An ACK One registered cluster allows you to connect Kubernetes clusters from your data centers or other cloud providers to the Container Service for Kubernetes console for unified management.
Before you begin, read Registered clusters to understand the key concepts and use cases of an ACK One registered cluster.
Procedure
Create an ACK One registered cluster and attach a target cluster in the console
Create an ACK One registered cluster
1. Log on to the ACK console. In the left navigation pane, click Clusters.
2. In the top-left corner of the page, select the resource group and region where your target resources reside.
3. On the Clusters page, click Create Kubernetes Cluster.
4. Click the ACK One Registered Cluster tab and follow the on-screen instructions to configure the cluster.

Parameter: Description

Cluster Name: Enter a custom cluster name.

Region: The region where cluster resources (such as ECS instances and cloud disks) are located. The closer the region is to your location and where your resources are deployed, the lower the network latency.

IPv6 Dual-stack: Supported only for Kubernetes 1.22 or later, only with Terway, and cannot be used together with eRDMA.
The cluster supports both IPv4 and IPv6 protocols, but communication between worker nodes and the control plane still uses IPv4 addresses. Ensure the following:
- The cluster VPC supports IPv6 dual-stack.
- When using Terway in shared ENI mode, the instance type of the node must support IPv6 and have the same number of assignable IPv4 and IPv6 addresses.

VPC: The VPC for the cluster. To ensure high availability, we recommend selecting two or more zones.
- Auto-create: ACK creates a vSwitch in each selected zone.
- Use existing: Select a vSwitch to specify the cluster zone. You can create a new vSwitch or use an existing one.
We recommend using standard private CIDR blocks for the cluster VPC (for example, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). If you have special requirements, apply at the Quota Center (Create a cluster using a public CIDR block VPC).
Cloud resource and billing information: VPC

vSwitch: Select an existing vSwitch by zone from the list, or click Create vSwitch to create a new one. The control plane and default node pool use the specified vSwitch. For better high availability, we recommend selecting vSwitches in multiple zones.

Security Group: When using an existing VPC, you can select Select Existing Security Group.
This security group applies to the cluster control plane, default node pool, and any node pool without a custom security group.
Compared with basic security groups, enterprise security groups can accommodate a larger number of private IP addresses but do not support intra-group connectivity. For more information, see Security Group Classification.
- Auto-create: All outbound traffic is allowed by default. Inbound rules follow recommended configurations. If you modify rules later, ensure inbound access to the 100.64.0.0/10 CIDR block is allowed. This CIDR block is used to access other Alibaba Cloud services for operations such as image pulling and querying ECS basic information.
- Use existing: ACK does not add extra access rules to the security group. You must manage security group rules yourself to avoid access issues. For details, see Configure cluster security groups.

Access to API Server: ACK automatically creates a pay-as-you-go private CLB instance as the internal endpoint for the API Server. This CLB instance cannot be reused or deleted. If deleted, the API Server becomes inaccessible and cannot be restored.
To use an existing CLB instance, submit a ticket. After selecting Use Existing Gateway for the VPC, you can set the SLB Source to Use Existing Gateway.
You can optionally enable Expose API server with EIP.
- Enabled: Binds an EIP to the private CLB instance of the API Server, allowing public network access to manage the cluster. This does not grant public network access to resources inside the cluster. To allow cluster resources to access the public network, select Configure SNAT for VPC.
- Disabled: Allows cluster connection and management via KubeConfig only from within the VPC. To enable this later, see Enable public network access to API Server.
Starting December 1, 2024, newly created CLB instances will no longer support Subscription billing, and will incur instance fees. For details, see [Product Announcement] Discontinuation of subscription billing for new cluster API Server CLB instances, Adjustment announcement for Classic Load Balancer CLB billing items.

5. After you complete the configuration, click Create Kubernetes Cluster. The new cluster appears in the cluster list.
After the cluster is created, its status is Waiting for Connection.
Attach the target cluster to an ACK One registered cluster
1. Find the newly created ACK One registered cluster and click Details in the Actions column.
2. On the Cluster Information page, click the Connection Information tab. On the Connection Information tab, select Internet or Private Network, and then click Copy on the right.
3. Save the copied content to a file named agent.yaml. Then, run kubectl apply -f agent.yaml on the target cluster to register it with the ACK One registered cluster.
4. Check the agent status in the target cluster.

    kubectl -n kube-system get pod | grep ack-cluster-agent

Expected output:

    ack-cluster-agent-5f7d568f6-6fc4k 1/1 Running 0 9s
    ack-cluster-agent-5f7d568f6-tf6fp 1/1 Running 0 9s

After the registration succeeds, the cluster status changes to Running on the Clusters page of the Container Service for Kubernetes console.
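The attach procedure applies a manifest copied from the console to the target cluster, and the page ties restricted mode to the RBAC permissions of ack-cluster-agent, so it helps to list what a manifest creates before applying it. The following is an added example, not code from the ACK documentation: summarize_manifest and sample_manifest are hypothetical names, the sample manifest is constructed and is not the real agent.yaml, and the scan assumes block-style YAML with two-space indentation.

```bash
# Added example: list the objects a multi-document manifest would create and
# flag RBAC worth reviewing before `kubectl apply -f`. Not a full YAML parser.
summarize_manifest() {   # hypothetical helper; reads the manifest on stdin
  awk -v sq="'" '
    function flush(   note) {
      if (kind == "") return
      if (kind ~ /^ClusterRole(Binding)?$/) note = note " cluster-scoped"
      if (wild)  note = note " wildcard"
      if (admin) note = note " binds-cluster-admin"
      if (note != "") note = " [REVIEW:" note "]"
      printf "%s/%s/%s%s\n", kind, (ns == "" ? "-" : ns), name, note
      kind = name = ns = sect = ""; wild = admin = 0
    }
    /^---[ \t]*$/ { flush(); next }
    /^[A-Za-z]/   { sect = $1 }   # current top-level key, e.g. "metadata:"
    /^kind:/      { kind = $2 }
    sect == "metadata:" && /^  name:/      { name = $2 }
    sect == "metadata:" && /^  namespace:/ { ns = $2 }
    sect == "roleRef:" && /^  name:/ && $2 == "cluster-admin" { admin = 1 }
    index($0, "\"*\"") || index($0, sq "*" sq) { wild = 1 }
    END { flush() }
  '
}

# Constructed, trimmed sample; NOT the agent.yaml that the console generates.
sample_manifest() {
  cat <<'EOF'
kind: Deployment
metadata:
  name: example-agent
  namespace: kube-system
---
kind: ClusterRole
metadata:
  name: example-agent-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
---
kind: ClusterRoleBinding
metadata:
  name: example-agent-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
EOF
}

sample_manifest | summarize_manifest
```

Against the real file, run `summarize_manifest < agent.yaml` and read every line marked REVIEW before running kubectl apply.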
Results
On the Clusters page, find the corresponding ACK One registered cluster and click Details in the Actions column to view the Basic Information and Connection Information of the new cluster.
You can use this kubeconfig to connect to the target cluster and deploy application workloads. For more information about how to connect to a cluster, see Connect to a Kubernetes cluster by using kubectl.
Use onectl to create an ACK One registered cluster and attach a target cluster
1. Install and configure onectl. For more information, see Manage a registered cluster by using onectl.

2. onectl supports the following two methods to create an ACK One registered cluster.

Important: When you create an ACK One registered cluster, you must specify parameters such as the VPC, vSwitch, and region.

- Non-interactive creation:

    onectl cluster create --region **** --vpc **** --vswitch ****

- Interactive creation:

    onectl cluster create -i

Run the following command to view detailed parameter descriptions:

    onectl cluster create -h

After the cluster is created, it is initialized and enters the initial state. The expected output is as follows:

    Registered cluster test-registered-cluster created successfully, information of the cluster:
    name = test-registered-cluster
    state = initial
    cluster id = c3c277f2fc10f45c1b86473**********
    region id = cn-zhangjiakou
    node numbers = 0
    vpc id = vpc-8vb95w2o172**********
    vswitch id = vsw-8vbv8bxhput**********

3. After the cluster is initialized, it enters the waiting state. Run the following command to view the cluster state:

    onectl cluster describe --cluster-id ****

Expected output:

    name = test-registered-cluster
    state = waiting
    ...

4. When the cluster is in the waiting state, run the following command to connect the target cluster to the ACK One registered cluster.

    onectl cluster connect --cluster-id **** --kubeconfig ~/.kube/config --restricted true

| Parameter | Required | Description |
| --- | --- | --- |
| cluster-id | Yes | The ID of the ACK One registered cluster created in Step 2. |
| kubeconfig | No | The path to the kubeconfig file of the target cluster. If you do not specify this parameter, the configuration file specified by the KUBECONFIG environment variable is used. |
| restricted | No | Specifies whether to connect to the ACK One registered cluster in restricted mode. For more information, see RBAC permissions for the ack-cluster-agent component of a registered cluster. |

You can also run the following command to view detailed parameter descriptions:

    onectl cluster connect -h

5. Run the following command to verify that the target cluster is connected:

    onectl cluster describe --cluster-id ****

Expected output:

    name = test-registered-cluster
    state = running
    ...

A state of running indicates that the ACK One registered cluster is successfully connected.