Starting February 17, 2025, Container Service for Kubernetes (ACK) Serverless no longer allows new users to create clusters. If you have never created an ACK Serverless cluster, use one of the following alternatives:
Create an ACS cluster to access serverless container computing through Container Compute Service (ACS).
Use serverless computing elastically in ACK Managed Cluster Pro Edition. Existing ACK Serverless users are not affected. Your current clusters and new cluster creation within default quotas continue to work as expected. For details, see Announcement on deprecation of cluster creation interface for new users of ACK Serverless clusters.
ACK Serverless clusters run containerized workloads without requiring you to provision or manage nodes. Pods scale within seconds based on CPU and memory requests, and you pay only for the resources each pod consumes. ACK Serverless fits variable workloads where on-demand scheduling reduces compute costs.
Prerequisites
Before you begin, make sure that you have:
Activated ACK and granted it access to Alibaba Cloud services
Activated Elastic Container Instance (ECI) in the ECI console
Step 1: Open the cluster creation page
Log on to the ACK console. In the left-side navigation pane, click Clusters.
In the top navigation bar, select the resource group and region where you want to create the cluster.
On the Clusters page, click Create Kubernetes Cluster.
Click the ACK Serverless tab.
Step 2: Configure cluster settings
Basic settings
Parameter | Description |
Cluster Name | A custom name for the cluster. |
Cluster Specification | Select a cluster type. You can select Pro or Basic. Pro is recommended for production and test environments. Basic is for learning and individual testing only. For more information about the differences between cluster specifications, see Comparison. |
Region | The region for the cluster. Choose a region close to your users and workloads to minimize latency. |
Kubernetes Version | The Kubernetes version to run. Use the latest available version unless you have a specific compatibility requirement. For supported versions, see Kubernetes versions supported by ACK. |
Automatic Update | Enables periodic automatic updates of control plane components. ACK applies updates during the configured maintenance window. For details, see Automatically update a cluster. |
Maintenance Window | ACK automatically updates the cluster within the maintenance window based on your configurations. You can click Set to configure the detailed maintenance policies. |
Network settings
Parameter | Description |
IPv6 Dual-stack | Enables IPv4/IPv6 dual-stack networking. This feature is in public preview. To enable it, submit a request in the Quota Center console. Requires Kubernetes 1.20.11-aliyun.1 or later. The VPC must support IPv4/IPv6 dual-stack. |
VPC | The Virtual Private Cloud (VPC) for the cluster. Specify a zone and let ACK create a VPC automatically, or select an existing VPC from the list. |
Configure SNAT for VPC | Configures Source Network Address Translation (SNAT) so that pods can access the internet. When selected, ACK handles SNAT setup automatically. See SNAT behavior for details. Do not select this option if the cluster uses a shared VPC. |
vSwitch | Select an existing vSwitch from the vSwitch list or click Create vSwitch to create a vSwitch. The control plane and the default node pool use the vSwitch that you select. For high availability, select multiple vSwitches in different zones. |
Security Group | The security group for the cluster. Options: Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group (available only when using an existing VPC). See Security group considerations for details. |
Access to API Server | Controls how you connect to the Kubernetes API server. By default, ACK creates a pay-as-you-go internal-facing Classic Load Balancer (CLB) instance as the internal endpoint. To reuse an existing CLB instance, submit a ticket to request access first. Select Expose API server with EIP to attach an elastic IP address (EIP) and enable public access. Clear this checkbox to restrict access to the VPC only. See API server access notes for details. |
Service CIDR | The CIDR block for Kubernetes Services. This block must not overlap with the VPC CIDR block, other ACK cluster CIDR blocks in the same VPC, or the pod CIDR block. This setting cannot be changed after the cluster is created. For planning guidance, see Network planning of an ACK managed cluster. |
IPv6 Service CIDR Block | The IPv6 CIDR block for Services. Only applicable when IPv4/IPv6 dual-stack is enabled. Specify a Unique Local Unicast Address (ULA) range within |
SNAT behavior
When you select Configure SNAT for VPC, ACK applies the following rules:
No existing NAT gateway: ACK creates a NAT gateway and adds vSwitch-level SNAT rules for all vSwitches used by the cluster.
