diff --git a/docs/cce/umn/ALL_META.TXT.json b/docs/cce/umn/ALL_META.TXT.json index 2270b6fdc..a55f31336 100644 --- a/docs/cce/umn/ALL_META.TXT.json +++ b/docs/cce/umn/ALL_META.TXT.json @@ -277,11 +277,29 @@ "title":"Security Vulnerability Responses", "githuburl":"" }, + { + "uri":"CVE-2025-23266.html", + "node_id":"cve-2025-23266.xml", + "product_code":"cce", + "code":"16", + "des":"NVIDIA Container Toolkit is an open-source tool package from NVIDIA. It allows you to use NVIDIA GPUs to speed up computing in a containerized environment. The toolkit in", + "doc_type":"usermanual2", + "kw":"Notice of the NVIDIA Container Toolkit Container Escape Vulnerabilities (CVE-2025-23266 and CVE-2025", + "search_title":"", + "metedata":[ + { + "prodname":"cce", + "documenttype":"usermanual" + } + ], + "title":"Notice of the NVIDIA Container Toolkit Container Escape Vulnerabilities (CVE-2025-23266 and CVE-2025-23267)", + "githuburl":"" + }, { "uri":"cce_bulletin_0011.html", "node_id":"cce_bulletin_0011.xml", "product_code":"cce", - "code":"16", + "code":"17", "des":"High-risk vulnerabilities:CCE fixes vulnerabilities as soon as possible after the Kubernetes community detects them and releases fixing solutions. The fixing policies are", "doc_type":"usermanual2", "kw":"Vulnerability Fixing Policies,Security Vulnerability Responses,User Guide", @@ -300,7 +318,7 @@ "uri":"CVE-2021-4034.html", "node_id":"cve-2021-4034.xml", "product_code":"cce", - "code":"17", + "code":"18", "des":"Recently, a security research team disclosed a privilege escalation vulnerability (CVE-2021-4034, also dubbed PwnKit) in PolKit's pkexec. Unprivileged users can gain full", "doc_type":"usermanual2", "kw":"Linux Polkit Privilege Escalation Vulnerability (CVE-2021-4034),Security Vulnerability Responses,Use", @@ -320,7 +338,7 @@ "uri":"cce_bulletin_0206.html", "node_id":"cce_bulletin_0206.xml", "product_code":"cce", - "code":"18", + "code":"19", "des":"The Linux Kernel SACK vulnerabilities have been fixed. This section describes the solution to these vulnerabilities.On June 18, 2019, Red Hat released a security notice, ", "doc_type":"usermanual2", "kw":"Notice on Fixing Linux Kernel SACK Vulnerabilities,Security Vulnerability Responses,User Guide", @@ -340,7 +358,7 @@ "uri":"cce_qs_0000.html", "node_id":"cce_qs_0000.xml", "product_code":"cce", - "code":"19", + "code":"20", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Getting Started", @@ -360,7 +378,7 @@ "uri":"cce_qs_0001.html", "node_id":"cce_qs_0001.xml", "product_code":"cce", - "code":"20", + "code":"21", "des":"This section describes how to use Cloud Container Engine (CCE) and provides frequently asked questions (FAQs) to help you quickly get started with CCE.Complete the follow", "doc_type":"usermanual2", "kw":"Introduction,Getting Started,User Guide", @@ -378,7 +396,7 @@ "uri":"cce_qs_0006.html", "node_id":"cce_qs_0006.xml", "product_code":"cce", - "code":"21", + "code":"22", "des":"Before using CCE, make the following preparations:Creating an IAM userObtaining Resource Permissions(Optional) Creating a VPC(Optional) Creating a Key PairIf you want to ", "doc_type":"usermanual2", "kw":"VPC,Preparations,Getting Started,User Guide", @@ -396,7 +414,7 @@ "uri":"cce_qs_0008.html", "node_id":"cce_qs_0008.xml", "product_code":"cce", - "code":"22", + "code":"23", "des":"This section describes how to quickly create a CCE cluster. In this example, the default or simple configurations are in use.If you have no clusters, click Create Cluster", "doc_type":"usermanual2", "kw":"Creating a Kubernetes Cluster,Getting Started,User Guide", @@ -414,7 +432,7 @@ "uri":"cce_qs_0003.html", "node_id":"cce_qs_0003.xml", "product_code":"cce", - "code":"23", + "code":"24", "des":"You can use images to quickly create a single-pod workload that can be accessed from public networks. This section describes how to use CCE to quickly deploy an Nginx app", "doc_type":"usermanual2", "kw":"Deploying a Deployment (Nginx),Getting Started,User Guide", @@ -432,7 +450,7 @@ "uri":"cce_qs_0007.html", "node_id":"cce_qs_0007.xml", "product_code":"cce", - "code":"24", + "code":"25", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Deploying WordPress and MySQL That Depend on Each Other", @@ -450,7 +468,7 @@ "uri":"cce_qs_0009.html", "node_id":"cce_qs_0009.xml", "product_code":"cce", - "code":"25", + "code":"26", "des":"WordPress was originally a blog platform based on PHP and MySQL. It is gradually evolved into a content management system. You can set up your own blog website on any ser", "doc_type":"usermanual2", "kw":"Overview,Deploying WordPress and MySQL That Depend on Each Other,User Guide", @@ -468,7 +486,7 @@ "uri":"cce_qs_0004.html", "node_id":"cce_qs_0004.xml", "product_code":"cce", - "code":"26", + "code":"27", "des":"WordPress must be used together with MySQL. WordPress runs the content management program while MySQL serves as a database to store data.You have created a CCE cluster th", "doc_type":"usermanual2", "kw":"Step 1: Deploying MySQL,Deploying WordPress and MySQL That Depend on Each Other,User Guide", @@ -486,7 +504,7 @@ "uri":"cce_qs_0005.html", "node_id":"cce_qs_0005.xml", "product_code":"cce", - "code":"27", + "code":"28", "des":"WordPress was originally a blog platform based on PHP and MySQL. It is gradually evolved into a content management system. You can set up your own blog website on any ser", "doc_type":"usermanual2", "kw":"Step 2: Deploying WordPress,Deploying WordPress and MySQL That Depend on Each Other,User Guide", @@ -504,7 +522,7 @@ "uri":"cce_10_0054.html", "node_id":"cce_10_0054.xml", "product_code":"cce", - "code":"28", + "code":"29", "des":"During service deployment or running, you may trigger high-risk operations at different levels, causing service faults or interruption. To help you better estimate and av", "doc_type":"usermanual2", "kw":"network-attachment-definitions,High-Risk Operations,User Guide", @@ -522,7 +540,7 @@ "uri":"cce_10_0091.html", "node_id":"cce_10_0091.xml", "product_code":"cce", - "code":"29", + "code":"30", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Clusters", @@ -540,7 +558,7 @@ "uri":"cce_10_0430.html", "node_id":"cce_10_0430.xml", "product_code":"cce", - "code":"30", + "code":"31", "des":"Cloud Container Engine (CCE) is a Kubernetes cluster hosting service for enterprises. It manages the entire lifecycle of containerized applications and delivers scalable,", "doc_type":"usermanual2", "kw":"Number of Master Nodes in a Cluster,Cluster Overview,Clusters,User Guide", @@ -558,7 +576,7 @@ "uri":"cce_10_0002.html", "node_id":"cce_10_0002.xml", "product_code":"cce", - "code":"31", + "code":"32", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Cluster Version Release Notes", @@ -576,7 +594,7 @@ "uri":"cce_10_0068.html", "node_id":"cce_10_0068.xml", "product_code":"cce", - "code":"32", + "code":"33", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Kubernetes Version Release Notes", @@ -594,8 +612,8 @@ "uri":"cce_bulletin_0099.html", "node_id":"cce_bulletin_0099.xml", "product_code":"cce", - "code":"33", - "des":"CCE allows you to create Kubernetes clusters 1.31. This section describes the changes made in Kubernetes 1.31.New and Enhanced FeaturesAPI Changes and RemovalsEnhanced Ku", + "code":"34", + "des":"CCE allows you to create Kubernetes 1.31 clusters. This section describes the changes made in Kubernetes 1.31.New and Enhanced FeaturesAPI Changes and RemovalsEnhanced Ku", "doc_type":"usermanual2", "kw":"Kubernetes 1.31 Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", @@ -612,8 +630,8 @@ "uri":"cce_bulletin_0095.html", "node_id":"cce_bulletin_0095.xml", "product_code":"cce", - "code":"34", - "des":"CCE allows you to create Kubernetes clusters 1.30. This section describes the changes made in Kubernetes 1.30.New and Enhanced FeaturesAPI Changes and RemovalsEnhanced Ku", + "code":"35", + "des":"CCE allows you to create Kubernetes 1.30 clusters. This section describes the changes made in Kubernetes 1.30.New and Enhanced FeaturesAPI Changes and RemovalsEnhanced Ku", "doc_type":"usermanual2", "kw":"Kubernetes 1.30 Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", @@ -630,8 +648,8 @@ "uri":"cce_bulletin_0089.html", "node_id":"cce_bulletin_0089.xml", "product_code":"cce", - "code":"35", - "des":"CCE allows you to create Kubernetes clusters 1.29. This section describes the changes made in Kubernetes 1.29.New and Enhanced FeaturesAPI Changes and RemovalsEnhanced Ku", + "code":"36", + "des":"CCE allows you to create Kubernetes 1.29 clusters. This section describes the changes made in Kubernetes 1.29.New and Enhanced FeaturesAPI Changes and RemovalsIncompatibl", "doc_type":"usermanual2", "kw":"Kubernetes 1.29 Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", @@ -648,8 +666,8 @@ "uri":"cce_bulletin_0068.html", "node_id":"cce_bulletin_0068.xml", "product_code":"cce", - "code":"36", - "des":"CCE allows you to create Kubernetes clusters 1.28. This section describes the changes made in Kubernetes 1.28.Important NotesNew and Enhanced FeaturesAPI Changes and Remo", + "code":"37", + "des":"CCE allows you to create Kubernetes 1.28 clusters. This section describes the changes made in Kubernetes 1.28.Important NotesNew and Enhanced FeaturesAPI Changes and Remo", "doc_type":"usermanual2", "kw":"Kubernetes 1.28 Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", @@ -666,8 +684,8 @@ "uri":"cce_bulletin_0059.html", "node_id":"cce_bulletin_0059.xml", "product_code":"cce", - "code":"37", - "des":"CCE allows you to create Kubernetes clusters 1.27. This section describes the changes made in Kubernetes 1.27 compared with Kubernetes 1.25.New FeaturesDeprecations and R", + "code":"38", + "des":"CCE allows you to create Kubernetes 1.27 clusters. This section describes the changes made in Kubernetes 1.27 compared with Kubernetes 1.25.New FeaturesDeprecations and R", "doc_type":"usermanual2", "kw":"Kubernetes 1.27 Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", @@ -684,10 +702,10 @@ "uri":"cce_bulletin_0058.html", "node_id":"cce_bulletin_0058.xml", "product_code":"cce", - "code":"38", + "code":"39", "des":"This section describes the changes made in Kubernetes 1.25 compared with Kubernetes 1.23.New FeaturesDeprecations and RemovalsEnhanced Kubernetes 1.25 on CCEReferencesKub", "doc_type":"usermanual2", - "kw":"Kubernetes 1.25 Release Notes,Kubernetes Version Release Notes,User Guide", + "kw":"Kubernetes 1.25 (EOM) Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", "metedata":[ { @@ -695,17 +713,17 @@ "documenttype":"usermanual" } ], - "title":"Kubernetes 1.25 Release Notes", + "title":"Kubernetes 1.25 (EOM) Release Notes", "githuburl":"" }, { "uri":"cce_bulletin_0027.html", "node_id":"cce_bulletin_0027.xml", "product_code":"cce", - "code":"39", + "code":"40", "des":"This section describes the updates in CCE Kubernetes 1.23.Kubernetes v1.23 Release NotesFlexVolume is deprecated. Use CSI.HorizontalPodAutoscaler v2 is promoted to GA, an", "doc_type":"usermanual2", - "kw":"Kubernetes 1.23 Release Notes,Kubernetes Version Release Notes,User Guide", + "kw":"Kubernetes 1.23 (EOM) Release Notes,Kubernetes Version Release Notes,User Guide", "search_title":"", "metedata":[ { @@ -713,14 +731,14 @@ "documenttype":"usermanual" } ], - "title":"Kubernetes 1.23 Release Notes", + "title":"Kubernetes 1.23 (EOM) Release Notes", "githuburl":"" }, { "uri":"cce_bulletin_0026.html", "node_id":"cce_bulletin_0026.xml", "product_code":"cce", - "code":"40", + "code":"41", "des":"This section describes the updates in CCE Kubernetes 1.21.Kubernetes v1.21 Release NotesCronJob is now in the stable state, and the version number changes to batch/v1.The", "doc_type":"usermanual2", "kw":"Kubernetes 1.21 (EOM) Release Notes,Kubernetes Version Release Notes,User Guide", @@ -738,7 +756,7 @@ "uri":"cce_whsnew_0010.html", "node_id":"cce_whsnew_0010.xml", "product_code":"cce", - "code":"41", + "code":"42", "des":"This section describes the updates in CCE Kubernetes 1.19.Kubernetes v1.19 Release NotesvSphere in-tree volumes can be migrated to vSphere CSI drivers. The in-tree vSpher", "doc_type":"usermanual2", "kw":"Kubernetes 1.19 (EOM) Release Notes,Kubernetes Version Release Notes,User Guide", @@ -756,7 +774,7 @@ "uri":"cce_whsnew_0007.html", "node_id":"cce_whsnew_0007.xml", "product_code":"cce", - "code":"42", + "code":"43", "des":"This section describes the updates in CCE Kubernetes 1.17.All resources in the apps/v1beta1 and apps/v1beta2 API versions are no longer served. Migrate to use the apps/v1", "doc_type":"usermanual2", "kw":"Kubernetes 1.17 (EOM) Release Notes,Kubernetes Version Release Notes,User Guide", @@ -774,7 +792,7 @@ "uri":"cce_10_0405.html", "node_id":"cce_10_0405.xml", "product_code":"cce", - "code":"43", + "code":"44", "des":"In CCE clusters of v1.25, containerd is the default runtime for nodes, except for nodes running EulerOS 2.5. In addition, clusters of v1.25 or later no longer support Eul", "doc_type":"usermanual2", "kw":"Patch Version Release Notes,Cluster Version Release Notes,User Guide", @@ -792,7 +810,7 @@ "uri":"cce_10_0298.html", "node_id":"cce_10_0298.xml", "product_code":"cce", - "code":"44", + "code":"45", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Creating a Cluster", @@ -810,7 +828,7 @@ "uri":"cce_10_0342.html", "node_id":"cce_10_0342.xml", "product_code":"cce", - "code":"45", + "code":"46", "des":"CCE provides different types of clusters for you to select. The following table lists the differences between them.", "doc_type":"usermanual2", "kw":"Comparison Between Cluster Types,Creating a Cluster,User Guide", @@ -828,7 +846,7 @@ "uri":"cce_10_0028.html", "node_id":"cce_10_0028.xml", "product_code":"cce", - "code":"46", + "code":"47", "des":"On the CCE console, you can easily create Kubernetes clusters. After a cluster is created, the master node is hosted by CCE. You only need to create worker nodes. In this", "doc_type":"usermanual2", "kw":"Creating a CCE Standard/Turbo Cluster,Creating a Cluster,User Guide", @@ -846,7 +864,7 @@ "uri":"cce_10_0349.html", "node_id":"cce_10_0349.xml", "product_code":"cce", - "code":"47", + "code":"48", "des":"kube-proxy is a key component of a Kubernetes cluster. It is used for load balancing and forwarding data between a Service and its backend pods.CCE supports the iptables ", "doc_type":"usermanual2", "kw":"kube-proxy,iptables,IP Virtual Server (IPVS),forwarding modes,Comparing iptables and IPVS,Creating a", @@ -864,7 +882,7 @@ "uri":"cce_10_0140.html", "node_id":"cce_10_0140.xml", "product_code":"cce", - "code":"48", + "code":"49", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Connecting to a Cluster", @@ -882,7 +900,7 @@ "uri":"cce_10_0107.html", "node_id":"cce_10_0107.xml", "product_code":"cce", - "code":"49", + "code":"50", "des":"kubectl is a command-line tool provided by Kubernetes, enabling you to manage cluster resources, view cluster status, deploy applications, and debug issues through the CL", "doc_type":"usermanual2", "kw":"Intranet access,Internet access,kubectl,intranet access,Internet access,Two-Way Authentication for D", @@ -900,7 +918,7 @@ "uri":"cce_10_0175.html", "node_id":"cce_10_0175.xml", "product_code":"cce", - "code":"50", + "code":"51", "des":"X.509 certificates are essential for verifying identities and encrypting communication within CCE clusters. These certificates enable authorized clients to access target ", "doc_type":"usermanual2", "kw":"X.509 certificate,Accessing a Cluster Using an X.509 Certificate,Connecting to a Cluster,User Guide", @@ -918,7 +936,7 @@ "uri":"cce_10_0367.html", "node_id":"cce_10_0367.xml", "product_code":"cce", - "code":"51", + "code":"52", "des":"Subject Alternative Name (SAN) enables certificates to be associated with multiple values, including IP addresses and domain names. A SAN is usually used by the client to", "doc_type":"usermanual2", "kw":"SAN,X.509 certificate,Accessing a Cluster Using a Custom Domain Name,Connecting to a Cluster,User Gu", @@ -936,7 +954,7 @@ "uri":"cce_10_0864.html", "node_id":"cce_10_0864.xml", "product_code":"cce", - "code":"52", + "code":"53", "des":"You can bind an EIP to an API server of a Kubernetes cluster so that the API server can access the Internet.Binding an EIP to an API server for Internet access can pose a", "doc_type":"usermanual2", "kw":"Configuring a Cluster's API Server for Internet Access,Connecting to a Cluster,User Guide", @@ -954,7 +972,7 @@ "uri":"cce_10_0744.html", "node_id":"cce_10_0744.xml", "product_code":"cce", - "code":"53", + "code":"54", "des":"In multi-tenant scenarios, CCE generates a unique credential (such as a kubeconfig file or an X.509 certificate) for each user to access their designated cluster. These c", "doc_type":"usermanual2", "kw":"Revoking a Cluster Access Credential,Connecting to a Cluster,User Guide", @@ -972,7 +990,7 @@ "uri":"cce_10_0031.html", "node_id":"cce_10_0031.xml", "product_code":"cce", - "code":"54", + "code":"55", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Managing a Cluster", @@ -990,7 +1008,7 @@ "uri":"cce_10_0213.html", "node_id":"cce_10_0213.xml", "product_code":"cce", - "code":"55", + "code":"56", "des":"Cluster configuration parameters are underlying rules that define node behavior, resource allocation, communication rules, and scaling policies in a distributed system. T", "doc_type":"usermanual2", "kw":"Cluster configuration parameters,cluster configuration parameters,Cluster configuration parameters,C", @@ -1008,7 +1026,7 @@ "uri":"cce_10_0602.html", "node_id":"cce_10_0602.xml", "product_code":"cce", - "code":"56", + "code":"57", "des":"Cluster overload occurs when system load such as request volume or resource usage exceeds the system's processing capacity, leading to degraded performance or system fail", "doc_type":"usermanual2", "kw":"Enabling Overload Control for a Cluster,Managing a Cluster,User Guide", @@ -1026,7 +1044,7 @@ "uri":"cce_10_0403.html", "node_id":"cce_10_0403.xml", "product_code":"cce", - "code":"57", + "code":"58", "des":"A cluster scale specifies the maximum number of nodes a cluster can manage. If the current cluster scale cannot meet your requirements, you can scale it out.A cluster tha", "doc_type":"usermanual2", "kw":"scale it out,Changing a Cluster Scale,Managing a Cluster,User Guide", @@ -1044,7 +1062,7 @@ "uri":"cce_10_0426.html", "node_id":"cce_10_0426.xml", "product_code":"cce", - "code":"58", + "code":"59", "des":"When creating a cluster, you can customize a node security group to centrally manage network security policies. For a created cluster, you can change its default node sec", "doc_type":"usermanual2", "kw":"Changing the Default Security Group of a Node,Managing a Cluster,User Guide", @@ -1062,7 +1080,7 @@ "uri":"cce_10_0212.html", "node_id":"cce_10_0212.xml", "product_code":"cce", - "code":"59", + "code":"60", "des":"Deleting a cluster will delete the workloads and Services in the cluster, and the deleted data cannot be recovered. Before performing this operation, ensure that related ", "doc_type":"usermanual2", "kw":"Deleting a Cluster,Managing a Cluster,User Guide", @@ -1080,7 +1098,7 @@ "uri":"cce_10_0927.html", "node_id":"cce_10_0927.xml", "product_code":"cce", - "code":"60", + "code":"61", "des":"Unexpected deletion of clusters can occur in practice, especially when multiple users share an account and accidentally delete clusters that do not belong to them. To pre", "doc_type":"usermanual2", "kw":"Preventing Cluster Deletion,Managing a Cluster,User Guide", @@ -1098,7 +1116,7 @@ "uri":"cce_10_0214.html", "node_id":"cce_10_0214.xml", "product_code":"cce", - "code":"61", + "code":"62", "des":"If a cluster is not needed temporarily, hibernate it to reduce costs.After a cluster is hibernated, resources such as workloads cannot be created or managed in the cluste", "doc_type":"usermanual2", "kw":"Hibernating or Waking Up a Cluster,Managing a Cluster,User Guide", @@ -1116,7 +1134,7 @@ "uri":"cce_10_0215.html", "node_id":"cce_10_0215.xml", "product_code":"cce", - "code":"62", + "code":"63", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Upgrading a Cluster", @@ -1134,7 +1152,7 @@ "uri":"cce_10_0197.html", "node_id":"cce_10_0197.xml", "product_code":"cce", - "code":"63", + "code":"64", "des":"CCE strictly complies with community consistency authentication. It releases three Kubernetes versions each year and offers a maintenance period of at least 24 months aft", "doc_type":"usermanual2", "kw":"cluster upgrade process,Node Priority,In-place upgrade,Cluster Upgrade Overview,Upgrading a Cluster,", @@ -1152,7 +1170,7 @@ "uri":"cce_10_0302.html", "node_id":"cce_10_0302.xml", "product_code":"cce", - "code":"64", + "code":"65", "des":"Before the upgrade, you can check whether your cluster can be upgraded and which versions are available on the CCE console. For details, see Cluster Upgrade Overview.Befo", "doc_type":"usermanual2", "kw":"Deprecated APIs,Before You Start,Upgrading a Cluster,User Guide", @@ -1170,7 +1188,7 @@ "uri":"cce_10_0560.html", "node_id":"cce_10_0560.xml", "product_code":"cce", - "code":"65", + "code":"66", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Performing Post-Upgrade Verification", @@ -1188,7 +1206,7 @@ "uri":"cce_10_0568.html", "node_id":"cce_10_0568.xml", "product_code":"cce", - "code":"66", + "code":"67", "des":"After a cluster is upgraded, check whether the cluster is in the Running state.CCE automatically checks your cluster status. Go to the cluster list page and confirm the c", "doc_type":"usermanual2", "kw":"Cluster Status Check,Performing Post-Upgrade Verification,User Guide", @@ -1206,7 +1224,7 @@ "uri":"cce_10_0569.html", "node_id":"cce_10_0569.xml", "product_code":"cce", - "code":"67", + "code":"68", "des":"After a cluster is upgraded, check whether nodes in the cluster are in the Running state.CCE automatically checks your node statuses. Go to the node list page and confirm", "doc_type":"usermanual2", "kw":"Node Status Check,Performing Post-Upgrade Verification,User Guide", @@ -1224,7 +1242,7 @@ "uri":"cce_10_0567.html", "node_id":"cce_10_0567.xml", "product_code":"cce", - "code":"68", + "code":"69", "des":"After a cluster is upgraded, check whether there are any nodes that skip the upgrade in the cluster. These nodes may affect the proper running of the cluster.CCE automati", "doc_type":"usermanual2", "kw":"Node Skipping Check,Performing Post-Upgrade Verification,User Guide", @@ -1242,7 +1260,7 @@ "uri":"cce_10_0561.html", "node_id":"cce_10_0561.xml", "product_code":"cce", - "code":"69", + "code":"70", "des":"After a cluster is upgraded, check whether its services are running properly.Different services have different verification mode. Select a suitable one and verify the ser", "doc_type":"usermanual2", "kw":"Service Check,Performing Post-Upgrade Verification,User Guide", @@ -1260,7 +1278,7 @@ "uri":"cce_10_0565.html", "node_id":"cce_10_0565.xml", "product_code":"cce", - "code":"70", + "code":"71", "des":"Check whether nodes can be created in the cluster.If nodes cannot be created in your cluster after the cluster is upgraded, contact technical support.", "doc_type":"usermanual2", "kw":"New Node Check,Performing Post-Upgrade Verification,User Guide", @@ -1278,7 +1296,7 @@ "uri":"cce_10_0566.html", "node_id":"cce_10_0566.xml", "product_code":"cce", - "code":"71", + "code":"72", "des":"Check whether pods can be created on the existing nodes after the cluster is upgraded.Check whether pods can be created on new nodes after the cluster is upgraded.After c", "doc_type":"usermanual2", "kw":"New Pod Check,Performing Post-Upgrade Verification,User Guide", @@ -1296,7 +1314,7 @@ "uri":"cce_10_0210.html", "node_id":"cce_10_0210.xml", "product_code":"cce", - "code":"72", + "code":"73", "des":"This section describes how to migrate services from a cluster of an earlier version to a cluster of a later version in CCE.This operation is applicable when a cross-versi", "doc_type":"usermanual2", "kw":"Migrating Services Across Clusters of Different Versions,Upgrading a Cluster,User Guide", @@ -1314,7 +1332,7 @@ "uri":"cce_10_0550.html", "node_id":"cce_10_0550.xml", "product_code":"cce", - "code":"73", + "code":"74", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Troubleshooting for Pre-upgrade Check Exceptions", @@ -1332,7 +1350,7 @@ "uri":"cce_10_0549.html", "node_id":"cce_10_0549.xml", "product_code":"cce", - "code":"74", + "code":"75", "des":"The system automatically checks a cluster before its upgrade. If the cluster does not meet the pre-upgrade check conditions, the upgrade cannot continue. To avoid risks, ", "doc_type":"usermanual2", "kw":"Pre-upgrade Check,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1350,7 +1368,7 @@ "uri":"cce_10_0431.html", "node_id":"cce_10_0431.xml", "product_code":"cce", - "code":"75", + "code":"76", "des":"Check the following items:Check whether the node is available.Check whether the node OS supports the upgrade.Check whether the node is marked with unexpected node pool la", "doc_type":"usermanual2", "kw":"Node Restrictions,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1368,7 +1386,7 @@ "uri":"cce_10_0432.html", "node_id":"cce_10_0432.xml", "product_code":"cce", - "code":"76", + "code":"77", "des":"Check whether the target cluster is under upgrade management.CCE may temporarily restrict the cluster upgrade due to the following reasons:The cluster is identified as th", "doc_type":"usermanual2", "kw":"Upgrade Management,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1386,7 +1404,7 @@ "uri":"cce_10_0433.html", "node_id":"cce_10_0433.xml", "product_code":"cce", - "code":"77", + "code":"78", "des":"Check the following items:Check whether the add-on status is normal.Check whether the add-on supports the target version.Scenario 1: The add-on malfunctions.Log in to the", "doc_type":"usermanual2", "kw":"Add-ons,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1404,7 +1422,7 @@ "uri":"cce_10_0434.html", "node_id":"cce_10_0434.xml", "product_code":"cce", - "code":"78", + "code":"79", "des":"Check whether the current HelmRelease record contains discarded Kubernetes APIs that are not supported by the target cluster version. If yes, the Helm chart may be unavai", "doc_type":"usermanual2", "kw":"Helm Charts,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1422,7 +1440,7 @@ "uri":"cce_10_0435.html", "node_id":"cce_10_0435.xml", "product_code":"cce", - "code":"79", + "code":"80", "des":"Check whether your master nodes can be accessed using SSH.There is a low probability that the SSH connectivity check fails due to network fluctuations. Perform the pre-up", "doc_type":"usermanual2", "kw":"SSH Connectivity of Master Nodes,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1440,7 +1458,7 @@ "uri":"cce_10_0436.html", "node_id":"cce_10_0436.xml", "product_code":"cce", - "code":"80", + "code":"81", "des":"Check the node pool status.Check whether the node pool OS or container runtime is supported after the upgrade.Scenario: The node pool malfunctions.Log in to the CCE conso", "doc_type":"usermanual2", "kw":"Node Pools,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1458,7 +1476,7 @@ "uri":"cce_10_0437.html", "node_id":"cce_10_0437.xml", "product_code":"cce", - "code":"81", + "code":"82", "des":"Check whether the Protocol & Port of the worker node security groups is set to ICMP: All and whether the security group rule with the source IP address set to the master ", "doc_type":"usermanual2", "kw":"Security Groups,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1476,7 +1494,7 @@ "uri":"cce_10_0439.html", "node_id":"cce_10_0439.xml", "product_code":"cce", - "code":"82", + "code":"83", "des":"Check whether nodes need to be migrated.This issue is caused by either an error in the node's package pull component or the absence of key system components on the node, ", "doc_type":"usermanual2", "kw":"Residual Nodes,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1494,7 +1512,7 @@ "uri":"cce_10_0440.html", "node_id":"cce_10_0440.xml", "product_code":"cce", - "code":"83", + "code":"84", "des":"Check whether there are discarded resources in the clusters.Scenario 1: The Service in the clusters of v1.25 or later has discarded annotation tolerate-unready-endpoints.", "doc_type":"usermanual2", "kw":"Discarded Kubernetes Resources,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1512,7 +1530,7 @@ "uri":"cce_10_0441.html", "node_id":"cce_10_0441.xml", "product_code":"cce", - "code":"84", + "code":"85", "des":"Read the version compatibility differences and ensure that they are not affected. The patch upgrade does not involve version compatibility differences.", "doc_type":"usermanual2", "kw":"Compatibility Risks,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1530,7 +1548,7 @@ "uri":"cce_10_0442.html", "node_id":"cce_10_0442.xml", "product_code":"cce", - "code":"85", + "code":"86", "des":"Check whether cce-agent on the current node is of the latest version.Scenario 1: The error message \"you cce-agent no update, please restart it\" is displayed.This issue oc", "doc_type":"usermanual2", "kw":"CCE Agent Versions,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1548,7 +1566,7 @@ "uri":"cce_10_0443.html", "node_id":"cce_10_0443.xml", "product_code":"cce", - "code":"86", + "code":"87", "des":"Check whether the node's CPU usage is above 90%.Upgrade the cluster during off-peak hours.Check whether too many pods are deployed on the node. If yes, reschedule pods to", "doc_type":"usermanual2", "kw":"Node CPU Usage,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1566,7 +1584,7 @@ "uri":"cce_10_0444.html", "node_id":"cce_10_0444.xml", "product_code":"cce", - "code":"87", + "code":"88", "des":"Check the following items:Check whether the key CRD packageversions.version.cce.io of the cluster is deleted.Check whether the cluster key CRD network-attachment-definiti", "doc_type":"usermanual2", "kw":"CRDs,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1584,7 +1602,7 @@ "uri":"cce_10_0445.html", "node_id":"cce_10_0445.xml", "product_code":"cce", - "code":"88", + "code":"89", "des":"Check the following items:Check whether the key data disks on the node meet the upgrade requirements.Check whether the /tmp directory has 500 MB available space.During th", "doc_type":"usermanual2", "kw":"Node Disks,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1602,7 +1620,7 @@ "uri":"cce_10_0446.html", "node_id":"cce_10_0446.xml", "product_code":"cce", - "code":"89", + "code":"90", "des":"Check the following items:Check whether the DNS configuration of the current node can resolve the OBS address.Check whether the current node can access the OBS address of", "doc_type":"usermanual2", "kw":"Node DNS,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1620,7 +1638,7 @@ "uri":"cce_10_0447.html", "node_id":"cce_10_0447.xml", "product_code":"cce", - "code":"90", + "code":"91", "des":"Check whether the owner and owner group of the files in the /var/paas directory used by the CCE are both paas.Scenario 1: The error message \"xx file permission has been c", "doc_type":"usermanual2", "kw":"Node Key Directory File Permissions,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1638,7 +1656,7 @@ "uri":"cce_10_0448.html", "node_id":"cce_10_0448.xml", "product_code":"cce", - "code":"91", + "code":"92", "des":"Check whether the kubelet on the node is running properly.Scenario 1: The kubelet status is abnormal.If the kubelet malfunctions, the node will be unavailable. Restore th", "doc_type":"usermanual2", "kw":"kubelet,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1656,7 +1674,7 @@ "uri":"cce_10_0449.html", "node_id":"cce_10_0449.xml", "product_code":"cce", - "code":"92", + "code":"93", "des":"Check whether the node's memory usage is above 90%.Upgrade the cluster during off-peak hours.Check whether too many pods are deployed on the node. If yes, reschedule pods", "doc_type":"usermanual2", "kw":"Node Memory,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1674,7 +1692,7 @@ "uri":"cce_10_0450.html", "node_id":"cce_10_0450.xml", "product_code":"cce", - "code":"93", + "code":"94", "des":"Check whether the clock synchronization server ntpd or chronyd of the node is running properly.Scenario 1: ntpd is running abnormally.Log in to the node and run the syste", "doc_type":"usermanual2", "kw":"Node Clock Synchronization Server,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1692,7 +1710,7 @@ "uri":"cce_10_0451.html", "node_id":"cce_10_0451.xml", "product_code":"cce", - "code":"94", + "code":"95", "des":"Check whether the OS kernel version of the node is supported by CCE.Case 1: The node image is not a standard CCE image.CCE nodes run depending on the initial standard ker", "doc_type":"usermanual2", "kw":"Node OS,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1710,7 +1728,7 @@ "uri":"cce_10_0452.html", "node_id":"cce_10_0452.xml", "product_code":"cce", - "code":"95", + "code":"96", "des":"Verify that the master nodes in your cluster have more than 2 CPU cores.The master nodes have only 2 CPU cores, which may lead to a cluster upgrade failure.Contact techni", "doc_type":"usermanual2", "kw":"Node CPU Cores,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1728,7 +1746,7 @@ "uri":"cce_10_0453.html", "node_id":"cce_10_0453.xml", "product_code":"cce", - "code":"96", + "code":"97", "des":"Check whether the Python commands are available on a node.If the command output is not 0, the check fails.Reset the node or manually install Python before attempting the ", "doc_type":"usermanual2", "kw":"Node Python Commands,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1746,7 +1764,7 @@ "uri":"cce_10_0455.html", "node_id":"cce_10_0455.xml", "product_code":"cce", - "code":"97", + "code":"98", "des":"Check whether the nodes in the cluster are ready.Scenario 1: The nodes are in the unavailable status.Log in to the CCE console and click the cluster name to access the cl", "doc_type":"usermanual2", "kw":"Node Readiness,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1764,7 +1782,7 @@ "uri":"cce_10_0456.html", "node_id":"cce_10_0456.xml", "product_code":"cce", - "code":"98", + "code":"99", "des":"Check whether journald of a node is normal.Log in to the node and run the systemctl is-active systemd-journald command to obtain the running status of journald. If the co", "doc_type":"usermanual2", "kw":"Node journald,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1782,7 +1800,7 @@ "uri":"cce_10_0457.html", "node_id":"cce_10_0457.xml", "product_code":"cce", - "code":"99", + "code":"100", "des":"Check whether the containerd.sock file is on the node. This file affects the startup of container runtime in the Euler OS.Scenario: The Docker used by the node is the cus", "doc_type":"usermanual2", "kw":"containerd.sock,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1800,7 +1818,7 @@ "uri":"cce_10_0458.html", "node_id":"cce_10_0458.xml", "product_code":"cce", - "code":"100", + "code":"101", "des":"This check item is not typical and implies that an internal error was found during the pre-upgrade check.Perform the pre-upgrade check again.If it fails again, submit a s", "doc_type":"usermanual2", "kw":"Internal Error,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1818,7 +1836,7 @@ "uri":"cce_10_0459.html", "node_id":"cce_10_0459.xml", "product_code":"cce", - "code":"101", + "code":"102", "des":"Check whether there are inaccessible mount points on the node.Scenario: There are inaccessible mount points on the node.If NFS (such as obsfs or SFS) is used by the node ", "doc_type":"usermanual2", "kw":"Node Mount Points,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1836,7 +1854,7 @@ "uri":"cce_10_0460.html", "node_id":"cce_10_0460.xml", "product_code":"cce", - "code":"102", + "code":"103", "des":"Check whether the taint needed for cluster upgrade exists on the node.Scenario 1: The node is skipped during the cluster upgrade.If the version of the node is different f", "doc_type":"usermanual2", "kw":"Kubernetes Node Taints,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1854,7 +1872,7 @@ "uri":"cce_10_0478.html", "node_id":"cce_10_0478.xml", "product_code":"cce", - "code":"103", + "code":"104", "des":"Check whether there are any compatibility restrictions on the current Everest add-on.There are compatibility restrictions on the current Everest add-on and it cannot be u", "doc_type":"usermanual2", "kw":"Everest Restrictions,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1872,7 +1890,7 @@ "uri":"cce_10_0479.html", "node_id":"cce_10_0479.xml", "product_code":"cce", - "code":"104", + "code":"105", "des":"Check whether there are compatibility limitations between the current and target cce-controller-hpa add-on versions.There are compatibility limitations between the curren", "doc_type":"usermanual2", "kw":"cce-hpa-controller Limitations,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1890,7 +1908,7 @@ "uri":"cce_10_0480.html", "node_id":"cce_10_0480.xml", "product_code":"cce", - "code":"105", + "code":"106", "des":"Check whether the current cluster version and the target version support enhanced CPU policy.Scenario: Only the current cluster version supports the enhanced CPU policy f", "doc_type":"usermanual2", "kw":"Enhanced CPU Policies,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1908,7 +1926,7 @@ "uri":"cce_10_0484.html", "node_id":"cce_10_0484.xml", "product_code":"cce", - "code":"106", + "code":"107", "des":"Check whether the container runtime and network components on the worker nodes are healthy.Issue 1: CNI Agent is not active.If your cluster version is earlier than v1.17.", "doc_type":"usermanual2", "kw":"Health of Worker Node Components,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1926,7 +1944,7 @@ "uri":"cce_10_0485.html", "node_id":"cce_10_0485.xml", "product_code":"cce", - "code":"107", + "code":"108", "des":"Check whether cluster components such as the Kubernetes component, container runtime component, and network component are running properly before the upgrade.Perform the ", "doc_type":"usermanual2", "kw":"Health of Master Node Components,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1944,7 +1962,7 @@ "uri":"cce_10_0486.html", "node_id":"cce_10_0486.xml", "product_code":"cce", - "code":"108", + "code":"109", "des":"Check whether the resources of Kubernetes components, such as etcd and kube-controller-manager, exceed the upper limit.Solution 1: Reduce Kubernetes resources that are ne", "doc_type":"usermanual2", "kw":"Memory Resource Limit of Kubernetes Components,Troubleshooting for Pre-upgrade Check Exceptions,User", @@ -1962,7 +1980,7 @@ "uri":"cce_10_0487.html", "node_id":"cce_10_0487.xml", "product_code":"cce", - "code":"109", + "code":"110", "des":"The system scans the audit logs of the past day to check whether the user calls the deprecated APIs of the target Kubernetes version.Due to the limited time range of audi", "doc_type":"usermanual2", "kw":"Discarded Kubernetes APIs,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1980,7 +1998,7 @@ "uri":"cce_10_0488.html", "node_id":"cce_10_0488.xml", "product_code":"cce", - "code":"110", + "code":"111", "des":"If IPv6 is enabled for a CCE Turbo cluster, check whether the target cluster version supports IPv6.CCE Turbo clusters support IPv6 since v1.23. This feature is available ", "doc_type":"usermanual2", "kw":"IPv6 Support in CCE Turbo Clusters,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -1998,7 +2016,7 @@ "uri":"cce_10_0489.html", "node_id":"cce_10_0489.xml", "product_code":"cce", - "code":"111", + "code":"112", "des":"Check whether NetworkManager of a node is normal.Log in to the node and run the systemctl is-active NetworkManager command to obtain the running status of NetworkManager.", "doc_type":"usermanual2", "kw":"NetworkManager,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2016,7 +2034,7 @@ "uri":"cce_10_0490.html", "node_id":"cce_10_0490.xml", "product_code":"cce", - "code":"112", + "code":"113", "des":"Check the ID file format.", "doc_type":"usermanual2", "kw":"Node ID File,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2034,7 +2052,7 @@ "uri":"cce_10_0491.html", "node_id":"cce_10_0491.xml", "product_code":"cce", - "code":"113", + "code":"114", "des":"When you upgrade a cluster to v1.19 or later, the system checks whether the following configuration files have been modified on the backend:/opt/cloud/cce/kubernetes/kube", "doc_type":"usermanual2", "kw":"Node Configuration Consistency,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2052,7 +2070,7 @@ "uri":"cce_10_0492.html", "node_id":"cce_10_0492.xml", "product_code":"cce", - "code":"114", + "code":"115", "des":"Check whether the configuration files of key components exist on the node.The following table lists the files to be checked.Reset the node. For details, see Resetting a N", "doc_type":"usermanual2", "kw":"Node Configuration File,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2070,7 +2088,7 @@ "uri":"cce_10_0493.html", "node_id":"cce_10_0493.xml", "product_code":"cce", - "code":"115", + "code":"116", "des":"Check whether the current CoreDNS key configuration Corefile is different from the Helm release record. The difference may be overwritten during the add-on upgrade, affec", "doc_type":"usermanual2", "kw":"CoreDNS Configuration Consistency,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2088,7 +2106,7 @@ "uri":"cce_10_0494.html", "node_id":"cce_10_0494.xml", "product_code":"cce", - "code":"116", + "code":"117", "des":"Check whether the sudo commands and sudo-related files of the node are working.Scenario 1: The sudo command fails to be executed.During the in-place cluster upgrade, the ", "doc_type":"usermanual2", "kw":"sudo,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2106,7 +2124,7 @@ "uri":"cce_10_0495.html", "node_id":"cce_10_0495.xml", "product_code":"cce", - "code":"117", + "code":"118", "des":"Whether some key commands that the node upgrade depends on are workingScenario 1: Executing the package manager command failed.Executing the rpm or dpkg command failed. I", "doc_type":"usermanual2", "kw":"Key Node Commands,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2124,7 +2142,7 @@ "uri":"cce_10_0496.html", "node_id":"cce_10_0496.xml", "product_code":"cce", - "code":"118", + "code":"119", "des":"Check whether the docker/containerd.sock file is directly mounted to the pods on a node. During an upgrade, Docker or containerd restarts and the sock file on the host ch", "doc_type":"usermanual2", "kw":"Mounting of a Sock File on a Node,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2142,7 +2160,7 @@ "uri":"cce_10_0497.html", "node_id":"cce_10_0497.xml", "product_code":"cce", - "code":"119", + "code":"120", "des":"Check whether the certificate used by an HTTPS load balancer has been modified on ELB.The certificate referenced by an HTTPS ingress created on CCE is modified on the ELB", "doc_type":"usermanual2", "kw":"HTTPS Load Balancer Certificate Consistency,Troubleshooting for Pre-upgrade Check Exceptions,User Gu", @@ -2160,7 +2178,7 @@ "uri":"cce_10_0498.html", "node_id":"cce_10_0498.xml", "product_code":"cce", - "code":"120", + "code":"121", "des":"Check whether the default mount directory and soft link on the node have been manually mounted or modified.Non-shared diskBy default, /var/lib/docker, containerd, or /mnt", "doc_type":"usermanual2", "kw":"Node Mounting,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2178,7 +2196,7 @@ "uri":"cce_10_0499.html", "node_id":"cce_10_0499.xml", "product_code":"cce", - "code":"121", + "code":"122", "des":"Check whether user paas is allowed to log in to a node.Run the following command to check whether user paas is allowed to log in to a node:If the permissions assigned to ", "doc_type":"usermanual2", "kw":"Login Permissions of User paas on a Node,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2196,7 +2214,7 @@ "uri":"cce_10_0500.html", "node_id":"cce_10_0500.xml", "product_code":"cce", - "code":"122", + "code":"123", "des":"Check whether the load balancer associated with a Service is allocated with a private IPv4 address.Solution 1: Delete the Service that is associated with a load balancer ", "doc_type":"usermanual2", "kw":"Private IPv4 Addresses of Load Balancers,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2214,7 +2232,7 @@ "uri":"cce_10_0501.html", "node_id":"cce_10_0501.xml", "product_code":"cce", - "code":"123", + "code":"124", "des":"Check the historical upgrade records of the cluster and confirm that the current version of the cluster meets the requirements for upgrading to the target version.Upgradi", "doc_type":"usermanual2", "kw":"Historical Upgrade Records,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2232,7 +2250,7 @@ "uri":"cce_10_0502.html", "node_id":"cce_10_0502.xml", "product_code":"cce", - "code":"124", + "code":"125", "des":"Check whether the CIDR block of the cluster management plane is the same as that configured on the backbone network.The CIDR block of the management plane has been modifi", "doc_type":"usermanual2", "kw":"CIDR Block of the Cluster Management Plane,Troubleshooting for Pre-upgrade Check Exceptions,User Gui", @@ -2250,7 +2268,7 @@ "uri":"cce_10_0503.html", "node_id":"cce_10_0503.xml", "product_code":"cce", - "code":"125", + "code":"126", "des":"CCE AI Suite (NVIDIA GPU) is involved in the upgrade, which may affect the GPU driver installation during the creation of a GPU node.The driver of CCE AI Suite (NVIDIA GP", "doc_type":"usermanual2", "kw":"CCE AI Suite (NVIDIA GPU),Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2268,7 +2286,7 @@ "uri":"cce_10_0504.html", "node_id":"cce_10_0504.xml", "product_code":"cce", - "code":"126", + "code":"127", "des":"Check whether the default system parameter settings on your nodes are modified.If the MTU value of the bond0 network on your BMS node is not the default value 1500, this ", "doc_type":"usermanual2", "kw":"Nodes' System Parameters,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2286,7 +2304,7 @@ "uri":"cce_10_0505.html", "node_id":"cce_10_0505.xml", "product_code":"cce", - "code":"127", + "code":"128", "des":"Check whether there are residual package version data in the current cluster.A message is displayed indicating that there are residual 10.12.1.109 CRD resources in your c", "doc_type":"usermanual2", "kw":"Residual Package Version Data,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2304,7 +2322,7 @@ "uri":"cce_10_0506.html", "node_id":"cce_10_0506.xml", "product_code":"cce", - "code":"128", + "code":"129", "des":"Check whether the commands required for the upgrade are available on the node.The cluster upgrade failure is typically caused by the lack of key node commands that are re", "doc_type":"usermanual2", "kw":"Node Commands,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2322,7 +2340,7 @@ "uri":"cce_10_0507.html", "node_id":"cce_10_0507.xml", "product_code":"cce", - "code":"129", + "code":"130", "des":"Check whether swap has been enabled on CCE nodes.By default, swap is disabled on CCE nodes. Check the necessity of enabling swap manually and determine the impact of disa", "doc_type":"usermanual2", "kw":"Node Swap,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2340,7 +2358,7 @@ "uri":"cce_10_0508.html", "node_id":"cce_10_0508.xml", "product_code":"cce", - "code":"130", + "code":"131", "des":"Check item 1: Check whether there is an Nginx Ingress route whose ingress type is not specified (kubernetes.io/ingress.class: nginx is not added to annotations) in the cl", "doc_type":"usermanual2", "kw":"NGINX Ingress Controller,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2358,7 +2376,7 @@ "uri":"cce_10_0510.html", "node_id":"cce_10_0510.xml", "product_code":"cce", - "code":"131", + "code":"132", "des":"Check whether the service pods running on a containerd node are restarted when containerd is upgraded.containerd on your node may need to be restarted. To minimize the im", "doc_type":"usermanual2", "kw":"containerd Pod Restart Risks,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2376,7 +2394,7 @@ "uri":"cce_10_0511.html", "node_id":"cce_10_0511.xml", "product_code":"cce", - "code":"132", + "code":"133", "des":"Check whether the configuration of CCE AI Suite (NVIDIA GPU) in a cluster has been intrusively modified. If so, upgrading the cluster may fail.", "doc_type":"usermanual2", "kw":"Key CCE AI Suite (NVIDIA GPU) Parameters,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2394,7 +2412,7 @@ "uri":"cce_10_0512.html", "node_id":"cce_10_0512.xml", "product_code":"cce", - "code":"133", + "code":"134", "des":"Check whether GPU service pods are rebuilt in a cluster when kubelet is restarted during the upgrade of the cluster.Upgrade the cluster when the impact on services is con", "doc_type":"usermanual2", "kw":"GPU Pod Rebuild Risks,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2412,7 +2430,7 @@ "uri":"cce_10_0513.html", "node_id":"cce_10_0513.xml", "product_code":"cce", - "code":"134", + "code":"135", "des":"Check whether ELB listener access control has been configured using annotations for the Services in the current cluster.If so, check whether their configurations are corr", "doc_type":"usermanual2", "kw":"ELB Listener Access Control,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2430,7 +2448,7 @@ "uri":"cce_10_0514.html", "node_id":"cce_10_0514.xml", "product_code":"cce", - "code":"135", + "code":"136", "des":"Check whether the flavor of the master nodes in the cluster is the same as the actual flavor of these nodes.This issue is typically caused by modifications made to the ma", "doc_type":"usermanual2", "kw":"Master Node Flavor,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2448,7 +2466,7 @@ "uri":"cce_10_0515.html", "node_id":"cce_10_0515.xml", "product_code":"cce", - "code":"136", + "code":"137", "des":"Check whether the number of available IP addresses in the cluster subnet supports rolling upgrade.Rolling upgrade is not supported if there are not enough IP addresses in", "doc_type":"usermanual2", "kw":"Subnet Quota of Master Nodes,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2466,7 +2484,7 @@ "uri":"cce_10_0516.html", "node_id":"cce_10_0516.xml", "product_code":"cce", - "code":"137", + "code":"138", "des":"Check whether an alarm is generated when a cluster is upgraded to v1.27 or later. Do not use Docker in clusters of versions later than 1.27.If your node's runtime is not ", "doc_type":"usermanual2", "kw":"Node Runtime,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2484,7 +2502,7 @@ "uri":"cce_10_0517.html", "node_id":"cce_10_0517.xml", "product_code":"cce", - "code":"138", + "code":"139", "des":"Check whether an alarm is generated when a cluster is upgraded to v1.27 or later. Do