When you use Container Service for Kubernetes (ACK) for the first time, you must use your Alibaba Cloud account to assign default roles to ACK. ACK can use resources in other cloud services to create clusters or save log files only after these roles are assigned. These cloud services include Elastic Compute Service (ECS), Object Storage Service (OSS), File Storage NAS (NAS), and Server Load Balancer (SLB). This topic describes how to assign default roles to ACK and activate the associated cloud services when you use ACK for the first time.
Step 1: Activate ACK
ACK is available for commercial use. You must activate ACK before you can create an ACK cluster. To do this, perform the following steps.
Go to the Container Service for Kubernetes page.
Read and select Container Service for Kubernetes Terms of Service.
Click Activate Now.
If you have not activated ACK before, you are prompted to activate ACK in the Dependency Check section of the cluster creation page when you create an ACK cluster.
Step 2: Assign default roles to ACK
When you use ACK for the first time, you must assign default roles to ACK with your Alibaba Cloud account. To do this, perform the following steps.
You can use Alibaba Cloud accounts or Resource Access Management (RAM) users that have administrator permissions to assign default roles to ACK.
Log on to the ACK console.
If the default roles have not yet been assigned to ACK with your Alibaba Cloud account, click Go to RAM console. The Cloud Resource Access Authorization page appears. Click Agree to Authorization.
After you assign the RAM roles to ACK, log on to the ACK console again to get started with ACK.
Step 3: Activate the associated cloud services
Some features provided by ACK depend on or are associated with other cloud services. You must activate those cloud services before you can use these features.
You must use your Alibaba Cloud account to activate cloud services. RAM users are not allowed to activate cloud services.
Log on to the Alibaba Cloud official website with your Alibaba Cloud account and activate the following cloud services based on your requirements.
Required: the cloud services that you must activate. ACK clusters cannot function normally unless these services are activated.
Recommended: the cloud services that we recommend that you activate. You can choose to use these services when you create ACK clusters and manage applications.
Optional: the cloud services that you can activate based on your business architecture and O&M requirements.
Cloud service | Service link | Activation | Description |
Virtual Private Cloud (VPC) | | Required | This service can be used to build networks and create routing rules for clusters. |
Server Load Balancer (SLB) | | Required | This service allows you to enable load balancing for ACK clusters. |
Auto Scaling | | Required | This service allows ACK to automatically create worker nodes and enables ACK clusters to automatically scale in or out. |
NAT Gateway | | Recommended | This service enables Internet access for clusters and allows clusters to pull images over the Internet. |
Container Registry | | Recommended | This service ensures the security of cloud-native applications that are fully managed on the cloud and allows you to manage the lifecycle of these applications. |
Elastic Container Instance | https://www.alibabacloud.com/products/elastic-container-instance | Recommended | This service allows you to deploy ACK Serverless clusters. |
Service Mesh | | Recommended | This service allows you to manage the network traffic of applications that are deployed across multiple ACK clusters by using Service Mesh. |
Simple Log Service | | Recommended | This service allows you to collect and query the log data of ACK components and applications. |
CloudMonitor | | Recommended | This service allows you to monitor the status of nodes and applications in ACK clusters. |
Managed Service for Prometheus | | Recommended | This service allows you to monitor ACK clusters and generate alerts when exceptions are detected. |
Security Center (SAS) | | Optional | This service allows you to monitor the security events of application runtimes in ACK clusters and generate alerts when exceptions are detected. |
File Storage NAS (NAS) | | Optional | This service allows you to store application data in NAS file systems. |
Object Storage Service (OSS) | | Optional | This service allows you to store application data in OSS buckets. |
Key Management Service (KMS) | | Optional | This service allows you to manage application Secrets and encrypt Secrets for ACK Pro clusters. |
Alibaba Cloud DNS PrivateZone | | Optional | This service is intended for resolving private domain names in VPCs. You can use this service to resolve the domain names of applications in ACK Serverless clusters. |
Cloud Backup | | Optional | This service provides data backup, disaster recovery, and policy-based archive management. |
ACK default roles
Role | Description |
| ACK assumes this role to access your resources in other cloud services when ACK manages clusters. These cloud services include ECS, Virtual Private Cloud (VPC), SLB, Auto Scaling, and Resource Orchestration Service (ROS). |
| Container Intelligent Service (CIS) assumes this role to access your resources in other cloud services such as ECS, VPC, and SLB to perform diagnostics and inspections. |
| An ACK managed cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and Container Registry. |
| An ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, SLB, and Alibaba Cloud DNS PrivateZone. |
| The audit feature of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service. |
| The network component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS and VPC. |
| The storage component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS and NAS. |
| The monitoring component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in other cloud services such as CloudMonitor and Simple Log Service. |
| The logging component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Simple Log Service. |
| The virtual node component of an ACK Serverless cluster assumes this role to access your resources in other cloud services such as ECS, VPC, and Elastic Container Instance. |
| The Application Real-Time Monitoring Service (ARMS) component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ARMS. |
| The password-free image pulling plug-in of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Container Registry. |
| The managed node pool controller of an ACK managed cluster assumes this role to access your node pool resources in ECS and ACK. |
| The auto scaling component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Auto Scaling and ECS. |
| The disk encryption component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in Key Management Service (KMS). |
| The cost analysis component of an ACK managed cluster or ACK Serverless cluster assumes this role to access your resources in ECS and Elastic Container Instance and use BSS OpenAPI (BOA). |
| The network component of an ACK Lingjun managed cluster assumes this role to access your resources in Lingjun AI Computing Service. |
| The backup center component of an ACK managed cluster assumes this role to access your resources in Cloud Backup and OSS. |
| The control component of an ACK Edge cluster assumes this role to access your resources in Smart Access Gateway (SAG), VPC, and Cloud Enterprise Network (CEN). |