P2P acceleration speeds up container image pulls across nodes in an ACK Edge cluster, reducing application deployment time for large-scale rollouts.
Prerequisites
Before you begin, make sure you have:
| Requirement | Minimum version / edition | Reference |
|---|---|---|
| Container Registry Enterprise Edition instance | Standard or Advanced edition | Create a Container Registry Enterprise Edition instance |
| ACK Edge cluster | Kubernetes 1.26.3 or later | Create an ACK Edge cluster |
| VPC configured in the ACR Enterprise Edition instance | — | Configure a VPC ACL |
| Dedicated edge node pool with inter-node connection enabled (for edge nodes only) | — | Create an edge node pool |
Choose an authentication method
The P2P component needs permission to query endpoint information from your Container Registry Enterprise Edition instance. Three authentication methods are available:
| Method | When to use |
|---|---|
| Worker RAM role (recommended) | The ACR Enterprise Edition instance and the ACK Edge cluster belong to the same Alibaba Cloud account. No credentials to manage. |
| AccessKey pair of a RAM user | The cluster runs outside Alibaba Cloud (for example, in your own data center), or you prefer explicit credential-based access. |
| RAM Roles for Service Accounts (RRSA) | You need fine-grained, pod-level access control. Requires P2P agent v0.3.6 or later. |
Follow the steps for your chosen method below. Steps 1 and 3 are the same for all methods; only Step 2 differs.
Step 1: Enable P2P acceleration in Container Registry
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Enterprise Edition instance you want to manage.
On the Overview page, go to the Component Settings section and turn on P2P Acceleration. In the confirmation message, click OK.
Before you disable P2P Acceleration, stop using the P2P feature and uninstall the P2P component from all clusters where it is installed. To re-enable P2P, you must reinstall the component.

Note the ID of this Container Registry Enterprise Edition instance — you'll need it in Step 3.
Step 2: Grant the P2P component access to Container Registry
Choose the tab that matches your authentication method.
Method 1: Worker RAM role
The P2P component inherits the permissions of the worker node's RAM role. The ACR Enterprise Edition instance and the ACK Edge cluster must belong to the same Alibaba Cloud account.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left-side pane, click Cluster Information.
On the Cluster Information page, click the Basic Information tab. In the Cluster Resources section, click the URL next to Worker RAM Role.
On the RAM role page, click the Permissions tab, then click the permission policy name in the Policy column.
Check whether the policy already includes the following permissions. If not, click Modify Policy Document, add the following content, and click OK.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
```
Method 2: AccessKey pair of a RAM user
Use this method when your cluster runs outside Alibaba Cloud or when you need explicit credential control.
Create a RAM user. See Create a RAM user.
Attach the following permission policy to the RAM user, then get the RAM user's AccessKey pair. See View the information about AccessKey pairs of a RAM user.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
```
You'll enter the accessKey and accessKeySecret values in the Helm chart parameters in Step 3.
Method 3: RRSA
RAM Roles for Service Accounts (RRSA) provides pod-level access control.
Enable RRSA in the ACK console before configuring RRSA for the P2P agent. If you do it in the reverse order, you must uninstall and reinstall the P2P agent after enabling RRSA.
Enable RRSA on the cluster
Enable RRSA for your ACK cluster. See Use RRSA to authorize different pods to access different cloud services.
Configure the RRSA role
The steps differ depending on whether the ACR Enterprise Edition instance and the ACK cluster belong to the same Alibaba Cloud account.
Same account
If Account A owns both the ACR Enterprise Edition instance and the ACK Edge cluster:
Create a RAM role for Account A. See Create a RAM role for a trusted Alibaba Cloud account.
Attach the following permission policy to the RAM role.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
```
Set the trust policy of the RAM role to allow the P2P service accounts to assume it. Replace <oidc_issuer_url> with the OIDC identity provider (IdP) URL and <oidc_provider_arn> with the OIDC IdP ARN. Both values are available on the Basic Information tab of the Cluster Information page in the ACK console.
```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": [
            "sts.aliyuncs.com"
          ],
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": [
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
```
Cross-account
If Account A owns the ACK cluster and Account B owns the ACR Enterprise Edition instance:
Create a RAM role for Account A. See Create a RAM role for a trusted Alibaba Cloud account.
Attach the AliyunSTSAssumeRoleAccess policy to the RAM role of Account A. This grants Account A permission to assume the RAM role of Account B.
Set the trust policy of Account A's RAM role. Replace <oidc_issuer_url> and <oidc_provider_arn> with the values from the Basic Information tab of the Cluster Information page in the ACK console.
```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "oidc:aud": [
            "sts.aliyuncs.com"
          ],
          "oidc:iss": "<oidc_issuer_url>",
          "oidc:sub": [
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
            "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "<oidc_provider_arn>"
        ]
      }
    }
  ],
  "Version": "1"
}
```
Create a RAM role for Account B with access to the ACR Enterprise Edition instance. In Trust Policy Management, add the ARN of Account A's RAM role. Attach the following permission policy to Account B's RAM role.
You can set MaxSessionDuration for Account B's RAM role. Valid values: 3600–43200 seconds. We recommend setting MaxSessionDuration to 43200. The expireDuration parameter you set in Step 3 must be less than or equal to MaxSessionDuration.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cr:GetInstanceVpcEndpoint",
        "cr:ListInstanceEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
```
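The permission policy and trust policy above are the whole authorization boundary of the P2P agent: the permission policy should grant only the two cr: read actions, and the trust policy should let only the two P2P service accounts, presented through the cluster's own OIDC provider, assume the role. The following Python lint, an added example that is not part of the Alibaba Cloud documentation or the ack-acr-acceleration-p2p chart, checks a policy document for exactly those properties before you save it. The issuer URL, provider ARN and policy documents it uses are constructed placeholders, not values from this page.

```python
"""Lint the RAM policies that this page has you create for the P2P agent (RRSA method).

Added example, not part of the Alibaba Cloud documentation or the ack-acr-acceleration-p2p chart.
The OIDC values and policy documents below are constructed for the demo.
"""
import copy
import json

# The only actions the P2P component needs (from the permission policy on this page).
REQUIRED_ACTIONS = {"cr:GetInstanceVpcEndpoint", "cr:ListInstanceEndpoint"}
# The two service accounts named in the trust policy on this page.
P2P_SERVICE_ACCOUNTS = {
    "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-job-sa",
    "system:serviceaccount:aliyun-acr-acceleration:ack-acr-acceleration-p2p-sa",
}


def _as_set(value):
    """RAM policy fields may be a string or a list of strings; normalize to a set."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def check_permission_policy(policy):
    """Return findings for a policy that should grant exactly the two cr: read actions."""
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_set(stmt.get("Action"))
        granted |= actions
        extra = actions - REQUIRED_ACTIONS  # "cr:*" or unrelated actions end up here
        if extra:
            findings.append(f"over-granted actions: {sorted(extra)}")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append(f"missing actions: {sorted(missing)}")
    return findings


def check_trust_policy(policy, oidc_issuer_url, oidc_provider_arn):
    """Return findings for the trust policy: the role must be assumable only through the
    cluster's OIDC provider, for the STS audience, and only by the P2P service accounts."""
    findings = []
    seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_set(stmt.get("Action")):
            continue
        seen = True
        condition = stmt.get("Condition", {})
        if "StringLike" in condition:
            findings.append("Condition uses StringLike: wildcard matching on OIDC claims widens who can assume the role")
        cond = condition.get("StringEquals", {})
        if _as_set(cond.get("oidc:aud")) != {"sts.aliyuncs.com"}:
            findings.append("oidc:aud must be exactly sts.aliyuncs.com")
        if cond.get("oidc:iss") != oidc_issuer_url:
            findings.append(f"oidc:iss is {cond.get('oidc:iss')!r}, expected the cluster's issuer URL")
        subs = _as_set(cond.get("oidc:sub"))
        if not subs:
            findings.append("no oidc:sub condition: any service account in the cluster could assume the role")
        elif not subs <= P2P_SERVICE_ACCOUNTS:
            findings.append(f"oidc:sub allows non-P2P service accounts: {sorted(subs - P2P_SERVICE_ACCOUNTS)}")
        federated = _as_set(stmt.get("Principal", {}).get("Federated"))
        if federated != {oidc_provider_arn}:
            findings.append(f"Principal.Federated is {sorted(federated)}, expected the cluster's OIDC provider ARN")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


# Constructed placeholders standing in for the cluster's real OIDC issuer URL and provider ARN.
ISSUER = "https://oidc.example.invalid/cluster-placeholder"
PROVIDER_ARN = "acs:ram::000000000000:oidc-provider/ack-rrsa-placeholder"

PERMISSION_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow",
 "Action": ["cr:GetInstanceVpcEndpoint", "cr:ListInstanceEndpoint"], "Resource": "*"}]}
""")

# The page's trust policy template with the two placeholders substituted.
GOOD_TRUST_POLICY = {
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "oidc:aud": ["sts.aliyuncs.com"],
            "oidc:iss": ISSUER,
            "oidc:sub": sorted(P2P_SERVICE_ACCOUNTS),
        }},
        "Effect": "Allow",
        "Principal": {"Federated": [PROVIDER_ARN]},
    }],
    "Version": "1",
}

# Same policy with the oidc:sub condition dropped: every pod in the cluster could then assume the role.
OPEN_TRUST_POLICY = copy.deepcopy(GOOD_TRUST_POLICY)
del OPEN_TRUST_POLICY["Statement"][0]["Condition"]["StringEquals"]["oidc:sub"]

if __name__ == "__main__":
    print("permission policy:", check_permission_policy(PERMISSION_POLICY) or "OK")
    print("trust policy:", check_trust_policy(GOOD_TRUST_POLICY, ISSUER, PROVIDER_ARN) or "OK")
    print("open trust policy:", check_trust_policy(OPEN_TRUST_POLICY, ISSUER, PROVIDER_ARN))
```

Run it against the JSON you are about to paste into the console (load it with json.load and pass the cluster's real issuer URL and provider ARN). The oidc:sub check is the one that matters most: without it the role is assumable by every service account in the cluster, which is the difference between pod-level access control and cluster-wide access.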
Step 3: Install the P2P component
Log on to the ACK console. In the left-side navigation pane, choose Marketplace > Marketplace.
On the App Catalog page, search for ack-acr-acceleration-p2p and click the component card.
On the component details page, click Deploy in the upper-right corner.
In the Create panel, select your cluster and namespace, set a release name, and click Next.
In the Parameters panel, set the chart version to the latest version. Then configure the parameters for your authentication method.
Parameters for Method 1 (worker RAM role) and Method 2 (AccessKey pair)
Set acrInstances to the ID of the Container Registry Enterprise Edition instance from Step 1. For multiple instances, separate IDs with commas.
```yaml
# ID of ACR EE instances, support multi, e.g. "cri-xxx,cri-yyy"
acrInstances: ""
# Required only for Method 2 (AccessKey pair)
# accessKey: ""
# accessKeySecret: ""
# Region of ACR EE instance. Default: the region of the cluster.
# Set this if the cluster and ACR instance are in different regions, or if the cluster is in your own data center.
region: ""
# VPC connected to the ACR EE instance VPC. Default: the VPC of the cluster.
# Set this if the cluster and ACR instance are in different regions, or if the cluster is in your own data center.
vpcId: ""
# [Optional] ID (not name) of the edge node pool, for example "np8b6aaa89e93a44b5b54180898247****".
# If set, P2P is deployed only to that node pool. If not set, P2P is deployed to all edge node pools.
edgeNodePool:
  id: ""
p2p:
  # Port used by the P2P agent in host network. Default: 65001.
  port: 65001
```
Parameters for Method 3 (RRSA)
Set registryInstances to the ID of the Container Registry Enterprise Edition instance from Step 1. For multiple instances, separate IDs with commas.
```yaml
# ID of ACR EE instances, support multi, e.g. "cri-xxx,cri-yyy"
registryInstances: ""
rrsa:
  enable: true
  rrsaRoleARN: ""              # ARN of the RAM role created for Account A
  rrsaOIDCProviderRoleARN: ""  # OIDC IdP ARN from the ACK console Basic Information tab
  assumeRoleARN: ""            # ARN of the RAM role created for Account B (leave blank for same-account)
  expireDuration: 3600         # Session duration in seconds; valid range: 3600–43200; must be <= MaxSessionDuration of Account B's RAM role
# Region of ACR EE instance. Default: the region of the cluster.
region: ""
# VPC connected to the ACR EE instance VPC. Default: the VPC of the cluster.
vpcId: ""
# [Optional] ID (not name) of the edge node pool.
edgeNodePool:
  id: ""
p2p:
  port: 65001
```
The following table describes the RRSA-specific parameters.
| Parameter | Description | Example |
|---|---|---|
| rrsa.enable | Enables RRSA | true |
| rrsa.rrsaRoleARN | ARN of the RAM role created for Account A | acs:ram::aaa |
| rrsa.rrsaOIDCProviderRoleARN | OIDC IdP ARN from the ACK console Basic Information tab | acs:ram::bbb |
| rrsa.assumeRoleARN | ARN of the RAM role created for Account B. Leave blank if the ACR instance and cluster belong to the same account. | acs:ram::ccc |
| rrsa.expireDuration | Session duration of Account B's RAM role, in seconds. Default: 3600. Valid range: 3600–43200. Must be <= MaxSessionDuration of Account B's RAM role. | 3600 |
Cross-region and edge node pool considerations
Same region: Leave region and vpcId blank.
Different regions: Set region to the region where the ACR Enterprise Edition instance resides, and vpcId to the VPC ID associated with that instance.
ACK Edge clusters: To limit P2P to a specific node pool, set edgeNodePool.id to the node pool ID (for example, npxyzxxxxxxxxx). The node pool must be a cloud node pool or a dedicated edge node pool with inter-node connection enabled. If you leave this parameter blank, P2P is enabled for all edge nodes. Make sure edge nodes are connected to the ACR Enterprise Edition instance VPC via Express Connect, and that the nodes can communicate with each other over the network.
P2P port: The P2P agent uses port 65001 by default. If this port is occupied by another component, change p2p.port to an available port.
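The parameter blocks, the RRSA table and the considerations above spell out several constraints that the Helm chart form does not enforce for you: exactly one authentication method, expireDuration inside 3600–43200 and not above Account B's MaxSessionDuration, region and vpcId either both blank or both set, a node pool ID rather than a name, and a usable port. The following Python pre-flight check, an added example that is not part of the Alibaba Cloud documentation or the ack-acr-acceleration-p2p chart, applies those rules to a values dict (what yaml.safe_load of your values file would give you). The ID formats it checks are assumptions based on the "cri-xxx" and "np..." examples on this page, and the sample values are constructed placeholders.

```python
"""Pre-flight checks for ack-acr-acceleration-p2p Helm values before you click Deploy.

Added example, not part of the Alibaba Cloud documentation or the chart. It works on the values as a
dict (what yaml.safe_load returns); the ID shapes below are assumptions from this page's examples.
"""
import re

INSTANCE_ID = re.compile(r"^cri-[0-9a-z]+$")  # assumed shape of an ACR EE instance ID ("cri-xxx")
NODE_POOL_ID = re.compile(r"^np[0-9a-z]+$")   # assumed shape of an edge node pool ID (an ID, not a name)
MIN_EXPIRE, MAX_EXPIRE = 3600, 43200          # valid rrsa.expireDuration range from this page


def _split_ids(raw):
    """Comma-separated instance IDs, ignoring stray whitespace and empty entries."""
    return [part.strip() for part in (raw or "").split(",") if part.strip()]


def check_values(values, max_session_duration=None):
    """Return a list of findings; an empty list means the values are consistent with this page.

    max_session_duration is the MaxSessionDuration of Account B's RAM role (cross-account RRSA only).
    """
    findings = []
    rrsa = values.get("rrsa") or {}
    use_rrsa = bool(rrsa.get("enable"))

    # Method 3 names the instances in registryInstances; Methods 1 and 2 use acrInstances.
    key = "registryInstances" if use_rrsa else "acrInstances"
    ids = _split_ids(values.get(key))
    if not ids:
        findings.append(f"{key} is empty: set the ACR EE instance ID(s) from Step 1")
    malformed = [i for i in ids if not INSTANCE_ID.match(i)]
    if malformed:
        findings.append(f"{key} contains malformed IDs: {malformed}")

    # Exactly one authentication method: an AccessKey pair is all-or-nothing and excludes RRSA.
    ak, sk = values.get("accessKey"), values.get("accessKeySecret")
    if bool(ak) != bool(sk):
        findings.append("accessKey and accessKeySecret must be set together (Method 2) or both omitted")
    if use_rrsa and (ak or sk):
        findings.append("rrsa.enable is true but AccessKey credentials are also set: use one method")

    if use_rrsa:
        for name in ("rrsaRoleARN", "rrsaOIDCProviderRoleARN"):
            if not rrsa.get(name):
                findings.append(f"rrsa.{name} is required when rrsa.enable is true")
        expire = rrsa.get("expireDuration", 3600)  # the page's default
        if not isinstance(expire, int) or not MIN_EXPIRE <= expire <= MAX_EXPIRE:
            findings.append(f"rrsa.expireDuration={expire!r} is outside {MIN_EXPIRE}-{MAX_EXPIRE} seconds")
        elif rrsa.get("assumeRoleARN") and max_session_duration is not None and expire > max_session_duration:
            findings.append(f"rrsa.expireDuration={expire} exceeds MaxSessionDuration={max_session_duration} "
                            "of Account B's RAM role")

    # region and vpcId travel together: both blank (same region) or both set (cross-region / own DC).
    if bool(values.get("region")) != bool(values.get("vpcId")):
        findings.append("set both region and vpcId for a cross-region or off-cloud cluster, or leave both blank")

    pool_id = (values.get("edgeNodePool") or {}).get("id")
    if pool_id and not NODE_POOL_ID.match(pool_id):
        findings.append(f"edgeNodePool.id={pool_id!r} does not look like a node pool ID (np...); use the ID, not the name")

    port = (values.get("p2p") or {}).get("port", 65001)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"p2p.port={port!r} is not a valid TCP port")
    return findings


# Constructed sample values; every ID, key and ARN here is a placeholder.
METHOD2_VALUES = {
    "acrInstances": "cri-0123456789abcdef,cri-fedcba9876543210",
    "accessKey": "accesskey-placeholder", "accessKeySecret": "secret-placeholder",
    "region": "cn-hangzhou", "vpcId": "vpc-placeholder",
    "edgeNodePool": {"id": "np0123456789abcdef"},
    "p2p": {"port": 65001},
}

RRSA_CROSS_ACCOUNT_VALUES = {
    "registryInstances": "cri-0123456789abcdef",
    "rrsa": {"enable": True, "rrsaRoleARN": "acs:ram::000000000000:role/p2p-account-a-placeholder",
             "rrsaOIDCProviderRoleARN": "acs:ram::000000000000:oidc-provider/ack-rrsa-placeholder",
             "assumeRoleARN": "acs:ram::111111111111:role/p2p-account-b-placeholder",
             "expireDuration": 43200},
    "region": "", "vpcId": "",
    "edgeNodePool": {"id": ""},
    "p2p": {"port": 65001},
}

if __name__ == "__main__":
    print(check_values(METHOD2_VALUES) or "Method 2 values OK")
    print(check_values(RRSA_CROSS_ACCOUNT_VALUES, max_session_duration=43200) or "RRSA values OK")
```

For the cross-account case, pass the MaxSessionDuration you configured on Account B's role; the check reproduces the page's rule that expireDuration may not exceed it, which otherwise only surfaces as failed endpoint lookups after the agent is already running.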