not use Docker in clusters of versions later than 1.27.If your node pool's runtime is", "doc_type":"usermanual2", "kw":"Node Pool Runtime,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2502,7 +2520,7 @@ "uri":"cce_10_0518.html", "node_id":"cce_10_0518.xml", "product_code":"cce", - "code":"139", + "code":"140", "des":"Check the number of images on your node. If there are more than 1000 images, it takes a long time for Docker to start, affecting the standard Docker output and functions ", "doc_type":"usermanual2", "kw":"Number of Node Images,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2520,7 +2538,7 @@ "uri":"cce_10_0520.html", "node_id":"cce_10_0520.xml", "product_code":"cce", - "code":"140", + "code":"141", "des":"Check whether the target version supports secret encryption. If it does not, clusters that have this feature enabled cannot be upgraded to the target version.Secret encry", "doc_type":"usermanual2", "kw":"Compatibility Check of Secret Encryption,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2538,7 +2556,7 @@ "uri":"cce_10_0521.html", "node_id":"cce_10_0521.xml", "product_code":"cce", - "code":"141", + "code":"142", "des":"Make sure that CCE AI Suite (NVIDIA GPU) and Ubuntu nodes are compatible before using them in a cluster. If the Ubuntu kernel is 5.15.0-113-generic, the driver of the GPU", "doc_type":"usermanual2", "kw":"Compatibility Between the Ubuntu Kernel and GPU Driver,Troubleshooting for Pre-upgrade Check Excepti", @@ -2556,7 +2574,7 @@ "uri":"cce_10_0522.html", "node_id":"cce_10_0522.xml", "product_code":"cce", - "code":"142", + "code":"143", "des":"An unfinished drainage task is detected in the cluster, which may resume after the upgrade. If this happens, running pods will be evicted, which could impact your service", "doc_type":"usermanual2", "kw":"Drainage Tasks,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2574,7 +2592,7 @@ "uri":"cce_10_0523.html", "node_id":"cce_10_0523.xml", "product_code":"cce", - "code":"143", + "code":"144", "des":"Check the number of image layers on your node. If there are more than 5000 layers, it will take a long time for Docker or containerd to start, affecting the stdout of Doc", "doc_type":"usermanual2", "kw":"Image Layers on a Node,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2592,7 +2610,7 @@ "uri":"cce_10_0524.html", "node_id":"cce_10_0524.xml", "product_code":"cce", - "code":"144", + "code":"145", "des":"Check whether your cluster is eligible for a rolling upgrade. The result shows that the rolling upgrade is not supported.Rolling upgrades cannot be performed if the tenan", "doc_type":"usermanual2", "kw":"Cluster Rolling Upgrade,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2610,7 +2628,7 @@ "uri":"cce_10_0525.html", "node_id":"cce_10_0525.xml", "product_code":"cce", - "code":"145", + "code":"146", "des":"Check whether the number of certificates on your node is greater than 1000. During an upgrade, certificate files will be processed in batches. An excessive number of cert", "doc_type":"usermanual2", "kw":"Rotation Certificates,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2628,7 +2646,7 @@ "uri":"cce_10_0526.html", "node_id":"cce_10_0526.xml", "product_code":"cce", - "code":"146", + "code":"147", "des":"Check whether any modifications have been made to the listener, forwarding policy, forwarding rule, backend cloud server group, backend cloud server, or certificate confi", "doc_type":"usermanual2", "kw":"Ingress and ELB Configuration Consistency,Troubleshooting for Pre-upgrade Check Exceptions,User Guid", @@ -2646,7 +2664,7 @@ "uri":"cce_10_0527.html", "node_id":"cce_10_0527.xml", "product_code":"cce", - "code":"147", + "code":"148", "des":"Check the network policy settings on the master nodes in your cluster. If any manual modifications have been made, they will be reset during the upgrade.Check whether net", "doc_type":"usermanual2", "kw":"Network Policies of Cluster Network Components,Troubleshooting for Pre-upgrade Check Exceptions,User", @@ -2664,7 +2682,7 @@ "uri":"cce_10_0528.html", "node_id":"cce_10_0528.xml", "product_code":"cce", - "code":"148", + "code":"149", "des":"Check whether the nic-max-above-warm-target value configured for the network component of the current cluster exceeds the maximum value allowed.Determine the scope of imp", "doc_type":"usermanual2", "kw":"Cluster and Node Pool Configurations,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2682,7 +2700,7 @@ "uri":"cce_10_0529.html", "node_id":"cce_10_0529.xml", "product_code":"cce", - "code":"149", + "code":"150", "des":"Check whether the time zone of the master nodes matches the cluster's time zone. If they are different, the master nodes will be updated to match the cluster's time zone ", "doc_type":"usermanual2", "kw":"Time Zone of Master Nodes,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2700,7 +2718,7 @@ "uri":"cce_10_0530.html", "node_id":"cce_10_0530.xml", "product_code":"cce", - "code":"150", + "code":"151", "des":"Check whether the SNATIPRanges value has changed after the upgrade. This check is available only for CCE Turbo clusters.In a CCE Turbo cluster, the CIDR blocks in SNATIPR", "doc_type":"usermanual2", "kw":"SNATIPRanges,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2718,7 +2736,7 @@ "uri":"cce_10_0531.html", "node_id":"cce_10_0531.xml", "product_code":"cce", - "code":"151", + "code":"152", "des":"Manual modifications to add-on configuration parameters (typically ConfigMaps), instead of modifications through the CCE console or APIs, may be overwritten after an upgr", "doc_type":"usermanual2", "kw":"Add-on Configuration Consistency,Troubleshooting for Pre-upgrade Check Exceptions,User Guide", @@ -2736,7 +2754,7 @@ "uri":"cce_10_0183.html", "node_id":"cce_10_0183.xml", "product_code":"cce", - "code":"152", + "code":"153", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Nodes", @@ -2754,7 +2772,7 @@ "uri":"cce_10_0180.html", "node_id":"cce_10_0180.xml", "product_code":"cce", - "code":"153", + "code":"154", "des":"A container cluster consists of a set of worker machines, called nodes, that run containerized applications. A node can be a virtual machine (VM) or a physical machine (P", "doc_type":"usermanual2", "kw":"paas,user group,Node Overview,Nodes,User Guide", @@ -2772,7 +2790,7 @@ "uri":"cce_10_0462.html", "node_id":"cce_10_0462.xml", "product_code":"cce", - "code":"154", + "code":"155", "des":"Container engines, one of the most important components of Kubernetes, manage the lifecycle of images and containers. The kubelet interacts with a container runtime throu", "doc_type":"usermanual2", "kw":"Container Engines,Nodes,User Guide", @@ -2790,7 +2808,7 @@ "uri":"cce_10_0476.html", "node_id":"cce_10_0476.xml", "product_code":"cce", - "code":"155", + "code":"156", "des":"This section describes the mappings between released cluster versions and OS versions.", "doc_type":"usermanual2", "kw":"Node OSs,Nodes,User Guide", @@ -2808,7 +2826,7 @@ "uri":"cce_10_0363.html", "node_id":"cce_10_0363.xml", "product_code":"cce", - "code":"156", + "code":"157", "des":"At least one cluster has been created.A key pair has been created for identity authentication upon remote node login.The DNS configuration of a subnet where a node is loc", "doc_type":"usermanual2", "kw":"Creating a Node,Nodes,User Guide", @@ -2826,7 +2844,7 @@ "uri":"cce_10_0198.html", "node_id":"cce_10_0198.xml", "product_code":"cce", - "code":"157", + "code":"158", "des":"In CCE, you can create a node (Creating a Node) or add existing nodes (ECSs) to your cluster for management.When accepting an ECS, you can reset the ECS OS to a standard ", "doc_type":"usermanual2", "kw":"Accepting Nodes for Management,Nodes,User Guide", @@ -2844,7 +2862,7 @@ "uri":"cce_10_0185.html", "node_id":"cce_10_0185.xml", "product_code":"cce", - "code":"158", + "code":"159", "des":"Before you log in to a node using SSH, ensure that the SSH port (22 by default) is enabled in the security group of the node.Before you log in to a node (an ECS) using SS", "doc_type":"usermanual2", "kw":"Logging In to a Node,Nodes,User Guide", @@ -2862,7 +2880,7 @@ "uri":"cce_10_0672.html", "node_id":"cce_10_0672.xml", "product_code":"cce", - "code":"159", + "code":"160", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"node labels", @@ -2880,7 +2898,7 @@ "uri":"cce_10_0004.html", "node_id":"cce_10_0004.xml", "product_code":"cce", - "code":"160", + "code":"161", "des":"You can add different labels to nodes and define different attributes for labels. By using these node labels, you can quickly understand the characteristics of each node.", "doc_type":"usermanual2", "kw":"node labels,Inherent Label of a Node,Managing Node Labels,Management Nodes,User Guide", @@ -2898,7 +2916,7 @@ "uri":"cce_10_0352.html", "node_id":"cce_10_0352.xml", "product_code":"cce", - "code":"161", + "code":"162", "des":"Taints enable a node to repel specific pods to prevent these pods from being scheduled to the node.On the CCE console, you can also batch manage nodes' taints.Enter the k", "doc_type":"usermanual2", "kw":"NoSchedule,PreferNoSchedule,NoExecute,System Taints,Managing Node Taints,Management Nodes,User Guide", @@ -2916,7 +2934,7 @@ "uri":"cce_10_0003.html", "node_id":"cce_10_0003.xml", "product_code":"cce", - "code":"162", + "code":"163", "des":"You can reset a node to modify the node configuration, such as the node OS and login mode.Resetting a node will reinstall the node OS and the Kubernetes software on the n", "doc_type":"usermanual2", "kw":"reset a node,Resetting a Node,Management Nodes,User Guide", @@ -2934,7 +2952,7 @@ "uri":"cce_10_0338.html", "node_id":"cce_10_0338.xml", "product_code":"cce", - "code":"163", + "code":"164", "des":"Removing a node from a cluster will re-install the node OS and clear CCE components on the node.Removing a node will not delete the server corresponding to the node. You ", "doc_type":"usermanual2", "kw":"Removing a Node,Management Nodes,User Guide", @@ -2952,7 +2970,7 @@ "uri":"cce_10_0184.html", "node_id":"cce_10_0184.xml", "product_code":"cce", - "code":"164", + "code":"165", "des":"Each node in a cluster is a cloud server or physical machine. After a cluster node is created, you can change the cloud server name or specifications as required. Modifyi", "doc_type":"usermanual2", "kw":"synchronize the ECS,Synchronizing the Data of Cloud Servers,Management Nodes,User Guide", @@ -2970,7 +2988,7 @@ "uri":"cce_10_0605.html", "node_id":"cce_10_0605.xml", "product_code":"cce", - "code":"165", + "code":"166", "des":"After you enable nodal drainage on the console, CCE configures the node to be non-schedulable and securely evicts all pods that comply with Rules for Draining Nodes on th", "doc_type":"usermanual2", "kw":"nodal drainage,nodal drainage,Draining a Node,Management Nodes,User Guide", @@ -2988,7 +3006,7 @@ "uri":"cce_10_0186.html", "node_id":"cce_10_0186.xml", "product_code":"cce", - "code":"166", + "code":"167", "des":"If a node is no longer needed, delete it from the node list on the CCE console if the node is billed on a pay-per-use basis. Do not manually remove nodes using kubectl de", "doc_type":"usermanual2", "kw":"Deleting a Node,Management Nodes,User Guide", @@ -3006,7 +3024,7 @@ "uri":"cce_10_0036.html", "node_id":"cce_10_0036.xml", "product_code":"cce", - "code":"167", + "code":"168", "des":"When a node in the cluster is stopped, all services on that node will also be stopped, and the node will no longer be available for scheduling. Check if your services wil", "doc_type":"usermanual2", "kw":"Stopping a Node,Management Nodes,User Guide", @@ -3024,7 +3042,7 @@ "uri":"cce_10_0276.html", "node_id":"cce_10_0276.xml", "product_code":"cce", - "code":"168", + "code":"169", "des":"In a rolling upgrade, a new node is created, existing workloads are migrated to the new node, and then the old node is deleted. Figure 1 shows the migration process.The o", "doc_type":"usermanual2", "kw":"Performing Rolling Upgrade for Nodes,Management Nodes,User Guide", @@ -3042,7 +3060,7 @@ "uri":"cce_10_0704.html", "node_id":"cce_10_0704.xml", "product_code":"cce", - "code":"169", + "code":"170", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Node O&M", @@ -3060,7 +3078,7 @@ "uri":"cce_10_0178.html", "node_id":"cce_10_0178.xml", "product_code":"cce", - "code":"170", + "code":"171", "des":"Some node resources are used to run mandatory Kubernetes system components and resources to make the node as part of your cluster. Therefore, the total number of node res", "doc_type":"usermanual2", "kw":"total number of node resources,Node Resource Reservation Policy,Node O&M,User Guide", @@ -3078,7 +3096,7 @@ "uri":"cce_10_0341.html", "node_id":"cce_10_0341.xml", "product_code":"cce", - "code":"171", + "code":"172", "des":"This section describes how to allocate data disk space to nodes so that you can configure the data disk space accordingly.In clusters of a version earlier than v1.23.18-r", "doc_type":"usermanual2", "kw":"Data Disk Space Allocation,Container engine and container image space,container engine and container", @@ -3096,7 +3114,7 @@ "uri":"cce_10_0348.html", "node_id":"cce_10_0348.xml", "product_code":"cce", - "code":"172", + "code":"173", "des":"The maximum number of pods that can be created on a node is calculated based on the cluster type:When creating a cluster in the VPC network model, follow the and specify", "doc_type":"usermanual2", "kw":"Maximum Number of Pods on a Node,alpha.cce/fixPoolMask,maximum number of pods,Maximum Number of Pods", @@ -3114,7 +3132,7 @@ "uri":"cce_10_0883.html", "node_id":"cce_10_0883.xml", "product_code":"cce", - "code":"173", + "code":"174", "des":"To maintain the stability of nodes, CCE stores Kubernetes and container runtime components on separate data disks. Kubernetes uses the /mnt/paas/kubernetes directory, and", "doc_type":"usermanual2", "kw":"Differences in kubelet and Runtime Component Configurations Between CCE and the Native Community,Nod", @@ -3132,7 +3150,7 @@ "uri":"cce_10_0601.html", "node_id":"cce_10_0601.xml", "product_code":"cce", - "code":"174", + "code":"175", "des":"As of Kubernetes v1.24, dockershim has been deprecated. To maintain compatibility and ensure continued support for future Kubernetes releases, switch your node's containe", "doc_type":"usermanual2", "kw":"Migrating Nodes from Docker to containerd,Node O&M,User Guide", @@ -3150,7 +3168,7 @@ "uri":"cce_10_0659.html", "node_id":"cce_10_0659.xml", "product_code":"cce", - "code":"175", + "code":"176", "des":"The node fault detection function depends on the NPD add-on. The add-on instances run on nodes and monitor nodes. This section describes how to enable node fault detectio", "doc_type":"usermanual2", "kw":"Node Fault Detection,Check Items,Configuring Node Fault Detection Policies,Node O&M,User Guide", @@ -3168,7 +3186,7 @@ "uri":"cce_bestpractice_10020.html", "node_id":"cce_bestpractice_10020.xml", "product_code":"cce", - "code":"176", + "code":"177", "des":"When creating a node, use the pre- or -installation commands to install tools or perform security hardening on the node. This section provides guidance for you to correct", "doc_type":"usermanual2", "kw":"Executing the Pre- or Post-installation Commands During Node Creation,Node O&M,User Guide", @@ -3186,7 +3204,7 @@ "uri":"cce_10_0035.html", "node_id":"cce_10_0035.xml", "product_code":"cce", - "code":"177", + "code":"178", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Node Pools", @@ -3204,7 +3222,7 @@ "uri":"cce_10_0081.html", "node_id":"cce_10_0081.xml", "product_code":"cce", - "code":"178", + "code":"179", "des":"CCE introduces node pools to help you better manage nodes in Kubernetes clusters. A node pool contains one node or a group of nodes with identical configuration in a clus", "doc_type":"usermanual2", "kw":"DefaultPool,DefaultPool,Deploying a Workload in a Specified Node Pool,Node Pool Overview,Node Pools,", @@ -3222,7 +3240,7 @@ "uri":"cce_10_0012.html", "node_id":"cce_10_0012.xml", "product_code":"cce", - "code":"179", + "code":"180", "des":"This section describes how to create a node pool and perform operations on the node pool. For details about how a node pool works, see Node Pool Overview.Basic SettingsNo", "doc_type":"usermanual2", "kw":"Creating a Node Pool,Node Pools,User Guide", @@ -3240,7 +3258,7 @@ "uri":"cce_10_0658.html", "node_id":"cce_10_0658.xml", "product_code":"cce", - "code":"180", + "code":"181", "des":"You can specify a specification in a node pool for scaling.The default node pool does not support scaling. Use Creating a Node to add a node.Resize: Add or reduce nodes f", "doc_type":"usermanual2", "kw":"Scaling a Node Pool,Node Pools,User Guide", @@ -3258,7 +3276,7 @@ "uri":"cce_10_0222.html", "node_id":"cce_10_0222.xml", "product_code":"cce", - "code":"181", + "code":"182", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Managing a Node Pool", @@ -3276,7 +3294,7 @@ "uri":"cce_10_0653.html", "node_id":"cce_10_0653.xml", "product_code":"cce", - "code":"182", + "code":"183", "des":"Changes to the container engine, OS, or pre-/post-installation script in a node pool take effect only on new nodes. To synchronize the modification onto existing nodes, m", "doc_type":"usermanual2", "kw":"base size,Updating a Node Pool,Managing a Node Pool,User Guide", @@ -3294,7 +3312,7 @@ "uri":"cce_10_0727.html", "node_id":"cce_10_0727.xml", "product_code":"cce", - "code":"183", + "code":"184", "des":"Auto Scaling (AS) enables elastic scaling of nodes in a node pool based on scaling policies. Without this function, you have to manually adjust the number of nodes in a n", "doc_type":"usermanual2", "kw":"Updating an AS Configuration,Managing a Node Pool,User Guide", @@ -3312,7 +3330,7 @@ "uri":"cce_10_0652.html", "node_id":"cce_10_0652.xml", "product_code":"cce", - "code":"184", + "code":"185", "des":"The default node pool does not support the management operations described in this section.CCE allows you to highly customize Kubernetes parameter settings on core compon", "doc_type":"usermanual2", "kw":"Modifying Node Pool Configurations,Managing a Node Pool,User Guide", @@ -3330,7 +3348,7 @@ "uri":"cce_10_0886.html", "node_id":"cce_10_0886.xml", "product_code":"cce", - "code":"185", + "code":"186", "des":"If you want to add a newly created ECS to a node pool in a cluster, or remove a node from a node pool and add it to the node pool again, accept the node.When an ECS is ac", "doc_type":"usermanual2", "kw":"Accepting Nodes in a Node Pool,Managing a Node Pool,User Guide", @@ -3348,7 +3366,7 @@ "uri":"cce_10_0655.html", "node_id":"cce_10_0655.xml", "product_code":"cce", - "code":"186", + "code":"187", "des":"You can copy the configuration of an existing node pool on the CCE console to create new node pools.", "doc_type":"usermanual2", "kw":"Copying a Node Pool,Managing a Node Pool,User Guide", @@ -3366,7 +3384,7 @@ "uri":"cce_10_0654.html", "node_id":"cce_10_0654.xml", "product_code":"cce", - "code":"187", + "code":"188", "des":"After the configuration of a node pool is updated, some configurations cannot be automatically synchronized for existing nodes. You can manually synchronize configuration", "doc_type":"usermanual2", "kw":"Synchronizing Node Pools,Managing a Node Pool,User Guide", @@ -3384,7 +3402,7 @@ "uri":"cce_10_0660.html", "node_id":"cce_10_0660.xml", "product_code":"cce", - "code":"188", + "code":"189", "des":"After CCE releases a new OS image, if existing nodes cannot be automatically upgraded, you can manually upgrade them in batches.This section describes how to upgrade an O", "doc_type":"usermanual2", "kw":"Upgrading an OS,Managing a Node Pool,User Guide", @@ -3402,7 +3420,7 @@ "uri":"cce_10_0656.html", "node_id":"cce_10_0656.xml", "product_code":"cce", - "code":"189", + "code":"190", "des":"You can migrate nodes between node pools within a cluster. Table 1 lists migration scenarios.Migration scenariosMigration ScenarioMigrationOperationSource Node PoolTarget", "doc_type":"usermanual2", "kw":"Migrating a Node,Managing a Node Pool,User Guide", @@ -3420,7 +3438,7 @@ "uri":"cce_10_0657.html", "node_id":"cce_10_0657.xml", "product_code":"cce", - "code":"190", + "code":"191", "des":"Deleting a node pool will delete nodes in the pool. Pods on these nodes will be automatically migrated to available nodes in other node pools.Deleting a node pool will de", "doc_type":"usermanual2", "kw":"Deleting a Node Pool,Managing a Node Pool,User Guide", @@ -3438,7 +3456,7 @@ "uri":"cce_10_0046.html", "node_id":"cce_10_0046.xml", "product_code":"cce", - "code":"191", + "code":"192", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Workloads", @@ -3456,7 +3474,7 @@ "uri":"cce_10_0006.html", "node_id":"cce_10_0006.xml", "product_code":"cce", - "code":"192", + "code":"193", "des":"A workload is an application running on Kubernetes. No matter how many components are there in your workload, you can run it in a group of Kubernetes pods. A workload is ", "doc_type":"usermanual2", "kw":"Deployments,StatefulSets,DaemonSets,jobs,cron jobs,Overview,Workloads,User Guide", @@ -3474,7 +3492,7 @@ "uri":"cce_10_0673.html", "node_id":"cce_10_0673.xml", "product_code":"cce", - "code":"193", + "code":"194", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Creating a Workload", @@ -3492,7 +3510,7 @@ "uri":"cce_10_0047.html", "node_id":"cce_10_0047.xml", "product_code":"cce", - "code":"194", + "code":"195", "des":"Deployments are workloads (for example, Nginx) that do not store any data or status. You can create Deployments on the CCE console or by running kubectl commands.Before c", "doc_type":"usermanual2", "kw":"create a workload using kubectl,Creating a Deployment,Creating a Workload,User Guide", @@ -3510,7 +3528,7 @@ "uri":"cce_10_0048.html", "node_id":"cce_10_0048.xml", "product_code":"cce", - "code":"195", + "code":"196", "des":"StatefulSets are a type of workloads whose data or status is stored while they are running. For example, MySQL is a StatefulSet because it needs to store new data.A conta", "doc_type":"usermanual2", "kw":"Using kubectl,Creating a StatefulSet,Creating a Workload,User Guide", @@ -3528,7 +3546,7 @@ "uri":"cce_10_0216.html", "node_id":"cce_10_0216.xml", "product_code":"cce", - "code":"196", + "code":"197", "des":"CCE provides deployment and management capabilities for multiple types of containers and supports features of container workloads, including creation, configuration, moni", "doc_type":"usermanual2", "kw":"create a workload using kubectl,Creating a DaemonSet,Creating a Workload,User Guide", @@ -3546,7 +3564,7 @@ "uri":"cce_10_0150.html", "node_id":"cce_10_0150.xml", "product_code":"cce", - "code":"197", + "code":"198", "des":"Jobs are short-lived and run for a certain time to completion. They can be executed immediately after being deployed. It is completed after it exits normally (exit 0).A j", "doc_type":"usermanual2", "kw":"Creating a Job,Creating a Workload,User Guide", @@ -3564,7 +3582,7 @@ "uri":"cce_10_0151.html", "node_id":"cce_10_0151.xml", "product_code":"cce", - "code":"198", + "code":"199", "des":"A CronJob runs on a repeating schedule. You can perform time synchronization for all active nodes at a fixed time point.A CronJob runs periodically at the specified time.", "doc_type":"usermanual2", "kw":"time synchronization,Creating a CronJob,Creating a Workload,User Guide", @@ -3582,7 +3600,7 @@ "uri":"cce_10_0130.html", "node_id":"cce_10_0130.xml", "product_code":"cce", - "code":"199", + "code":"200", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Configuring a Workload", @@ -3600,7 +3618,7 @@ "uri":"cce_10_0463.html", "node_id":"cce_10_0463.xml", "product_code":"cce", - "code":"200", + "code":"201", "des":"Compared with a common runtime, a secure runtime allows each container (pod) to run on its own micro-VM with a separate OS kernel. This ensures secure isolation at the vi", "doc_type":"usermanual2", "kw":"Secure Runtime and Common Runtime,Configuring a Workload,User Guide", @@ -3618,7 +3636,7 @@ "uri":"cce_10_0354.html", "node_id":"cce_10_0354.xml", "product_code":"cce", - "code":"201", + "code":"202", "des":"When creating a workload, you can configure containers to use the same time zone as the node. You can enable time zone synchronization when creating a workload.The time z", "doc_type":"usermanual2", "kw":"Configuring Time Zone Synchronization,Configuring a Workload,User Guide", @@ -3636,7 +3654,7 @@ "uri":"cce_10_0353.html", "node_id":"cce_10_0353.xml", "product_code":"cce", - "code":"202", + "code":"203", "des":"When a workload is created, the container image is pulled from the image repository to the node. The image is also pulled when the workload is restarted or upgraded.By de", "doc_type":"usermanual2", "kw":"Configuring an Image Pull Policy,Configuring a Workload,User Guide", @@ -3654,7 +3672,7 @@ "uri":"cce_10_0009.html", "node_id":"cce_10_0009.xml", "product_code":"cce", - "code":"203", + "code":"204", "des":"CCE allows you to create workloads using images pulled from third-party image repositories.Generally, a third-party image repository can be accessed only after authentica", "doc_type":"usermanual2", "kw":"Using Third-Party Images,Configuring a Workload,User Guide", @@ -3672,7 +3690,7 @@ "uri":"cce_10_0163.html", "node_id":"cce_10_0163.xml", "product_code":"cce", - "code":"204", + "code":"205", "des":"CCE allows you to set resource requirements and limits, such as CPU and RAM, for added containers during workload creation. Kubernetes also allows using YAML to set requi", "doc_type":"usermanual2", "kw":"ephemeral storage,Configuring Container Specifications,Configuring a Workload,User Guide", @@ -3690,7 +3708,7 @@ "uri":"cce_10_0105.html", "node_id":"cce_10_0105.xml", "product_code":"cce", - "code":"205", + "code":"206", "des":"CCE provides callback functions for the lifecycle management of containerized applications. For example, if you want a container to perform a certain operation before sto", "doc_type":"usermanual2", "kw":"Startup Command,Post-Start,Pre-Stop,Configuring Container Lifecycle Parameters,Configuring a Workloa", @@ -3708,7 +3726,7 @@ "uri":"cce_10_0112.html", "node_id":"cce_10_0112.xml", "product_code":"cce", - "code":"206", + "code":"207", "des":"Health check regularly checks the health status of containers during container running. If the health check function is not configured, a pod cannot detect application ex", "doc_type":"usermanual2", "kw":"Health check,HTTP request,TCP port,CLI,Configuring Container Health Check,Configuring a Workload,Use", @@ -3726,7 +3744,7 @@ "uri":"cce_10_0113.html", "node_id":"cce_10_0113.xml", "product_code":"cce", - "code":"207", + "code":"208", "des":"An environment variable is a variable whose value can affect the way a running container will behave. You can modify environment variables even after workloads are deploy", "doc_type":"usermanual2", "kw":"Configuring Environment Variables,Configuring a Workload,User Guide", @@ -3744,7 +3762,7 @@ "uri":"cce_10_0397.html", "node_id":"cce_10_0397.xml", "product_code":"cce", - "code":"208", + "code":"209", "des":"In actual applications, upgrade is a common operation. A Deployment, StatefulSet, or DaemonSet can easily support application upgrade.You can set different upgrade polici", "doc_type":"usermanual2", "kw":"Configuring Workload Upgrade Policies,Configuring a Workload,User Guide", @@ -3762,7 +3780,7 @@ "uri":"cce_10_0728.html", "node_id":"cce_10_0728.xml", "product_code":"cce", - "code":"209", + "code":"210", "des":"Tolerations allow the scheduler to schedule pods to nodes with target taints. Tolerances work with node taints. Each node allows one or more taints. If no tolerance is co", "doc_type":"usermanual2", "kw":"Configuring Tolerance Policies,Configuring a Workload,User Guide", @@ -3780,7 +3798,7 @@ "uri":"cce_10_0386.html", "node_id":"cce_10_0386.xml", "product_code":"cce", - "code":"210", + "code":"211", "des":"CCE allows you to add annotations to a YAML file to realize some advanced pod functions. The following table describes the annotations you can add.When you create a workl", "doc_type":"usermanual2", "kw":"Configuring Labels and Annotations,Configuring a Workload,User Guide", @@ -3798,7 +3816,7 @@ "uri":"cce_10_0889.html", "node_id":"cce_10_0889.xml", "product_code":"cce", - "code":"211", + "code":"212", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Scheduling a Workload", @@ -3816,7 +3834,7 @@ "uri":"cce_10_0232.html", "node_id":"cce_10_0232.xml", "product_code":"cce", - "code":"212", + "code":"213", "des":"Kubernetes schedules workloads based on pods. After you create a workload, the scheduler automatically assigns pods. For example, the scheduler distributes pods to nodes ", "doc_type":"usermanual2", "kw":"Overview,Scheduling a Workload,User Guide", @@ -3834,7 +3852,7 @@ "uri":"cce_10_0891.html", "node_id":"cce_10_0891.xml", "product_code":"cce", - "code":"213", + "code":"214", "des":"To select a node for scheduling in Kubernetes, simply configure the nodeSelector field in the workload. This field allows you to configure the label of the desired node t", "doc_type":"usermanual2", "kw":"Configuring Specified Node Scheduling (nodeSelector),Scheduling a Workload,User Guide", @@ -3852,7 +3870,7 @@ "uri":"cce_10_0892.html", "node_id":"cce_10_0892.xml", "product_code":"cce", - "code":"214", + "code":"215", "des":"Kubernetes can schedule workload pods to affinity nodes based on their labels and label values. For example, some nodes support GPU computing, and node affinity schedulin", "doc_type":"usermanual2", "kw":"Specify node,Specify node pool,Configuring Node Affinity Scheduling (nodeAffinity),Scheduling a Work", @@ -3870,7 +3888,7 @@ "uri":"cce_10_0893.html", "node_id":"cce_10_0893.xml", "product_code":"cce", - "code":"215", + "code":"216", "des":"Kubernetes offers workload affinity and anti-affinity scheduling, which allows for flexible scheduling of new workloads on either related or unrelated nodes. This results", "doc_type":"usermanual2", "kw":"Configuring Workload Affinity or Anti-affinity Scheduling (podAffinity or podAntiAffinity),Schedulin", @@ -3888,8 +3906,8 @@ "uri":"cce_10_00356.html", "node_id":"cce_10_00356.xml", "product_code":"cce", - "code":"216", - "des":"If you encounter unexpected problems when using a container, you can log in to the container to debug it.When kubectl is used in CloudShell, permissions are determined by", + "code":"217", + "des":"If you encounter unexpected problems when using a container, you can log in to the container to debug it.The example output is as follows:NAME ", "doc_type":"usermanual2", "kw":"Logging In to a Container,Workloads,User Guide", "search_title":"", @@ -3906,7 +3924,7 @@ "uri":"cce_10_0007.html", "node_id":"cce_10_0007.xml", "product_code":"cce", - "code":"217", + "code":"218", "des":"After a workload is created, you can upgrade, log, monitor, roll back, or delete the workload, as well as edit its YAML file.Workload/Job managementOperationDescriptionMo", "doc_type":"usermanual2", "kw":"Managing Workloads,Workloads,User Guide", @@ -3924,7 +3942,7 @@ "uri":"cce_10_0833.html", "node_id":"cce_10_0833.xml", "product_code":"cce", - "code":"218", + "code":"219", "des":"Custom Resource Definition (CRD) is an extension of Kubernetes APIs. When default Kubernetes resources cannot meet service requirements, you can use CRDs to define new re", "doc_type":"usermanual2", "kw":"Managing Custom Resources,Workloads,User Guide", @@ -3942,7 +3960,7 @@ "uri":"cce_10_0465.html", "node_id":"cce_10_0465.xml", "product_code":"cce", - "code":"219", + "code":"220", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Pod Security", @@ -3960,7 +3978,7 @@ "uri":"cce_10_0275.html", "node_id":"cce_10_0275.xml", "product_code":"cce", - "code":"220", + "code":"221", "des":"A pod security policy (PSP) is a cluster-level resource that controls sensitive security aspects of the pod specification. The PodSecurityPolicy object in Kubernetes defi", "doc_type":"usermanual2", "kw":"Configuring a Pod Security Policy,Pod Security,User Guide", @@ -3978,7 +3996,7 @@ "uri":"cce_10_0466.html", "node_id":"cce_10_0466.xml", "product_code":"cce", - "code":"221", + "code":"222", "des":"Before using pod security admission, understand Kubernetes Pod Security Standards. These standards define different isolation levels for pods. They let you define how you", "doc_type":"usermanual2", "kw":"Configuring Pod Security Admission,Pod Security,User Guide", @@ -3996,7 +4014,7 @@ "uri":"cce_10_0674.html", "node_id":"cce_10_0674.xml", "product_code":"cce", - "code":"222", + "code":"223", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Scheduling", @@ -4014,7 +4032,7 @@ "uri":"cce_10_0702.html", "node_id":"cce_10_0702.xml", "product_code":"cce", - "code":"223", + "code":"224", "des":"CCE supports different types of resource scheduling and task scheduling, improving application performance and overall cluster resource utilization. This section describe", "doc_type":"usermanual2", "kw":"Overview,Scheduling,User Guide", @@ -4032,7 +4050,7 @@ "uri":"cce_10_0551.html", "node_id":"cce_10_0551.xml", "product_code":"cce", - "code":"224", + "code":"225", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"CPU Scheduling", @@ -4050,7 +4068,7 @@ "uri":"cce_10_0351.html", "node_id":"cce_10_0351.xml", "product_code":"cce", - "code":"225", + "code":"226", "des":"By default, kubelet uses CFS quotas to enforce pod CPU limits. When a node runs many CPU-bound pods, the workload can move to different CPU cores depending on whether the", "doc_type":"usermanual2", "kw":"CPU Policy,CPU Scheduling,User Guide", @@ -4068,7 +4086,7 @@ "uri":"cce_10_0552.html", "node_id":"cce_10_0552.xml", "product_code":"cce", - "code":"226", + "code":"227", "des":"Kubernetes provides two CPU policies: none and static.none: The CPU policy is disabled by default, indicating the existing scheduling behavior.static: The static CPU core", "doc_type":"usermanual2", "kw":"Enhanced CPU Policy,CPU Scheduling,User Guide", @@ -4086,7 +4104,7 @@ "uri":"cce_10_0720.html", "node_id":"cce_10_0720.xml", "product_code":"cce", - "code":"227", + "code":"228", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"GPU Scheduling", @@ -4104,7 +4122,7 @@ "uri":"cce_10_0345.html", "node_id":"cce_10_0345.xml", "product_code":"cce", - "code":"228", + "code":"229", "des":"You can use GPUs in CCE containers.A GPU node has been created. For details, see Creating a Node.The CCE AI Suite (NVIDIA GPU) add-on has been installed, with the selecte", "doc_type":"usermanual2", "kw":"Default GPU Scheduling in Kubernetes,GPU Scheduling,User Guide", @@ -4122,7 +4140,7 @@ "uri":"cce_10_0955.html", "node_id":"cce_10_0955.xml", "product_code":"cce", - "code":"229", + "code":"230", "des":"The CCE AI Suite (NVIDIA GPU) add-on provides GPU monitoring metrics. This add-on offers additional GPU observability options. This section describes the metrics provided", "doc_type":"usermanual2", "kw":"GPU Metrics,GPU Scheduling,User Guide", @@ -4140,7 +4158,7 @@ "uri":"cce_10_0423.html", "node_id":"cce_10_0423.xml", "product_code":"cce", - "code":"230", + "code":"231", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Volcano Scheduling", @@ -4158,7 +4176,7 @@ "uri":"cce_10_0721.html", "node_id":"cce_10_0721.xml", "product_code":"cce", - "code":"231", + "code":"232", "des":"Volcano is a batch processing platform that runs on Kubernetes for machine learning, deep learning, bioinformatics, genomics, and other big data applications. It provides", "doc_type":"usermanual2", "kw":"Overview,Volcano Scheduling,User Guide", @@ -4176,7 +4194,7 @@ "uri":"cce_10_0722.html", "node_id":"cce_10_0722.xml", "product_code":"cce", - "code":"232", + "code":"233", "des":"Volcano is a Kubernetes-based batch processing platform with high-performance general computing capabilities like task scheduling engine, heterogeneous chip management, a", "doc_type":"usermanual2", "kw":"Scheduling Workloads,Volcano Scheduling,User Guide", @@ -4194,7 +4212,7 @@ "uri":"cce_10_0768.html", "node_id":"cce_10_0768.xml", "product_code":"cce", - "code":"233", + "code":"234", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Resource Usage-based Scheduling", @@ -4212,7 +4230,7 @@ "uri":"cce_10_0773.html", "node_id":"cce_10_0773.xml", "product_code":"cce", - "code":"234", + "code":"235", "des":"Bin packing is an optimization algorithm that aims to properly allocate resources to each job and get the jobs done using the minimum amount of resources. After bin packi", "doc_type":"usermanual2", "kw":"Bin Packing,Resource Usage-based Scheduling,User Guide", @@ -4230,7 +4248,7 @@ "uri":"cce_10_0766.html", "node_id":"cce_10_0766.xml", "product_code":"cce", - "code":"235", + "code":"236", "des":"Scheduling in a cluster is the process of binding pending pods to nodes, and is performed by a component called kube-scheduler or Volcano Scheduler. The scheduler uses a ", "doc_type":"usermanual2", "kw":"Descheduling,Resource Usage-based Scheduling,User Guide", @@ -4248,7 +4266,7 @@ "uri":"cce_10_0767.html", "node_id":"cce_10_0767.xml", "product_code":"cce", - "code":"236", + "code":"237", "des":"In scenarios such as node pool replacement and rolling node upgrade, an old resource pool needs to be replaced with a new one. To prevent the node pool replacement from a", "doc_type":"usermanual2", "kw":"Node Pool Affinity,Resource Usage-based Scheduling,User Guide", @@ -4266,7 +4284,7 @@ "uri":"cce_10_0789.html", "node_id":"cce_10_0789.xml", "product_code":"cce", - "code":"237", + "code":"238", "des":"Volcano Scheduler offers CPU and memory load-aware scheduling for pods and preferentially schedules pods to the node with the lightest load to balance node loads. This pr", "doc_type":"usermanual2", "kw":"Load-aware Scheduling,Resource Usage-based Scheduling,User Guide", @@ -4284,7 +4302,7 @@ "uri":"cce_10_0813.html", "node_id":"cce_10_0813.xml", "product_code":"cce", - "code":"238", + "code":"239", "des":"Volcano scheduling involves node filtering and scoring, which is used to filter the nodes meeting scheduling conditions and score the filtered nodes to find the one with ", "doc_type":"usermanual2", "kw":"Configuration Cases for Resource Usage-based Scheduling,Resource Usage-based Scheduling,User Guide", @@ -4302,7 +4320,7 @@ "uri":"cce_10_0774.html", "node_id":"cce_10_0774.xml", "product_code":"cce", - "code":"239", + "code":"240", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Priority-based Scheduling", @@ -4320,7 +4338,7 @@ "uri":"cce_10_0775.html", "node_id":"cce_10_0775.xml", "product_code":"cce", - "code":"240", + "code":"241", "des":"A pod priority indicates the importance of a pod relative to other pods. Volcano supports pod PriorityClasses in Kubernetes. After PriorityClasses are configured, the sch", "doc_type":"usermanual2", "kw":"Priority-based Scheduling,Priority-based Scheduling,User Guide", @@ -4338,7 +4356,7 @@ "uri":"cce_10_0776.html", "node_id":"cce_10_0776.xml", "product_code":"cce", - "code":"241", + "code":"242", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"AI Performance-based Scheduling", @@ -4356,7 +4374,7 @@ "uri":"cce_10_0777.html", "node_id":"cce_10_0777.xml", "product_code":"cce", - "code":"242", + "code":"243", "des":"Dominant Resource Fairness (DRF) is a scheduling algorithm based on the dominant resource of a container group. DRF scheduling can be used to enhance the service throughp", "doc_type":"usermanual2", "kw":"DRF,AI Performance-based Scheduling,User Guide", @@ -4374,7 +4392,7 @@ "uri":"cce_10_0778.html", "node_id":"cce_10_0778.xml", "product_code":"cce", - "code":"243", + "code":"244", "des":"Gang scheduling is a scheduling algorithm that schedules correlated processes or threads to run simultaneously on different processors. It meets the scheduling requiremen", "doc_type":"usermanual2", "kw":"Gang,AI Performance-based Scheduling,User Guide", @@ -4392,7 +4410,7 @@ "uri":"cce_10_0425.html", "node_id":"cce_10_0425.xml", "product_code":"cce", - "code":"244", + "code":"245", "des":"In non-uniform memory access (NUMA) architecture, a NUMA node is a fundamental component that includes a processor and local memory. These nodes are physically separate b", "doc_type":"usermanual2", "kw":"NUMA Affinity Scheduling,Volcano Scheduling,User Guide", @@ -4410,7 +4428,7 @@ "uri":"cce_10_0709.html", "node_id":"cce_10_0709.xml", "product_code":"cce", - "code":"245", + "code":"246", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Cloud Native Hybrid Deployment", @@ -4428,7 +4446,7 @@ "uri":"cce_10_0384.html", "node_id":"cce_10_0384.xml", "product_code":"cce", - "code":"246", + "code":"247", "des":"Many services see surges in traffic. To ensure performance and stability, resources are often requested at the maximum needed. However, the surges may ebb very shortly an", "doc_type":"usermanual2", "kw":"Dynamic Resource Oversubscription,Cloud Native Hybrid Deployment,User Guide", @@ -4446,7 +4464,7 @@ "uri":"cce_10_0020.html", "node_id":"cce_10_0020.xml", "product_code":"cce", - "code":"247", + "code":"248", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Network", @@ -4464,7 +4482,7 @@ "uri":"cce_10_0010.html", "node_id":"cce_10_0010.xml", "product_code":"cce", - "code":"248", + "code":"249", "des":"You can learn about a cluster network from the following two aspects:What is a cluster network like? A cluster consists of multiple nodes, and pods (or containers) are ru", "doc_type":"usermanual2", "kw":"Overview,Network,User Guide", @@ -4482,7 +4500,7 @@ "uri":"cce_10_0280.html", "node_id":"cce_10_0280.xml", "product_code":"cce", - "code":"249", + "code":"250", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Container Network", @@ -4500,7 +4518,7 @@ "uri":"cce_10_0281.html", "node_id":"cce_10_0281.xml", "product_code":"cce", - "code":"250", + "code":"251", "des":"The container network assigns IP addresses to pods in a cluster and provides networking services. In CCE, you can select the following network models for your cluster:Clo", "doc_type":"usermanual2", "kw":"Overview,Container Network,User Guide", @@ -4518,7 +4536,7 @@ "uri":"cce_10_0678.html", "node_id":"cce_10_0678.xml", "product_code":"cce", - "code":"251", + "code":"252", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Cloud Native Network 2.0 Settings", @@ -4536,7 +4554,7 @@ "uri":"cce_10_0284.html", "node_id":"cce_10_0284.xml", "product_code":"cce", - "code":"252", + "code":"253", "des":"Cloud Native Network 2.0 is a proprietary, next-generation container network model that combines the elastic network interfaces (ENIs) and supplementary network interface", "doc_type":"usermanual2", "kw":"Cloud Native Network 2.0,Cloud Native Network 2.0 Settings,User Guide", @@ -4554,7 +4572,7 @@ "uri":"cce_10_0906.html", "node_id":"cce_10_0906.xml", "product_code":"cce", - "code":"253", + "code":"254", "des":"If the pod subnet configured during CCE Turbo cluster creation cannot meet service expansion requirements, you can add a pod subnet for the cluster.This function is avail", "doc_type":"usermanual2", "kw":"Configuring a Default Container Subnet for a CCE Turbo Cluster,Cloud Native Network 2.0 Settings,Use", @@ -4572,7 +4590,7 @@ "uri":"cce_10_0897.html", "node_id":"cce_10_0897.xml", "product_code":"cce", - "code":"254", + "code":"255", "des":"In Cloud Native Network 2.0, pods use ENIs or sub-ENIs of the VPC. You can configure a security group for a pod using a pod's annotation.Configure a security group in eit", "doc_type":"usermanual2", "kw":"Binding a Security Group to a Pod Using an Annotation,Cloud Native Network 2.0 Settings,User Guide", @@ -4590,7 +4608,7 @@ "uri":"cce_10_0288.html", "node_id":"cce_10_0288.xml", "product_code":"cce", - "code":"255", + "code":"256", "des":"In Cloud Native Network 2.0, pods use VPC ENIs or sub-ENIs for networking. You can directly bind security groups and EIPs to pods. To bind CCE pods with security groups, ", "doc_type":"usermanual2", "kw":"Binding a Security Group to a Workload Using a Security Group Policy,Cloud Native Network 2.0 Settin", @@ -4608,7 +4626,7 @@ "uri":"cce_10_0196.html", "node_id":"cce_10_0196.xml", "product_code":"cce", - "code":"256", + "code":"257", "des":"In a CCE Turbo cluster, you can configure subnets and security groups for containers by namespace or workload using NetworkAttachmentDefinition CRDs. To configure a parti", "doc_type":"usermanual2", "kw":"Binding a Subnet and Security Group to a Namespace or Workload Using a Container Network Configurati", @@ -4626,7 +4644,7 @@ "uri":"cce_10_0603.html", "node_id":"cce_10_0603.xml", "product_code":"cce", - "code":"257", + "code":"258", "des":"In Cloud Native Network 2.0, each pod is associated with an ENI, providing a static IP address to the StatefulSet pods (container ENI). This is a common practice in acces", "doc_type":"usermanual2", "kw":"Configuring a Static IP Address for a Pod,Cloud Native Network 2.0 Settings,User Guide", @@ -4644,7 +4662,7 @@ "uri":"cce_10_0734.html", "node_id":"cce_10_0734.xml", "product_code":"cce", - "code":"258", + "code":"259", "des":"In Cloud Native Network 2.0, pods use VPC ENIs or sub-ENIs for networking. You can directly bind EIPs to pods.To associate an EIP with a pod, simply set the value of the ", "doc_type":"usermanual2", "kw":"Configuring an EIP for a Pod,Cloud Native Network 2.0 Settings,User Guide", @@ -4662,7 +4680,7 @@ "uri":"cce_10_0651.html", "node_id":"cce_10_0651.xml", "product_code":"cce", - "code":"259", + "code":"260", "des":"In Cloud Native Network 2.0, static public IP addresses (EIPs) can be assigned to StatefulSets or pods created directly.You can configure a static EIP for a pod only in C", "doc_type":"usermanual2", "kw":"static EIPs,Configuring a Static EIP for a Pod,Cloud Native Network 2.0 Settings,User Guide", @@ -4680,7 +4698,7 @@ "uri":"cce_10_0604.html", "node_id":"cce_10_0604.xml", "product_code":"cce", - "code":"260", + "code":"261", "des":"By default, pods with IPv6 dual-stack ENIs can access only the IPv6 private network. To access the public network, configure shared bandwidth for such pods.Only CCE Turbo", "doc_type":"usermanual2", "kw":"Configuring Shared Bandwidth for a Pod with IPv6 Dual-Stack ENIs,Cloud Native Network 2.0 Settings,U", @@ -4698,7 +4716,7 @@ "uri":"cce_10_0904.html", "node_id":"cce_10_0904.xml", "product_code":"cce", - "code":"261", + "code":"262", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"VPC Network Settings", @@ -4716,7 +4734,7 @@ "uri":"cce_10_0283.html", "node_id":"cce_10_0283.xml", "product_code":"cce", - "code":"262", + "code":"263", "des":"The VPC network model seamlessly combines VPC routing with the underlying network, making it ideal for high-performance scenarios. However, the maximum number of nodes al", "doc_type":"usermanual2", "kw":"VPC Network Model,VPC Network Settings,User Guide", @@ -4734,7 +4752,7 @@ "uri":"cce_10_0680.html", "node_id":"cce_10_0680.xml", "product_code":"cce", - "code":"263", + "code":"264", "des":"If the container CIDR block configured during CCE cluster creation cannot meet service expansion requirements, you can add a container CIDR block for the cluster.This fun", "doc_type":"usermanual2", "kw":"Adding a Container CIDR Block for a Cluster,VPC Network Settings,User Guide", @@ -4752,7 +4770,7 @@ "uri":"cce_10_0677.html", "node_id":"cce_10_0677.xml", "product_code":"cce", - "code":"264", + "code":"265", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Tunnel Network Settings", @@ -4770,7 +4788,7 @@ "uri":"cce_10_0282.html", "node_id":"cce_10_0282.xml", "product_code":"cce", - "code":"265", + "code":"266", "des":"A container tunnel network creates a separate network plane for containers by using tunnel encapsulation on the host network plane. The container tunnel network of a CCE ", "doc_type":"usermanual2", "kw":"Tunnel Network Model,Tunnel Network Settings,User Guide", @@ -4788,7 +4806,7 @@ "uri":"cce_10_0675.html", "node_id":"cce_10_0675.xml", "product_code":"cce", - "code":"266", + "code":"267", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Pod Network Settings", @@ -4806,7 +4824,7 @@ "uri":"cce_10_0402.html", "node_id":"cce_10_0402.xml", "product_code":"cce", - "code":"267", + "code":"268", "des":"Kubernetes allows pods to directly use the host/node network. When a pod is configured with hostNetwork: true, applications running in the pod can directly view the netwo", "doc_type":"usermanual2", "kw":"Configuring hostNetwork for Pods,Pod Network Settings,User Guide", @@ -4824,7 +4842,7 @@ "uri":"cce_10_0382.html", "node_id":"cce_10_0382.xml", "product_code":"cce", - "code":"268", + "code":"269", "des":"Bandwidth preemption occurs between different containers deployed on the same node, which may cause service jitter. You can configure bandwidth limitation for the pod to ", "doc_type":"usermanual2", "kw":"Configuring QoS for a Pod,Pod Network Settings,User Guide", @@ -4842,7 +4860,7 @@ "uri":"cce_10_0059.html", "node_id":"cce_10_0059.xml", "product_code":"cce", - "code":"269", + "code":"270", "des":"Network policies are designed by Kubernetes to restrict pod access. It is equivalent to a firewall at the application layer to enhance network security. The capabilities ", "doc_type":"usermanual2", "kw":"Configuring Network Policies to Restrict Pod Access,Pod Network Settings,User Guide", @@ -4860,7 +4878,7 @@ "uri":"cce_10_0945.html", "node_id":"cce_10_0945.xml", "product_code":"cce", - "code":"270", + "code":"271", "des":"DataPlane V2 can be enabled for clusters that use Cloud Native 2.0 networks. After this function is enabled, eBPF redirection will be enabled for the capability of networ", "doc_type":"usermanual2", "kw":"DataPlane V2 Network Acceleration,Pod Network Settings,User Guide", @@ -4878,7 +4896,7 @@ "uri":"cce_10_0247.html", "node_id":"cce_10_0247.xml", "product_code":"cce", - "code":"271", + "code":"272", "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", "doc_type":"usermanual2", "kw":"Service", @@ -4896,8 +4914,8 @@ "uri":"cce_10_0249.html", "node_id":"cce_10_0249.xml", "product_code":"cce", - "code":"272", - "des":"After a pod is created, the following problems may occur if you directly access the pod:The pod can be deleted and recreated at any time by a controller such as a Deploym", + "code":"273", + "des":"After a pod is created, accessing it directly can result in certain problems:The pod can be deleted and recreated at any time by a controller such as a Deployment. If the", "doc_type":"usermanual2", "kw":"Overview,Service,User Guide", "search_title":"", @@ -4914,7 +4932,7 @@ "uri":"cce_10_0011.html", "node_id":"cce_10_0011.xml", "product_code":"cce", - "code":"273", + "code":"274", "des":"ClusterIP Services allow workloads in the same cluster to use their cluster-internal domain names to access each other.The cluster-internal domain name format is + +

