl to create a registered cluster

  1. Install and configure onectl. For more information, see Use onectl to manage registered clusters.

  2. You can use onectl to create a registered cluster by using one of the following methods:

    Important

    When you create a registered cluster, you must specify the VPC, vSwitch, and region of the cluster. If the registered cluster is exposed to the Internet, configure an access control whitelist for its Server Load Balancer (SLB) instance by using --acl. The whitelist must contain the CIDR block from which the external cluster sends outbound traffic and the source CIDR block of requests sent to the registered cluster.

    • Non-interactive mode: Run the following command to create a registered cluster.

      onectl cluster create --region **** --vpc **** --vswitch ****

    • Interactive mode: Run the following command to create a registered cluster.

      onectl cluster create

    You can run the following command to view the help information of the parameters:

    onectl cluster create -h

    After the registered cluster is created, ACK will initialize the registered cluster. At this point, the status of the registered cluster is initial. Expected output:

    Registered cluster test-registered-cluster created successfully, information of the cluster:
    name         = test-registered-cluster
    state        = initial
    cluster id   = c3c277f2fc10f45c1b86473**********
    region id    = cn-zhangjiakou
    node numbers = 0
    vpc id       = vpc-8vb95w2o172**********
    vswitch id   = vsw-8vbv8bxhput**********

  3. After the initialization is complete, the status of the registered cluster changes to waiting. Run the following command to query the status of the cluster:

    onectl cluster describe --cluster-id ****

    Expected output:

    name  = test-registered-cluster
    state = waiting
    ...
  4. After the status of the registered cluster changes to waiting, run the following command to connect the external cluster to the registered cluster:

    onectl cluster connect --cluster-id **** --kubeconfig ~/.kube/config --restricted true

    cluster-id (required): The ID of the registered cluster created in the preceding Step 2.

    kubeconfig (optional): The path of the kubeconfig file of the external cluster. If no path is specified, the kubeconfig file specified in the KUBECONFIG environment variable is used.

    restricted (optional): Specifies whether to connect to the registered cluster in restricted mode. For more information, see RBAC permissions required by the ack-cluster-agent component in a registered cluster.

    You can run the following command to view the help information of the parameters:

    onectl cluster connect -h

  5. Run the following command to check whether the external cluster is connected to the registered cluster:

    onectl cluster describe --cluster-id ****

    Expected output:

    name  = test-registered-cluster
    state = running
    ...

    If the registered cluster is in the running state, the external cluster is connected to the registered cluster.
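    Steps 2 to 5 above can be driven from one script that waits for each state change before moving on. The following shell script is an added example and is not part of this topic or of onectl itself: it uses only the onectl subcommands and flags shown above, reads the cluster ID and state from the key = value output shown above, waits for waiting before connecting and for running afterwards. REGION, VPC, VSWITCH, ACL, POLL_INTERVAL and TIMEOUT are hypothetical environment variables; the value format passed to --acl is an assumption, so check onectl cluster create -h before relying on it.

```shell
#!/bin/sh
# Added example, not an Alibaba Cloud script: drive the onectl procedure end to
# end. Only onectl subcommands and flags shown in this topic are used. REGION,
# VPC, VSWITCH and the optional ACL variable are hypothetical inputs; the value
# format given to --acl is an assumption.
# Usage: REGION=... VPC=... VSWITCH=... sh onectl_register.sh run

POLL_INTERVAL="${POLL_INTERVAL:-10}"   # seconds between status queries
TIMEOUT="${TIMEOUT:-600}"              # seconds to wait for each state change

# onectl_field prints the value of the "key = value" line whose key is $1
# (for example "state" or "cluster id") from onectl output read on stdin.
# Constructed sample of the output it parses:
#   name         = test-registered-cluster
#   state        = initial
#   cluster id   = c3c277f2fc10f45c1b86473**********
onectl_field() {
    awk -F'=' -v key="$1" '
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# describe_cluster wraps the status query so it can be replaced by a stub
# when the parsing logic is tested without a real registered cluster.
describe_cluster() {
    onectl cluster describe --cluster-id "$1"
}

# wait_for_state polls describe_cluster until cluster $1 reports state $2,
# failing once TIMEOUT seconds have passed without reaching it.
wait_for_state() {
    cluster_id="$1"; target="$2"; elapsed=0
    while :; do
        state="$(describe_cluster "$cluster_id" | onectl_field state)"
        if [ "$state" = "$target" ]; then
            echo "cluster $cluster_id is $state"
            return 0
        fi
        if [ "$elapsed" -ge "$TIMEOUT" ]; then
            echo "cluster $cluster_id still '$state' after ${TIMEOUT}s (wanted $target)" >&2
            return 1
        fi
        sleep "$POLL_INTERVAL"
        elapsed=$((elapsed + POLL_INTERVAL))
    done
}

case "${1:-}" in
    run)
        : "${REGION:?set REGION}" "${VPC:?set VPC}" "${VSWITCH:?set VSWITCH}"
        set -- --region "$REGION" --vpc "$VPC" --vswitch "$VSWITCH"
        # Whitelist the SLB instance when the registered cluster is Internet-facing.
        [ -n "${ACL:-}" ] && set -- "$@" --acl "$ACL"
        # Step 2: create the registered cluster and keep its ID from the output.
        create_out="$(onectl cluster create "$@")" || exit 1
        printf '%s\n' "$create_out"
        cluster_id="$(printf '%s\n' "$create_out" | onectl_field 'cluster id')"
        [ -n "$cluster_id" ] || { echo "could not read cluster id from onectl output" >&2; exit 1; }
        # Step 3: initialization is complete when the state changes to waiting.
        wait_for_state "$cluster_id" waiting || exit 1
        # Step 4: connect the external cluster in restricted mode.
        onectl cluster connect --cluster-id "$cluster_id" \
            --kubeconfig "${KUBECONFIG:-$HOME/.kube/config}" --restricted true || exit 1
        # Step 5: registration is complete when the state is running.
        wait_for_state "$cluster_id" running
        ;;
esac
```

    Connecting before the cluster leaves the initial state is the usual reason a scripted run fails, which is why the script blocks on the waiting state rather than sleeping for a fixed time, and it exits non-zero with the last observed state if the timeout expires.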