Existing NAT gateway, no VPC-level SNAT rules: ACK adds vSwitch-level SNAT rules for all vSwitches used by the cluster.
Existing NAT gateway with VPC-level SNAT rules: No changes are made.
If you leave this option unselected, configure a NAT gateway and SNAT rules manually after creating the cluster. For instructions, see Create and manage an Internet NAT gateway.
Security group considerations
Auto-created security groups allow all outbound traffic by default. If you modify the security group rules, keep the
100.64.0.0/10CIDR block open. This range is required for pulling container images and querying Elastic Compute Service (ECS) metadata.When you select an existing security group, ACK does not configure any rules automatically. Configure the required rules manually. For details, see Configure security groups for clusters.
API server access notes
Do not delete the default CLB instance. Deleting it makes the API server unreachable.
Attaching an EIP exposes the API server to public traffic, but resources inside the cluster still cannot access the internet. To allow pods to pull public images, also select Configure SNAT for VPC.
The API server restarts briefly when you associate or disassociate an EIP. Avoid running cluster operations during the restart.
Starting December 1, 2024, newly created CLB instances incur an instance fee. For details, see CLB billing adjustments.
Advanced settings
Parameter | Description |
Deletion Protection | Prevents the cluster from being accidentally deleted. Enable this for production clusters. |
Resource Group | The resource group for the cluster. Each resource belongs to exactly one resource group. |
Labels | Key-value pairs that help you organize and identify cloud resources. |
Cluster Domain | The top-level domain suffix for in-cluster DNS. Defaults to |
Time Zone | The time zone of the cluster. Defaults to your browser's time zone. |
Step 3: Configure components
Click Next: Component Configurations and configure the following components.
Component | Description |
Service Discovery | Disable, PrivateZone, or CoreDNS. Alibaba Cloud DNS PrivateZone resolves private domain names to IP addresses within one or more VPCs. CoreDNS is a flexible DNS server and the standard Kubernetes service discovery component. |
Ingress | Do Not Install, Nginx Ingress, ALB Ingress, or MSE Ingress. Nginx Ingress provides flexible routing based on Ingress resources. ALB Ingress delivers Layer-7 load balancing through Application Load Balancer (ALB) instances with support for automatic certificate discovery, HTTP/HTTPS/QUIC, and high-elasticity traffic handling. MSE Ingress uses Microservices Engine (MSE) cloud-native gateways for advanced ingress traffic management. |
Container Monitoring | Enables Managed Service for Prometheus for predefined dashboards and performance metrics. Optionally install the metrics-server component for offline monitoring data. |
Log Service | Select Enable Log Service to integrate with Simple Log Service (SLS). If disabled, cluster auditing is unavailable. For more information, see Quick start with Logtail. |
Knative | Select Enable Knative to install the Knative serverless framework. Knative supports request-based auto scaling, scale-to-zero, version management, and canary releases. |
Step 4: Confirm and create the cluster
Click Next: Confirm Order.
Review the cluster configuration and read the terms of service.
Click Create Cluster.
Cluster creation takes approximately 10 minutes.
Verify cluster creation
After the cluster is created, it appears on the Clusters page in the ACK console.
On the Clusters page, find your cluster and click Details in the Actions column.
Click the Basic Information tab to view basic information about the cluster.
Click the Connection Information tab to view information about how to connect to the cluster. The following information is displayed:
API server Public Endpoint: The IP address and port that the Kubernetes API Server uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on the client.
API server Internal Endpoint: The IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the SLB instance that is associated with the cluster.
Click the Cluster Logs tab to review cluster event logs.
Manage EIP association
After cluster creation, you can associate or disassociate an EIP for public API server access:
Associate EIP: Select an existing EIP or create a new one. The API server restarts during this operation.
Disassociate EIP: Removes public access to the API server. The API server restarts during this operation.
Avoid running cluster operations while the API server restarts.