Notice of the NVIDIA Container Toolkit Container Escape Vulnerabilities (CVE-2025-23266 and CVE-2025-23267)

+

NVIDIA Container Toolkit is an open-source tool package from NVIDIA. It allows you to use NVIDIA GPUs to speed up computing in a containerized environment. The toolkit includes a container runtime library and utilities for automatically configuring containers to leverage NVIDIA GPUs.

+

Description

+
+ + + + + + + + + + + + + + + + +
Table 1 Vulnerability details

Type

+

CVE-ID

+

Severity

+

Discovered

+

Container escape

+

CVE-2025-23266

+

Critical

+

2025-07-17

+

Data tampering and denial of service

+

CVE-2025-23267

+

High

+

2025-07-17

+
+
+
+

Impact

In NVIDIA Container Toolkit v1.17.7 and earlier versions, an attacker can run a malicious image, which may result in container escape and enables the attacker to obtain host permissions. Successful exploitation of these vulnerabilities may enable privilege escalation, data tampering, information leakage, and denial of service.

+
+

Identification Method

  1. If the cluster does not have the CCE AI Suite (NVIDIA GPU) add-on installed or the add-on version is earlier than 2.0.0, these vulnerabilities are not relevant.

    +

    +

    In earlier versions, CCE AI Suite (NVIDIA GPU) add-on are named gpu-beta or gpu-device-plugin.

    +
    +
  2. If the CCE AI Suite (NVIDIA GPU) add-on version is in the range of 2.0.0 to 2.2.1 or 2.5.0 to 2.8.1, log in to the GPU node and run the following command:
    nvidia-container-runtime --version
    +
    • If no such command is displayed, these vulnerabilities are not present.
    • If the version of nvidia-container-runtime is earlier than 1.17.8, these vulnerabilities are present.

      +
    +
+
+

Solution

Do not run an untrusted container image in the cluster before the vulnerabilities are fixed.

+

CCE will release a new version of the add-on to fix these vulnerabilities. For details, see CCE AI Suite (NVIDIA GPU) Release History.

+
+

Helpful Links

NVIDIA Container Toolkit Security Bulletin: https://nvidia.custhelp.com/app/answers/detail/a_id/5659

+
+
+
+
+
Parent topic: Security Vulnerability Responses
+
+
+ diff --git a/docs/cce/umn/cce_01_0300.html b/docs/cce/umn/cce_01_0300.html index 75a6fef64..64e8fb822 100644 --- a/docs/cce/umn/cce_01_0300.html +++ b/docs/cce/umn/cce_01_0300.html @@ -8,10 +8,28 @@ -

2025-05-23

+

2025-07-25

+ +

Added Notice of the NVIDIA Container Toolkit Container Escape Vulnerabilities (CVE-2025-23266 and CVE-2025-23267).

+ + +

2025-06-30

+ +

Update:

+

Updated Cluster Upgrade Overview.

+

Updated Before You Start.

+ + +

2025-06-23

+ +

Update:

+

Updated Overview. Common I/O disks are the previous-generation product and cannot be created.

+ + +

2025-05-23

Update:

- +

2025-05-12

diff --git a/docs/cce/umn/cce_10_0003.html b/docs/cce/umn/cce_10_0003.html index b59f05025..918af2b25 100644 --- a/docs/cce/umn/cce_10_0003.html +++ b/docs/cce/umn/cce_10_0003.html @@ -67,7 +67,7 @@

Data Disk

- +

Click Expand to configure Data Disk Space Allocation. This allocates space for container engines, images, and ephemeral storage to ensure their proper running. For details about how to allocate data disk space, see Space Allocation of a Data Disk.

