Create an ACK Auto Mode cluster


When you create an ACK managed cluster, you can enable Auto Mode. This mode allows you to create a best-practice Kubernetes cluster with a single click after you complete some simple planning and configuration. By default, the cluster creates an Auto Mode node pool, and ACK manages the lifecycle and operations of the nodes in this pool.

Before you enable Auto Mode, we recommend that you read Introduction to Auto Mode to understand its features and use cases.

Prerequisites

Plan and design

Before creating a cluster, plan and design its configuration based on your business requirements to ensure it runs in a stable, efficient, and secure manner.

  • Region: The closer the selected region is to your users and deployed resources, the lower the network latency and the faster the access speed.

  • Zone: We recommend that you configure multiple zones to ensure high availability (HA) for the cluster.

  • Network address planning: Plan the VPC CIDR blocks (VPC's own CIDR block and vSwitch CIDR blocks) and Kubernetes CIDR blocks (pod address range and service address range) based on your business scenario and cluster size. This defines the IP address range for the entire cluster and the number of available IP addresses for pods and nodes.

  • Public network access: Determine whether cluster nodes need to access the public network. Public network access is required to pull public images.

Activation and authorization

Before you create a cluster, you need to activate the required services and grant permissions to your account:

  • Activate ACK: If this is your first time using ACK, log on to the ACK activation page and follow the on-screen instructions.

  • Role authorization: Go to the RAM quick authorization page to grant ACK the permissions required to create default roles. This ensures that ACK can call related cloud resources.

  • Activate related cloud products: Activate the cloud products on which ACK clusters depend, such as VPC and SLB.

    • The creation process involves purchasing pay-as-you-go resources, such as CLB instances. Ensure your account has a sufficient balance to avoid service interruptions due to overdue payments.

    • Only Alibaba Cloud accounts can activate cloud products. To authorize a RAM user to manage activated cloud products, see Use RAM to grant permissions on clusters and cloud resources.

Procedure

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. In the top-left corner of the page, select the resource group and region where your target resources reside.

  3. On the Clusters page, click Create Kubernetes Cluster. On the ACK Managed Cluster page, enable Auto Mode.

    After you enable this mode, the page displays the three core capabilities of Auto Mode: fully managed operations (fully managed control plane, automatic version upgrades, and maintenance-free nodes with auto-healing), automatic node scaling (on-demand elastic scaling, automatic instance type matching, and optimized resource costs), and highly optimized node operating system (container-optimized OS for fast startup, immutable file system, and security best practices by default).

  4. Follow the on-screen instructions to configure the cluster. After you confirm the configuration and read the terms of service, click Create Kubernetes Cluster.

    For a detailed description of the configuration items, see Cluster configuration.

    Auto Mode is available only for ACK managed cluster Pro Edition and incurs fees for cluster management and related cloud products. You can view the total cost of the cluster at the bottom of the creation page. You can also view the billing documentation for ACK and each product. For more information, see Billing overview and Fees for cloud product resources.

    In the upper-right corner of the page, you can click Console-to-Code to generate the Terraform or SDK sample parameters for the current cluster configuration.

  • After the cluster is created, an Auto Mode node pool is automatically created. This node pool dynamically scales in and out based on workload demand. ACK manages the node lifecycle and O&M tasks, including OS and software upgrades, and security vulnerability fixes.

  • After the cluster is created, ACK installs components based on the configuration. These components may consume computing resources in the cluster. The Auto Mode node pool automatically scales out to add the required nodes.

Next steps

Deploy a workload and implement load balancing

Appendix

Shared responsibility model

ACK Auto Mode is designed to provide automated and intelligent Kubernetes cluster O&M to reduce your operational overhead. However, you are still responsible for certain tasks.

Alibaba Cloud responsibilities

  • Deploy, maintain, and upgrade the cluster control plane.

  • Install, configure, and upgrade core cluster components.

  • Automatically scale node pools, upgrade the OS, and upgrade software, including fixing CVE vulnerabilities.

Customer responsibilities

  • Configure basic cluster information, such as VPC configuration and network planning.

  • Set up and manage cluster RAM permissions and RBAC.

  • Deploy, operate, and properly configure application workloads. Proper configuration includes the number of replicas, graceful shutdown policies such as PreStop, and PodDisruptionBudget policies. This ensures that nodes can be drained for maintenance without service disruption.

  • Promptly receive and respond to monitoring alerts for the cluster and applications.

Shared responsibilities

  • Ensure overall cluster security. The security of a cluster is governed by the shared responsibility model. For more information, see Shared responsibility model for security.

  • Troubleshoot and resolve issues.

Quotas and limits

If you have a large cluster or your account contains many resources, you must be aware of the quotas and limits for using ACK clusters. For more information, see Quotas and limits.

  • Limits: These include ACK configuration limits (such as account balance) and single-cluster capacity limits (the maximum capacity of different Kubernetes resources within a single cluster).

  • Quota limits and quota increase requests: This includes quota limits for ACK clusters and the cloud products on which ACK depends, such as ECS and VPC. To request a quota increase, follow the instructions in the relevant documentation.

Cluster configuration

You can create a cluster using the default configuration or customize the settings based on your business requirements and available resources. In the Modifiable column of the following tables, ✗ indicates that the setting cannot be changed after the cluster is created, and ✓ indicates that it can. Pay close attention to the settings that cannot be changed.

Basic configurations

Parameter

Description

Modifiable

Cluster Name

Enter a custom cluster name.

Region

The region where cluster resources (such as ECS instances and cloud disks) are located. The closer the region is to your location and where your resources are deployed, the lower the network latency.

Maintenance Window

ACK performs automated O&M tasks—such as automatic cluster upgrades and OS CVE vulnerability fixes—only during the defined maintenance window.

Network configuration

Parameter

Description

Modifiable

IPv6 Dual-stack

Supported only for Kubernetes 1.22 or later, only with Terway, and cannot be used together with eRDMA.

The cluster supports both IPv4 and IPv6 protocols, but communication between worker nodes and the control plane still uses IPv4 addresses. Ensure the following:

  • The cluster VPC supports IPv6 dual-stack.

  • When using Terway in shared ENI mode, the instance type of the node must support IPv6 and have the same number of assignable IPv4 and IPv6 addresses.

VPC

The VPC for the cluster. To ensure high availability, we recommend selecting two or more zones.

  • Auto-create: ACK creates a vSwitch in each selected zone.

  • Use existing: Select a vSwitch to specify the cluster zone. You can create a new vSwitch or use an existing one.

We recommend using standard private CIDR blocks for the cluster VPC (for example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). If you have special requirements, apply at the Quota Center (Create a cluster using a public CIDR block VPC).

Cloud resource and billing information: VPC

Configure SNAT for VPC

Do not select this option when using a shared VPC.

Select this option if nodes need public network access (to pull public images or access external services). ACK automatically configures a NAT Gateway and SNAT rules to enable public network access for cluster resources.

  • VPC has no NAT Gateway: ACK automatically creates a NAT Gateway, purchases a new EIP, and configures SNAT rules for the cluster's vSwitches.

  • VPC already has a NAT Gateway: ACK determines whether to purchase additional EIPs or configure SNAT rules. If no EIP is available, a new EIP is purchased. If no VPC-level SNAT rule exists, SNAT rules are configured for the cluster's vSwitches.

If you do not select this option, you can manually configure a NAT Gateway and SNAT rules after cluster creation. For details, see Public NAT Gateway.

Cloud resource and billing information: NAT Gateway, EIP

Access to API Server

ACK automatically creates a pay-as-you-go private CLB instance as the internal endpoint for the API Server. This CLB instance cannot be reused or deleted. If deleted, the API Server becomes inaccessible and cannot be restored.

To use an existing CLB instance, submit a ticket. After selecting Use Existing Gateway for the VPC, you can set the SLB Source to Use Existing Gateway.

You can optionally enable Expose API server with EIP.

  • Enabled: Binds an EIP to the private CLB instance of the API Server, allowing public network access to manage the cluster.

    This does not grant public network access to resources inside the cluster. To allow cluster resources to access the public network, select Configure SNAT for VPC.

  • Disabled: Allows cluster connection and management via KubeConfig only from within the VPC.

To enable this later, see Enable public network access to API Server.

Starting December 1, 2024, newly created CLB instances will no longer support Subscription billing, and will incur instance fees. For details, see [Product Announcement] Discontinuation of subscription billing for new cluster API Server CLB instances, Adjustment announcement for Classic Load Balancer CLB billing items.

Cloud resource and billing information: CLB, EIP

Network Plug-in

The network plugin provides the foundation for pod-to-pod communication in the cluster.

For a detailed comparison, see Compare Terway and Flannel container network plugins.

  • Flannel: A lightweight, open-source community network plugin. In ACK, it integrates deeply with Alibaba Cloud VPC and uses direct VPC route table management for pod communication.

    • Use case: Simple configuration and low resource consumption. Suitable for small-scale clusters (limited by VPC route table quotas), simplified networking, and scenarios that do not require custom container network control.

  • Terway: A high-performance network plugin developed by Alibaba Cloud that uses Elastic Network Interfaces (ENIs) for pod communication.

    • Use case: Offers eBPF-based network acceleration, NetworkPolicy, and per-pod vSwitch and security group capabilities. Ideal for high-performance computing, gaming, microservices, and other scenarios requiring large-scale nodes, high network performance, and strong security.

    • Pod limit: Each pod consumes one secondary IP address from an ENI. The number of IPs per ENI is limited (depending on the instance type). Therefore, the maximum number of pods per node is constrained by ENI and secondary IP quotas.

      When using a shared VPC, only Terway is supported.

    Terway also provides the following capabilities.

    For details, see Use the Terway network plugin.

    • DataPathV2

      Configurable only during cluster creation.

      Enable DataPathV2 acceleration mode. Terway uses eBPF technology to optimize traffic forwarding paths, delivering lower latency and higher throughput for network-intensive applications.

      Supported only on Alibaba Cloud Linux 3 (all versions), ContainerOS, and Ubuntu with Linux kernel version 5.10 or later. For details, see Network acceleration.

    • NetworkPolicy support

      In public preview. Apply on the Quota Center console.

      Supports native Kubernetes NetworkPolicy to implement pod-level "firewalls" and fine-grained access control rules, enhancing cluster security.

    • Support for ENI Trunking

      Allows assigning dedicated IPs, vSwitches, and security groups to pods. Suitable for special business scenarios requiring fixed IPs or independent network policy management for specific pods. For details, see Assign fixed IPs, dedicated vSwitches, and security groups to pods.

Pod vSwitch

Required only when using the Terway plugin.

The vSwitch used to assign IP addresses to pods. Each pod vSwitch corresponds to a worker node vSwitch, and both must be in the same zone.

Important

For the pod vSwitch, use a prefix length of /19 or shorter (that is, a block at least as large as a /19). The longest prefix length allowed is /25. A longer prefix (a smaller block) severely limits the number of pod IP addresses that can be allocated in the cluster, which affects normal cluster operation.

Container CIDR Block

Required only for Flannel.

The IP address pool for assigning pod IPs. This CIDR block must not overlap with the VPC or any existing ACK cluster CIDR blocks in the VPC, and must not overlap with the Service CIDR.

Number of Pods per Node

Required only for Flannel.

Defines the maximum number of pods allowed on a single node.

Service CIDR

The IP address pool used to assign IPs to internal cluster Services. This CIDR block must not overlap with the VPC CIDR block, with the CIDR blocks of any existing clusters in the VPC, or with the Container CIDR Block.
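As an added worked example (not part of the original documentation), the following Python script checks a planned network layout against the rules described above: a standard private VPC CIDR block, vSwitches inside the VPC, two or more zones, the pod vSwitch prefix length (/19 recommended, /25 maximum) and zone pairing for Terway, and non-overlapping Service and Container CIDR blocks. All CIDR blocks and zone names used in the checks are constructed sample values.

```python
import ipaddress

# Standard private blocks the page recommends for the cluster VPC.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(vpc, worker_vswitches, service_cidr, pod_vswitches=(),
               container_cidr=None, existing_cluster_cidrs=()):
    """Validate a planned ACK network layout against the rules on this page.

    worker_vswitches / pod_vswitches: sequences of (cidr, zone) tuples; use
    pod_vswitches for Terway and container_cidr for Flannel. Returns a list of
    problem strings; an empty list means the plan passes every check.
    """
    problems = []
    vpc_net = ipaddress.ip_network(vpc)
    svc = ipaddress.ip_network(service_cidr)
    existing = [ipaddress.ip_network(c) for c in existing_cluster_cidrs]
    # VPC CIDR: a standard private range unless a quota exception was granted.
    if not any(vpc_net.subnet_of(b) for b in PRIVATE_BLOCKS):
        problems.append(f"VPC {vpc_net} is outside 10/8, 172.16/12 and 192.168/16")

    # Every vSwitch must sit inside the VPC; two or more zones are recommended for HA.
    for cidr, zone in list(worker_vswitches) + list(pod_vswitches):
        if not ipaddress.ip_network(cidr).subnet_of(vpc_net):
            problems.append(f"vSwitch {cidr} ({zone}) is not inside VPC {vpc_net}")
    worker_zones = {zone for _, zone in worker_vswitches}
    if len(worker_zones) < 2:
        problems.append("only one worker zone: no zone-level high availability")

    # Terway: pod vSwitch prefix at most /25 (recommended /19 or shorter),
    # and each pod vSwitch needs a worker vSwitch in the same zone.
    for cidr, zone in pod_vswitches:
        prefix = ipaddress.ip_network(cidr).prefixlen
        if prefix > 25:
            problems.append(f"pod vSwitch {cidr}: /{prefix} exceeds the /25 limit")
        elif prefix > 19:
            problems.append(f"pod vSwitch {cidr}: /{prefix} is longer than /19, few pod IPs")
        if zone not in worker_zones:
            problems.append(f"pod vSwitch {cidr}: no worker vSwitch in zone {zone}")

    # Service CIDR must not overlap the VPC or other clusters' CIDR blocks.
    others = [(vpc_net, "VPC")] + [(c, "existing cluster") for c in existing]
    for other, label in others:
        if svc.overlaps(other):
            problems.append(f"Service CIDR {svc} overlaps {label} {other}")

    # Flannel: Container CIDR must not overlap the VPC, other clusters or the Service CIDR.
    if container_cidr:
        pod_net = ipaddress.ip_network(container_cidr)
        for other, label in others + [(svc, "Service CIDR")]:
            if pod_net.overlaps(other):
                problems.append(f"Container CIDR {pod_net} overlaps {label} {other}")
    return problems
```

Run it on a draft plan before opening the console; an empty result means the addresses can be entered as planned, while each returned string names the configuration item to revisit.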

Forwarding Mode

Select the kube-proxy proxy mode, which determines how cluster Services distribute requests to backend pods.

  • iptables: Uses Linux firewall rules for traffic forwarding. Stable but limited in performance. As the number of Services increases, firewall rules grow exponentially, slowing request processing. Suitable for clusters with few Services.

  • IPVS: A high-performance traffic distribution solution that uses hash tables for fast pod targeting, delivering lower latency under heavy Service loads. Suitable for large-scale production clusters or scenarios requiring high network performance.

Advanced options

The following configurations are based on Kubernetes cluster best practices. You can keep the default settings. If you need to make changes, refer to the configuration item descriptions and follow the on-screen instructions.

Parameter

Description

Modifiable

Kubernetes Version

Only the latest three minor versions are supported. We recommend using the latest available version. For details about ACK version support, see ACK version support overview.

Supports manual cluster upgrades and automatic cluster upgrades.

Automatic Update

Enable automatic upgrades to keep the control plane and node pools periodically updated.

For upgrade policies and instructions, see Automatically upgrade clusters.

Security Group

When using an existing VPC, you can select Select Existing Security Group.

This security group applies to the cluster control plane, default node pool, and any node pool without a custom security group.

Compared with basic security groups, enterprise security groups can accommodate a larger number of private IP addresses but do not support intra-group connectivity. For more information, see Security Group Classification.

  • Auto-create: All outbound traffic is allowed by default. Inbound rules follow recommended configurations. If you modify rules later, ensure inbound access to the 100.64.0.0/10 CIDR block is allowed.

    This CIDR block is used to access other Alibaba Cloud services for operations such as image pulling and querying ECS basic information.

  • Use existing: ACK does not add extra access rules to the security group. You must manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups.

Cluster Deletion Protection

We recommend enabling this to prevent accidental cluster deletion via the console or OpenAPI.

Resource Group

Assign the cluster to the selected resource group for easier permission management and cost allocation.

A resource can belong to only one resource group.

Label

Bind key-value tags to the cluster as cloud resource identifiers.

Time Zone

The time zone used by the cluster. Defaults to the browser's configured time zone.

Log Service

Use an existing SLS Project or create a new one to collect cluster application logs.

Also enables the cluster API Server audit feature to collect requests to the Kubernetes API and their results.

To enable this later, see Collect ACK cluster container logs, Use cluster API Server audit feature.

Cloud resource and billing information: SLS

Alerts

Enables Container Service alert management, sending alert notifications to alert contact groups based on data sources from SLS, Managed Service for Prometheus, and Cloud Monitor when cluster anomalies occur.