Unified Management & Secure Governance for Alibaba Cloud ACK and On-Prem Kubernetes
This article explains how cloud‑native technologies enable a unified control plane for Alibaba Cloud ACK clusters and self‑built Kubernetes clusters, detailing the ACK registered‑cluster architecture, one‑way registration, non‑managed security mechanisms, step‑by‑step cluster onboarding, and consistent security governance across environments.
Background
Cloud‑native technologies such as Kubernetes abstract away differences between public‑cloud providers and on‑premise data‑centers, allowing applications to be described, deployed, and operated in a standardized way.
ACK Registered Cluster Architecture
The architecture unifies public‑cloud ACK clusters and self‑built Kubernetes clusters under a single control plane. It consists of:
ACK console.
ACK registered‑cluster Agent, deployed as a Deployment inside the self‑built cluster.
ACK registered‑cluster Stub running on the control side.
Kubernetes API Server of the target cluster.
One‑Way Registration, Two‑Way Communication
The Agent initiates a one‑way registration to the Stub, presenting a pre‑generated token and certificates. Over the resulting TLS‑protected channel, the Stub forwards requests to the Agent, which proxies them to the target cluster's API Server and returns the responses.
Non‑Managed Secure Access Mechanism
Security is ensured by:
The control side never stores private keys of the user’s cluster; access uses certificates issued by ACK.
All cluster‑access permissions are consolidated in the Agent, giving users full control over their own clusters.
The Agent is deployed non‑intrusively as a Deployment, and its source code will be open‑sourced.
An optional security‑audit feature records every operation.
Unified Cluster Management Experience
To manage both an ACK cluster and an on‑premise cluster with the same UI, create an ACK registered cluster and import the self‑built cluster.
Create ACK Registered Cluster
In the ACK console, select a region close to the on‑premise cluster, configure VPC and security groups, and submit. Creation finishes in about three minutes.
Connect the Self‑Built Cluster
Apply the generated agent manifest in the target cluster:
$ kubectl apply -f agent.yaml
After the Agent runs, the console lists both the managed ACK cluster and the registered cluster (e.g., idc‑k8s) with their respective Kubernetes versions.
Users can now perform cluster, node, application, and operation tasks on both clusters through the same console.
Consistent Security Governance
Because different clouds provide different RBAC and policy mechanisms, ACK registered clusters unify access control using Alibaba Cloud sub‑account authentication together with Kubernetes RBAC.
Example: two sub‑accounts testuser01 (developer) and testuser02 (tester) are granted different namespace permissions on the ACK and registered clusters.
Audit logs from the API Server can be visualized via the cluster‑audit feature, and a configuration‑inspection tool scans workloads for security risks, presenting detailed reports.