For other data disks, a raw disk is created without any processing by default. You can also click Expand and select Mount Disk to mount the data disk to a specified directory. Data disks can also be used as local PVs or local EVs.

diff --git a/docs/cce/umn/cce_10_0006.html b/docs/cce/umn/cce_10_0006.html index 248e4baef..428e6f516 100644 --- a/docs/cce/umn/cce_10_0006.html +++ b/docs/cce/umn/cce_10_0006.html @@ -3,32 +3,32 @@

Overview

A workload is an application running on Kubernetes. No matter how many components are there in your workload, you can run it in a group of Kubernetes pods. A workload is an abstract model of a group of pods in Kubernetes. Workloads in Kubernetes are classified as Deployments, StatefulSets, DaemonSets, jobs, and cron jobs.

CCE provides Kubernetes-native container deployment and management and supports lifecycle management of container workloads, including creation, configuration, monitoring, auto scaling, upgrade, uninstall, service discovery, and load balancing.

-

Overview of Pod

A pod is the smallest, simplest unit in the Kubernetes object model that you create or deploy. A pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers. Each pod has a separate IP address.

+

Overview of Pods

Pods are the smallest unit that you can create or deploy in Kubernetes. Each pod comprises one or more containers, shared storage (volumes), a unique IP address, and container runtime policies.

Pods can be used in either of the following ways:

-
  • A pod runs only one container. This is the most common usage of pods in Kubernetes. You can consider a pod as a container, but Kubernetes directly manages pods instead of containers.
  • A pod runs multiple containers that need to be tightly coupled. In this scenario, a pod contains a main container and several sidecar containers, as shown in Figure 1. For example, the main container is a web server that provides file services from a fixed directory, and sidecar containers periodically download files to this fixed directory.
    Figure 1 Pod running multiple containers
    +
    • A pod runs a single container. This is the most common scenario in Kubernetes. In this case, a pod can be thought of as a container, although Kubernetes manages the pod rather than the container itself.
    • A pod runs multiple tightly coupled containers that need to share resources. In this case, the pod includes a main container and several sidecar containers, as shown in Figure 1. For example, the main container might be a web server providing file services from a fixed directory, while sidecar containers periodically download files to that directory.
      Figure 1 A pod running multiple containers
    -

    In Kubernetes, pods are rarely created directly. Instead, Kubernetes controller manages pods through pod instances such as Deployments and jobs. A controller typically uses a pod template to create pods. The controller can also manage multiple pods and provide functions such as replica management, rolling upgrade, and self-healing.

    +

    In Kubernetes, you rarely create pods directly. Instead, controllers like Deployments and jobs create and manage them. These controllers typically use pod templates to create and manage pods, providing features like replica management, rolling upgrades, and self-healing.

-

Overview of Deployment

A pod is the smallest and simplest unit that you create or deploy in Kubernetes. It is designed to be an ephemeral, one-off entity. A pod can be evicted when node resources are insufficient and disappears along with a cluster node failure. Kubernetes provides controllers to manage pods. Controllers can create and manage pods, and provide replica management, rolling upgrade, and self-healing capabilities. The most commonly used controller is Deployment.

+

Overview of Deployments

A pod is the smallest unit that you create or deploy in Kubernetes. It is evicted when resources are tight and gone if its node fails. Kubernetes provides controllers to manage pods. These controllers create and manage pods, providing features like replica management, rolling upgrades, and self-healing. The most common controller is Deployment.

Figure 2 Relationship between a Deployment and pods
-

A Deployment can contain one or more pods. These pods have the same role. Therefore, the system automatically distributes requests to multiple pods of a Deployment.

-

A Deployment integrates a lot of functions, including online deployment, rolling upgrade, replica creation, and restoration of online jobs. To some extent, Deployments can be used to realize unattended rollout, which greatly reduces difficulties and operation risks in the rollout process.

+

A Deployment runs one or more identical pods. Kubernetes load-balances traffic across them.

+

A Deployment handles rollout, rolling upgrades, scaling, and automatic replacement of failed pods. This enables zero-touch releases with minimal risk.

-

Overview of StatefulSet

All pods under a Deployment have the same characteristics except for the name and IP address. If required, a Deployment can use a pod template to create new pods. If not required, the Deployment can delete any one of the pods.

-

However, Deployments cannot meet the requirements in some distributed scenarios when each pod requires its own status or in a distributed database where each pod requires independent storage.

-

Distributed stateful applications involve different roles for different responsibilities. For example, databases work in active/standby mode, and pods depend on each other. To deploy stateful applications in Kubernetes, ensure pods meet the following requirements:

-
  • Each pod must have a fixed identifier so that it can be recognized by other pods.
  • Separate storage resources must be configured for each pod. In this way, the original data can be retrieved after a pod is deleted and restored. Otherwise, the pod status will be changed after the pod is rebuilt.
-

To address the preceding requirements, Kubernetes provides StatefulSets.

-
  1. StatefulSets provide a fixed name for each pod following a fixed number ranging from 0 to N. After a pod is rescheduled, the pod name and the hostname remain unchanged.
  2. StatefulSets use a headless Service to allocate a fixed domain name for each pod.
  3. StatefulSets create PVCs with fixed identifiers to ensure that pods can access the same persistent data after being rescheduled.
    Figure 3 StatefulSet
    +

    Overview of StatefulSets

    All pods under a Deployment are identical except for their names and IP addresses. Deployments can create new pods using a pod template and delete any pod when not needed.

    +

    However, Deployments are not suitable for distributed scenarios where each pod requires its own status or independent storage, such as in distributed databases.

    +

    Distributed stateful applications often involve different roles and responsibilities. For example, databases may operate in active/standby mode, and pods may depend on each other. To deploy stateful applications in Kubernetes, pods must meet the following requirements:

    +
    • Each pod must have a unique, fixed identifier to be recognized by other pods.
    • Each pod should be configured with separate storage resources to ensure data persistence. This allows the original data to be retained and retrieved even after a pod is deleted and recreated. Without dedicated storage, the pod's data will be lost upon deletion, and the new pod will initialize with a different state.
    +

    To address these requirements, Kubernetes provides StatefulSets:

    +
    1. StatefulSets provide a fixed name for each pod, followed by a sequential numeric suffix (for example, pod-0, pod-1, ..., pod-N). After a pod is rescheduled, its name and hostname remain unchanged.
    2. StatefulSets use a headless Service to allocate a fixed domain name for each pod.
    3. StatefulSets create PVCs with fixed identifiers. This ensures that pods can access the original persistent data after being rescheduled.
      Figure 3 StatefulSet
    -

    Overview of DaemonSet

    A DaemonSet runs a pod on each node in a cluster and ensures that there is only one pod. This works well for certain system-level applications such as log collection and resource monitoring since they must run on each node and need only a few pods. A good example is kube-proxy.

    +

    Overview of DaemonSet

    A DaemonSet runs a pod on each node in a cluster and ensures that there is only one pod. This works well for certain system-level applications such as log collection and resource monitoring since they must run on each node. A good example is kube-proxy.

    DaemonSets are closely related to nodes. If a node becomes faulty, the DaemonSet will not create the same pods on other nodes.

    Figure 4 DaemonSet
    -

    Overview of Job and CronJob

    Jobs and CronJobs allow you to run short lived, one-off tasks in batch. They ensure the task pods run to completion.

    -
    • A job is a resource object used by Kubernetes to control batch tasks. Jobs are different from long-term servo tasks (such as Deployments and StatefulSets). The former is started and terminated at specific times, while the latter runs unceasingly unless being terminated. The pods managed by a job will be automatically removed after successfully completing tasks based on user configurations.
    • A CronJob runs a job periodically on a specified schedule. A CronJob object is similar to a line of a crontab file in Linux.
    -

    This run-to-completion feature of jobs is especially suitable for one-off tasks, such as continuous integration (CI).

    +

    Overview of Jobs and CronJobs

    Jobs and CronJobs are Kubernetes resources designed to manage short-lived, one-off tasks that run to completion.

    +
    • A job is a resource object used to control batch tasks. Jobs start and terminate at specific times, unlike long-running services such as Deployments and StatefulSets, which run continuously unless terminated. Pods managed by a job are automatically removed after successfully completing their tasks, based on the specified settings.
    • A CronJob runs a job periodically on a specified schedule. A CronJob object is similar to a line in a crontab file in Linux.
    +

    The run-to-completion feature of workloads makes them particularly suitable for one-off tasks, such as continuous integration (CI) pipelines.

    Workload Lifecycle

    - - - @@ -173,7 +173,7 @@ spec: diff --git a/docs/cce/umn/cce_10_0068.html b/docs/cce/umn/cce_10_0068.html index b37036d47..7ec7e0bae 100644 --- a/docs/cce/umn/cce_10_0068.html +++ b/docs/cce/umn/cce_10_0068.html @@ -14,9 +14,9 @@
  4. Kubernetes 1.27 Release Notes
    5. -
  5. Kubernetes 1.25 Release Notes
    +
  6. Kubernetes 1.25 (EOM) Release Notes
    7. -
  7. Kubernetes 1.23 Release Notes
    +
  8. Kubernetes 1.23 (EOM) Release Notes
  9. Kubernetes 1.21 (EOM) Release Notes
    10. diff --git a/docs/cce/umn/cce_10_0132.html b/docs/cce/umn/cce_10_0132.html index 32801e416..520a2220e 100644 --- a/docs/cce/umn/cce_10_0132.html +++ b/docs/cce/umn/cce_10_0132.html @@ -100,7 +100,7 @@

    Typical scenario: Disk I/O suspension causes process suspension.

    @@ -112,7 +112,7 @@ diff --git a/docs/cce/umn/cce_10_0141.html b/docs/cce/umn/cce_10_0141.html index a74808596..293003e11 100644 --- a/docs/cce/umn/cce_10_0141.html +++ b/docs/cce/umn/cce_10_0141.html @@ -42,7 +42,7 @@ cd /usr/local/nvidia/bin && ./nvidia-smi

    Obtaining the Driver Link from Public Network

    1. Log in to the CCE console.
    2. Create a node. In the Specifications area, select the GPU node flavor. The GPU card models are displayed in the lower part of the area.

      -

    1. Log in to the NVIDIA driver download page and search for the driver information. The OS must be Linux 64-bit.

      Figure 1 Selecting parameters
      +

    1. Log in to the NVIDIA driver download page and search for the driver information. The OS must be Linux 64-bit.

      Figure 1 Selecting parameters

    2. After confirming the driver information, click Find. On the displayed page, find the driver to be downloaded and click View.

      Figure 2 Viewing the driver information

    3. Click Download and copy the download link.

      Figure 3 Obtaining the link

    diff --git a/docs/cce/umn/cce_10_0164.html b/docs/cce/umn/cce_10_0164.html index ef2253841..07de0fd6c 100644 --- a/docs/cce/umn/cce_10_0164.html +++ b/docs/cce/umn/cce_10_0164.html @@ -10,8 +10,6 @@
  10. Namespace Permissions (Kubernetes RBAC-based)
    11. -
  11. Using the AccessPolicy API to Manage Namespace Permissions (Kubernetes RBAC-based)
    -
  12. Example: Designing and Configuring Permissions for Users in a Department
  13. Permission Dependency of the CCE Console
    diff --git a/docs/cce/umn/cce_10_0184.html b/docs/cce/umn/cce_10_0184.html index 6410c7eb5..3ef2eda8e 100644 --- a/docs/cce/umn/cce_10_0184.html +++ b/docs/cce/umn/cce_10_0184.html @@ -2,7 +2,7 @@

    Synchronizing the Data of Cloud Servers

    Scenario

    Each node in a cluster is a cloud server or physical machine. After a cluster node is created, you can change the cloud server name or specifications as required. Modifying node specifications will affect services. Perform the operation on nodes one by one.

    -

    Some information of CCE nodes is maintained independently from the ECS console. After you change the name, EIP, or specifications of an ECS on the ECS console, synchronize the ECS with the target node on the CCE console. After the synchronization, information on both consoles is consistent.

    +

    Some information of CCE nodes is maintained independently from the ECS console. After you change the name, EIP, or specifications of an ECS on the ECS console, synchronize the ECS with the target node on the CCE console. After the synchronization, information on both consoles is consistent.

    Notes and Constraints

    • Data, including the VM status, ECS names, number of CPUs, size of memory, ECS specifications, and public IP addresses, can be synchronized.
    • The following data cannot be synchronized: OS, image ID, and disk configuration.
    diff --git a/docs/cce/umn/cce_10_0185.html b/docs/cce/umn/cce_10_0185.html index c8aac4b0b..db2fd8d8d 100644 --- a/docs/cce/umn/cce_10_0185.html +++ b/docs/cce/umn/cce_10_0185.html @@ -1,13 +1,13 @@

    Logging In to a Node

    -

    Prerequisites

    • Before you log in to a node using SSH, ensure that the SSH port (22 by default) is enabled in the security group of the node.
    • Before you log in to a node (an ECS) using SSH through the Internet, ensure that the ECS already has an EIP bound.
    • Only login to a running ECS is allowed.
    • Only the user linux can log in to a Linux server.
    +

    Prerequisites

    • Before you log in to a node using SSH, ensure that the SSH port (22 by default) is enabled in the security group of the node.
    • Before you log in to a node (an ECS) using SSH through the Internet, ensure that the ECS already has an EIP bound.
    • Only login to a running ECS is allowed.
    • Only the user linux can log in to a Linux server.

    Login Modes

    You can log in to an ECS in either of the following modes:

    • Management console (VNC)

      If an ECS has no EIP, log in to the ECS console and click Remote Login in the same row as the ECS.

      For details, see Login Using VNC.

    • SSH

      This mode applies only to ECSs running Linux. Usually, you can use a remote login tool, such as PuTTY, Xshell, and SecureCRT, to log in to your ECS. If none of the remote login tools can be used, log in to the ECS console and click Remote Login in the same row as the ECS to view the connection status and running status of the ECS.

      -
      • When you use the Windows OS to log in to a Linux node, set Auto-login username to linux.
      • The CCE console does not support node OS upgrade. Do not upgrade the node OS using the yum update command. Otherwise, the container networking components will be unavailable.
      +
      • When you use the Windows OS to log in to a Linux node, set Auto-login username to linux.
      • The CCE console does not support node OS upgrade. Do not upgrade the node OS using the yum update command. Otherwise, the container networking components will be unavailable.
    diff --git a/docs/cce/umn/cce_10_0189.html b/docs/cce/umn/cce_10_0189.html index d9b586bf4..e9d5d7e52 100644 --- a/docs/cce/umn/cce_10_0189.html +++ b/docs/cce/umn/cce_10_0189.html @@ -54,7 +54,7 @@

    Using kubectl to Configure Namespace Permissions

    When you access a cluster using kubectl, CCE uses the kubeconfig file generated on the cluster for authentication. This file contains user information, based on which CCE determines which Kubernetes resources can be accessed via kubectl. Since the kubeconfig file contains user identity details, the permissions associated with that user are inherited when accessing the cluster via kubectl. For details about user permissions, see Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based).

    In addition to cluster-admin, admin, edit, and view, you can define Roles and RoleBindings to configure the permissions to add, delete, modify, and obtain resources, such as pods, Deployments, and Services, in the namespace.

    -

    The procedure for creating a Role is very simple. To be specific, specify a namespace and then define rules. The rules in the following example are to allow GET and LIST operations on pods in the default namespace.

    +

    The definition of a Role is simple. You just specify a namespace and some rules. For example, the following rules allow you to perform GET and LIST operations on pods in the default namespace.

    kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -83,7 +83,7 @@ subjects:
   name: 0c97ac3cb280f4d91fa7c0096739e1f8 # User ID of the user-example
   apiGroup: rbac.authorization.k8s.io

    The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the Role, as shown in the following figure.

    -
    Figure 2 Binding a role to a user
    +
    Figure 2 Binding a Role to a user

    You can also specify a user group in the subjects section. In this case, all users in the user group obtain the permissions defined in the Role.

    ...
 subjects:
diff --git a/docs/cce/umn/cce_10_0193.html b/docs/cce/umn/cce_10_0193.html
index 4ad835b5a..c2b9be00a 100644
--- a/docs/cce/umn/cce_10_0193.html
+++ b/docs/cce/umn/cce_10_0193.html
@@ -23,7 +23,7 @@
    14. Table 1 Status description

    Status

    diff --git a/docs/cce/umn/cce_10_0010.html b/docs/cce/umn/cce_10_0010.html index 956fe1d6c..a99833169 100644 --- a/docs/cce/umn/cce_10_0010.html +++ b/docs/cce/umn/cce_10_0010.html @@ -19,8 +19,8 @@
    • ClusterIP: used to make the Service only reachable from within a cluster.
    • NodePort: used for access from outside a cluster. A NodePort Service is accessed through the port on the node.
    • LoadBalancer: used for access from outside a cluster. It is an extension of NodePort, to which a load balancer routes, and external systems only need to access the load balancer.

    For details about the Service, see Overview.

    -

    Ingress

    Services forward requests using layer-4 TCP and UDP protocols. Ingresses forward requests using layer-7 HTTP and HTTPS protocols. Domain names and paths can be used to achieve finer granularities.

    -
    Figure 2 Ingress and Service
    +

    Ingress

    Services forward requests using TCP and UDP at Layer 4. Ingresses forward requests using HTTP and HTTPS at Layer 7. Domain names and paths can be used for access of finer granularities.

    +
    Figure 2 An ingress and associated Services

    For details about the ingress, see Overview.

    Access Scenarios

    Workload access scenarios can be categorized as follows:

    diff --git a/docs/cce/umn/cce_10_0012.html b/docs/cce/umn/cce_10_0012.html index 956534554..05a16c4cf 100644 --- a/docs/cce/umn/cce_10_0012.html +++ b/docs/cce/umn/cce_10_0012.html @@ -92,7 +92,7 @@

    Data Disk

    • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
      • Default data disk: used for container runtime and kubelet components. The disk size ranges from 20 GiB to 32768 GiB. The default value is 100 GiB.
      • Other common data disks: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB.
      +
    • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
      • Default data disk: used for container runtime and kubelet components. The disk size ranges from 20 GiB to 32768 GiB. The default value is 100 GiB.
      • Other common data disks: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB.
    • If System Component Storage is set to System Disk, you do not need to add a default data disk. In this case, all data disks are common ones: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB. This function is available for clusters of v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, or later versions.
    NOTE:
    • If the node flavor is disk-intensive or ultra-high I/O, one data disk can be a local disk.
    • Local disks may break down and do not ensure data reliability. Store your service data in EVS disks, which are more reliable than local disks.
    diff --git a/docs/cce/umn/cce_10_0018.html b/docs/cce/umn/cce_10_0018.html index a74b5b756..f517d110b 100644 --- a/docs/cce/umn/cce_10_0018.html +++ b/docs/cce/umn/cce_10_0018.html @@ -1,7 +1,7 @@

    Collecting Container Logs Using ICAgent

    -

    CCE works with AOM to collect workload logs. When a node is created, ICAgent (a DaemonSet named icagent in the kube-system namespace of a cluster) of AOM is installed by default. ICAgent collects workload logs and reports them to AOM. You can view workload logs on the CCE or AOM console.

    +

    CCE can collect workload logs and report them to AOM 1.0. When a node is created, ICAgent (a DaemonSet named icagent in the kube-system namespace of a cluster) is installed by default. ICAgent collects workload logs and reports them to AOM 1.0. You can view workload logs on the CCE or AOM 1.0 console.

    Constraints

    ICAgent only collects text logs in .log, .trace, and .out formats.

    Using ICAgent to Collect Logs

    1. When creating a workload, set logging for the container.
    2. Click to add a log policy.

      The following uses Nginx as an example. Log policies vary depending on workloads.

      @@ -31,7 +31,7 @@

    Extended Host Path

    This parameter is mandatory only if Volume Type is set to HostPath.

    +

    This parameter is mandatory only if Volume Type is set to hostPath.

    Extended host paths contain pod IDs or container names to distinguish different containers into which the host path is mounted.

    A level-3 directory is added to the original volume directory/subdirectory. You can easily obtain the files output by a single Pod.

    • None: No extended path is configured.
    • PodUID: ID of a pod.
    • PodName: name of a pod.
    • PodUID/ContainerName: ID of a pod or name of a container.
    • PodName/ContainerName: name of a pod or container.
    @@ -39,7 +39,7 @@

    Collection Path

    A collection path narrows down the scope of collection to specified logs.

    +

    A collection path narrows down the scope of collection to specified logs.

    • If no collection path is specified, log files in .log, .trace, and .out formats will be collected from the specified path.
    • /Path/**/ indicates that all log files in .log, .trace, and .out formats will be recursively collected from the specified path and all subdirectories at 5 levels deep.
    • * in log file names indicates a fuzzy match.

    Example: The collection path /tmp/**/test*.log indicates that all .log files prefixed with test will be collected from /tmp and subdirectories at 5 levels deep.

    CAUTION:

    Ensure that ICAgent is of version 5.12.22 or later.

    @@ -154,8 +154,8 @@ spec:

    Extended host path

    Extended host paths contain pod IDs or container names to distinguish different containers into which the host path is mounted.

    -

    A level-3 directory is added to the original volume directory/subdirectory. You can easily obtain the files output by a single Pod.

    -
    • None: No extended path is configured.
    • PodUID: ID of a pod.
    • PodName: name of a pod.
    • PodUID/ContainerName: ID of a pod or name of a container.
    • PodName/ContainerName: name of a pod or container.
    +

    A level-3 directory is added to the original volume directory/subdirectory. You can easily obtain the files output by a single Pod.

    +
    • None: No extended path is configured.
    • PodUID: ID of a pod.
    • PodName: name of a pod.
    • PodUID/ContainerName: ID of a pod or name of a container.
    • PodName/ContainerName: name of a pod or container.

    policy.logs.rotate

    @@ -163,7 +163,7 @@ spec:

    Log dump

    Log dump refers to rotating log files on a local host.

    -
    • Enabled: AOM scans log files every minute. When a log file exceeds 50 MB, it is dumped immediately. A new .zip file is generated in the directory where the log file locates. For a log file, AOM stores only the latest 20 .zip files. When the number of .zip files exceeds 20, earlier .zip files will be deleted. After the dump is complete, the log file in AOM will be cleared.
    • Disabled: AOM does not dump log files.
    +
    • Enabled: AOM scans log files every minute. When a log file exceeds 50 MB, it is dumped immediately. A new .zip file is generated in the directory where the log file locates. For a log file, AOM stores only the latest 20 .zip files. When the number of .zip files exceeds 20, earlier .zip files will be deleted. After the dump is complete, the log file in AOM will be cleared.
    • Disabled: AOM does not dump log files.
    NOTE:
    • AOM rotates log files using copytruncate. Before enabling log dumping, ensure that log files are written in the append mode. Otherwise, file holes may occur.
    • Currently, mainstream log components such as Log4j and Logback support log file rotation. If you have already set rotation for log files, skip the configuration. Otherwise, conflicts may occur.
    • You are advised to configure log file rotation for your own services to flexibly control the size and number of rolled files.

    Collection path

    A collection path narrows down the scope of collection to specified logs.

    -
    • If no collection path is specified, log files in .log, .trace, and .out formats will be collected from the specified path.
    • /Path/**/ indicates that all log files in .log, .trace, and .out formats will be recursively collected from the specified path and all subdirectories at 5 levels deep.
    • * in log file names indicates a fuzzy match.
    +
    • If no collection path is specified, log files in .log, .trace, and .out formats will be collected from the specified path.
    • /Path/**/ indicates that all log files in .log, .trace, and .out formats will be recursively collected from the specified path and all subdirectories at 5 levels deep.
    • * in log file names indicates a fuzzy match.

    Example: The collection path /tmp/**/test*.log indicates that all .log files prefixed with test will be collected from /tmp and subdirectories at 5 levels deep.

    CAUTION:

    Ensure that ICAgent is of version 5.12.22 or later.

    @@ -202,16 +202,12 @@ spec:

    Viewing Logs

    After a log collection path is configured and the workload is created, the ICAgent collects log files from the configured path. The collection takes about 1 minute.

    After the log collection is complete, go to the workload details page and click Logs in the upper right corner to view logs.

    You can also view logs on the AOM console.

    -

    You can also run the kubectl logs command to view the container stdout.

    -
    # View logs of a specified pod.
-kubectl logs <pod_name>
-kubectl logs -f <pod_name> # Similar to tail -f
-
-# View logs of a specified container in a specified pod.
-kubectl logs <pod_name> -c <container_name>
-
-kubectl logs pod_name -c container_name -n namespace (one-off query)
-kubectl logs -f <pod_name> -n namespace (real-time query in tail -f mode)
    +

    You can also run the kubectl logs command to view the container stdout.

    +
    • View the logs of a specified pod.
      kubectl logs <pod_name> -n <namespace>
      +
    • View the logs of a specified pod in real time.
      kubectl logs -f <pod_name> -n <namespace>
      +
    • View logs of a specified container in a specified pod.
      kubectl logs <pod_name> -c <container_name> -n <namespace>
      +
    • View the logs of a specified container in a specified pod in real time.
      kubectl logs -f <pod_name> -c <container_name> -n <namespace>
      +
    diff --git a/docs/cce/umn/cce_10_0028.html b/docs/cce/umn/cce_10_0028.html index cf61cb744..668a4b988 100644 --- a/docs/cce/umn/cce_10_0028.html +++ b/docs/cce/umn/cce_10_0028.html @@ -123,7 +123,7 @@

    Container CIDR Block

    Specify the CIDR block for containers, which determines the maximum number of containers allowed in the cluster. This parameter is available only for CCE standard clusters. CCE standard clusters allow both manual and automatic CIDR block settings.

    -
    • Manually set: You can customize the container CIDR blocks as needed. For cross-VPC passthrough networking, make sure the container CIDR block does not overlap with the VPC CIDR block to be accessed to prevent conflicts. For details, see Planning CIDR Blocks for a Cluster. The VPC network model allows you to configure multiple CIDR blocks, and container CIDR blocks can be added even after the cluster is created. For details, see Adding a Container CIDR Block for a Cluster.
    • Auto select: CCE will randomly allocate a non-conflicting CIDR block from the ranges 172.16.0.0/16 to 172.31.0.0/16, or from 10.0.0.0/12, 10.16.0.0/12, 10.32.0.0/12, 10.48.0.0/12, 10.64.0.0/12, 10.80.0.0/12, 10.96.0.0/12, and 10.112.0.0/12. Since the allocated CIRD block cannot be modified after the cluster is created, you are advised to manually configure the CIDR blocks, especially in commercial scenarios.
    +
    • Manually set: You can customize the container CIDR blocks as needed. For cross-VPC passthrough networking, make sure the container CIDR block does not overlap with the VPC CIDR block to be accessed to prevent conflicts. For details, see Planning CIDR Blocks for a Cluster. The VPC network model allows you to configure multiple CIDR blocks, and container CIDR blocks can be added even after the cluster is created. For details, see Adding a Container CIDR Block for a Cluster.
    • Auto select: CCE will randomly allocate a non-conflicting CIDR block from the ranges 172.16.0.0/16 to 172.31.0.0/16, or from 10.0.0.0/12, 10.16.0.0/12, 10.32.0.0/12, 10.48.0.0/12, 10.64.0.0/12, 10.80.0.0/12, 10.96.0.0/12, and 10.112.0.0/12. Since the allocated CIDR block cannot be modified after the cluster is created, you are advised to manually configure the CIDR blocks, especially in commercial scenarios.

    Pod IP Addresses Reserved for Each Node (supported by CCE standard clusters using a VPC network)

    diff --git a/docs/cce/umn/cce_10_0034.html b/docs/cce/umn/cce_10_0034.html index ef2c393fd..501d6b3fd 100644 --- a/docs/cce/umn/cce_10_0034.html +++ b/docs/cce/umn/cce_10_0034.html @@ -17,9 +17,9 @@

    Prerequisites

    Before installing this add-on, you have one available cluster and there is a node running properly. If no cluster is available, create one according to Creating a CCE Standard/Turbo Cluster.

    Installing the Add-on

    1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Add-ons, locate NGINX Ingress Controller on the right, and click Install.
    2. On the Install Add-on page, configure the specifications as needed.

      You can adjust the number of add-on pods and resource quotas as required. High availability is not possible with a single pod. If an error occurs on the node where the add-on instance runs, the add-on will fail.

      -

    3. Configure the add-on parameters.

      • Ingress Class: Enter a controller name. The name of each controller in the same cluster must be unique and cannot be set to cce (which is the unique identifier of the ELB ingress controller.) When creating an ingress, you can specify the controller name to declare which controller should manage this ingress.
      • Add-on Namespace: Select a namespace for the ingress controller.
      • Load Balancer: Select a shared or dedicated load balancer. If no load balancer is available, create one. The load balancer has at least two listeners, and ports 80 and 443 are not occupied by listeners.
      • Admission Check: Admission control is performed on Ingresses to ensure that the controller can generate valid configurations. Admission verification is performed on the configuration of Nginx Ingresses. If the verification fails, the request will be intercepted. For details about admission verification, see Access Control.
        • Admission check slows down the responses to Ingress requests.
        • Only add-ons of version 2.4.1 or later support admission verification.
        +

      • Configure the add-on parameters.

        • Ingress Class: Enter a controller name. The name of each controller in the same cluster must be unique and cannot be set to cce (which is the unique identifier of the LoadBalancer ingress controller.) When creating an ingress, you can specify the controller name to declare which controller should manage this ingress.
        • Add-on Namespace: Select a namespace for the ingress controller.
        • Load Balancer: Select a shared or dedicated load balancer. If no load balancer is available, create one. The load balancer has at least two listeners, and ports 80 and 443 are not occupied by listeners.
        • Admission Check: Admission control is performed on Ingresses to ensure that the controller can generate valid configurations. Admission verification is performed on the configuration of Nginx Ingresses. If the verification fails, the request will be intercepted. For details about admission verification, see Access Control.
          • Admission check slows down the responses to Ingress requests.
          • Only add-ons of version 2.4.1 or later support admission verification.
          -
        • Nginx Parameters: You can configure the nginx.conf file, which will affect all managed ingresses. You can select GUI or YAML. GUI is supported by the NGINX Ingress Controller of version 2.2.75, 2.6.26, 3.0.1, or later.

          To configure custom parameters supported by the Kubernetes community, choose YAML and find the related parameters in ConfigMaps. For example, you can use the keep-alive-requests parameter to describe how to set the maximum number of requests for keeping active connections to 100.

          +
        • Nginx Parameters: You can configure the nginx.conf file, which will affect all managed ingresses. You can select GUI or YAML. GUI is supported by the NGINX Ingress Controller of version 2.2.75, 2.6.26, 3.0.1, or later.

          To configure custom parameters supported by the Kubernetes community, choose YAML and find the related parameters in ConfigMaps. For example, you can use the keep-alive-requests parameter to describe how to set the maximum number of requests for keeping active connections to 100.

          {
     "keep-alive-requests": "100"
 }
          diff --git a/docs/cce/umn/cce_10_00356.html b/docs/cce/umn/cce_10_00356.html index c0e1467a9..c842eaaeb 100644 --- a/docs/cce/umn/cce_10_00356.html +++ b/docs/cce/umn/cce_10_00356.html @@ -3,8 +3,6 @@

          Logging In to a Container

          Scenario

          If you encounter unexpected problems when using a container, you can log in to the container to debug it.

          -

          Notes and Constraints

          • When kubectl is used in CloudShell, permissions are determined by the logged-in user.
          • When using CloudShell to access a CCE cluster or container, you can open up to 15 instances concurrently.
          • The kubectl certificate in CloudShell is valid for one day. You can reset its validity period by accessing CloudShell through the CCE console.
          -

          Using kubectl

          1. Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.
          2. Run the following command to view the created pod:

            kubectl get pod
            The example output is as follows:
            NAME                               READY   STATUS    RESTARTS       AGE
 nginx-59d89cb66f-mhljr             1/1     Running   0              11m
            diff --git a/docs/cce/umn/cce_10_0048.html b/docs/cce/umn/cce_10_0048.html index 1f4142f49..185ebc1fd 100644 --- a/docs/cce/umn/cce_10_0048.html +++ b/docs/cce/umn/cce_10_0048.html @@ -95,7 +95,7 @@

            A Service provides external access for pods. With a static IP address, a Service forwards access traffic to pods and automatically balances load for these pods.

            You can also create a Service after creating a workload. For details about Services of different types, see Overview.

            (Optional) Advanced Settings
            • Upgrade: Specify the upgrade mode and parameters of the workload. Rolling upgrade and Replace upgrade are available. For details, see Configuring Workload Upgrade Policies.
            • Pod Management Policies

              For some distributed systems, the StatefulSet sequence is unnecessary and/or should not occur. These systems require only uniqueness and identifiers.

              -
              • OrderedReady: The StatefulSet will deploy, delete, or scale pods in order and one by one. (The StatefulSet continues only after the previous pod is ready or deleted.) This is the default policy.
              • Parallel: The StatefulSet will create pods in parallel to match the desired scale without waiting, and will delete all pods at once.
              +
              • OrderedReady: This is the default policy. The StatefulSet will deploy, delete, or scale pods in order and one by one. It continues only after the previous pod is ready or deleted.
              • Parallel: The StatefulSet will create pods in parallel to match the desired scale without waiting, and will delete all pods at once.
            • Scheduling: Configure affinity and anti-affinity policies for flexible workload scheduling. Load affinity and node affinity are provided.
              • Load Affinity: Common load affinity policies are offered for quick load affinity deployment.
                • Not configured: No load affinity policy is configured.
                • Multi-AZ deployment preferred: Workload pods are preferentially scheduled to nodes in different AZs through pod anti-affinity.
                • Forcible multi-AZ deployment: Workload pods are forcibly scheduled to nodes in different AZs through pod anti-affinity (podAntiAffinity). If there are fewer AZs than pods, the extra pods will fail to run.
                • Customize affinity: Affinity and anti-affinity policies can be customized. For details, see Configuring Workload Affinity or Anti-affinity Scheduling (podAffinity or podAntiAffinity).
              • Node Affinity: Common node affinity policies are offered for quick load affinity deployment.
                • Not configured: No node affinity policy is configured.
                • Specify node: Workload pods can be deployed on specified nodes through node affinity (nodeAffinity). If no node is specified, the pods will be randomly scheduled based on the default scheduling policy of the cluster.
                • Specify node pool: Workload pods can be deployed in a specified node pool through node affinity (nodeAffinity). If no node pool is specified, the pods will be randomly scheduled based on the default scheduling policy of the cluster.
                • Customize affinity: Affinity and anti-affinity policies can be customized. For details, see Configuring Node Affinity Scheduling (nodeAffinity).
              diff --git a/docs/cce/umn/cce_10_0059.html b/docs/cce/umn/cce_10_0059.html index 3d81884d1..6b421a3cb 100644 --- a/docs/cce/umn/cce_10_0059.html +++ b/docs/cce/umn/cce_10_0059.html @@ -67,7 +67,7 @@

    Supported OS

    EulerOS

    -

    HCE 2.0

    +

    HCE OS 2.0

    HCE OS 2.0

    Warning event

    -

    Listening object: /dev/kmsg

    +

    Listening object: /dev/kmsg

    Matching rule: "task \\S+:\\w+ blocked for more than \\w+ seconds\\."

    Warning event

    -

    Listening object: /dev/kmsg

    +

    Listening object: /dev/kmsg

    Matching rule: Remounting filesystem read-only
    - @@ -765,7 +765,7 @@ workload_balancer_third_party_types: ''

    This section describes how to configure volcano-scheduler.

    Only Volcano of v1.7.1 and later support this function.

    -

    Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Settings and click the Scheduling tab. In the Select Cluster Scheduler area, select Volcano scheduler, find the expert mode, and click Try Now.

    +

    Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Settings and click the Scheduling tab. In the Select Cluster Scheduler area, select Volcano scheduler, find the expert mode, and click Try Now.

