To create a Container Service for Kubernetes (ACK) managed cluster, you only need to create nodes. You do not need to maintain control planes. The control planes are created and managed by ACK. This reduces O&M costs and allows you to focus on application development. This topic describes how to create an ACK managed cluster in the ACK console.
Prerequisites
ACK is activated and authorized to access Alibaba Cloud services.
Limits
Item | Limit | Links for increasing quota limits/references | |
Networks | ACK clusters support only VPCs. | ||
Cloud resources | ECS | The pay-as-you-go and subscription billing methods are supported. After an ECS instance is created, you can change its billing method from pay-as-you-go to subscription in the ECS console. | Change the billing method of an ECS instance from pay-as-you-go to subscription |
VPC route entries | By default, you can add at most 200 route entries to the VPC of an ACK cluster that runs Flannel. VPCs of ACK clusters that run Terway do not have this limit. If you want to add more route entries to the VPC of your ACK cluster, request a quota increase for the VPC. | ||
Security groups | By default, you can create at most 100 security groups with each account. | ||
SLB instances | By default, you can create at most 60 pay-as-you-go SLB instances with each account. | ||
EIP | By default, you can create at most 20 EIPs with each account. |
Billing
For more information about the billing rules of ACK clusters, see Billing.
Step 1: Log on to the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click Create Kubernetes Cluster.
Step 2: Configure a cluster
On the Managed Kubernetes page, configure the basic, network and advanced settings of the cluster.
Basic settings
Parameter | Description |
All Resources | Move the pointer over All Resources at the top of the page and select the resource group that you want to use. After you select a resource group, virtual private clouds (VPCs) and vSwitches that belong to the resource group are displayed. When you create a cluster, only VPCs and vSwitches that belong to the specified resource group are displayed. |
Cluster Name | The name of the cluster. The name must be 1 to 63 characters in length, and can contain digits, letters, hyphens (-), and underscores (_). The name must start with a letter or digit. |
Cluster Specification | Select a cluster type. You can select Professional or Basic. We recommend that you use ACK Pro clusters in the production environment and test environment. ACK Basic clusters can meet the learning and testing needs of individual users. |
Region | The region of the cluster. |
Billing Method | These billing methods are supported: Pay-As-You-Go and Subscription. If you select the subscription billing method, you must set the following parameters: Note If you set Billing Method to Subscription, only Elastic Compute Service (ECS) instances and Server Load Balancer (SLB) instances are billed on a subscription basis. Other cloud resources are billed on a pay-as-you-go basis. For more information about the billing of cloud resources, see Billing of cloud services.
|
Kubernetes Version | The supported Kubernetes versions. |
Network settings
Parameter | Description |
IPv6 Dual-stack | If you enable IPv4/IPv6 dual-stack, a dual-stack cluster is created. This feature is in public preview. To use this feature, submit an application in the Quota Center console. Important
|
VPC | Select a VPC to deploy the cluster. Standard VPCs and shared VPCs are supported.
Note ACK clusters support only VPCs. You can select a VPC from the drop-down list. If you do not have a VPC, click Create VPC to create one. For more information, see Create and manage a VPC. |
Configure SNAT | By default, the check box is selected. If the VPC that you select for the cluster cannot access the Internet, you can select Configure SNAT for VPC. This way, ACK will create a NAT gateway and configure SNAT rules to enable Internet access for the VPC. |
vSwitch | Select vSwitches. You can select up to three vSwitches that are deployed in different zones. If no vSwitch is available, click Create vSwitch. For more information, see Create and manage vSwitches. |
Security Group | You can select Create Basic Security Group, Create Advanced Security Group, or Select Existing Security Group. For more information about security groups, see Overview. Note
|
Access to API Server | By default, ACK automatically creates an internal-facing SLB instance that uses the pay-as-you-go billing method for the API server. Important
Select or clear Expose API Server with EIP. The ACK API server provides multiple HTTP-based RESTful APIs, which can be used to create, delete, modify, query, and monitor resources such as pods and Services.
