Alauda Container Platform

Import Alibaba Cloud ACK Cluster

Import existing Alibaba Cloud ACK managed clusters (Managed Kubernetes) or Alibaba Cloud ACK dedicated clusters (Dedicated Kubernetes) for unified platform management.

TIP

For product information about ACK managed clusters (Managed Kubernetes) or Alibaba Cloud ACK dedicated clusters (Dedicated Kubernetes), refer to the official documentation.

TOC

Prerequisites

Get Image Registry Address

  • To use the platform-deployed image registry from the global cluster deployment, execute the following command on the control node of the global cluster to get the address:

    if [ "$(kubectl get productbase -o jsonpath='{.items[].spec.registry.preferPlatformURL}')" = 'false' ]; then
    REGISTRY=$(kubectl get cm -n kube-public global-info -o jsonpath='{.data.registryAddress}')
else
    REGISTRY=$(kubectl get cm -n kube-public global-info -o jsonpath='{.data.platformURL}' | awk -F \// '{print $NF}')
fi
echo "Image registry address is: $REGISTRY"

  • To use an external image registry, manually set the REGISTRY variable.

    REGISTRY=<external image registry address>  # Valid examples: registry.example.cn:60080 or 192.168.134.43
echo "Image registry address is: $REGISTRY"

Determine if Image Registry Requires Additional Configuration

  1. Execute the following command to determine if the specified image registry supports HTTPS access and uses certificates issued by trusted CA authorities:

    REGISTRY=<image registry address obtained from the "Get Image Registry Address" section>

if curl -s -o /dev/null --retry 3 --retry-delay 5 -- "https://${REGISTRY}/v2/"; then
    echo 'Test passed: The image registry uses certificates issued by trusted CA authorities. You do not need to execute the content in the "Trust Insecure Image Registry" section.'
else
    echo 'Test failed: The image registry does not support HTTPS or the certificate is not trusted. Please refer to the "Trust Insecure Image Registry" section for configuration.'
fi

  2. If the test fails, refer to the FAQ How to trust insecure image registries?.

Get KubeConfig

  1. Log in to the Alibaba Cloud Container Service management platform.

  2. In the left navigation bar of the console, click Clusters.

  3. On the Cluster List page, click the target cluster name or Details under the Actions column on the right side of the target cluster.

  4. On the Cluster Information page, click the Connection Information tab, then click Generate Temporary KubeConfig.

  5. In the Temporary KubeConfig dialog, set the validity period of the temporary credentials and the method to access the cluster (including public network access and internal network access).

  6. Click Generate Temporary KubeConfig, then click Copy to copy the content and save it to the KubeConfig file on your local computer.

  7. After the cluster is successfully imported, you can revoke the temporary credentials.

Import Cluster

  1. In the left navigation bar, click Cluster Management > Clusters.

  2. Click Import Cluster.

  3. Configure the relevant parameters according to the following instructions.

    ParameterDescription
    Image RegistryRepository for storing platform component images required by the cluster. - Platform Default: Image registry configured during global cluster deployment. - Private Registry: Pre-built registry that stores platform-required component images. You need to enter the private image registry address, port, username, and password for accessing the image registry. - Public Registry: Use public image registry services on the internet. Before use, you need to refer to Update Public Repository Cloud Credentials to obtain repository authentication permissions.
    Cluster InformationTip: Can be filled manually or uploaded via KubeConfig file for automatic parsing and filling by the platform. Parse KubeConfig File: After uploading the obtained KubeConfig file, the platform will automatically parse and fill the Cluster Information. You can modify the automatically filled information. Cluster Address: The access address of the cluster's externally exposed API Server, used by the platform to access the cluster's API Server. CA Certificate: The cluster's CA certificate. Note: When entering manually, you need to enter the Base64-decoded certificate. Authentication Method: Authentication method for accessing the cluster. You need to use a token or certificate authentication (client certificate and key) with cluster management permissions for authentication.

  4. Click Check Connectivity to check network connectivity with the cluster to be imported and automatically identify the type of cluster to be imported. The cluster type will be displayed as a badge in the upper right corner of the form.

  5. After connectivity check passes, click Import and confirm.

    TIP
    • Click the Details icon on the right side of a cluster in Importing status to view the cluster's execution progress (status.conditions) in the popup Execution Progress dialog.
    • After the cluster is successfully imported, you can view the cluster's key information in the cluster list. The cluster status shows as normal and you can perform cluster-related operations.

Network Configuration

Ensure network connectivity between the global cluster and the cluster to be imported. See Network Configuration for Imported Clusters.

FAQ

How to handle port conflicts between Alibaba Cloud monitoring and platform monitoring components?

When Alibaba Cloud's built-in monitoring and platform monitoring components coexist, port conflicts will occur. It is recommended to uninstall Alibaba Cloud monitoring and keep only platform monitoring.

How to use public network access for Alibaba Cloud clusters?

If using public network access for Alibaba Cloud clusters, you can bind a public IP on Alibaba Cloud.

After importing a cluster, the add node button is grayed out. How to add nodes?

Both Alibaba Cloud ACK managed clusters and ACK dedicated clusters do not support adding nodes through the platform interface. Please add them in the backend or contact the cluster provider to add them.

Which certificates are supported by the certificate management function for imported clusters?

  1. Kubernetes Certificates: All imported clusters only support viewing APIServer certificate information in the platform certificate management interface. They do not support viewing other Kubernetes certificates and do not support automatic rotation.

  2. Platform Component Certificates: All imported clusters can view platform component certificate information in the platform certificate management interface and support automatic rotation.

What other features are not supported for imported Alibaba Cloud ACK managed clusters and ACK dedicated clusters?

  • Alibaba Cloud ACK managed clusters do not support obtaining audit data.

  • Alibaba Cloud ACK managed clusters do not support ETCD, Scheduler, Controller Manager related monitoring information, but support some APIServer monitoring charts.

  • Both Alibaba Cloud ACK managed clusters and ACK dedicated clusters do not support obtaining cluster certificate-related information except for Kubernetes APIServer certificates.