    • Using resource_exporter:
      ...
@@ -1112,7 +1112,7 @@ workload_balancer_third_party_types: ''

      v1.23

      v1.25

      -
    + + + + + + +
    Table 1 Recommended requested resources and resource limits for volcano-admission

    Cluster Scale

    CPU Request(m)

    +

    CPU Request (m)

    vCPU Limit (m)
    • Fixed the issue that the counting pipeline pod of the networkresource add-on occupies supplementary network interfaces (sub-ENIs).
    • Fixed the issue where the binpack add-on scores nodes with insufficient resources.
    • Fixed the issue of processing resources in the pod with unknown end status.
    • Optimized event output.
    • Supported HA deployment by default.
    +
    • Fixed the issue that the counting pipeline pod of the networkresource add-on occupies supplementary network interfaces.
    • Fixed the issue where the binpack add-on scores nodes with insufficient resources.
    • Fixed the issue of processing resources in the pod with unknown end status.
    • Optimized event output.
    • Supported HA deployment by default.

    1.7.1

    diff --git a/docs/cce/umn/cce_10_0197.html b/docs/cce/umn/cce_10_0197.html index dbc2c24ea..f342966f0 100644 --- a/docs/cce/umn/cce_10_0197.html +++ b/docs/cce/umn/cce_10_0197.html @@ -123,6 +123,20 @@

    This function is gradually replaced by EVS snapshot backup.

    EVS snapshot backup

    +

    Master node disks, including component images, configurations, logs, and etcd data

    +

    One-click backup on a web page (manually triggered)

    +

    1-5 minutes

    +

    20 minutes

    +

    This function is coming soon.

    +

    After this function is released, it will replace CBR cloud server backup.

    +
    diff --git a/docs/cce/umn/cce_10_0198.html b/docs/cce/umn/cce_10_0198.html index 0549a8e06..c13e3a873 100644 --- a/docs/cce/umn/cce_10_0198.html +++ b/docs/cce/umn/cce_10_0198.html @@ -76,7 +76,7 @@

    Data Disk

    -
    • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
    • If System Component Storage is set to System Disk, you do not need to add a default data disk. In this case, all data disks are common ones: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB. This function is available for clusters of v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, or later versions.
    +
    • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
    • If System Component Storage is set to System Disk, you do not need to add a default data disk. In this case, all data disks are common ones: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB. This function is available for clusters of v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, or later versions.

    Click Expand to configure Data Disk Space Allocation. This allocates space for container engines, images, and ephemeral storage to ensure their proper running. For details about how to allocate data disk space, see Space Allocation of a Data Disk.

    For other data disks, a raw disk is created without any processing by default. You can also click Expand and select Mount Disk to mount the data disk to a specified directory. Data disks can also be used as local PVs or local EVs.

    diff --git a/docs/cce/umn/cce_10_0249.html b/docs/cce/umn/cce_10_0249.html index 4aac614f8..17b0de3b4 100644 --- a/docs/cce/umn/cce_10_0249.html +++ b/docs/cce/umn/cce_10_0249.html @@ -1,13 +1,13 @@

    Overview

    -

    Direct Access to a Pod

    After a pod is created, the following problems may occur if you directly access the pod:

    -
    • The pod can be deleted and recreated at any time by a controller such as a Deployment, and the result of accessing the pod becomes unpredictable.
    • The IP address of the pod is allocated only after the pod is started. Before the pod is started, the IP address of the pod is unknown.
    • An application is usually composed of multiple pods that run the same image. Accessing pods one by one is not efficient.
    -

    For example, an application uses Deployments to create the frontend and backend. The frontend calls the backend for computing, as shown in Figure 1. Three pods are running in the backend, which are independent and replaceable. When a backend pod is re-created, the new pod is assigned with a new IP address, of which the frontend pod is unaware.

    +

    Direct Access to a Pod

    After a pod is created, accessing it directly can result in certain problems:

    +
    • The pod can be deleted and recreated at any time by a controller such as a Deployment. If the pod is recreated, access to it may fail.
    • An IP address cannot be assigned to a pod until the pod is started. Before the pod is started, its IP address is unknown.
    • Applications usually run on multiple pods that use the same image. Accessing pods one by one is not efficient.
    +

    For example, Deployments are used to deploy the frontend and backend of an application. The frontend calls the backend for computing, as shown in Figure 1. Three pods are running in the backend, and they are independent and replaceable. When a backend pod is recreated, the new pod is assigned a new IP address, but the frontend pod is unaware of this change.

    Figure 1 Inter-pod access
    -

    Using Services for Pod Access

    Kubernetes Services are used to solve the preceding pod access problems. A Service has a fixed IP address. (When a CCE cluster is created, a Service CIDR block is set, which is used to allocate IP addresses to Services.) A Service forwards requests accessing the Service to pods based on labels, and at the same time, perform load balancing for these pods.

    -

    In the preceding example, a Service is added for the frontend pod to access the backend pods. In this way, the frontend pod does not need to be aware of the changes on backend pods, as shown in Figure 2.

    +

    Using Services for Pod Access

    Kubernetes Services are used to solve the preceding pod access problems. A Service has a fixed IP address. (When you create a CCE cluster, you need to specify a Service CIDR block, which is used to allocate IP addresses to Services.) A Service distributes requests across pods based on labels and balances the loads for these pods.

    +

    In the preceding example, a Service is created for the frontend pod to access the backend pods. In this way, the frontend pod does not need to be aware of the changes on backend pods, as shown in Figure 2.

    Figure 2 Accessing pods through a Service

    Service Types

    Kubernetes allows you to specify a Service of a required type. The values and actions of different types of Services are as follows:

    diff --git a/docs/cce/umn/cce_10_0251.html b/docs/cce/umn/cce_10_0251.html index ed0a77a71..44722b38d 100644 --- a/docs/cce/umn/cce_10_0251.html +++ b/docs/cce/umn/cce_10_0251.html @@ -39,7 +39,7 @@
  14. SNI: stands for Server Name Indication (SNI), which is an extended protocol of TLS. SNI allows multiple TLS-compliant domain names for external access using the same IP address and port number, and different domain names can use different security certificates. After SNI is enabled, the client is allowed to submit the requested domain name when initiating a TLS handshake request. After receiving the TLS request, the load balancer searches for the certificate based on the domain name in the request. If the certificate corresponding to the domain name is found, the load balancer returns the certificate for authorization. Otherwise, the default certificate (server certificate) is returned for authorization.
    • The SNI option is available only when HTTPS is used.
    • This function is supported only in clusters of v1.15.11 or later.
    • Only one domain name can be specified for each SNI certificate. Wildcard-domain certificates are supported.
    • For ingresses connected to the same ELB port, do not configure SNIs with the same domain name but different certificates. Otherwise, the SNIs will be overwritten.
    -
  15. Security Policy: combinations of different TLS versions and supported cipher suites available to HTTPS listeners.

    For details about security policies, see Elastic Load Balance User Guide.

    +
  16. Security Policy: combinations of different TLS versions and supported cipher suites available to HTTPS listeners.

    For details about security policies, see Elastic Load Balance User Guide.

    • Security Policy is available only when HTTPS is selected.
    • This function is supported only in clusters of v1.17.9 or later.
  17. Backend Protocol:

    When the listener is HTTP-compliant, only HTTP can be selected.

    diff --git a/docs/cce/umn/cce_10_0252.html b/docs/cce/umn/cce_10_0252.html index e675a430a..ab4068f2b 100644 --- a/docs/cce/umn/cce_10_0252.html +++ b/docs/cce/umn/cce_10_0252.html @@ -3,7 +3,7 @@

    Creating a LoadBalancer Ingress Using kubectl

    This section uses an Nginx workload as an example to describe how to create a LoadBalancer ingress using kubectl.

    -

    Ingress API Version Upgrade in CCE Clusters v1.23

    In CCE clusters of v1.23 or later, the ingress version is switched to networking.k8s.io/v1.

    +

    Ingress API Version Upgrade in CCE Clusters v1.23

    In CCE clusters of v1.23 or later, the ingress version is switched to networking.k8s.io/v1.

    Compared with v1beta1, v1 has the following differences in parameters:

    • The ingress type is specified by spec.ingressClassName instead of kubernetes.io/ingress.class in annotations.
    • The format of backend has changed.
    • The pathType parameter must be specified for each path. The options are as follows:
      • ImplementationSpecific: The matching method depends on Ingress Controller. The matching method defined by ingress.beta.kubernetes.io/url-match-mode is used in CCE, which is the same as v1beta1.
      • Exact: exact matching of the URL, which is case-sensitive.
      • Prefix: matching based on the URL prefix separated by a slash (/). The match is case-sensitive, and elements in the path are matched one by one. A path element refers to a list of labels in the path separated by a slash (/).
    diff --git a/docs/cce/umn/cce_10_0296.html b/docs/cce/umn/cce_10_0296.html index 940cc4d2b..b564a506a 100644 --- a/docs/cce/umn/cce_10_0296.html +++ b/docs/cce/umn/cce_10_0296.html @@ -67,7 +67,7 @@

    A combined policy. The priorities for the policies are as follows: priority > least-waste > random.

    It is an enhanced least-waste policy configured based on the node pool or scaling group priority. If multiple node pools meet the condition, the least-waste policy is used for further decision-making.

    -

    This policy allows you to configure the priorities of node pools or scaling groups through the console or API, while the least-waste policy can effectively minimize resource waste in various scenarios. The priority policy is used as the default preferred policy thanks to its good universality.

    +

    This policy allows you to configure the priorities of node pools or scaling groups through the console or API, while the least-waste policy can effectively minimize resource waste in various scenarios. The priority policy is used as the default preferred policy thanks to its good universality.

    Assume that auto scaling is enabled for node pools 1 and 2 in the cluster and the scale-out upper limit is not reached. The policy for scaling out the number of pods for a workload is as follows:

    1. Pending pods trigger the Autoscaler to determine the scale-out process.
    2. Autoscaler simulates the scheduling phase and evaluates that some pending pods can be scheduled to the added nodes in both node pools 1 and 2.
    3. Autoscaler evaluates that node pool 1 has a higher priority than node pool 2. Therefore, Autoscaler selects node pool 1 for scale-out.
    diff --git a/docs/cce/umn/cce_10_0302.html b/docs/cce/umn/cce_10_0302.html index 6007d37f1..c5e1c1982 100644 --- a/docs/cce/umn/cce_10_0302.html +++ b/docs/cce/umn/cce_10_0302.html @@ -580,6 +580,20 @@

    This function is gradually replaced by EVS snapshot backup.

    +

    EVS snapshot backup

    + +

    Master node disks, including component images, configurations, logs, and etcd data

    + +

    One-click backup on a web page (manually triggered)

    + +

    1-5 minutes

    + +

    20 minutes

    + +

    This function is coming soon.

    +

    After this function is released, it will replace CBR cloud server backup.

    + +
    diff --git a/docs/cce/umn/cce_10_0363.html b/docs/cce/umn/cce_10_0363.html index 06defce5e..ffce1b481 100644 --- a/docs/cce/umn/cce_10_0363.html +++ b/docs/cce/umn/cce_10_0363.html @@ -94,7 +94,7 @@

    Data Disk

    -
    • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
      • Default data disk: used for container runtime and kubelet components. The disk size ranges from 20 GiB to 32768 GiB. The default value is 100 GiB.
      • Other common data disks: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB.
      +
      • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
        • Default data disk: used for container runtime and kubelet components. The disk size ranges from 20 GiB to 32768 GiB. The default value is 100 GiB.
        • Other common data disks: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB.
      • If System Component Storage is set to System Disk, you do not need to add a default data disk. In this case, all data disks are common ones: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB. This function is available for clusters of v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, or later versions.
      NOTE:
      • If the node flavor is disk-intensive or ultra-high I/O, one data disk can be a local disk.
      • Local disks may break down and do not ensure data reliability. Store your service data in EVS disks, which are more reliable than local disks.
      diff --git a/docs/cce/umn/cce_10_0364.html b/docs/cce/umn/cce_10_0364.html index aafd667b0..b60207d2a 100644 --- a/docs/cce/umn/cce_10_0364.html +++ b/docs/cce/umn/cce_10_0364.html @@ -2,7 +2,7 @@

      Creating an Nginx Ingress Using kubectl

      This section uses an Nginx workload as an example to describe how to create an Nginx ingress using kubectl.

      -

      Ingress API Version Upgrade in CCE Clusters v1.23

      In CCE clusters of v1.23 or later, the ingress version is switched to networking.k8s.io/v1.

      +

      Ingress API Version Upgrade in CCE Clusters v1.23

      In CCE clusters of v1.23 or later, the ingress version is switched to networking.k8s.io/v1.

      Compared with v1beta1, v1 has the following differences in parameters:

      • The ingress type is specified by spec.ingressClassName instead of kubernetes.io/ingress.class in annotations.
      • The format of backend has changed.
      • The pathType parameter must be specified for each path. The options are as follows:
        • ImplementationSpecific: The matching method depends on Ingress Controller. The matching method defined by ingress.beta.kubernetes.io/url-match-mode is used in CCE, which is the same as v1beta1.
        • Exact: exact matching of the URL, which is case-sensitive.
        • Prefix: matching based on the URL prefix separated by a slash (/). The match is case-sensitive, and elements in the path are matched one by one. A path element refers to a list of labels in the path separated by a slash (/).
      diff --git a/docs/cce/umn/cce_10_0380.html b/docs/cce/umn/cce_10_0380.html index ef4a771e1..f1d8b6160 100644 --- a/docs/cce/umn/cce_10_0380.html +++ b/docs/cce/umn/cce_10_0380.html @@ -123,7 +123,7 @@ metadata:

      Yes

      -

      Driver type. If an EVS disk is used, the parameter value is fixed at disk.csi.everest.io.

      +

      Driver type. If an EVS disk is used, the parameter value is fixed at disk.csi.everest.io.

      EVS

      @@ -132,8 +132,8 @@ metadata:

      Yes

      -

      If an EVS disk is used, the parameter value can be ext4 or xfs.

      -
      The restrictions on using xfs are as follows:
      • The nodes must run CentOS 7, HCE OS 2.0, or Ubuntu 22.04, and the Everest version in the cluster must be 2.3.2 or later.
      • Only common containers are supported.
      +

      If an EVS disk is used, the parameter value can be ext4 or xfs.

      +
      The restrictions on using xfs are as follows:
      • The nodes must run CentOS 7, HCE OS 2.0, or Ubuntu 22.04, and the Everest version in the cluster must be 2.3.2 or later.
      • Only common containers are supported.
      @@ -153,7 +153,7 @@ metadata:

      Yes

      -

      The parameter value is fixed at true, which indicates that the EVS device type is SCSI. No other parameter values are allowed.

      +

      The parameter value is fixed at true, which indicates that the EVS device type is SCSI. No other parameter values are allowed.

      SFS

      diff --git a/docs/cce/umn/cce_10_0382.html b/docs/cce/umn/cce_10_0382.html index 06c72f705..d528bee70 100644 --- a/docs/cce/umn/cce_10_0382.html +++ b/docs/cce/umn/cce_10_0382.html @@ -70,7 +70,7 @@
      -
      • CCE DataPlane V2 is released with restrictions. To use this feature, submit a service ticket to CCE.
      • After DataPlane V2 network acceleration is enabled, pods on HCE OS 2.0 use Earliest Departure Time (EDT) to limit the egress bandwidth. The ingress bandwidth limitation is not supported. In other network modes, a Token Bucket Filter (TBF) qdisc is used to limit the bandwidth.
      • Pod bandwidth limitation applies to regular containers (runC as the container runtime), not secure containers (Kata Containers as the container runtime).
      • Pod bandwidth limitation does not apply to hostNetwork pods.
      +
      • CCE DataPlane V2 is released with restrictions. To use this feature, submit a service ticket to CCE.
      • After DataPlane V2 network acceleration is enabled, pods on the nodes running HCE OS 2.0 use EDT to limit the egress bandwidth. The ingress bandwidth limitation is not supported. In other network modes, a Token Bucket Filter (TBF) qdisc is used to limit the bandwidth.
      • Pod bandwidth limitation applies to regular containers (runC as the container runtime), not secure containers (Kata Containers as the container runtime).
      • Pod bandwidth limitation does not apply to hostNetwork pods.

      Using the CCE Console

      When creating a workload on the console, you can set pod ingress and egress bandwidth limits by clicking Network Configuration in the Advanced Settings area.

      diff --git a/docs/cce/umn/cce_10_0384.html b/docs/cce/umn/cce_10_0384.html index ff32ba7c6..74923d722 100644 --- a/docs/cce/umn/cce_10_0384.html +++ b/docs/cce/umn/cce_10_0384.html @@ -74,7 +74,7 @@

      Compatible kubelet Oversubscription

      Specifications
      • Cluster version
        • v1.19: v1.19.16-r4 or later
        • v1.21: v1.21.7-r0 or later
        • v1.23: v1.23.5-r0 or later
        • v1.25 or later
      • Cluster type: CCE standard or Turbo
      • Node OS: EulerOS 2.9 (kernel-4.18.0-147.5.1.6.h729.6.eulerosv2r9.x86_64) or HCE OS 2.0
      • Node type: ECS
      • Volcano version: 1.7.0 or later
      -
      Constraints
      • Before enabling oversubscription, ensure that the overcommit add-on is not enabled on Volcano.
      • Modifying the label of an oversubscribed node does not affect the running pods.
      • Running pods cannot be converted between online and offline services. To convert services, rebuild pods.
      • If the label volcano.sh/oversubscription=true is configured for a node in the cluster, the oversubscription configuration must be added to the Volcano add-on. Otherwise, the scheduling of oversold nodes will be abnormal. Ensure that you have correctly configure labels because the scheduler does not check the add-on and node configurations. For details, see Table 1.
      • To disable oversubscription, perform the following operations:
        • Remove the volcano.sh/oversubscription label from the oversubscribed node.
        • Set over-subscription-resource to false.
        • Modify the configmap of Volcano Scheduler named volcano-scheduler-configmap and remove the oversubscription add-on.
        +
        Constraints
        • Before enabling oversubscription, ensure that the overcommit add-on is not enabled on Volcano.
        • Modifying the label of an oversubscribed node does not affect the running pods.
        • Running pods cannot be converted between online and offline services. To convert services, rebuild pods.
        • If the label volcano.sh/oversubscription=true is configured for a node in the cluster, the oversubscription configuration must be added to the Volcano add-on. Otherwise, the scheduling of oversold nodes will be abnormal. Ensure that you have correctly configure labels because the scheduler does not check the add-on and node configurations. For details, see Table 1.
        • To disable oversubscription, perform the following operations:
          • Remove the volcano.sh/oversubscription label from the oversubscribed node.
          • Modify the configmap of Volcano Scheduler named volcano-scheduler-configmap and remove the oversubscription add-on.
        • If you have set cpu-manager-policy to statically bind CPU cores on a node, do not assign the QoS class of Guaranteed to offline pods. This is because offline pods may occupy the CPUs of online pods, leading to an online pod startup failure and offline pods failing to start even though they have been successfully scheduled. To prevent this, switch the pods to online pods if CPU core binding is required.
        • If cpu-manager-policy is set to static CPU core binding on a node, do not bind CPU cores to all online pods. This is because doing so can cause online pods to occupy all available CPU or memory resources, leaving only a small number of oversubscribed resources.
      @@ -145,8 +145,6 @@ data: - name: cce-gpu ...
      -

    • Enable node oversubscription.

      A label can be configured to use oversubscribed resources only after the oversubscription feature is enabled for a node. Related nodes can be created only in a node pool. To enable the oversubscription feature, perform the following steps:

      -
      1. Create a node pool.
      2. Choose Manage in the Operation column of the created node pool.
      3. On the Manage Components page, enable Node oversubscription feature (over-subscription-resource) and click OK.

    • Set the node oversubscription label.

      The volcano.sh/oversubscription label needs to be configured for an oversubscribed node. If this label is set for a node and the value is true, the node is an oversubscribed node. Otherwise, the node is not an oversubscribed node.

      kubectl label node 192.168.0.0 volcano.sh/oversubscription=true

      An oversubscribed node also supports the oversubscription thresholds, as listed in Table 2. For example:

      @@ -160,39 +158,39 @@ Labels: ... Annotations: ... volcano.sh/evicting-cpu-high-watermark: 70 -
      Table 2 Node oversubscription annotations

      Parameter

      +
      - - - - - - - - - - - @@ -219,7 +217,7 @@ preemptionPolicy: PreemptLowerPriority value: -90000 EOF -

    • Deploy online and offline jobs and configure PriorityClasses for these jobs.

      The volcano.sh/qos-level annotation needs to be added to distinguish offline jobs. The value is an integer ranging from -7 to 7. If the value is less than 0, the job is an offline job. If the value is greater than or equal to 0, the job is an online job. You do not need to set this annotation for online jobs. For both online and offline jobs, set schedulerName to volcano to enable Volcano.

      +

    • Deploy online and offline jobs and configure PriorityClasses for these jobs.

      The volcano.sh/qos-level annotation needs to be added to distinguish offline jobs. The value is an integer ranging from -7 to 7. If the value is less than 0, the job is an offline job. If the value is greater than or equal to 0, the job is an online job. You do not need to set this annotation for online jobs. For both online and offline jobs, set schedulerName to volcano to enable Volcano.

      The priorities between online jobs and between offline jobs are not differentiated, and the value validity is not verified. If the value of volcano.sh/qos-level of an offline job is not a negative integer ranging from -7 to 0, the job is processed as an online job.

      For an offline job:

      diff --git a/docs/cce/umn/cce_10_0385.html b/docs/cce/umn/cce_10_0385.html index 0ef815f0e..7905d98be 100644 --- a/docs/cce/umn/cce_10_0385.html +++ b/docs/cce/umn/cce_10_0385.html @@ -511,7 +511,7 @@ spec:
      • diff --git a/docs/cce/umn/cce_10_0405.html b/docs/cce/umn/cce_10_0405.html index dce4dd3ff..67807fe6b 100644 --- a/docs/cce/umn/cce_10_0405.html +++ b/docs/cce/umn/cce_10_0405.html @@ -2,13 +2,13 @@

      Patch Version Release Notes

      Version 1.31

      -
      Table 2 Node oversubscription annotations

      Parameter

      Description

      +

      Description

      volcano.sh/evicting-cpu-high-watermark

      +

      volcano.sh/evicting-cpu-high-watermark

      Upper limit for CPU usage. When the CPU usage of a node exceeds the specified value, offline job eviction is triggered and the node becomes unschedulable.

      +

      Upper limit for CPU usage. When the CPU usage of a node exceeds the specified value, offline job eviction is triggered and the node becomes unschedulable.

      The default value is 80, indicating that offline job eviction is triggered when the CPU usage of a node exceeds 80%.

      volcano.sh/evicting-cpu-low-watermark

      +

      volcano.sh/evicting-cpu-low-watermark

      Lower limit for CPU usage. When the CPU usage of a node is higher than the upper limit, offline jobs will be evicted. The node accepts the offline jobs again only when the CPU usage of the node is lower than the lower limit.

      +

      Lower limit for CPU usage. When the CPU usage of a node is higher than the upper limit, offline jobs will be evicted. The node accepts the offline jobs again only when the CPU usage of the node is lower than the lower limit.

      The default value is 30, indicating that offline jobs are accepted again when the CPU usage of a node is lower than 30%.

      volcano.sh/evicting-memory-high-watermark

      +

      volcano.sh/evicting-memory-high-watermark

      Upper limit for memory usage. When the memory usage of a node exceeds the specified value, offline job eviction is triggered and the node becomes unschedulable.

      +

      Upper limit for memory usage. When the memory usage of a node exceeds the specified value, offline job eviction is triggered and the node becomes unschedulable.

      The default value is 60, indicating that offline job eviction is triggered when the memory usage of a node exceeds 60%.

      volcano.sh/evicting-memory-low-watermark

      +

      volcano.sh/evicting-memory-low-watermark

      Lower limit for memory usage. When the memory usage of a node is higher than the upper limit, offline jobs will be evicted. The node accepts the offline jobs again only when the memory usage of the node is lower than the lower limit.

      +

      Lower limit for memory usage. When the memory usage of a node is higher than the upper limit, offline jobs will be evicted. The node accepts the offline jobs again only when the memory usage of the node is lower than the lower limit.

      The default value is 30, indicating that offline jobs are accepted again when the memory usage of a node is lower than 30%.

      volcano.sh/oversubscription-types

      +

      volcano.sh/oversubscription-types

      Oversubscribed resource type. Options:

      +

      Oversubscribed resource type. Options:

      • cpu: oversubscribed CPU
      • memory: oversubscribed memory
      • cpu,memory: oversubscribed CPU and memory

      The default value is cpu,memory.

      If the pod uses hostNetwork, the ELB forwards the request to the host network after this annotation is used.

      Options:

      -
      • true: enabled
      • false (default): disabled
      +
      • true: enabled
      • false (default): disabled

      v1.9 or later
      Table 1 Release notes for the v1.31 patch

      CCE Cluster Patch Version

      +
      - - - @@ -18,7 +18,7 @@ - @@ -42,15 +42,15 @@

      Version 1.30

      -
      Table 1 Release notes for the v1.31 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      v1.31.4

      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • ELB ingresses allow you to specify backend server groups for forwarding.
      +
      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • LoadBalancer ingresses allow you to specify backend server groups for forwarding.

      -
      Table 2 Release notes for the v1.30 patch

      CCE Cluster Patch Version

      +
      - - - - @@ -58,7 +58,7 @@ - @@ -104,13 +104,13 @@

      Version 1.29

      -
      Table 2 Release notes for the v1.30 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      +

      Vulnerability Fixing

      v1.30.6

      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • ELB ingresses allow you to specify backend server groups for forwarding.
      +
      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • LoadBalancer ingresses allow you to specify backend server groups for forwarding.

      -
      Table 3 Release notes for the v1.29 patch

      CCE Cluster Patch Version

      +
      - - - @@ -120,7 +120,7 @@ - @@ -165,13 +165,13 @@

      Version 1.28

      -
      Table 3 Release notes for the v1.29 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      v1.29.10

      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • ELB ingresses allow you to specify backend server groups for forwarding.
      +
      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • LoadBalancer ingresses allow you to specify backend server groups for forwarding.

      -
      Table 4 Release notes for the v1.28 patch

      CCE Cluster Patch Version

      +
      - - - @@ -181,7 +181,7 @@ - @@ -261,13 +261,13 @@

      Version 1.27

      -
      Table 4 Release notes for the v1.28 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      v1.28.15

      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • ELB ingresses allow you to specify backend server groups for forwarding.
      +
      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • LoadBalancer ingresses allow you to specify backend server groups for forwarding.

      -
      Table 5 Release notes for the v1.27 patch

      CCE Cluster Patch Version

      +
      - - - @@ -277,7 +277,7 @@ - @@ -370,13 +370,13 @@

      Version 1.25

      In CCE clusters of v1.25, containerd is the default runtime for nodes, except for nodes running EulerOS 2.5. In addition, clusters of v1.25 or later no longer support EulerOS 2.5.

      -
      Table 5 Release notes for the v1.27 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      v1.27.16

      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • ELB ingresses allow you to specify backend server groups for forwarding.
      +
      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • LoadBalancer ingresses allow you to specify backend server groups for forwarding.

      -

      Table 6 Release notes for the v1.25 patch

      CCE Cluster Patch Version

      +
      - - - @@ -386,7 +386,7 @@ - @@ -509,13 +509,13 @@

      Version 1.23

      -
      Table 6 Release notes for the v1.25 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      v1.25.16

      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • ELB ingresses allow you to specify backend server groups for forwarding.
      +
      • Nodes added during a node pool scale-out can be automatically bound with EIPs.
      • LoadBalancer ingresses allow you to specify backend server groups for forwarding.

      -
      Table 7 Release notes for the v1.23 patch

      CCE Cluster Patch Version

      +
      - - - @@ -660,13 +660,13 @@

      Version 1.21

      -
      Table 7 Release notes for the v1.23 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing
      Table 8 Release notes for the v1.21 patch

      CCE Cluster Patch Version

      +
      - - - @@ -777,13 +777,13 @@

      Version 1.19

      -
      Table 8 Release notes for the v1.21 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing
      Table 9 Release notes for the v1.19 patch

      CCE Cluster Patch Version

      +
      - - - diff --git a/docs/cce/umn/cce_10_0425.html b/docs/cce/umn/cce_10_0425.html index 408e47306..491066a46 100644 --- a/docs/cce/umn/cce_10_0425.html +++ b/docs/cce/umn/cce_10_0425.html @@ -156,7 +156,7 @@

    • Enable the numa-aware add-on and the resource_exporter function.

      Volcano 1.7.1 or later

      1. Log in to the CCE console and click the cluster name to access the cluster console. Choose Add-ons in the navigation pane, locate Volcano Scheduler on the right, and click Edit.
      2. In the Extended Functions area, enable NUMA Topology Scheduling and click OK.
      -
      Volcano earlier than 1.7.1
      1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Settings and click the Scheduling tab. Select Volcano scheduler, find the expert mode, and click Try Now.

        +
        Volcano earlier than 1.7.1
        1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Settings and click the Scheduling tab. Select Volcano scheduler, find the expert mode, and click Try Now.

        2. Enable resource_exporter_enable to collect node NUMA information. The following is an example in JSON format:
          {
    "plugins": {
       "eas_service": {
diff --git a/docs/cce/umn/cce_10_0497.html b/docs/cce/umn/cce_10_0497.html
index c4a073480..4bfd40d4c 100644
--- a/docs/cce/umn/cce_10_0497.html
+++ b/docs/cce/umn/cce_10_0497.html
@@ -7,7 +7,7 @@
 
          1. Log in to the ELB console, choose Elastic Load Balance > Certificates, locate the certificate, and find the secret_id in the certificate description.
            The secret_id is the metadata.uid of the secret in the cluster. Use this UID to obtain the secret name in the cluster.
            
 
            Run the following kubectl command to obtain the secret name (replace <secret_id> with the actual value):
            kubectl get secret --all-namespaces -o jsonpath='{range .items[*]}{"uid:"}{.metadata.uid}{" namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{"\n"}{end}' | grep <secret_id>
            
 
            
-
          2. Only clusters of v1.19.16-r2, v1.21.5-r0, v1.23.3-r0, and later versions support certificates required by load balancers. For clusters of the earlier versions, see Solution 1. For clusters of other versions, see Solution 2.
            • Solution 1: Replace the certificate used by an ingress with the one used by the load balancer. Then, you can create or edit the certificate on the ELB console.
              1. Log in to the CCE console and click the cluster name to access the cluster console. Choose Services & Ingresses in the navigation pane, click the Ingresses tab, locate the row containing the ingress that uses the certificate, and choose More > Update in the Operation column. If multiple ingresses are using this certificate, update the certificate for all of these ingresses. To check which ingresses are using a certificate, use the secretName parameter in spec.tls of the ingress YAML files.
                Run the following kubectl command to obtain the ingresses using a certificate (replace <secret_name> with the actual value):
                
+
              2. Only clusters of v1.19.16-r2, v1.21.5-r0, v1.23.3-r0, and later versions support certificates required by load balancers. For clusters of the earlier versions, see Solution 1. For clusters of other versions, see Solution 2.
                • Solution 1: Replace the certificate used by an ingress with the one used by the load balancer. Then, you can create or edit the certificate on the ELB console.
                  1. Log in to the CCE console and click the cluster name to access the cluster console. Choose Services & Ingresses in the navigation pane, click the Ingresses tab, locate the row containing the ingress that uses the certificate, and choose More > Update in the Operation column. If multiple ingresses are using this certificate, update the certificate for all of these ingresses. To check which ingresses are using a certificate, use the secretName parameter in spec.tls of the ingress YAML files.
                    Run the following kubectl command to obtain the ingresses using a certificate (replace <secret_name> with the actual value):
                    
 
                    kubectl get ingress --all-namespaces -o jsonpath='{range .items[*]}{"namespace:"}{.metadata.namespace}{" name:"}{.metadata.name}{" tls:"}{.spec.tls[*]}{"\n"}{end}' | grep <secret_name>
                    
 
                  2. When configuring a listener, select ELB server certificate for Certificate Source and click OK. In this way, the certificate can be created or edited on the ELB console.
                  3. On the ConfigMaps and Secrets page, delete the target secret. Before the deletion, back up data.
                  
 
                • Solution 2: Overwrite the certificate used by an ingress with the corresponding secret resource of the cluster to prevent the certificate being updated on the ELB console during the cluster upgrade.
                  Log in to the CCE console and click the cluster name to access the cluster console. Choose ConfigMaps and Secrets from the navigation pane, click the Secrets tab, locate the row containing the target secret, click Update in the Operation column, and enter the certificate you are using.
                  
diff --git a/docs/cce/umn/cce_10_0552.html b/docs/cce/umn/cce_10_0552.html
index c30b481f1..259bcff4b 100644
--- a/docs/cce/umn/cce_10_0552.html
+++ b/docs/cce/umn/cce_10_0552.html
@@ -23,7 +23,7 @@ spec:
 
                  Notes and Constraints
                  To use this feature, the following conditions must be met:
                  
 
                  • The cluster version must be v1.23 or later.
                  • The node OS is HCE OS 2.0.
                  • The CPU management policy does not apply to ECS (PM) nodes in CCE Turbo clusters.
                  
 
                  
-
                  Procedure
                  1. Log in to the CCE console.
                  2. Click the cluster name to access the cluster console. Choose Nodes in the navigation pane. In the right pane, click the Node Pools tab.
                  3. Select a node pool whose OS is HCE OS 2.0 and choose Manage in the Operation column.
                  4. On the Manage Configurations page, change the cpu-manager-policy value to enhanced-static in the kubelet area.
                  5. Click OK.
                  
+
                  Procedure
                  1. Log in to the CCE console.
                  2. Click the cluster name to access the cluster console. Choose Nodes in the navigation pane. In the right pane, click the Node Pools tab.
                  3. Select a node pool whose OS is HCE OS 2.0 and choose Manage in the Operation column.
                  4. On the Manage Configurations page, change the cpu-manager-policy value to enhanced-static in the kubelet area.
                  5. Click OK.
                  
 
                  
 
                  Verification
                  Take a node with 8 vCPUs and 32 GiB of memory as an example. Deploy a workload whose CPU request is 1 and limit is 2 in the cluster beforehand.
                  
 
                  1. Log in to a node in the node pool and view the /var/lib/kubelet/cpu_manager_state output.
                    cat /var/lib/kubelet/cpu_manager_state
                    
diff --git a/docs/cce/umn/cce_10_0554.html b/docs/cce/umn/cce_10_0554.html
index 66190cdf4..8163668ab 100644
--- a/docs/cce/umn/cce_10_0554.html
+++ b/docs/cce/umn/cce_10_0554.html
@@ -2,7 +2,7 @@
 
 
                    Collecting Control Plane Component Logs
                    
 
                    CCE allows you to collect the logs of master nodes. On the Logging page, you can select one or more control plane components (kube-controller-manager, kube-apiserver, and kube-scheduler) whose logs need to be reported.
                    
-
                    Constraints
                    • The cluster version must be v1.21.7-r0 or later, v1.23.5-r0 or later, or 1.25.
                    • There is required LTS resource quota.
                    
+
                    Notes and Constraints
                    • The cluster version must be v1.21.7-r0 or later, v1.23.5-r0 or later, or 1.25.
                    • There is required LTS resource quota.
                    
 
                    
 
                    Control Plane Components
                    There are three control plane log types. Each log stream corresponds to a component of the Kubernetes control plane. To learn more about these components, see Kubernetes Components.
                    