|
Network Plug-in | Select a network plug-in. Flannel and Terway are supported. For more information, see Work with Terway.
|
Pod vSwitch | If you select Terway as the network plug-in, you must allocate vSwitches to pods. Each pod vSwitch corresponds to a vSwitch of a worker node. The vSwitch of the pod and the vSwitch of the worker node must be in the same zone. Important We recommend that you set the subnet mask of the CIDR block of a pod vSwitch to no longer than 19 bits, but the subnet mask must not exceed 25 bits. Otherwise, the cluster network has only a limited number of IP addresses that can be allocated to the pods. As a result, the cluster may not function as expected. |
Container CIDR Block | If you select Flannel, you must set Container CIDR Block. The container CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the Service CIDR block. The container CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster. |
Number of Pods per Node | If you set Network Plug-in to Flannel, you must configure the Number of Pods per Node parameter. |
Service CIDR | Set Service CIDR. The Service CIDR block must not overlap with the CIDR block of the VPC, the CIDR blocks of the ACK clusters in the VPC, or the pod CIDR block. The Service CIDR block cannot be modified after it is specified. For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster. |
IPv6 Service CIDR | If you enable IPv4/IPv6 dual stack, you must specify an IPv6 CIDR block for Services. When you set this parameter, take note of the following items:
For more information about how to plan CIDR blocks for a cluster, see Plan the network of an ACK cluster. |
Advanced settings
Click Advanced Options (Optional) to configure the Forwarding Mode.
Parameter | Description |
Forwarding Mode | iptables and IPVS are supported.
|
Click Advanced Options (Optional) to configure advanced settings such as Deletion Protection and Resource Group.
Step 3: Configure the node pool
Click Next:Node Pool Configurations to configure the basic settings and advanced settings of the node pool.
Basic settings
Parameter | Description | |
Node Pool Name | Specify a node pool name. | |
Container Runtime | Specify the container runtime based on the Kubernetes version.
For more information, see Comparison among Docker, containerd, and Sandboxed-Container. | |
Managed node pool settings | Managed Node Pool | Specify whether to enable the managed node pool feature. Managed node pools are O&M-free node pools provided by ACK. Managed node pools support CVE vulnerability patching and auto recovery. They can efficiently reduce your O&M work and enhance node security. For more information, see Overview of managed node pools. |
Auto Recovery Rule | This parameter is available after you select Enable for the managed node pool feature. After you select Restart Faulty Node, the system automatically restarts relevant components to repair nodes in the NotReady state and drains the nodes before restarting them. | |
Auto Update Rule | This parameter is available after you select Enable for the managed node pool feature. After you select Automatically Update Kubelet and Containerd, the system automatically updates the kubelet when a new version is available. For more information, see Node pool updates. | |
Auto CVE Patching (OS) | This parameter is available after you select Enable for the managed node pool feature. You can configure ACK to automatically patch high-risk, medium-risk, and low-risk vulnerabilities. For more information, see Auto repair and CVE patching. Some patches take effect only after you restart the ECS instances. After you select Restart Nodes if Necessary to Patch CVE Vulnerabilities, the system automatically restarts nodes on demand. If you do not select this option, you need to manually restart nodes. | |
Maintenance Window | This parameter is available after you select Enable for the managed node pool feature. Image updates, runtime updates, and Kubernetes version updates are automatically performed during the maintenance window. For more information, see Overview of managed node pools. Click Set. In the Maintenance Window dialog box, set the Cycle, Started At, and Duration parameters and click OK. |
Instance and Image settings
Parameter | Description | |
Instance-related parameters | Select the ECS instances used by the worker node pool based on instance types or attributes. You can filter ECS instances by attributes such as vCPU, memory, instance family, and architecture. When the node pool is scaled out, ECS instances of the selected instance types are created. The scaling policy of the node pool determines which instance types are used to create new nodes during scale-out activities. Select multiple instance types to improve the success rate of node pool scale-out operations. If the node pool fails to be scaled out because the instance types are unavailable or the instances are out of stock, you can specify more instance types for the node pool. The ACK console automatically evaluates the scalability of the node pool. You can view the scalability level when you create the node pool or after you create the node pool.