 
@@ -44,7 +44,7 @@
 
                    
 
                    
 
                    Enabling Control Plane Logging
                    Enabling control plane logging during cluster creation
                    
-
                    1. Log in to the CCE console.
                    2. In the upper right corner, click Create Cluster. Then, configure the parameters and click Next: Select Add-on.
                    3. On the displayed page, select Cloud Native Log Collection and click Next: Add-on Configuration.
                    4. On the displayed page, select Control Plane Logs for Cloud Native Log Collection.
                      
+
                      1. Log in to the CCE console.
                      2. Click Create Cluster. Then, configure the parameters and click Next: Select Add-on.
                      3. On the displayed page, select Cloud Native Log Collection and click Next: Add-on Configuration.
                      4. On the displayed page, select Control Plane Logs for Cloud Native Log Collection.
                        
 
                      5. Click Next: Confirm configuration.
                      
 
                      Enabling control plane logging for an existing cluster
                      1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                      2. Click the Control Plane Logs tab and modify the settings in Logging Settings.
                        Figure 1 Modifying logging settings
                        
 
                      3. Determine whether to enable logging for each component. If yes, click .
                      
diff --git a/docs/cce/umn/cce_10_0555.html b/docs/cce/umn/cce_10_0555.html
index af3802b77..01d35c65b 100644
--- a/docs/cce/umn/cce_10_0555.html
+++ b/docs/cce/umn/cce_10_0555.html
@@ -5,7 +5,7 @@
 
                      Constraints
                      • Up to 100 log rules can be created for each cluster.
                      • The Cloud Native Log Collection add-on cannot collect .gz, .tar, and .zip logs and cannot access symbolic links of logs.
                      • If the node storage driver is Device Mapper, container file logs must be collected from the path where the data disk is attached to the node.
                      • If the container runtime is containerd, each stdout log cannot be in multiple lines. (This does not apply to the Cloud Native Log Collection add-on of version 1.3.0 or later.)
                      • If a volume is mounted to the directory of a service container, this add-on cannot collect data from the parent directory. In this case, you need to configure a complete data directory.
                      • If the lifetime of a container is less than 1 minute, logs cannot be collected in a timely manner. As a result, logs may be lost.
                      
 
                      
 
                      Enabling Logging on the Console
                      1. Enable logging.
                        Enabling logging during cluster creation
                        
-
                        1. Log in to the CCE console.
                        2. Click Create Cluster from the top menu.
                        3. Configure the parameters by referring to Creating a CCE Standard/Turbo Cluster. Then, click Next: Select Add-on in the lower right corner.
                        4. On the Select Add-on page, select Cloud Native Log Collection.
                        5. Click Next: Add-on Configuration in the lower right corner and select the required logs.
                          • Container logs: A log collection policy named default-stdout will be created, and stdout logs in all namespaces will be reported to LTS.
                          • Kubernetes events: A log collection policy named default-event will be created, and Kubernetes events in all namespaces will be reported to LTS.
                          
+
                          1. Log in to the CCE console.
                          2. Click Create Cluster from the top menu.
                          3. Configure the parameters by referring to Creating a CCE Standard/Turbo Cluster. Then, click Next: Select Add-on in the lower right corner.
                          4. On the Select Add-on page, select Cloud Native Log Collection.
                          5. Click Next: Add-on Configuration in the lower right corner and select the required logs.
                            • Container logs: A log collection policy named default-stdout will be created, and stdout logs in all namespaces will be reported to LTS.
                            • Kubernetes events: A log collection policy named default-event will be created, and Kubernetes events in all namespaces will be reported to LTS.
                            
 
                          6. Click Next: Confirm configuration in the lower right corner. On the displayed page, click Submit.
                          
 
                        6. View and configure log collection policies.
                          1. On the CCE console, click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                          2. Click View Log Collection Policies in the upper right corner.
                            
 
                            All log collection policies reported to LTS are displayed.
                            
@@ -23,9 +23,9 @@
      • - - @@ -34,9 +34,9 @@ - - -
      Table 9 Release notes for the v1.19 patch

      CCE Cluster Patch Version

      Kubernetes Version

      +

      Kubernetes Version

      Feature Updates

      +

      Feature Updates

      Optimization

      +

      Optimization

      Vulnerability Fixing

      Log Type

      Container standard output: used to collect container stdout logs. You can create a log collection policy by namespace, workload name, or instance label.

      +

      Container standard output: used to collect container stdout logs. You can create a log collection policy by namespace, workload name, or instance label.

      Container file log: used to collect text logs. You can specify a workload or instance label to create a log collection policy.

      +

      Container file log: used to collect text logs. You can specify a workload or instance label to create a log collection policy.

      Node file log: used to collect logs from a node. Only one file path can be configured for a log collection policy.

      Log Source

      • All containers: You can specify all containers in a namespace. If this parameter is not specified, logs of containers in all namespaces will be collected.
      • Workload: You can specify a workload and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      • Workload with target label: You can specify a workload by label and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      +
      • All containers: You can specify all containers in a namespace. If this parameter is not specified, logs of containers in all namespaces will be collected.
      • Workload: You can specify a workload and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      • Workload with target label: You can specify a workload by label and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      • Workload: You can specify a workload and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      • Workload with target label: You can specify a workload by label and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      +
      • Workload: You can specify a workload and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.
      • Workload with target label: You can specify a workload by label and its containers. If this parameter is not specified, logs of all containers running the workload will be collected.

      You also need to specify the log collection path. For details, see the log path configuration requirements.

      Collection Path: used to configure the log collection path. For details, see the log path configuration requirements.

      @@ -46,9 +46,9 @@

      Log Format

      • Single-line

        Each log contains only one line of text. The newline character \n denotes the start of a new log.

        -
      • Multi-line

        Some programs (for example, Java program) print a log that occupies multiple lines. By default, logs are collected by line. If you want to display logs as a single message, you can enable multi-line logging and use the regular pattern. When you select Multi-line, configure Log Matching Format.

        -

        For example, if logs need to be collected by line and each log starts with a date and occupies three lines, you can set Log Matching Format to the regular expression of the date, for example, \d{4}-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}.*.

        +
      • Single-line

        Each log contains only one line of text. The newline character \n denotes the start of a new log.

        +
      • Multi-line

        Some programs (for example, Java program) print a log that occupies multiple lines. By default, logs are collected by line. If you want to display logs as a single message, you can enable multi-line logging and use the regular pattern. When you select Multi-line, configure Log Matching Format.

        +

        For example, if logs need to be collected by line and each log starts with a date and occupies three lines, you can set Log Matching Format to the regular expression of the date, for example, \d{4}-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}.*.

        The three lines starting with the date are regarded as a log.
        2022-01-01 00:00:00 Exception in thread "main" java.lang.RuntimeException: Something has gone wrong, aborting!
 at com.myproject.module.MyProject.badMethod(MyProject.java:22)
 at com.myproject.module.MyProject.oneMoreMethod(MyProject.java:18)
        @@ -60,8 +60,8 @@ at com.myproject.module.MyProject.oneMoreMethod(MyProject.java:18)

      LTS Collection

      This parameter is used to configure the log group and log stream for log reporting.

      -
      • Centralized: The default log group (k8s-log-{Cluster ID}) and default log stream (stdout-{Cluster ID}) are automatically selected.
      • Custom: Select a log group and log stream from the drop-down list.
        • Log Group: A log group is the basic unit for LTS to manage logs. If you do not have a log group, CCE prompts you to create one. The default name is k8s-log-{Cluster ID}, for example, k8s-log-bb7eaa87-07dd-11ed-ab6c-0255ac1001b3.
        • Log Stream: A log stream is the basic unit for reading and writing logs. You can put different types of logs into different streams to ease management. When you install the add-on or create a log collection policy based on the policy template, the following log streams are automatically created:

          - stdout-{Cluster ID} for container logs, for example, stdout-bb7eaa87-07dd-11ed-ab6c-0255ac1001b3

          -

          - event-{Cluster ID} for Kubernetes events, for example, event-bb7eaa87-07dd-11ed-ab6c-0255ac1001b3

          +
          • Centralized: The default log group (k8s-log-{Cluster ID}) and default log stream (stdout-{Cluster ID}) are automatically selected.
          • Custom: Select a log group and log stream from the drop-down list.
            • Log Group: A log group is the basic unit for LTS to manage logs. If you do not have a log group, CCE prompts you to create one. The default name is k8s-log-{Cluster ID}, for example, k8s-log-bb7eaa87-07dd-11ed-ab6c-0255ac1001b3.
            • Log Stream: A log stream is the basic unit for reading and writing logs. You can put different types of logs into different streams to ease management. When you install the add-on or create a log collection policy based on the policy template, the following log streams are automatically created:

              - stdout-{Cluster ID} for container logs, for example, stdout-bb7eaa87-07dd-11ed-ab6c-0255ac1001b3

              +

              - event-{Cluster ID} for Kubernetes events, for example, event-bb7eaa87-07dd-11ed-ab6c-0255ac1001b3

          diff --git a/docs/cce/umn/cce_10_0557.html b/docs/cce/umn/cce_10_0557.html index 3099bf636..407350312 100644 --- a/docs/cce/umn/cce_10_0557.html +++ b/docs/cce/umn/cce_10_0557.html @@ -3,7 +3,7 @@

          Overview

          Kubernetes logs allow you to locate and rectify faults. This section describes how to manage Kubernetes logs using different methods.

          The following are Kubernetes log management methods:

          - +
          diff --git a/docs/cce/umn/cce_10_0613.html b/docs/cce/umn/cce_10_0613.html index 2176dde4c..fe8478301 100644 --- a/docs/cce/umn/cce_10_0613.html +++ b/docs/cce/umn/cce_10_0613.html @@ -2,125 +2,127 @@

          Overview

          To achieve persistent storage, CCE allows you to mount the storage volumes created from Elastic Volume Service (EVS) disks to a path of a container. When the container is migrated within an AZ, the mounted EVS volumes are also migrated. By using EVS volumes, you can mount the remote file directory of a storage system to a container so that data in the data volume is permanently preserved. Even if the container is deleted, the data in the data volume is still stored in the storage system.

          +

          Common I/O disks are the previous-generation product and cannot be created.

          +

          EVS Disk Performance Specifications

          EVS performance metrics include:

          • IOPS: the number of input/output operations performed by an EVS disk per second
          • Throughput: the amount of data read from and written into an EVS disk per second
          • I/O latency: the minimum interval between two consecutive I/O operations on an EVS disk
          -
          - diff --git a/docs/cce/umn/cce_bestpractice_00227.html b/docs/cce/umn/cce_bestpractice_00227.html index 4f6d021a0..58e138418 100644 --- a/docs/cce/umn/cce_bestpractice_00227.html +++ b/docs/cce/umn/cce_bestpractice_00227.html @@ -3,7 +3,7 @@

          Modifying Kernel Parameters Using a Privileged Container

          Prerequisites

          To access a Kubernetes cluster from a client, you can use the Kubernetes command line tool kubectl.

          -

          Procedure

          1. Create a DaemonSet in the background, select the Nginx image, enable the Privileged Container, configure the lifecycle, and add the hostNetwork field (value: true).

            1. Create a daemonSet file.

              vi daemonSet.yaml

              +

              Procedure

              1. Create a DaemonSet on the backend, select the Nginx image, enable the privileged container, configure the lifecycle, and specify hostNetwork: true.

                1. Create a DaemonSet file.
                  vi daemonset.yaml

                  An example YAML file is provided as follows:

                  The spec.spec.containers.lifecycle field indicates the command that will be run after the container is started.

                  @@ -43,23 +43,24 @@ spec: privileged: true imagePullSecrets: - name: default-secret -
                2. Create a DaemonSet.

                  kubectl create –f daemonSet.yaml

                  +
                3. Create the DaemonSet.
                  kubectl create –f daemonSet.yaml
                -

              2. Check whether the DaemonSet is successfully created.

                kubectl get daemonset DaemonSet name

                +

              3. Check whether the DaemonSet has been created.

                kubectl get daemonset {daemonset_name}

                In this example, run the following command:

                -

                kubectl get daemonset daemonset-test

                +
                kubectl get daemonset daemonset-test

                Information similar to the following is displayed:

                NAME               DESIRED    CURRENT   READY    UP-T0-DATE    AVAILABLE     NODE SELECTOR   AGE
 daemonset-test     2          2         2        2             2             <node>          2h
                -

              4. Query the container ID of DaemonSet on the node.

                docker ps -a|grep DaemonSet name

                +

              5. Obtain the IDs of the DaemonSet pods on the nodes.

                kubectl get pod | grep {daemonset_name}

                In this example, run the following command:

                -

                docker ps -a|grep daemonset-test

                +
                kubectl get pod | grep daemonset-test

                Information similar to the following is displayed:

                -
                897b99faa9ce        3e094d5696c1                           "/bin/sh  -c while..."     31 minutes ago     Up  30 minutes  ault_fa7cc313-4ac1-11e9-a716-fa163e0aalba_0
                -

              6. Access the container.

                docker exec -it containerid /bin/sh

                +
                daemonset-test-mqdpv               1/1     Running             0          2h
+daemonset-test-n56vm               1/1     Running             0          2h
                +

              7. Access the container.

                kubectl exec -it {pod_name} -- /bin/sh

                In this example, run the following command:

                -

                docker exec -it 897b99faa9ce /bin/sh

                -

              8. Check whether the configured command is executed after the container is started.

                sysctl -a |grep net.ipv4.tcp_tw_reuse

                +
                kubectl exec -it daemonset-test-mqdpv -- /bin/sh
                +

              9. Check whether the configured command is executed after the container is started.

                sysctl -a |grep net.ipv4.tcp_tw_reuse

                If the following information is displayed, the system parameters are modified successfully:

                net.ipv4.tcp_tw_reuse=1

              diff --git a/docs/cce/umn/cce_bestpractice_00228.html b/docs/cce/umn/cce_bestpractice_00228.html index 3a39d69db..fe3c91fb9 100644 --- a/docs/cce/umn/cce_bestpractice_00228.html +++ b/docs/cce/umn/cce_bestpractice_00228.html @@ -8,7 +8,7 @@
              • Scenario 1: Wait for other modules to be ready. For example, an application contains two containerized services: web server and database. The web server service needs to access the database service. However, when the application is started, the database service may have not been started. Therefore, web server may fail to access database. To solve this problem, you can use an init container in the pod where web server is running to check whether database is ready. The init container runs to completion only when database is accessible. Then, web server is started and initiates a formal access request to database.
              • Scenario 2: Initialize the configuration. For example, the init container can check all existing member nodes in the cluster and prepare the cluster configuration information for the application container. After the application container is started, it can be added to the cluster using the configuration information.
              • Other scenarios: For example, a pod is registered with a central database and application dependencies are downloaded.

              For details, see Init Containers.

              -

              Procedure

              1. Edit the YAML file of the init container workload.

                vi deployment.yaml

                +

                Procedure

                1. Edit the YAML file of the init container workload.

                  vi deployment.yaml

                  An example YAML file is provided as follows:

                  apiVersion: apps/v1
 kind: Deployment
@@ -44,10 +44,10 @@ spec:
         env:
         - name: MYSQL_ROOT_PASSWORD
           value: "mysql"
                  -

                2. Create an init container workload.

                  kubectl create -f deployment.yaml

                  +

                3. Create an init container workload.

                  kubectl create -f deployment.yaml

                  Information similar to the following is displayed:

                  deployment.apps/mysql created
                  -

                4. Query the created Docker container on the node where the workload is running.

                  docker ps -a|grep mysql

                  +

                5. Query the created Docker container on the node where the workload is running.

                  docker ps -a|grep mysql

                  The init container will exit after it runs to completion. The query result Exited (0) shows the exit status of the init container.

                diff --git a/docs/cce/umn/cce_bestpractice_00231.html b/docs/cce/umn/cce_bestpractice_00231.html index 4df5de4ba..fdc8b090e 100644 --- a/docs/cce/umn/cce_bestpractice_00231.html +++ b/docs/cce/umn/cce_bestpractice_00231.html @@ -39,7 +39,7 @@

                When creating a load balancer, configure sticky sessions by setting kubernetes.io/elb.lb-algorithm to ROUND_ROBIN or kubernetes.io/elb.lb-algorithm to LEAST_CONNECTIONS. If you set kubernetes.io/elb.lb-algorithm is to SOURCE_IP, source IP address-based sticky sessions are supported. In this case, you do not need to configure sticky sessions again.

                -

                Enabling Layer 4 Sticky Session in a CCE Standard Cluster

                In a CCE standard cluster, to enable source IP address-based sticky session for a Service, ensure the following conditions are met:
                1. Service Affinity of the Service must be set to Node-level, where the externalTrafficPolicy value of the Service must be Local.
                2. Anti-affinity has been enabled on the backend applications of the Service to prevent all pods from being deployed on the same node.
                +

                Enabling Layer 4 Sticky Session in a CCE Standard Cluster

                In a CCE standard cluster, to enable source IP address-based sticky session for a Service, ensure the following conditions are met:
                1. Service Affinity of the Service must be set to Node-level, where the externalTrafficPolicy value of the Service must be Local.
                2. Anti-affinity has been enabled on the backend applications of the Service to prevent all pods from being deployed on the same node.

                Procedure

                1. Create an Nginx workload.

                  Set the number of pods to 3 and configure podAntiAffinity.
                  kind: Deployment
@@ -105,7 +105,7 @@ spec:

          -

          Enabling Layer 4 Sticky Session in a CCE Turbo Cluster

          In a CCE Turbo cluster, enabling source IP address-based sticky session for a Service relies on the load balancer type.

          +

          Enabling Layer 4 Sticky Session in a CCE Turbo Cluster

          In a CCE Turbo cluster, enabling source IP address-based sticky session for a Service relies on the load balancer type.

          • When a dedicated load balancer is used, passthrough networking is allowed between the load balancer and pods, and pods function as the backend server group of the load balancer. Therefore, you do not need to configure Service affinity or application anti-affinity when enabling source IP address-based sticky session for the Service.
          • If a shared load balancer is used, sticky session cannot be enabled.

          Procedure

          • For dedicated load balancers
            The following shows an example YAML file for configuring source IP address-based sticky sessions for a Service that uses an existing load balancer:
            apiVersion: v1
@@ -135,7 +135,7 @@ spec:
          -

          Enabling Layer 7 Sticky Session in a CCE Standard Cluster

          To enable cookie-based sticky session on an ingress, ensure the following conditions are met:

          +

          Enabling Layer 7 Sticky Session in a CCE Standard Cluster

          To enable cookie-based sticky session on an ingress, ensure the following conditions are met:

          1. Service Affinity of the ingress must be set to Node-level, where the externalTrafficPolicy value of the Service must be Local.
          2. Anti-affinity must be enabled for the ingress workload to prevent all pods from being deployed on the same node.

          Procedure

          1. Create an Nginx workload.

            Set the number of pods to 3 and configure podAntiAffinity.
            kind: Deployment
@@ -248,7 +248,7 @@ spec:

          -

          Enabling Layer 7 Sticky Session in a CCE Turbo Cluster

          Enable cookie-based sticky session on the ingress.

          +

          Enabling Layer 7 Sticky Session in a CCE Turbo Cluster

          Enable cookie-based sticky session on the ingress.

          • When a dedicated load balancer is used, passthrough networking is allowed between the load balancer and pods, and pods function as the backend server group of the load balancer. Therefore, you do not need to configure Service affinity or application anti-affinity when enabling cookie-based sticky session for the ingress.
          • If a shared load balancer is used, sticky session cannot be enabled.

          Procedure

          • For dedicated load balancers
            1. Create a Service for the workload. In a CCE Turbo cluster, the ingresses that use a dedicated load balancer must interconnect with ClusterIP Services.
              Configure sticky sessions during the creation of a Service. An ingress can access multiple Services, and each Service can have different sticky sessions.
              apiVersion: v1
diff --git a/docs/cce/umn/cce_bestpractice_00281.html b/docs/cce/umn/cce_bestpractice_00281.html
index 5c5673a14..936c0812a 100644
--- a/docs/cce/umn/cce_bestpractice_00281.html
+++ b/docs/cce/umn/cce_bestpractice_00281.html
@@ -117,7 +117,7 @@ metadata:
          - - @@ -147,7 +147,7 @@ metadata: -
          Table 1 EVS disk performance specifications

          Parameter

          +
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/cce/umn/cce_10_0625.html b/docs/cce/umn/cce_10_0625.html index 0aab5cd86..20716b2df 100644 --- a/docs/cce/umn/cce_10_0625.html +++ b/docs/cce/umn/cce_10_0625.html @@ -291,7 +291,7 @@ spec:

          -

          Using Subdirectories of an Existing SFS Turbo File System Through kubectl

          1. Use kubectl to access the cluster.
          2. Create a PV.

            1. Create the pv-sfsturbo.yaml file.
              Example:
              apiVersion: v1
+
              Using Subdirectories of an Existing SFS Turbo File System Through kubectl
              1. Use kubectl to access the cluster.
              2. Create a PV.
                1. Create the pv-sfsturbo.yaml file.
                  Example:
                  apiVersion: v1
 kind: PersistentVolume
 metadata:
   annotations:
@@ -300,9 +300,9 @@ metadata:
   name: pv-sfsturbo    # PV name
 spec:
   accessModes:
-  - ReadWriteMany      # Access mode. The value must be ReadWriteMany for SFS Turbo.
+  - ReadWriteMany      # Access mode. The value must be ReadWriteMany for SFS Turbo.
   capacity:
-    storage: 500Gi       # SFS Turbo volume capacity
+    storage: 500Gi       # SFS Turbo volume capacity
   csi:
     driver: sfsturbo.csi.everest.io    # Dependent storage driver for the mounting
     fsType: nfs
@@ -362,7 +362,7 @@ spec:
          @@ -403,7 +403,7 @@ spec: - @@ -411,7 +411,7 @@ spec:
        • Run the following command to create a PV:
          kubectl apply -f pv-sfsturbo.yaml
          • -

        • Create a PVC.

          1. Create the pvc-sfsturbo.yaml file.
            apiVersion: v1
+
          2. Create a PVC.

            1. Create the pvc-sfsturbo.yaml file.
              apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: pvc-sfsturbo
@@ -421,12 +421,12 @@ metadata:
 
 spec:
   accessModes:
-  - ReadWriteMany                  # The value must be ReadWriteMany for SFS Turbo.
+  - ReadWriteMany                  # The value must be ReadWriteMany for SFS Turbo.
   resources:
     requests:
-      storage: 500Gi               # SFS Turbo volume capacity.
-  storageClassName: csi-sfsturbo       # StorageClass name of the SFS Turbo file system, which must be the same as that of the PV
-  volumeName: pv-sfsturbo    # PV name
              + storage: 500Gi # SFS Turbo volume capacity. + storageClassName: csi-sfsturbo # StorageClass name of the SFS Turbo file system, which must be the same as that of the PV + volumeName: pv-sfsturbo # PV name
          • Table 1 EVS disk performance specifications

          Parameter

          Extreme SSD

          +

          Extreme SSD

          General Purpose SSD

          +

          General Purpose SSD

          Ultra-high I/O

          +

          Ultra-high I/O

          High I/O

          +

          High I/O

          Common I/O

          +

          Common I/O (Previous Generation Product)

          Max. capacity (GiB)

          +

          Max. capacity (GiB)

          • System disk: 1,024
          • Data disk: 32,768
          +
          • System disk: 1,024
          • Data disk: 32,768
          • System disk: 1,024
          • Data disk: 32,768
          +
          • System disk: 1,024
          • Data disk: 32,768
          • System disk: 1,024
          • Data disk: 32,768
          +
          • System disk: 1,024
          • Data disk: 32,768
          • System disk: 1,024
          • Data disk: 32,768
          +
          • System disk: 1,024
          • Data disk: 32,768
          • System disk: 1,024
          • Data disk: 32,768
          +
          • System disk: 1,024
          • Data disk: 32,768

          Max. IOPS

          +

          Max. IOPS

          128,000

          +

          128,000

          20,000

          +

          20,000

          50,000

          +

          50,000

          5000

          +

          5000

          2200

          +

          2200

          Max. throughput (MiB/s)

          +

          Max. throughput (MiB/s)

          1000

          +

          1000

          250

          +

          250

          350

          +

          350

          150

          +

          150

          50

          +

          50

          Burst IOPS limit

          +

          Burst IOPS limit

          64,000

          +

          64,000

          8000

          +

          8000

          16,000

          +

          16,000

          5000

          +

          5000

          2200

          +

          2200

          Disk IOPS

          +

          Disk IOPS

          Min. (128,000, 1800 + 50 x Capacity)

          +

          Min. (128,000, 1800 + 50 x Capacity)

          Min. (20,000, 1800 + 12 x Capacity)

          +

          Min. (20,000, 1800 + 12 x Capacity)

          Min. (50,000, 1800 + 50 x Capacity)

          +

          Min. (50,000, 1800 + 50 x Capacity)

          Min. (5000, 1800 + 8 x Capacity)

          +

          Min. (5000, 1800 + 8 x Capacity)

          Min. (2200, 500 + 2 x Capacity)

          +

          Min. (2200, 500 + 2 x Capacity)

          Disk throughput (MiB/s)

          +

          Disk throughput (MiB/s)

          Min. (1000, 120 + 0.5 x Capacity)

          +

          Min. (1000, 120 + 0.5 x Capacity)

          Min. (250, 100 + 0.5 x Capacity)

          +

          Min. (250, 100 + 0.5 x Capacity)

          Min. (350, 120 + 0.5 x Capacity)

          +

          Min. (350, 120 + 0.5 x Capacity)

          Min. (150, 100 + 0.15 x Capacity)

          +

          Min. (150, 100 + 0.15 x Capacity)

          50

          +

          50

          Single-queue access latency (ms)

          +

          Single-queue access latency (ms)

          Sub-millisecond

          +

          Sub-millisecond

          1

          +

          1

          1

          +

          1

          1–3

          +

          1–3

          5–10

          +

          5–10

          API name

          +

          API name

          ESSD

          +

          ESSD

          GPSSD

          +

          GPSSD

          SSD

          +

          SSD

          SAS

          +

          SAS

          SATA

          +

          SATA

          Yes

          A reclaim policy is supported when the cluster version is or later than 1.19.10 and the Everest version is or later than 1.2.9. For details, see PV Reclaim Policy.

          -

          Retain: When a PVC is deleted, both the PV and underlying storage resources will be retained. You need to manually delete these resources. After the PVC is deleted, the PV is in the Released state and cannot be bound to a PVC again.

          +

          Retain: When a PVC is deleted, both the PV and underlying storage resources will be retained. You need to manually delete these resources. After the PVC is deleted, the PV is in the Released state and cannot be bound to a PVC again.

          Delete: This parameter can be configured when subdirectories are automatically created, indicating that the PV is deleted when a PVC is deleted.

          Yes

          The StorageClass name of SFS Turbo volumes is csi-sfsturbo.

          +

          The StorageClass name of SFS Turbo volumes is csi-sfsturbo.
          diff --git a/docs/cce/umn/cce_10_0652.html b/docs/cce/umn/cce_10_0652.html index 86161fc26..1e4a900e5 100644 --- a/docs/cce/umn/cce_10_0652.html +++ b/docs/cce/umn/cce_10_0652.html @@ -565,12 +565,12 @@ - @@ -586,7 +586,7 @@ diff --git a/docs/cce/umn/cce_10_0653.html b/docs/cce/umn/cce_10_0653.html index 2d2a13289..e14c030e6 100644 --- a/docs/cce/umn/cce_10_0653.html +++ b/docs/cce/umn/cce_10_0653.html @@ -97,7 +97,7 @@ - @@ -81,7 +81,7 @@ diff --git a/docs/cce/umn/cce_10_0681.html b/docs/cce/umn/cce_10_0681.html index 747884b8d..b59d1d1be 100644 --- a/docs/cce/umn/cce_10_0681.html +++ b/docs/cce/umn/cce_10_0681.html @@ -12,7 +12,7 @@
        • After a Service is created, if the affinity setting is switched from the cluster level to the node level, the connection tracing table will not be cleared. Do not modify the Service affinity setting after the Service is created. To modify it, create a Service again.
        • If service affinity is set to the node level (that is, externalTrafficPolicy is set to Local), the cluster may fail to access the Service by using the ELB address. For details, see Why a Service Fail to Be Accessed from Within the Cluster.
        • In a CCE Turbo cluster that utilizes Cloud Native Network 2.0, node-level affinity is supported only when the Service backend is connected to a hostNetwork pod.
        • Dedicated ELB load balancers can be used only in clusters of v1.17 and later.
        • Dedicated load balancers must support private networks (with private IP addresses). If the Service needs to support HTTP, the dedicated load balancers must be of the application (HTTP/HTTPS) type.
        • When the cluster service forwarding (proxy) mode is IPVS, the node IP cannot be configured as the external IP of the Service. Otherwise, the node is unavailable.
        • If you have an IPVS-backed cluster and use the same ELB load balancer for both the ingress and Service in the same cluster or for the Service ports in different clusters, you will not be able to access the ingress from the nodes or containers in the cluster, or the Service ports in other clusters. This is because kube-proxy mounts the LoadBalancer Service address to the ipvs-0 bridge, which intercepts the load balancer traffic. Use separate load balancers for these ingresses and Services.

          • Using the Console

          1. Log in to the CCE console and click the cluster name to access the cluster console.
          2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
          3. Configure parameters.

            • Service Name: Specify a Service name, which can be the same as the workload name.
            • Service Type: Select LoadBalancer.
            • Namespace: namespace that the workload belongs to.
            • Service Affinity: For details, see externalTrafficPolicy (Service Affinity).
              • Cluster level: The IP addresses and access ports of all nodes in a cluster can access the workload associated with the Service. Accessing the Service will result in a decrease in performance due to route redirection, and the source IP address of the client cannot be obtained.
              • Node level: Only the IP address and access port of the node where the workload is located can access the workload associated with the Service. Accessing the Service will not result in a decrease in performance due to route redirection, and the source IP address of the client can be obtained.
              -
            • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
            • Protocol Version: This function is disabled by default. After this function is enabled, the cluster IP address of the Service can be set to an IPv6 address. This parameter is available only in clusters of v1.15 or later with IPv6 enabled (set during cluster creation).
            • Load Balancer: Select a load balancer type and creation mode.

              A load balancer can be dedicated or shared. A dedicated load balancer supports Network (TCP/UDP), Application (HTTP/HTTPS), or Network (TCP/UDP) & Application (HTTP/HTTPS).

              +
            • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
            • Protocol Version: This function is disabled by default. After this function is enabled, the cluster IP address of the Service can be set to an IPv6 address. This function is available only in clusters of v1.15 or later with IPv6 enabled (set during cluster creation).
            • Load Balancer: Select a load balancer type and creation mode.

              A load balancer can be dedicated or shared. A dedicated load balancer supports Network (TCP/UDP), Application (HTTP/HTTPS), or Network (TCP/UDP) & Application (HTTP/HTTPS).

              You can select Use existing or Auto create to obtain a load balancer. For details about the configuration of different creation modes, see Table 1.
          Table 5 Key parameters

          Parameter

          Maximum size of a container core file

          +

          Maximum size of a container core file

          limitcore

          Maximum size of a core file in a container. The unit is byte.

          -

          If not specified, the value is infinity.

          +

          If not specified, the value is infinity.

          Default: 5368709120

          Default: 1048576

          The value cannot exceed the value of the kernel parameter nr_open and cannot be a negative number.

          -

          You can run the following command to obtain the kernel parameter nr_open:

          +

          You can run the following command to obtain the kernel parameter nr_open:

          sysctl -a | grep nr_open

          Data Disk

          • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
            • Default data disk: used for container runtime and kubelet components. The disk size ranges from 20 GiB to 32768 GiB. The default value is 100 GiB.
            • Other common data disks: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB.
            +
          • At least one default data disk must be added for storing container runtime and kubelet components if System Component Storage is set to Data Disk. This data disk cannot be deleted or detached. Otherwise, the node will be unavailable. This function is available for clusters of a version earlier than v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, or v1.29.4-r0.
            • Default data disk: used for container runtime and kubelet components. The disk size ranges from 20 GiB to 32768 GiB. The default value is 100 GiB.
            • Other common data disks: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB.
          • If System Component Storage is set to System Disk, you do not need to add a default data disk. In this case, all data disks are common ones: You can set the data disk size to a value ranging from 10 GiB to 32768 GiB. The default value is 100 GiB. This function is available for clusters of v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, or later versions.
          NOTE:

          After the data disk configuration is modified, the modification takes effect only on newly added nodes. The configuration cannot be synchronized to existing nodes even if they are reset.

          @@ -105,7 +105,7 @@

          Expand the area and configure the following parameters:

          • Data Disk Space Allocation: allocates space for container engines, images, and ephemeral storage for them to run properly. For details about how to allocate data disk space, see Space Allocation of a Data Disk.
            NOTE:

            After the data disk space allocation configuration is modified, the modification takes effect only for new nodes. The configuration cannot take effect for the existing nodes even if they are reset.

            -
          • Enabled: Data disk encryption safeguards your data. Snapshots generated from encrypted disks and disks created using these snapshots automatically inherit the encryption setting.
            • Not encrypted is selected by default.
            • After setting Data Disk Encryption to Enabled, choose an existing key. If no key is available, click View Key List and create a key. After the key is created, click the refresh icon next to the text box.
            +
          • Enabled: Data disk encryption safeguards your data. Snapshots generated from encrypted disks and disks created using these snapshots automatically inherit the encryption setting.
            • Not encrypted is selected by default.
            • After setting Data Disk Encryption to Enabled, choose an existing key. If no key is available, click View Key List and create a key. After the key is created, click the refresh icon next to the text box.
            NOTE:

            After the Data Disk Encryption is modified, the modification takes effect only on newly added nodes. The configuration cannot be synchronized to existing nodes even if they are reset.

          diff --git a/docs/cce/umn/cce_10_0656.html b/docs/cce/umn/cce_10_0656.html index 8ab5930a3..24b3eb2d4 100644 --- a/docs/cce/umn/cce_10_0656.html +++ b/docs/cce/umn/cce_10_0656.html @@ -50,7 +50,7 @@

          -

          Migrating Nodes from the Default Node Pool to a Custom Node Pool

          1. Log in to the CCE console and click the cluster name to access the cluster console.
          2. In the navigation pane, choose Nodes and click the Node Pools tab.
          3. Locate the target node pool and choose More > Accept Node.
          4. In the Accept Node dialog box, select the nodes that meet the following conditions:

            • The nodes and the current node pool are deployed in the same VPC and subnet.
            • The nodes and the current node pool are in the same cloud server group.
            • The billing mode of the nodes is supported by the current node pool.
            • The nodes are running and they are from the default node pool.
            • The flavor, AZ, resource reservation, container engine, and OS configurations of the nodes are the same as those of the node pool.
            +

            Migrating Nodes from the Default Node Pool to a Custom Node Pool

            1. Log in to the CCE console and click the cluster name to access the cluster console.
            2. In the navigation pane, choose Nodes and click the Node Pools tab.
            3. Locate the target node pool and choose More > Migrate Node.
            4. In the Migrate Node dialog box, select the nodes that meet the following conditions:

              • The nodes and the current node pool are deployed in the same VPC and subnet.
              • The nodes and the current node pool are in the same cloud server group.
              • The billing mode of the nodes is supported by the current node pool.
              • The nodes are running and they are from the default node pool.
              • The flavor, AZ, resource reservation, container engine, and OS configurations of the nodes are the same as those of the node pool.

            5. Click OK.

              • After nodes are migrated into a node pool, the pool's resource tags, Kubernetes labels, and Kubernetes taints will be synchronized to the nodes. If there is a conflict, the node pool's configurations will take precedence.
              • After the migration, the pool's security group will take over the nodes' original security group.
              • After the migration, the pool's agency will take over the nodes' original agency.
              • After the migration, the nodes' original login mode will remain unchanged.
              • After a node is migrated to a node pool after being accepted by the cluster, its acceptance tag will be removed. Scaling in the node pool may result in the removal of the node.

            diff --git a/docs/cce/umn/cce_10_0659.html b/docs/cce/umn/cce_10_0659.html index 1dc0b50c6..3b58de4e3 100644 --- a/docs/cce/umn/cce_10_0659.html +++ b/docs/cce/umn/cce_10_0659.html @@ -69,7 +69,7 @@

            Typical scenario: Disk I/O suspension causes process suspension.

          Warning event

          -

          Listening object: /dev/kmsg

          +

          Listening object: /dev/kmsg

          Matching rule: "task \\S+:\\w+ blocked for more than \\w+ seconds\\."

          Warning event

          -

          Listening object: /dev/kmsg

          +

          Listening object: /dev/kmsg

          Matching rule: Remounting filesystem read-only
          @@ -562,7 +562,7 @@ spec: diff --git a/docs/cce/umn/cce_10_0683.html b/docs/cce/umn/cce_10_0683.html index 556dd55b7..6644bca77 100644 --- a/docs/cce/umn/cce_10_0683.html +++ b/docs/cce/umn/cce_10_0683.html @@ -50,7 +50,7 @@
        • Do not connect an ingress and a Service that uses HTTP or HTTPS to the same listener of the same load balancer. Otherwise, a port conflict occurs.

          • Using the CCE Console

          1. Log in to the CCE console and click the cluster name to access the cluster console.
          2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
          3. Configure Service parameters. In this example, only mandatory parameters required for using HTTP/HTTPS are listed. For details about how to configure other parameters, see Using the Console.

            • Service Name: Specify a Service name, which can be the same as the workload name.
            • Service Type: Select LoadBalancer.
            • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
            • Load Balancer: Select a load balancer type and creation mode.
              • A load balancer can be dedicated or shared. To enable HTTP/HTTPS on the listener port of a dedicated load balancer, the type of the load balancer must be Application (HTTP/HTTPS) or Network (TCP/UDP) & Application (HTTP/HTTPS).
              • This section uses an existing load balancer as an example. For details about the parameters for automatically creating a load balancer, see Table 1.
              -
            • Ports
              • Protocol: Select TCP. If you select UDP, HTTP and HTTPS will be unavailable.
              • Service Port: port used by the Service. The port number ranges from 1 to 65535.
              • Container Port: listener port of the workload. For example, Nginx uses port 80 by default.
              • Frontend Protocol: specifies whether to enable HTTP/HTTPS on the listener port. For a dedicated load balancer, to use HTTP/HTTPS, the type of the load balancer must be Application (HTTP/HTTPS).
              +
            • Ports
              • Protocol: Select TCP. If you select UDP, HTTP and HTTPS will be unavailable.
              • Service Port: port used by the Service. The port number ranges from 1 to 65535.
              • Container Port: listener port of the workload. For example, Nginx uses port 80 by default.
              • Frontend Protocol: specifies whether to enable HTTP/HTTPS on the listener port. For a dedicated load balancer, to use HTTP/HTTPS, the type of the load balancer must be Application (HTTP/HTTPS).
            • Listener
              • SSL Authentication: Select this option if HTTPS is enabled on the listener port. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
                • One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select mutual authentication.
                • Mutual authentication: If you want the clients and the load balancer to authenticate each other, select this option. Only authenticated clients will be allowed to access the load balancer.
              • CA Certificate: If SSL Authentication is set to Mutual authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.
              • Server Certificate: If HTTPS is enabled on the listener port, you must select a server certificate.
              • SNI: If HTTPS is enabled on the listener port, you must determine whether to add an SNI certificate. Before adding an SNI certificate, ensure the certificate contains a domain name.
              • Security Policy: If HTTPS is enabled on the listener port, you can select a security policy. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
              • Backend Protocol: If HTTPS is enabled on the listener port, HTTP or HTTPS can be used to access the backend server. The default value is HTTP. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

              If multiple HTTPS Services are released, all listeners will use the same certificate configuration.

              diff --git a/docs/cce/umn/cce_10_0695.html b/docs/cce/umn/cce_10_0695.html index c5b8328ee..9f70f6e91 100644 --- a/docs/cce/umn/cce_10_0695.html +++ b/docs/cce/umn/cce_10_0695.html @@ -255,7 +255,7 @@
          - diff --git a/docs/cce/umn/cce_10_0766.html b/docs/cce/umn/cce_10_0766.html index e51b98f53..0e2278f15 100644 --- a/docs/cce/umn/cce_10_0766.html +++ b/docs/cce/umn/cce_10_0766.html @@ -16,7 +16,7 @@

          Notes and Constraints

          • Pods need to be rescheduled using a scheduler, and no scheduler can label pods or nodes. Therefore, an evicted pod might be rescheduled to the original node.
          • Descheduling does not support anti-affinity between pods. An evicted pod is in anti-affinity relationship with other running pods. Therefore, the scheduler may still schedule the pod back to the node where the pod was evicted from.
          • When configuring load-aware descheduling, you are required to enable load-aware scheduling on Volcano Scheduler. When configuring HighNodeUtilization, you are required to enable bin packing on Volcano Scheduler.

          Configuring a Load-aware Descheduling Policy

          When configuring a load-aware descheduling policy, do as follows to enable load-aware scheduling on Volcano Scheduler:

          -
          1. Log in to the CCE console and click the cluster name to access the cluster details page. Choose Add-ons in the navigation pane, locate Volcano Scheduler on the right, and click Edit. In the Extended Functions area, enable descheduling and click OK to update the add-on configuration.
          2. In the navigation pane, choose Settings. On the Scheduling tab page, enable load-aware scheduling. For details, see Load-aware Scheduling.
          3. On the Scheduling tab page, select Volcano scheduler, find the expert mode, and click Try Now.

            +
            1. Log in to the CCE console and click the cluster name to access the cluster details page. Choose Add-ons in the navigation pane, locate Volcano Scheduler on the right, and click Edit. In the Extended Functions area, enable descheduling and click OK to update the add-on configuration.
            2. In the navigation pane, choose Settings. On the Scheduling tab page, enable load-aware scheduling. For details, see Load-aware Scheduling.
            3. On the Scheduling tab page, select Volcano scheduler, find the expert mode, and click Try Now.

            4. Configure a load-aware descheduling policy. If you are using Volcano v1.11.21 or later, refer to the example JSON parameter settings below. For more parameters, see the JSON example in Getting Started on the console.

              {
 ...
@@ -143,7 +143,7 @@
            5. Click OK.

          Configuring a HighNodeUtilization Policy

          When configuring a HighNodeUtilization policy, do as follows to enable the bin packing policy on Volcano Scheduler:

          -
          1. Log in to the CCE console and click the cluster name to access the cluster details page. Choose Add-ons in the navigation pane, locate Volcano Scheduler on the right, and click Edit. In the Extended Functions area, enable descheduling and click OK to update the add-on configuration.
          2. In the navigation pane, choose Settings. On the Scheduling tab page, enable bin packing. For details, see Bin Packing.
          3. On the Scheduling tab page, select Volcano scheduler, find the expert mode, and click Try Now.

            +
            1. Log in to the CCE console and click the cluster name to access the cluster details page. Choose Add-ons in the navigation pane, locate Volcano Scheduler on the right, and click Edit. In the Extended Functions area, enable descheduling and click OK to update the add-on configuration.
            2. In the navigation pane, choose Settings. On the Scheduling tab page, enable bin packing. For details, see Bin Packing.
            3. On the Scheduling tab page, select Volcano scheduler, find the expert mode, and click Try Now.

            4. If you are using a resource defragmentation policy, refer to the example JSON parameter settings below. For more parameters, see the JSON example in Getting Started on the console.

              {
 ... 
diff --git a/docs/cce/umn/cce_10_0767.html b/docs/cce/umn/cce_10_0767.html
index d88cd1768..1f720ff8e 100644
--- a/docs/cce/umn/cce_10_0767.html
+++ b/docs/cce/umn/cce_10_0767.html
@@ -13,7 +13,7 @@
 
              Prerequisites
              
 
              
 
              Configuring Soft Affinity Scheduling for Volcano Node Pools
              1. Configure labels for affinity scheduling in the node pool.
                1. Log in to the CCE console.
                2. Click the cluster name to access the cluster console. Choose Nodes in the navigation pane. In the right pane, click the Node Pools tab.
                3. Click Update of the target node pool. On the page that is displayed, configure labels in the Kubernetes Label area.
                
-
              2. In the navigation pane, choose Settings and click the Scheduling tab. Select Volcano scheduler, find the expert mode, and click Try Now.
                
+
              3. In the navigation pane, choose Settings and click the Scheduling tab. Select Volcano scheduler, find the expert mode, and click Try Now.
                
 
                
 
              4. Configure Volcano scheduler parameters. The following shows a configuration example in JSON format:
                ...
     "default_scheduler_conf": {
diff --git a/docs/cce/umn/cce_10_0792.html b/docs/cce/umn/cce_10_0792.html
index 1ea018446..67c8d7817 100644
--- a/docs/cce/umn/cce_10_0792.html
+++ b/docs/cce/umn/cce_10_0792.html
@@ -1,7 +1,7 @@
 
 
 
                Collecting Audit Logs
                
-
                CCE allows you to collect the logs of master nodes. On the Kubernetes Audit Logs tab of Logging, you can determine whether to report audit logs to LTS.
                
+
                CCE allows you to collect the logs of master nodes. On the Kubernetes Audit Logs tab of Logging, you can determine whether to report audit logs to LTS.
                
 
                Constraints
                • The cluster version must be v1.21.7-r0 or later, v1.23.5-r0 or later, or 1.25.
                • There is required LTS resource quota.
                
 
                
 
                Audit Logs
                
@@ -29,18 +29,18 @@
 
                
 
                
 
                Enabling Kubernetes Audit Logging
                Enabling audit logging during cluster creation
                
-
                1. Log in to the CCE console.
                2. In the upper right corner, click Create Cluster. Then, configure the parameters and click Next: Select Add-on.
                3. On the displayed page, select Cloud Native Log Collection and click Next: Add-on Configuration.
                4. On the displayed page, select Kubernetes Audit Logs for Cloud Native Log Collection.
                  
+
                  1. Log in to the CCE console.
                  2. Click Create Cluster. Then, configure the parameters and click Next: Select Add-on.
                  3. On the displayed page, select Cloud Native Log Collection and click Next: Add-on Configuration.
                  4. On the displayed page, select Kubernetes Audit Logs for Cloud Native Log Collection.
                    
 
                  5. Click Next: Confirm configuration.
                  
 
                  Enabling audit logging for an existing cluster
                  1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                  2. Click the Kubernetes Audit Logs tab and modify the settings in Logging Settings.
                    Figure 1 Enabling audit logging for an existing cluster
                    
 
                  3. Determine whether to enable logging for the audit component. If yes, click .
                  
 
                  
 
                
-
                Viewing Kubernetes Audit Logs
                Viewing Kubernetes audit logs on the CCE console
                
-
                1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                2. Click the Kubernetes Audit Logs tab to view audit logs in the cluster. For details about related operations, see Log Tank Service User Guide.
                
-
                Viewing Kubernetes audit logs on the TLS console
                
+
                Viewing Kubernetes Audit Logs
                Viewing Kubernetes audit logs on the CCE console
                
+
                1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                2. Click the Kubernetes Audit Logs tab to view audit logs in the cluster. For details about related operations, see Log Tank Service User Guide.
                
+
                Viewing Kubernetes audit logs on the LTS console
                
 
                1. Log in to the LTS console and choose Log Management.
                2. Search for the log group by cluster ID and click the log group name to view the log streams. For details, see Log Tank Service User Guide.
                
 
                
-
                Disabling Kubernetes Audit Logging
                1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                2. Click the Kubernetes Audit Logs tab.
                3. Disable the audit component and click .
                   
                  After you disable audit logging, logs are no longer written to the original log stream, but the existing logs will not be deleted and expenditures may be incurred for this.
                  
+
                  Disabling Kubernetes Audit Logging
                  1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Logging.
                  2. Click the Kubernetes Audit Logs tab.
                  3. Disable the audit component and click .
                     
                    After you disable audit logging, logs are no longer written to the original log stream, but the existing logs will not be deleted and expenditures may be incurred for this.
                    
 
                    
 
                  
 
                  
diff --git a/docs/cce/umn/cce_10_0809.html b/docs/cce/umn/cce_10_0809.html
index 44d104cd9..1859423f4 100644
--- a/docs/cce/umn/cce_10_0809.html
+++ b/docs/cce/umn/cce_10_0809.html
@@ -9,8 +9,8 @@
 
                  
 
                  Disabling log collection for control plane components
                  
 
                  Choose Logging > Control Plane Logs and deselect one or more components whose logs do not need to be collected.
                  
-
                  Disabling Kubernetes audit log collection
                  
-
                  Choose Logging > Kubernetes Audit Logs and deselect the component whose logs do not need to be collected.
                  
+
                  Disabling Kubernetes audit log collection
                  
+
                  Choose Logging > Kubernetes Audit Logs and deselect the component whose logs do not need to be collected.
                  
 
                  
 
                  What Can I Do If All Components Except log-operator Are Not Ready?
                  Symptom: All components except log-operator are not ready, and the volume failed to be mounted to the node.
                  
 
                  Solution: Check the logs of log-operator. During add-on installation, the configuration files required by other components are generated by log-operator. If the configuration files are invalid, all components cannot be started.
                  
diff --git a/docs/cce/umn/cce_10_0836.html b/docs/cce/umn/cce_10_0836.html
index d3b701542..c25bd5115 100644
--- a/docs/cce/umn/cce_10_0836.html
+++ b/docs/cce/umn/cce_10_0836.html
@@ -3,7 +3,7 @@
 
                  Monitoring
                  
 
                  CCE monitors applications and resources and collects metrics and events to analyze application health status. You can choose Settings from the navigation pane, click the Monitoring tab, and change monitoring parameters on the console.
                  
 
                  Log Configuration
                  Collection configuration
                  
-
                  Send stdout Logs to AOM 1.0 (No more evolution): Logging in AOM 1.0 has not been improved, so you are advised to disable this function and use LTS logging instead. 
                  
+
                  Send stdout Logs to AOM 1.0 (No more evolution): Logging in AOM 1.0 has not been improved, so you are advised to disable this function and use LTS logging instead. 
                  
 
                  
 
                  
 
                  
diff --git a/docs/cce/umn/cce_10_0842.html b/docs/cce/umn/cce_10_0842.html
index ea6e035aa..cb78e3972 100644
--- a/docs/cce/umn/cce_10_0842.html
+++ b/docs/cce/umn/cce_10_0842.html
@@ -11,7 +11,7 @@
 
                  Using the CCE Console
                  1. Log in to the CCE console and click the cluster name to access the cluster console.
                  2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
                  3. Configure Service parameters. In this example, only mandatory parameters are listed. For details about how to configure other parameters, see Using the Console.
                    • Service Name: Specify a Service name, which can be the same as the workload name.
                    • Service Type: Select LoadBalancer.
                    • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
                    • Load Balancer: Select a load balancer type and creation mode.
                      • A load balancer can be dedicated or shared. To enable HTTP/HTTPS on the listener port of a dedicated load balancer, the type of the load balancer must be Application (HTTP/HTTPS) or Network (TCP/UDP) & Application (HTTP/HTTPS).
                      • This section uses an existing load balancer as an example. For details about the parameters for automatically creating a load balancer, see Table 1.
                      
 
                    • Ports
                      • Protocol: Select TCP. If you select UDP, HTTP and HTTPS will be unavailable.
                      • Service Port: port used by the Service. The port number ranges from 1 to 65535.
                      • Container Port: listener port of the workload. For example, Nginx uses port 80 by default.
                      • Frontend Protocol: In this example, HTTPS must be enabled for the Service to use HTTP/2. For a dedicated load balancer, to use HTTP/HTTPS, the type of the load balancer must be Application (HTTP/HTTPS).
                      
 
                    • Listener
                      • SSL authentication is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
                        • One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select mutual authentication.
                        • Mutual authentication: If you want the clients and the load balancer to authenticate each other, select this option. Only authenticated clients will be allowed to access the load balancer.
                        
-
                      • CA Certificate: If SSL Authentication is set to Mutual authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.
                      • Server Certificate: Select a server certificate when HTTPS is used. 
                      • SNI: Add an SNI certificate containing a domain name. 
                      • Advanced Options: Click Add custom container network settings and enable HTTP/2.
                      
+
                    • CA Certificate: If SSL Authentication is set to Mutual authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If HTTPS mutual authentication is required, HTTPS connections can be established only when the client provides a certificate issued by a specific CA.
                    • Server Certificate: Select a server certificate when HTTPS is used. 
                    • SNI: Add an SNI certificate containing a domain name. 
                    • Advanced Options: Click Add advanced options and enable HTTP/2.
                    
 
                    4. 
 
                  4. Click OK.
                  
 
                  
diff --git a/docs/cce/umn/cce_10_0919.html b/docs/cce/umn/cce_10_0919.html
index afd95ad4a..5c68b0e73 100644
--- a/docs/cce/umn/cce_10_0919.html
+++ b/docs/cce/umn/cce_10_0919.html
@@ -8,13 +8,13 @@
 
                  
 
                  Suggestions
                  The following provides some suggestions on optimizing the NGINX Ingress Controller add-on in high-traffic scenarios.
                  
 
                  
-
                  Using a High-Performance Node
                  In high-concurrency scenarios, ingresses typically need a large number of CPUs and network connections, so you can select a computing-plus ECS to run the add-on instances.
                  
+
                  Using a High-Performance Node
                  In high-concurrency scenarios, ingresses typically need a large number of CPUs and network connections, so you can select a computing-plus ECS to run the add-on instances.
                  
 
                  1. Log in to the CCE console.
                  2. Click the cluster name to access the cluster console. Choose Nodes in the navigation pane. In the right pane, click the Node Pools tab.
                  3. Click Create Node Pool in the upper right corner to create a node pool and add two nodes to the node pool. The node pool can be dedicated for the NGINX Ingress Controller add-on. For details, see Creating a Node Pool.
                    For high-concurrency scenarios, you can select a high-performance ECS such as the general computing-plus c7.8xlarge.2 ECS, with 32 cores, 64 GiB of memory, a maximum bandwidth of 30 Gbit/s, and 5.5 million PPS.
                    
 
                  4. In the Advanced Settings area, configure labels and taints for the node pool.
                    • Configure a taint and set its key to nginx-ingress-pod-reserved, value to true, and the effect to NoExecute.
                    • Configure a label and set its key to nginx-ingress-pod-reserved and value to true.
                    
 
                  5. In the navigation pane, choose Add-ons, edit the configurations of NGINX Ingress Controller, and modify the scheduling policies.
                    • Node Affinity: Set it to Customize affinity and configure the add-on to be affinity for the nginx-ingress-pod-reserved: true label.
                    • Toleration: Add a toleration and configure the add-on to tolerate the taint whose label is nginx-ingress-pod-reserved: true and the taint policy is NoExecute.
                    
 
                  
 
                  
-
                  Modifying the NGINX Ingress Controller Configuration
                  You can perform the following operations when installing or editing NGINX Ingress Controller:
                  • Change the resource limit of the nginx-ingress-controller container. If an application processes HTTP requests with a PRS of 300,000, you can configure the CPU and memory limits, as well as the requested CPU and memory, to 16 vCPU cores and 20 GiB of memory.
                  • Set the number of pods to be greater than or equal to 2.
                  
+
                  Modifying the NGINX Ingress Controller Configuration
                  You can perform the following operations when installing or editing NGINX Ingress Controller:
                  • Change the resource limit of the nginx-ingress-controller container. If an application processes HTTP requests with a PRS of 300,000, you can configure the CPU and memory limits, as well as the requested CPU and memory, to 16 vCPU cores and 20 GiB of memory.
                  • Set the number of pods to be greater than or equal to 2.
                  
 
                  
 
                  • Disable the metric collection of the add-on.
                    If you do not need to obtain metrics, you are advised to disable metric collection to reduce the CPU and memory usage of the Nginx container.
                    
 
                  • Optimize the global configuration by doing as follows:
                    • Increase the maximum number of requests that a keepalive connection can handle.
                      Nginx provides the keepalive_requests parameter to control how many requests a single keepalive connection between a client and an upstream server can handle. This parameter defaults to 100.
                      
@@ -31,7 +31,7 @@
 
                    
 
                  
 
                  
-
                  Optimizing Nginx Kernel Parameters
                   
                  Before modifying a kernel parameter, it is important to have a full understanding of its meaning and function. Exercise caution when making changes, because incorrect settings can lead to unexpected system errors and instability.
                  
+
                  Optimizing Nginx Kernel Parameters
                   
                  Before modifying a kernel parameter, it is important to have a full understanding of its meaning and function. Exercise caution when making changes, because incorrect settings can lead to unexpected system errors and instability.
                  
 
                  You need to make sure that:
                  
 
                  1. You have fully understood the functions and impacts of kernel parameters. This helps you set kernel parameters correctly.
                  2. The parameter values you entered must be valid and meet the expectation, or the modification will not take effect.
                  
 
                  
diff --git a/docs/cce/umn/cce_10_0945.html b/docs/cce/umn/cce_10_0945.html
index 8d29aa470..e512e5243 100644
--- a/docs/cce/umn/cce_10_0945.html
+++ b/docs/cce/umn/cce_10_0945.html
@@ -40,7 +40,7 @@
          -
          Table 1 Load balancer configurations

          How to Create

          Specifies the load balancing algorithm of the backend server group. The default value is ROUND_ROBIN.

          Options:

          -
          • ROUND_ROBIN: weighted round robin algorithm
          • LEAST_CONNECTIONS: weighted least connections algorithm
          • SOURCE_IP: source IP hash algorithm
          +
          • ROUND_ROBIN: weighted round robin algorithm
          • LEAST_CONNECTIONS: weighted least connections algorithm
          • SOURCE_IP: source IP hash algorithm
          NOTE:

          If this parameter is set to SOURCE_IP, the weight setting (weight field) of backend servers bound to the backend server group is invalid, and sticky session cannot be enabled.

          String

          To interconnect with HTTPS backend services, set this parameter to https.

          +

          To interconnect with HTTPS backend services, set this parameter to https.

          v1.23.8, v1.25.3, or later

          Bandwidth

          After DataPlane V2 network acceleration is enabled, pods on HCE OS 2.0 use EDT to limit the egress bandwidth. The ingress bandwidth limitation is not supported. In other network modes, a TBF qdisc is used to limit the bandwidth. For details, see Configuring QoS for a Pod.

          +

          After DataPlane V2 network acceleration is enabled, pods on the nodes running HCE OS 2.0 use EDT to limit the egress bandwidth. The ingress bandwidth limitation is not supported. In other network modes, a TBF qdisc is used to limit the bandwidth. For details, see Configuring QoS for a Pod.

          NetworkPolicy

          diff --git a/docs/cce/umn/cce_10_0949.html b/docs/cce/umn/cce_10_0949.html index e032210b7..e1fd1979b 100644 --- a/docs/cce/umn/cce_10_0949.html +++ b/docs/cce/umn/cce_10_0949.html @@ -72,7 +72,7 @@
          -

          CCE allows you to configure and traffic limit on requests, based on ELB's advanced forwarding for LoadBalancer ingresses. These functions are coming soon. To use some advanced forwarding actions that are not available on the console yet, submit a service ticket to enable required functions.

          +

          CCE allows you to configure and traffic limit on requests, based on ELB's advanced forwarding for LoadBalancer ingresses. These functions are coming soon. To use some advanced forwarding actions that are not available on the console yet, submit a service ticket to enable required functions.

          Prerequisites

          • A CCE standard or Turbo cluster is available, and the cluster version meets the requirements.
          • The cluster can be accessed using kubectl. For details, see Accessing a Cluster Using kubectl.
          @@ -283,7 +283,7 @@ ingress-test cce * 121.**.**.** 80 10s

          Configuring a Custom Backend Server Group for a LoadBalancer Ingress

          • Configuring a custom backend server group for a LoadBalancer ingress is subject to the capabilities of your ELB service. Before using this feature, submit a service ticket to enable the required ELB capabilities.
          • Custom backend server groups cannot be used for grayscale release or fixed responses.
          • If you configure a custom backend server group for a LoadBalancer ingress, the number field for the backend Services of the ingress will be invalid and the port name must be set to use-annotation. For details, see the example provided in this section.
          • When configuring a custom backend server group for a LoadBalancer ingress, ensure that each Service name and backend server group ID are unique.
          -
          1. Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.
          2. Create a YAML file named ingress-test.yaml. The file name can be customized.

            vi ingress-test.yaml
            +
            1. Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.
            2. Create a YAML file named ingress-test.yaml. The file name can be customized.

              vi ingress-test.yaml
              An example YAML file of an ingress created using an existing load balancer is as follows:
              apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
diff --git a/docs/cce/umn/cce_10_0957.html b/docs/cce/umn/cce_10_0957.html
deleted file mode 100644
index 294e12f50..000000000
--- a/docs/cce/umn/cce_10_0957.html
+++ /dev/null
@@ -1,118 +0,0 @@
-
-
-
              Using the AccessPolicy API to Manage Namespace Permissions (Kubernetes RBAC-based)
              
-
              Prerequisites
              • Before assigning permissions to users or user groups, you need to review the information provided in Namespace Permissions (Kubernetes RBAC-based).
              • To use an access policy, an IAM user or user group must have the specific permissions. These include CreateAccessPolicy, UpdateAccessPolicy, DeleteAccessPolicy, ListAccessPolicy, and GetAccessPolicy. Learn about the CCE system policies that can be added to a user group and select appropriate ones as needed. For details about how to assign permissions to a user group, see Granting Cluster Permissions to an IAM User.
              
-
              
-
              Configuring Namespace Permissions Through APIs
              You can regulate users' or user groups' access to Kubernetes resources in a single namespace based on their Kubernetes RBAC roles. Users with the configuration permission can configure access policies through APIs.
              
-
              
-
              1. Call the API to create an access policy. 
                POST   /api/v3/access-policies
                
-
                Request body:
                
-
                {
-    "kind": "AccessPolicy",
-    "apiVersion": "v3",
-    "name": "policy-test",
-    "clusters": [ "*" ],
-    "accessScope": {
-        "namespaces": [ "ns1", "ns2" ]
-    },
-    "policyType": "CCEAdminPolicy/CCEClusterAdminPolicy/CCEEditPolicy/CCEViewPolicy",
-    "principal": {
-        "type": "user/group/agency",
-        "ids": ["id1", "id2" ]
-    }
-}
                
-
-
                
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
                Parameter
                
-
                Item
                
-
                Description
                
-
                name
                
-
                Name
                
-
                Name of the access policy.
                
-
                clusters
                
-
                Cluster list
                
-
                IDs of the clusters to which access policies are to be added. Wildcard characters (*) are supported.
                
-
                namespaces
                
-
                Namespaces
                
-
                Namespaces to which access policies are to be added. Wildcard characters (*) are supported.
                
-
                policyType
                
-
                Permission type
                
-
                Permission type. Options:
                
-
                • CCEClusterAdminPolicy: administrator permission
                • CCEAdminPolicy: O&M permission
                • CCEEditPolicy: developer permission
                • CCEViewPolicy: read-only permission
                
-
                principalType
                
-
                User or user group type
                
-
                Type of a user or user group. Options:
                
-
                • user: user
                • group: user group
                • agency: agency account
                
-
                principalId
                
-
                User or user group list
                
-
                IDs of the users or user groups to be authorized.
                
-
                
-
                
-
              2. The CCE management plane automatically synchronizes the access policies to the associated cluster. Run the kubectl command. Then, RoleBinding or ClusterRoleBinding will be created in the cluster.
                 
                The synchronization will take several minutes to take effect.
                
-
                
-
                1. Check RoleBinding in the cluster.
                  kubectl get rolebinding
                  
-
                  In the following command output, clusterrole_access_policy_069fcc2116c347b89869eae3cd38ba23 is the automatically created RoleBinding:
                  
-
                  NAME                                                         ROLE                AGE
-clusterrole_access_policy_069fcc2116c347b89869eae3cd38ba23   ClusterRole/admin   18s
                  
-
                2. Check RoleBinding details.
                  kubectl get rolebinding clusterrole_access_policy_069fcc2116c347b89869eae3cd38ba23 -oyaml
                  
-
                  Command output:
                  
-
                  apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  annotations:
-CCE.com/IAM: "true"
-  label:
-rbac.kubernetes.io/GeneratedByAccessPolicy: "true"
-  creationTimestamp: "2021-06-24T01:30:08Z"
-  name: clusterrole_admin_group0c96fad22880f32a3f84c009862af6f7
-  resourceVersion: "36963685"
-  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/clusterrole_admin_group0c96fad22880f32a3f84c009862af6f7
-  uid: 6c6f46a6-8584-47da-83f5-9eef1f7b75d6
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: 0c96fad22880f32a3f84c009862af6f7
                  
-
                
-
              3. Log in to the CCE console as the newly authorized IAM user for verification. 
                In the service list, choose Cloud Container Engine. On the CCE console, access the cluster and choose the target namespace. If only the default namespace is authorized and the kube-system namespace is unavailable, the access policy has taken effect.
                
-
              
-
              
-
              
-
              
-
              
-
              Parent topic: Permissions
              
-
              
-
              
-
diff --git a/docs/cce/umn/cce_10_0967.html b/docs/cce/umn/cce_10_0967.html
index 22fbe3d94..e3f8f5c70 100644
--- a/docs/cce/umn/cce_10_0967.html
+++ b/docs/cce/umn/cce_10_0967.html
@@ -44,7 +44,7 @@

              Step 3: Verify that the Custom Scale-in Conditions Take Effect

              In this example, the custom scale-in threshold is set to 30% for the node pool, while the default scale-in threshold is 50%. If the node CPU and memory in the node pool remains between 30% and 50% and scale-in is not triggered, the node pool preferentially follows the custom scale-in conditions instead of the default scale-in conditions.

              -

              Related Operations

              +

              Helpful Links

              diff --git a/docs/cce/umn/cce_10_0968.html b/docs/cce/umn/cce_10_0968.html index de99fad12..39c3248b5 100644 --- a/docs/cce/umn/cce_10_0968.html +++ b/docs/cce/umn/cce_10_0968.html @@ -5,8 +5,8 @@

              Before upgrading the NGINX Ingress Controller, pay attention to the following compatibility issues identified by CCE:

              -

              Native Nginx Validity Check Disabled by Default

              Affected versions: earlier than 3.0.33

              -

              The NGINX Ingress Controller v3.0.33 corresponds to community version v1.11.5. In this community version, the security vulnerability CVE-2025-1974 has been fixed, and nginx -t (syntax check) has been removed from webhooks. In the community version v1.11.5, the format of ingress resources is still verified using admission webhooks. However, if you enable snippet annotations and the configuration contains syntax errors, invalid configurations may be directly injected into the nginx.conf file. Since there is no pre-check to validate the injected configuration, such errors may cause the Nginx configuration reload to fail. Therefore, if you enable snippet annotations, check NGINX Ingress Controller's pod logs for errors each time you modify the ingress rules. To do so, run the following command:

              +

              Native Nginx Validity Check Disabled by Default

              Affected versions: earlier than 3.0.34

              +

              The NGINX Ingress Controller v3.0.34 corresponds to community version v1.11.5. In this community version, the security vulnerability CVE-2025-1974 has been fixed, and nginx -t (syntax check) has been removed from webhooks. In the community version v1.11.5, the format of ingress resources is still verified using admission webhooks. However, if you enable snippet annotations and the configuration contains syntax errors, invalid configurations may be directly injected into the nginx.conf file. Since there is no pre-check to validate the injected configuration, such errors may cause the Nginx configuration reload to fail. Therefore, if you enable snippet annotations, check NGINX Ingress Controller's pod logs for errors each time you modify the ingress rules. To do so, run the following command:

              kubectl logs -f {nginx-ingress-controller-pod-name} -n kube-system | grep Error

              Snippet Annotations Disabled by Default

              Affected versions: earlier than 2.4.6

              diff --git a/docs/cce/umn/cce_bestpractice_00199.html b/docs/cce/umn/cce_bestpractice_00199.html index 880a38fdb..8ff20a417 100644 --- a/docs/cce/umn/cce_bestpractice_00199.html +++ b/docs/cce/umn/cce_bestpractice_00199.html @@ -228,7 +228,7 @@ spec:

          mountOptions.default_acl

          Specify access control policies for a bucket and objects in the bucket. In this example, account A owns the bucket, and both account A and account B have the ability to upload data.

          +

          Specify access control policies for a bucket and objects in the bucket. In this example, account A owns the bucket, and both account A and account B can upload data.

          • private: The bucket or objects can only be fully accessed by the owner of the bucket.
          • public-read: The owner of the bucket has complete control over both the bucket and its objects. While other users can read data from the bucket, they are unable to modify, delete, or upload any data within it.
          • public-read-write: The owner of the bucket has complete control over the bucket and its objects. Other users can read and write data from and to the bucket.
          • bucket-owner-read: Users who have uploaded objects to the bucket has complete control over the objects, while the bucket owner is only granted read permissions for said objects. This mode is usually used in cross-account sharing scenarios.
          • bucket-owner-full-control: Users who have uploaded objects to the bucket are granted write permissions for those specific objects, but not read permissions by default. The bucket owner has complete control over all objects within the bucket. This mode is usually used in cross-account sharing scenarios.

          bucket-owner-full-control

          @@ -416,7 +416,7 @@ obs-deployment-example-6b4dfd7b57-frfxv 1/1 Running 0
          1. Check whether the ConfigMap is present.
            kubectl get configmap -n kube-system

            If it is present, the ConfigMap may be incorrectly configured. If it is not present, you can create one by referring to 1.

            -
          2. Check the ConfigMap parameter configurations. The following shows the common issues:
            • The name parameter is not set to paas-obs-endpoint.
            • The namespace parameter is not set to kube-system.
            • The region name is not set to the region where the OBS bucket is located.
            +
          3. Check the ConfigMap parameter configurations. The following shows the common issues:
            • The name parameter is not set to paas-obs-endpoint.
            • The namespace parameter is not set to kube-system.
            • The region name is not set to the region where the OBS bucket is located.

          Yes

          Driver type. If an EVS disk is used, the parameter value is fixed at disk.csi.everest.io.

          +

          Driver type. If an EVS disk is used, the parameter value is fixed at disk.csi.everest.io.

          EVS

          @@ -126,8 +126,8 @@ metadata:

          Yes

          If an EVS disk is used, the parameter value can be ext4 or xfs.

          -
          The restrictions on using xfs are as follows:
          • The nodes must run CentOS 7, HCE OS 2.0, or Ubuntu 22.04, and the Everest version in the cluster must be 2.3.2 or later.
          • Only common containers are supported.
          +

          If an EVS disk is used, the parameter value can be ext4 or xfs.

          +
          The restrictions on using xfs are as follows:
          • The nodes must run CentOS 7, HCE OS 2.0, or Ubuntu 22.04, and the Everest version in the cluster must be 2.3.2 or later.
          • Only common containers are supported.

          Yes

          The parameter value is fixed at true, which indicates that the EVS device type is SCSI. No other parameter values are allowed.

          +

          The parameter value is fixed at true, which indicates that the EVS device type is SCSI. No other parameter values are allowed.

          SFS

          diff --git a/docs/cce/umn/cce_bestpractice_0300.html b/docs/cce/umn/cce_bestpractice_0300.html index 5f818282d..0e8a2977b 100644 --- a/docs/cce/umn/cce_bestpractice_0300.html +++ b/docs/cce/umn/cce_bestpractice_0300.html @@ -5,8 +5,8 @@

          Currently, the CCE console provides four types of namespace-level ClusterRole permissions by default: cluster-admin, admin, edit, and view. However, these permissions apply to resources in the namespace regardless of resource types (pods, Deployments, and Services).