Note ARM-based ECS instances support only ARM images. For more information about ARM-based node pools, see Configure an ARM-based node pool. | |
Operating System | Container Service for Kubernetes supports ContainerOS, Alibaba Cloud Linux 3, Ubuntu, and Windows. For more information, see Overview of OS images. Note
| |
Security Reinforcement |
Note After the cluster is created, you cannot modify the Security Hardening parameter. | |
Logon Type | Valid values: Key Pair, Password, and Later. Note If you select Reinforcement based on classified protection for the Security Reinforcement parameter, only the Password option is supported.
|
Volumes settings
Parameter | Description | |
System Disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, Standard SSD, and Ultra Disk are supported. The types of system disks that you can select depend on the instance types that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. For more information about disks, see Overview of Block Storage. For more information about disk types supported by different instance types, see Overview of instance families. Note
You can select More System Disk Types and select a disk type other than the current one in the System Disk section to improve the success rate of system disk creation. The system will attempt to create a system disk based on the specified disk types in sequence. | |
Data Disk | ESSD AutoPL, Enterprise SSD (ESSD), ESSD Entry, SSD, and Ultra Disk are supported. The disk types that you can select depend on the instance types that you select. Disk types that are not displayed in the drop-down list are not supported by the instance types that you select. For more information about disks, see Overview of Block Storage. For more information about disk types supported by different instance types, see Overview of instance families.
Note You can attach up to 64 data disks to an ECS instance. The maximum number of disks that can be attached to an ECS instance varies based on the instance type. To query the maximum number of disks that you can attach to an ECS instance of a specific instance type, call the DescribeInstanceTypes operation and check the DiskQuantity parameter in the response. |
Instances settings
Parameter | Description |
Expected Nodes | The expected number of nodes in the node pool. You can modify the Expected Nodes parameter to adjust the number of nodes in the node pool. If you do not want to create nodes in the node pool, set this parameter to 0. For more information, see Scale a node pool. Note We recommend that you set the parameter to a value that is greater than or equal to 2. You can add or remove nodes after the cluster is created based on your requirements. If the cluster has only one worker node or contains low-specification worker nodes, cluster components may not run as expected. |
Advanced Options (Optional)
Click Advanced Options (Optional) to configure the Scaling Policy.
Parameter | Description |
Scaling Policy |
Important You cannot change the scaling policy of a node pool after the node pool is created. |
Click Advanced Options (Optional) to configure advanced settings such as ECS Label and Taints.
Step 4: Configure cluster components
Click Next:Component Configurations to configure the basic settings and advanced settings of cluster components.
Basic settings
Parameter | Description |
Ingress | Specify whether to install an Ingress controller. We recommend that you install an Ingress controller if you want to expose Services. By default, Nginx Ingress is selected. Valid values:
|
Service Discovery | Specify whether to install NodeLocal DNSCache. By default, NodeLocal DNSCache is installed. NodeLocal DNSCache runs a Domain Name System (DNS) caching agent to improve the performance and stability of DNS resolution. For more information about NodeLocal DNSCache, see Configure NodeLocal DNSCache. |
Volume Plug-in | By default, CSI is installed as the volume plug-in. Dynamically Provision Volumes by Using Default NAS File Systems and CNFS, Enable NAS Recycle Bin, and Support Fast Data Restore is selected by default. ACK clusters can be automatically bound to Alibaba Cloud disks, File Storage NAS (NAS) file systems, and Object Storage Service (OSS) buckets that are mounted to pods. For more information, see CSI overview. |
Monitor containers | You can select Enable Managed Service for Prometheus to provide basic monitoring and alerting services for the ACK cluster. |
Cost Suite | ACK Cost Suite - Cost Insights is enabled by default. It monitors and analyzes the costs and resource usage of the ACK cluster, namespaces, node pools, and workloads. Suggestions on cost savings are provided to improve the overall resource utilization. For more information, see Overview of cost insights. |
Log Service | Specify whether to enable Simple Log Service. You can select an existing Simple Log Service project or create one. By default, Enable Log Service is selected. For more information about how to quickly configure Simple Log Service when you create an application, see Collect log data from containers by using Simple Log Service. By default, Create Ingress Dashboard is selected. You can specify whether to create Ingress dashboards in the Simple Log Service console. For more information, see Analyze and monitor the access log of nginx-ingress-controller. By default, Install node-problem-detector and Create Event Center is selected. You can specify whether to enable the Kubernetes event center in the Simple Log Service console. For more information, see Create and use an event center. |
Alerts | Use Default Alert Rule Template is selected by default to enable alert rules. After you select this check box, you can specify contacts and contact groups. The default is Default Contact Group. For more information, see Alert management. |
Log Collection for Control Plane Components | By default, Enable is selected to collect the logs of the control plane components in ACK managed clusters to your projects in Simple Log Service. For more information, see Collect logs of control plane components in ACK managed clusters. |
Cluster Inspection | Specify whether to enable the cluster inspection feature for intelligent O&M. You can enable this feature to periodically check the resource quotas, resource usage, and component versions of a cluster and identify potential risks in the cluster. For more information, see Work with the cluster inspection feature. |
Advanced settings
Click Advanced Options (Optional) to select the components that you want to install.
Step 5: Confirm the cluster configurations
Click Next:Confirm Order, confirm the configurations, read and select the terms of service, and then click Create Cluster.
After the cluster is created, you can find the cluster on the Clusters page in the ACK console.
It requires about 10 minutes to create a cluster that contains multiple nodes.
What to do next
View the basic information about the cluster
On the Clusters page, find the created cluster and click Details in the Actions column. On the cluster details page, click the Basic Information tab to view the basic information about the cluster and click the Connection Information tab to view information about how to connect to the cluster. The following information is displayed:
API Server Public Endpoint: the IP address and port that the API server of the cluster uses to provide services over the Internet. It allows you to manage the cluster by using kubectl or other tools on your client.
Only ACK managed clusters support the Associate EIP and Disassociate EIP features.
Associate EIP: You can select an existing EIP or create an EIP.
The API server restarts after you associate an EIP with the API server. We recommend that you do not perform operations on the cluster during the restart process.
Disassociate EIP: After you disassociate the EIP, you can no longer access the API server over the Internet.
The API server restarts after you disassociate the EIP from the API server. We recommend that you do not perform operations on the cluster during the restart process.
API Server Internal Endpoint: the IP address and port that the API server uses to provide services within the cluster. The IP address belongs to the Server Load Balancer (SLB) instance that is associated with the cluster.
View cluster logs
You can choose
in the Actions column to go to the Log Center page and view the logs of the cluster.View the information of nodes in the cluster
You can obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster, and run the
kubectl get node
command to view the node information of the cluster.
References
You can also use other methods to create an ACK cluster:
For information about how to connect to a cluster, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Outdated Kubernetes versions may have security and stability issues. We recommend that you update your clusters to the latest version. For more information, see Manually upgrade ACK clusters and Automatically update a cluster.
For more information about how to plan a virtual private cloud (VPC), vSwitches, the pod CIDR block, and Service CIDR block, see Plan the network of an ACK cluster.
We recommend that you enable workload scaling and node scaling based on your business requirements to automatically adjust the number of replicated pods in a workload and node resources in the cluster. For more information, see Auto scaling overview.
If you have storage requirements such as persistent storage of application data, storage of sensitive and configuration data, and dynamical provision of storage resources, ACK clusters provide the container storage feature based on the Container Storage Interface (CSI) plug-in. For more information, see CSI overview.
We recommend that you use the monitoring and logging features provided by ACK to monitor the status of the system and troubleshoot when issues arise. For more information, see Observability overview.