          Solution

          Kubernetes RBAC enables you to easily control permissions on namespace resources.

          -
          • Role: defines a set of rules for accessing Kubernetes resources in a namespace.
          • RoleBinding: defines the relationship between users and roles.
          • ClusterRole: defines a set of rules for accessing Kubernetes resources in a cluster (including all namespaces).
          • ClusterRoleBinding: defines the relationship between users and cluster roles.
          -

          Role and ClusterRole specify actions that can be performed on specific resources. RoleBinding and ClusterRoleBinding bind roles to specific users, user groups, or ServiceAccounts. See the following figure.

          +
          • Roles: define a set of rules for accessing Kubernetes resources in a namespace.
          • RoleBindings: define the relationship between users and roles.
          • ClusterRoles: define a set of rules for accessing Kubernetes resources in a cluster (including all namespaces).
          • ClusterRoleBindings: define the relationship between users and cluster roles.
          +

          Roles and ClusterRoles specify actions that can be performed on specific resources. RoleBindings and ClusterRoleBindings bind Roles to specific users, user groups, or service accounts.

          Figure 1 Role binding

          The user in the preceding figure can be an IAM user or user group in CCE. You can efficiently control permissions on namespace resources through RoleBindings.

          The section describes how to use Kubernetes RBAC to grant user user-example with the permission for viewing pods. (This is the only permission the user has.)

          @@ -29,7 +29,7 @@ Error from server (Forbidden): deployments.apps is forbidden: User "0c97ac3cb280

          Creating a Role and RoleBinding

          Log in to the CCE console, download the kubectl configuration file in the cluster and access the cluster, and create a Role and RoleBinding.

          Log in as the account used to create the cluster because CCE automatically assigns the cluster-admin permissions to the account, which means that the account has the permissions to create Roles and RoleBindings. Alternatively, you can use IAM users who have the permissions to create Roles and RoleBindings.

          -

          The procedure for creating a Role is very simple. To be specific, specify a namespace and then define rules. The rules in the following example are to allow GET and LIST operations on pods in the default namespace.

          +

          The definition of a Role is simple. You just specify a namespace and some rules. For example, the following rules allow you to perform GET and LIST operations on pods in the default namespace.

          kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -58,7 +58,7 @@ subjects:
   name: 0c97ac3cb280f4d91fa7c0096739e1f8    # IAM user ID
   apiGroup: rbac.authorization.k8s.io

          The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the Role, as shown in the following figure.

          -
          Figure 2 Binding a role to a user
          +
          Figure 2 Binding a Role to a user

          You can also specify a user group in the subjects section. In this case, all users in the user group obtain the permissions defined in the Role.

          subjects:
 - kind: Group
diff --git a/docs/cce/umn/cce_bestpractice_0317.html b/docs/cce/umn/cce_bestpractice_0317.html
index db2a1513c..198f9a2fa 100644
--- a/docs/cce/umn/cce_bestpractice_0317.html
+++ b/docs/cce/umn/cce_bestpractice_0317.html
@@ -94,6 +94,9 @@ spec:

          Uninstalling web-terminal After Use

          The web-terminal add-on can be used to manage CCE clusters. Keep the login password secure and uninstall the add-on when it is no longer needed.

          +

          Using Physical Multi-Tenancy

          To ensure that resources of different tenants are isolated and to reduce the attack surface, a separate CCE cluster can be created for each tenant. However, this solution comes with some drawbacks.

          +
          • High costs: It may increase the costs as more hardware or VM resources need to be purchased, and more manpower and time need to be spent on managing and maintaining these clusters.
          • Low resource utilization: Each tenant requires separate hardware or VM resources to run their clusters, which may result in low resource utilization and wastage.
          • Increased management complexity: Managing and maintaining separate clusters for each tenant increases management complexity and may require more manpower and time.
          +
          diff --git a/docs/cce/umn/cce_bestpractice_0318.html b/docs/cce/umn/cce_bestpractice_0318.html index eacf61f7a..3ad8f1811 100644 --- a/docs/cce/umn/cce_bestpractice_0318.html +++ b/docs/cce/umn/cce_bestpractice_0318.html @@ -29,7 +29,15 @@ curl 169.254.169.254/openstack/latest/user_data
        • Run the following commands in the container to access the userdata and metadata interfaces of OpenStack and check whether the request is intercepted:
          curl 169.254.169.254/openstack/latest/meta_data.json
 curl 169.254.169.254/openstack/latest/user_data
          • -
        • CCE Turbo cluster

          No additional configuration is required.

          +
        • CCE Turbo cluster

          No additional configuration is required for a cluster of a version earlier than v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, or v1.28.3-r0.

          +
          For a cluster of v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, v1.28.3-r0, and later version, log in to the CCE console, click the cluster name to access the cluster console. In the navigation pane, choose Settings, click the Network tab, and view the value of Pod Access to Metadata.
          • If Pod Access to Metadata is not enabled, no additional configuration is required. The container has been disabled from obtaining the node metadata.
          • If Pod Access to Metadata is enabled, take the following steps to disable the container from obtaining the node metadata:
            1. Log in to each node in the cluster as user root and run the following command:
              iptables -I FORWARD -s {container_cidr} -d 169.254.169.254 -j REJECT
              +

              {container_cidr} indicates the container CIDR block of the cluster, for example, 10.0.0.0/16.

              +

              To ensure configuration persistence, write the command to the /etc/rc.local script.

              +
            2. Run the following commands in the container to access the userdata and metadata interfaces of OpenStack and check whether the request is intercepted:
              curl 169.254.169.254/openstack/latest/meta_data.json
+curl 169.254.169.254/openstack/latest/user_data
              +
            +
          +

          • diff --git a/docs/cce/umn/cce_bestpractice_0319.html b/docs/cce/umn/cce_bestpractice_0319.html index 9dd8c0e10..8a50c2aca 100644 --- a/docs/cce/umn/cce_bestpractice_0319.html +++ b/docs/cce/umn/cce_bestpractice_0319.html @@ -83,6 +83,32 @@ spec:

        • Run the following command in the container to access kube-apiserver and check whether the request is intercepted:

          curl -k https://{Private API server IP}:5443

          • +

          Properly Setting Volume Propagation

          When mounting a host path, set the propagation mode to None. Exercise caution when using the Bidirectional mode.

          +

          The mountPropagation field in Container.volumeMounts controls the mount propagation feature of a volume. Value options are as follows:

          +
          • None: the default value, equal to the private mount propagation option described in Linux kernel documentation. This volume mount will not receive any subsequent mounts that are mounted to this volume or any of its subdirectories by the host. In similar fashion, no mounts created by the container will be visible on the host.
          +
          • HostToContainer: equal to the rslave mount propagation option described in Linux kernel documentation. This volume mount will receive all subsequent mounts that are mounted to this volume or any of its subdirectories. In other words, if the host mounts anything inside the volume mount, the container will see it mounted there. If a Bidirectional pod mounts anything to the same volume, this change is visible to all HostToContainer pods.
          +
          • Bidirectional: equal to the rshared mount propagation option described in Linux kernel documentation. All volume mounts created by the container will be propagated back to the host and to all containers of all pods that use the same volume.

            Bidirectional mount propagation can be dangerous. It can damage the host operating system and therefore it is allowed only in privileged containers. An example is as follows:

            +
            apiVersion: v1
+kind: Pod
+metadata:
+    name: security-mount
+    label:
+      app: security-mount
+spec:
+    containers:
+    - name: security-mount
+      image: ...
+      volumeMounts:
+      - name: mount-none
+        mountPath: /opt
+        mountPropagation: None
+    volumes:
+    - name: mount-none
+      hostPath:
+        path: /opt/
            +
          +

          For details, see the community documentation.

          +
          diff --git a/docs/cce/umn/cce_bestpractice_0333.html b/docs/cce/umn/cce_bestpractice_0333.html index 70e831ea0..e74350bad 100644 --- a/docs/cce/umn/cce_bestpractice_0333.html +++ b/docs/cce/umn/cce_bestpractice_0333.html @@ -1,11 +1,11 @@

          Configuration Suggestions on CCE Workload Identity Security

          -

          A workload identity enables workloads within a cluster to act as IAM users, granting them access to cloud services without the need for an IAM account's AK and SK. This helps to minimize security risks.

          +

          A workload identity enables workloads within a cluster to act as IAM users, granting them access to cloud services without the need for an IAM account's AK/SK. This helps minimize security risks.

          This section describes how to use workload identities in CCE.

          Notes and Constraints

          The cluster version must be v1.19.16 or later.

          -

          Procedure

          1. Obtain the public key of the cluster serviceAccountToken from CCE. For details, see Step 1: Obtain the Public Key for Signature of the CCE Cluster.
          2. Create an identity provider on IAM. For details, see Step 2: Configure an Identity Provider.
          3. Obtain an IAM token from the workload and simulate an IAM user to access a cloud service. For details, see Step 3: Use a Workload Identity.

            The procedure is as follows:
            1. Deploy the application pod and obtain the OpenID Connect ID token file by mounting the identity provider.
            2. Use the mounted OpenID Connect ID token file in programs in the pod to access IAM and obtain a temporary IAM token.
            3. Access the cloud service using the IAM token in programs in the pod.
            +

            Procedure

            1. Obtain the public key of the cluster service account token from CCE. For details, see Step 1: Obtain the Public Key for Signature of the CCE Cluster.
            2. Create an identity provider on IAM. For details, see Step 2: Configure an Identity Provider.
            3. Obtain an IAM token from the workload and simulate an IAM user to access a cloud service. For details, see Step 3: Use a Workload Identity.

              The procedure is as follows:
              1. Deploy the application pod and obtain the OpenID Connect ID token file by mounting the identity provider.
              2. Use the mounted OpenID Connect ID token file in programs in the pod to access IAM and obtain a temporary IAM token.
              3. Access the cloud service using the IAM token in programs in the pod.
              Figure 1 Workflow

            @@ -18,7 +18,7 @@

            Step 2: Configure an Identity Provider

            1. Log in to the IAM console, choose Identity Providers in the navigation pane, and click Create Identity Provider in the upper right corner. On the displayed page, set Protocol to OpenID Connect and SSO Type to Virtual user and click OK.
            2. In the identity provider list, locate the row containing the new identity provider and click Modify in the Operation column to modify the identity provider information.

              Access Type: Select Programmatic access.

              Configuration Information

              -
              • Identity Provider URL: Enter https://kubernetes.default.svc.cluster.local.
              • Client ID: Enter an ID, which will be used when you create a container.

                You are not advised to use a client ID consisting solely of digits. If the client ID consists only of digits, enclose it in double quotation marks ("") when editing the YAML file for the workload. If the client ID is 123456789, it should be entered as "123456789" in the YAML file.

                +
                • Identity Provider URL: Enter https://kubernetes.default.svc.cluster.local.
                • Client ID: Enter a client ID, which will be used when you create a container.

                  A client ID cannot contain only digits. If the client ID consists only of digits, enclose it in double quotation marks ("") when editing the YAML file for the workload. For example, if the client ID is 123456789, it should be entered as "123456789" in the YAML file.

                • Signing Key: Enter the JWKS of the CCE cluster obtained in Step 1: Obtain the Public Key for Signature of the CCE Cluster.

                Identity Conversion Rules

                @@ -77,7 +77,7 @@ spec: - name: container-1 image: nginx:latest volumeMounts: - - mountPath: "/var/run/secrets/tokens" # Mount the serviceAccountToken generated by Kubernetes to the /var/run/secrets/tokens/oidc-token file. + - mountPath: "/var/run/secrets/tokens" # Mount the service account token generated by Kubernetes to the /var/run/secrets/tokens/oidc-token file. name: oidc-token imagePullSecrets: - name: default-secret @@ -92,15 +92,15 @@ spec: expirationSeconds: 7200 # Expiry period path: oidc-token # Path name, which can be customized
                -

              • After the creation is complete, log in to the container. The content of the /var/run/secrets/tokens/oidc-token file is the serviceAccountToken generated by Kubernetes.

                If the serviceAccountToken is used for more than 24 hours or 80% of its expiry period, kubelet will automatically rotate the serviceAccountToken.

                +

              • After the creation is complete, log in to the container. The content of the /var/run/secrets/tokens/oidc-token file is the service account token generated by Kubernetes.

                If the service account token is used for more than 24 hours or 80% of its expiry period, kubelet will automatically rotate the service account token.

                -

              • Use the OpenID Connect ID token to call the API for Obtaining a Token with an OpenID Connect ID Token. The X-Subject-Token field in the response header is the IAM token. Then, you can use this token to access cloud services.

                The following shows an example:

                +

              • Use the OpenID Connect ID token to call the API for Obtaining a Token with an OpenID Connect ID Token. The X-Subject-Token field in the response header is the IAM token. Then, you can use this token to access cloud services.

                The following shows an example:

                curl -i --location --request POST 'https://{{iam endpoint}}/v3.0/OS-AUTH/id-token/tokens' \
  --header 'X-Idp-Id: workload_identity' \
  --header 'Content-Type: application/json' \
  --data @token_body.json

                Specifically:

                -
                • {{iam endpoint}} indicates the endpoint of IAM. For details, see Regions and Endpoints.
                • workload_identity is the identity provider name, which is the same as that configured in Step 2: Configure an Identity Provider.
                • token_body.json is a local file and its content is as follows:
                   { 
+
                  • {{iam endpoint}} indicates the endpoint of IAM. For details, see Regions and Endpoints.
                  • workload_identity is the identity provider name, which is the same as that configured in Step 2: Configure an Identity Provider.
                  • token_body.json is a local file and its content is as follows:
                     { 
    "auth" : { 
      "id_token" : { 
        "id" : "eyJhbGciOiJSU..."
diff --git a/docs/cce/umn/cce_bestpractice_10009.html b/docs/cce/umn/cce_bestpractice_10009.html
index 4e6eef561..ad86aebf2 100644
--- a/docs/cce/umn/cce_bestpractice_10009.html
+++ b/docs/cce/umn/cce_bestpractice_10009.html
@@ -67,8 +67,8 @@ subjects:

            Run the following command to create the RBAC permission:

            kubectl apply -f prometheus_rbac.yaml

            -
          4. Obtain the bearer_token information of the target cluster.
            • In clusters earlier than v1.21, a token is obtained by mounting the secret of the service account to a pod. Tokens obtained this way are permanent. This approach is no longer recommended starting from version 1.21. Service accounts will stop auto creating secrets in clusters from version 1.25.

              In clusters of version 1.21 or later, you can use the TokenRequest API to obtain the token and use the projected volume to mount the token to the pod. Such tokens are valid for a fixed period. When the mounting pod is deleted, the token automatically becomes invalid.

              -
            • If you need a token that never expires, you can also manually manage secrets for service accounts. Although a permanent service account token can be manually created, you are advised to use a short-lived token by calling the TokenRequest API for higher security.
            +
          5. Obtain the bearer_token information of the target cluster.
            • In clusters earlier than v1.21, tokens are obtained by mounting the secret of a service account to a pod. Such tokens are permanent. However, this approach is not recommended in clusters of v1.21 or later. Starting from v1.25, Kubernetes no longer automatically creates secrets for service accounts as part of its community iteration policy.

              Instead, in clusters of v1.21 and later, the recommended approach is to use the TokenRequest API to obtain tokens and mount them via a projected volume to pods. These tokens remain valid only for a fixed period and become invalid once the pods are deleted.

              +
            • If you need a token that never expires, you can manually manage secrets for service accounts. Although a permanent service account token can be created manually, you are advised to use a short-lived token by calling the TokenRequest API for better security.

            Obtain the serviceaccount information.

            kubectl describe sa prometheus-test -n kube-system

            diff --git a/docs/cce/umn/cce_bestpractice_10016.html b/docs/cce/umn/cce_bestpractice_10016.html index 0f9b32e97..fdb500369 100644 --- a/docs/cce/umn/cce_bestpractice_10016.html +++ b/docs/cce/umn/cce_bestpractice_10016.html @@ -170,7 +170,7 @@

          Service Forwarding Modes

          kube-proxy is a key component of a Kubernetes cluster. It is responsible for load balancing and forwarding between a Service and its backend pod.

          CCE supports the iptables and IPVS forwarding modes.

          -
          • IPVS allows higher throughput and faster forwarding. It applies to scenarios where the cluster scale is large or the number of Services is large.
          • iptables is the traditional kube-proxy mode. This mode applies to the scenario where the number of Services is small or there are a large number of short concurrent connections on the client.
          +
          • IPVS allows higher throughput and faster forwarding. It applies to scenarios where the cluster scale is large or the number of Services is large.
          • Iptables: the traditional kube-proxy mode. This mode applies to the scenario where the number of Services is small or there are a large number of short concurrent connections on the client.

          If high stability is required and the number of Services is less than 2000, the iptables forwarding mode is recommended. In other scenarios, the IPVS forwarding mode is recommended.

          Node Specifications

          The minimum specifications of a node are 2 vCPUs and 4 GiB memory. Evaluate based on service requirements before configuring the nodes. However, using many low-specification ECSs is not the optimal choice. The reasons are as follows:
          • The upper limit of network resources is low, which may result in a single-point bottleneck.
          • Resources may be wasted. If each container running on a low-specification node needs a lot of resources, the node cannot run multiple containers and there may be idle resources in it.
          diff --git a/docs/cce/umn/cce_bestpractice_10024.html b/docs/cce/umn/cce_bestpractice_10024.html index 1febfa26e..98758782b 100644 --- a/docs/cce/umn/cce_bestpractice_10024.html +++ b/docs/cce/umn/cce_bestpractice_10024.html @@ -55,16 +55,16 @@
          -

          Upgrading the Cluster Version

          As the CCE cluster version evolves, new overload protection features and optimizations are regularly introduced. It is recommended that you promptly upgrade your clusters to the latest version. For details, see Process and Method of Upgrading a Cluster.

          +

          Upgrading the Cluster Version

          As the CCE cluster version evolves, new overload protection features and optimizations are regularly introduced. It is recommended that you promptly upgrade your clusters to the latest version. For details, see Process and Method of Upgrading a Cluster.

          -

          Enabling Overload Control

          After overload control is enabled, concurrent LIST requests outside the system will be dynamically controlled based on the resource demands received by master nodes to ensure the stable running of the master nodes and the cluster.

          +

          Enabling Overload Control

          After overload control is enabled, concurrent LIST requests outside the system will be dynamically controlled based on the resource demands received by master nodes to ensure the stable running of the master nodes and the cluster.

          For details, see Cluster Overload Control.

          -

          Enabling Observability

          Observability is crucial for maintaining the reliability and stability of clusters. By using monitoring, alarms, and logs, administrators can gain a better understanding of the clusters' performance, promptly identify any issues, and take corrective action in a timely manner.

          +

          Enabling Observability

          Observability is crucial for maintaining the reliability and stability of clusters. By using monitoring, alarms, and logs, administrators can gain a better understanding of the clusters' performance, promptly identify any issues, and take corrective action in a timely manner.

          Monitoring configurations

          • You can check the monitoring information about master nodes on the Overview page of the CCE cluster console.
          -

          Controlling Data Volume of Resources

          When the resource data volume in a cluster is too large, it can negatively impact etcd performance, including data read and write latency. Additionally, if the data volume of a single type of resource is too large, the control plane consumes a significant number of resources when a client requests all the resources. To avoid these issues, it is recommended that you keep both the etcd data volume and the data volume of a single type of resources under control.

          +

          Controlling Data Volume of Resources

          When the resource data volume in a cluster is too large, it can negatively impact etcd performance, including data read and write latency. Additionally, if the data volume of a single type of resource is too large, the control plane consumes a significant number of resources when a client requests all the resources. To avoid these issues, it is recommended that you keep both the etcd data volume and the data volume of a single type of resources under control.

          @@ -104,9 +104,9 @@
          Table 1 Recommended maximum etcd data volume for different cluster scales

          Cluster Scale

          -

          Clearing Unused Resources

          To prevent a large number of pending pods from consuming extra resources on the control plane, it is recommended that you promptly clear up Kubernetes resources that are no longer in use, such as ConfigMaps, Secrets, and PVCs.

          +

          Clearing Unused Resources

          To prevent a large number of pending pods from consuming extra resources on the control plane, it is recommended that you promptly clear up Kubernetes resources that are no longer in use, such as ConfigMaps, Secrets, and PVCs.

          -

          Optimizing the Client Access Mode

          • To avoid frequent LIST queries, it is best to use the client cache mechanism when retrieving cluster resource data multiple times. It is recommended that you communicate with clusters using informers and listers. For details, see client-go documentation.

            If a LIST query must be used, you can:

            +

            Optimizing the Client Access Mode

            • To avoid frequent LIST queries, it is best to use the client cache mechanism when retrieving cluster resource data multiple times. It is recommended that you communicate with clusters using informers and listers. For details, see client-go documentation.

              If a LIST query must be used, you can:

              • Obtain needed data from the kube-apiserver cache first and avoid making additional queries on etcd data. For clusters earlier than v1.23.8-r0 and v1.25.3-r0, you can set resourceVersion to 0. In clusters of v1.23.8-r0, v1.25.3-r0, and later versions, CCE has improved the way data is retrieved and ensured that the cached data is up to date. By default, you can access the required data from the cache.
              • Accurately define the query scope to avoid retrieving irrelevant data and using unnecessary resources. For example:
                # client-go Code example for obtaining pods in a specified namespace
 k8sClient.CoreV1().Pods("<your-namespace>").List(metav1.ListOptions{})
 # kubectl Command example for obtaining pods in a specified namespace
@@ -115,11 +115,11 @@ kubectl get pods -n 
              • Use the more efficient Protobuf format instead of the JSON format. By default, Kubernetes returns objects serialized to JSON with content type application/json. This is the default serialization format for the API. However, clients may request the more efficient Protobuf representation of these objects for better performance. For details, see Alternate representations of resources.
            -

            Changing the Cluster Scale

            If the resource usage on the master nodes in a cluster remains high for a long time, for example, the memory usage is greater than 85%, it is recommended that you promptly increase the cluster management scale. This will prevent the cluster from becoming overloaded during sudden traffic surges. For details, see Changing Cluster Scale.

            +

            Changing the Cluster Scale

            If the resource usage on the master nodes in a cluster remains high for a long time, for example, the memory usage is greater than 85%, it is recommended that you promptly increase the cluster management scale. This will prevent the cluster from becoming overloaded during sudden traffic surges. For details, see Changing Cluster Scale.

            • The performance of the master nodes improves and their specifications become higher as the management scale of a cluster increases.
            • The CCE cluster management scale is the maximum number of nodes that a cluster can manage. It is used as a reference during service deployment planning, and the actual quantity of nodes in use may not reach the maximum number of nodes selected. The actual scale depends on various factors, including the type, quantity, and size of resource objects in the cluster, as well as the number of external accesses to the cluster control plane.
            -

            Splitting the Cluster

            The Kubernetes architecture has a performance bottleneck, meaning that the scale of a single cluster cannot be expanded indefinitely. If your cluster has 2,000 worker nodes, it is necessary to split the services and deploy them across multiple clusters. If you encounter any issues with splitting a cluster, submit a service ticket for technical support.

            +

            Splitting the Cluster

            The Kubernetes architecture has a performance bottleneck, meaning that the scale of a single cluster cannot be expanded indefinitely. If your cluster has 2,000 worker nodes, it is necessary to split the services and deploy them across multiple clusters. If you encounter any issues with splitting a cluster, submit a service ticket for technical support.

            Summary

            When running services on Kubernetes clusters, their performance and availability are influenced by various factors, including the cluster scale, number and size of resources, and resource access. CCE has optimized cluster performance and availability based on cloud native practices and has developed measures to protect against cluster overload. You can use these measures to ensure that your services run stably and reliably over the long term.

            diff --git a/docs/cce/umn/cce_bulletin_0027.html b/docs/cce/umn/cce_bulletin_0027.html index a5b80ff1d..279b86f03 100644 --- a/docs/cce/umn/cce_bulletin_0027.html +++ b/docs/cce/umn/cce_bulletin_0027.html @@ -1,6 +1,6 @@ -

            Kubernetes 1.23 Release Notes

            +

            Kubernetes 1.23 (EOM) Release Notes

            This section describes the updates in CCE Kubernetes 1.23.

            Resource Changes and Deprecations

            Kubernetes v1.23 Release Notes

            • FlexVolume is deprecated. Use CSI.
            • HorizontalPodAutoscaler v2 is promoted to GA, and HorizontalPodAutoscaler API v2 is gradually stable in version 1.23. The HorizontalPodAutoscaler v2beta2 API is not recommended. Use the v2 API.
            • PodSecurity moves to beta, replacing the deprecated PodSecurityPolicy. PodSecurity is an admission controller that enforces pod security standards on pods in the namespace based on specific namespace labels that set the enforcement level. PodSecurity is enabled by default in version 1.23.
            diff --git a/docs/cce/umn/cce_bulletin_0058.html b/docs/cce/umn/cce_bulletin_0058.html index 08803838f..b61a43074 100644 --- a/docs/cce/umn/cce_bulletin_0058.html +++ b/docs/cce/umn/cce_bulletin_0058.html @@ -1,6 +1,6 @@ -

            Kubernetes 1.25 Release Notes

            +

            Kubernetes 1.25 (EOM) Release Notes

            This section describes the changes made in Kubernetes 1.25 compared with Kubernetes 1.23.

            Indexes

            diff --git a/docs/cce/umn/cce_bulletin_0059.html b/docs/cce/umn/cce_bulletin_0059.html index dc5e3c0a8..52a2cd04c 100644 --- a/docs/cce/umn/cce_bulletin_0059.html +++ b/docs/cce/umn/cce_bulletin_0059.html @@ -1,7 +1,7 @@

            Kubernetes 1.27 Release Notes

            -

            CCE allows you to create Kubernetes clusters 1.27. This section describes the changes made in Kubernetes 1.27 compared with Kubernetes 1.25.

            +

            CCE allows you to create Kubernetes 1.27 clusters. This section describes the changes made in Kubernetes 1.27 compared with Kubernetes 1.25.

            Indexes

            New Features

            Kubernetes 1.27
            • SeccompDefault is stable.

              To use SeccompDefault, add the --seccomp-default command line flag using kubelet on each node. If this feature is enabled, the RuntimeDefault profile will be used for all workloads by default, instead of the Unconfined (seccomp disabled) profile.

              diff --git a/docs/cce/umn/cce_bulletin_0068.html b/docs/cce/umn/cce_bulletin_0068.html index 37315ca56..96d0ddeb4 100644 --- a/docs/cce/umn/cce_bulletin_0068.html +++ b/docs/cce/umn/cce_bulletin_0068.html @@ -1,7 +1,7 @@

              Kubernetes 1.28 Release Notes

              -

              CCE allows you to create Kubernetes clusters 1.28. This section describes the changes made in Kubernetes 1.28.

              +

              CCE allows you to create Kubernetes 1.28 clusters. This section describes the changes made in Kubernetes 1.28.

              Indexes

              Important Notes

              • In Kubernetes 1.28, the scheduling framework is improved to reduce useless retries. The overall scheduling performance is enhanced. If a custom scheduler plugin is used in a cluster, you can perform the adaptation upgrade following instructions in GitHub.
              • The Ceph FS in-tree plugin has been deprecated in Kubernetes 1.28 and will be removed in Kubernetes 1.31. (The community does not plan to support CSI migration.) Use Ceph CSI driver instead.
              • The Ceph RBD in-tree plugin has been deprecated in Kubernetes 1.28 and will be removed in Kubernetes 1.31. (The community does not plan to support CSI migration.) Use RBD Ceph CSI driver instead.
              diff --git a/docs/cce/umn/cce_bulletin_0089.html b/docs/cce/umn/cce_bulletin_0089.html index 9526fa8d9..943593144 100644 --- a/docs/cce/umn/cce_bulletin_0089.html +++ b/docs/cce/umn/cce_bulletin_0089.html @@ -1,8 +1,8 @@

              Kubernetes 1.29 Release Notes

              -

              CCE allows you to create Kubernetes clusters 1.29. This section describes the changes made in Kubernetes 1.29.

              -

              Indexes

              +

              CCE allows you to create Kubernetes 1.29 clusters. This section describes the changes made in Kubernetes 1.29.

              +

              Indexes

              New and Enhanced Features

              • The load balancer IP mode for Services is in the alpha state.

                The load balancer IP mode for Services is promoted to alpha. Kubernetes 1.29 adds the ipMode field to the Services' status field for configuring traffic forwarding from Services within a cluster to pods. If ipMode is set to VIP, traffic delivered to a node with the destination set to the load balancer's IP address and port will be redirected to the target node by kube-proxy. If it is set to Proxy, traffic delivered to a node will be sent to the load balancer and then redirected to the target node by the load balancer. This feature addresses the issue of load balancer functions being missed due to traffic bypassing it. For details, see Load Balancer IP Mode for Services.

              • The nftables proxy mode is in the alpha state.

                The nftables proxy mode is promoted to alpha. This feature allows kube-proxy to run in nftables mode. In this mode, kube-proxy configures packet forwarding rules using the nftables API of the kernel netfilter subsystem. For details, see nftables proxy mode.

                @@ -32,6 +32,9 @@

                API Changes and Removals

                • The time zone of a newly created cron job cannot be configured using TZ or CRON_TZ in .spec.schedule. Use .spec.timeZone instead. Cron jobs that have been created are not affected by this change.
                • The alpha API ClusterCIDR is removed.
                • The startup parameter --authentication-config is added to kube-apiserver to specify the address of the AuthenticationConfiguration file. This startup parameter is mutually exclusive with the --oidc-* startup parameter.
                • The API version kubescheduler.config.k8s.io/v1beta3 of KubeSchedulerConfiguration is removed. Migrate kube-scheduler configuration files to kubescheduler.config.k8s.io/v1.
                • The CEL expressions are added to v1alpha1 AuthenticationConfiguration.
                • The ServiceCIDR type is added. It allows you to dynamically configure the IP address range used by a cluster to allocate the Service ClusterIPs.
                • The startup parameters --conntrack-udp-timeout and --conntrack-udp-timeout-stream are added to kube-proxy. They are options for configuring the kernel parameters nf_conntrack_udp_timeout and nf_conntrack_udp_timeout_stream.
                • Support for CEL expressions is added to WebhookMatchCondition of v1alpha1 AuthenticationConfiguration.
                • The type of PVC.spec.Resource is changed from ResourceRequirements to VolumeResourceRequirements.
                • onPodConditions in PodFailurePolicyRule is marked as optional.
                • The API version flowcontrol.apiserver.k8s.io/v1beta3 of FlowSchema and PriorityLevelConfiguration has been promoted to flowcontrol.apiserver.k8s.io/v1, and the following changes have been made:
                  • PriorityLevelConfiguration: The .spec.limited.nominalConcurrencyShares field defaults to 30 if the field is omitted. To ensure compatibility with 1.28 API servers, specifying an explicit 0 value is not allowed in the v1 version in 1.29. In 1.30, explicit 0 values will be allowed in this field in the v1 API. The flowcontrol.apiserver.k8s.io/v1beta3 APIs are deprecated and will no longer be served in 1.32.
                • The kube-proxy command line document is updated. kube-proxy does not bind any socket to the IP address specified by --bind-address.
                • The selectorSpread scheduler plugin is replaced by podTopologySpread.
                • If CSI-Node-Driver is not running, NodeStageVolume calls will be retried.
                • ValidatingAdmissionPolicy type checking now supports CRDs. To use this feature, the ValidatingAdmissionPolicy feature gate must be enabled.
                • The startup parameter --nf-conntrack-tcp-be-liberal is added to kube-proxy. You can configure it by setting the kernel parameter nf_conntrack_tcp_be_liberal.
                • The startup parameter --init-only is added to kube-proxy. Setting the flag makes kube-proxy init container run in the privileged mode, perform its initial configuration, and then exit.
                • The fileSystem field of container is added to the response body of CRI. It specifies the file system usage of a container. Originally, the fileSystem field contains only the file system of the container images.
                • All built-in cloud providers are disabled by default. If you still need to use them, you can configure the DisableCloudProviders and DisableKubeletCloudCredentialProvider feature gates to disable or enable cloud providers.
                • --node-ips can be used in kubelet to configure IPv4/IPv6 dual-stack. If --cloud-provider is set to external, you are allowed to use --node-ips to configure IPv4/IPv6 dual-stack for node IP addresses. To use --node-ips, you need to enable the CloudDualStackNodeIPs feature gate.
                +

                Incompatible Changes

                In Kubernetes 1.29, the startup behavior of kube-proxy has been modified. This update allows kube-proxy to use a value smaller than the node sysctl setting. For example, if the kernel value of nf_conntrack_max on a node is set to 1000000, but kube-proxy calculates a value of 131072, the value 131072 calculated by kube-proxy will be used.

                +

                Community PR: https://github.com/kubernetes/kubernetes/pull/120448

                +

                Enhanced Kubernetes 1.29 on CCE

                During a version maintenance period, CCE periodically updates Kubernetes 1.29 and provides enhanced functions.

                For details about cluster version updates, see Patch Versions.

                diff --git a/docs/cce/umn/cce_bulletin_0095.html b/docs/cce/umn/cce_bulletin_0095.html index 9f50a9ccd..aa9917414 100644 --- a/docs/cce/umn/cce_bulletin_0095.html +++ b/docs/cce/umn/cce_bulletin_0095.html @@ -1,7 +1,7 @@

                Kubernetes 1.30 Release Notes

                -

                CCE allows you to create Kubernetes clusters 1.30. This section describes the changes made in Kubernetes 1.30.

                +

                CCE allows you to create Kubernetes 1.30 clusters. This section describes the changes made in Kubernetes 1.30.

                Indexes

                New and Enhanced Features

                • Webhook matching expression is in the GA state.

                  The Webhook matching expression feature is advanced to GA. This feature enables admission webhooks to be matched based on specific conditions, providing control over the triggering conditions of the webhooks in a more precise granularity. For details, see Dynamic Admission Control.

                  diff --git a/docs/cce/umn/cce_bulletin_0099.html b/docs/cce/umn/cce_bulletin_0099.html index b7bab5199..cb9dc5a3a 100644 --- a/docs/cce/umn/cce_bulletin_0099.html +++ b/docs/cce/umn/cce_bulletin_0099.html @@ -1,7 +1,7 @@

                  Kubernetes 1.31 Release Notes

                  -

                  CCE allows you to create Kubernetes clusters 1.31. This section describes the changes made in Kubernetes 1.31.

                  +

                  CCE allows you to create Kubernetes 1.31 clusters. This section describes the changes made in Kubernetes 1.31.

                  Indexes

                  New and Enhanced Features

                  • Start ordinal of StatefulSets is in the General Availability (GA) state.

                    StatefulSet start ordinal is advanced to GA. By default, each pod in a StatefulSet is assigned an integer ordinal from 0. With this feature, you can configure a start ordinal for each pod. For details, see Start ordinal.

                    diff --git a/docs/cce/umn/cce_bulletin_0169.html b/docs/cce/umn/cce_bulletin_0169.html index a8403e129..40ce29ed2 100644 --- a/docs/cce/umn/cce_bulletin_0169.html +++ b/docs/cce/umn/cce_bulletin_0169.html @@ -4,6 +4,8 @@
                      +
                    • Notice of the NVIDIA Container Toolkit Container Escape Vulnerabilities (CVE-2025-23266 and CVE-2025-23267)
                      +
                    • Vulnerability Fixing Policies
                    • Linux Polkit Privilege Escalation Vulnerability (CVE-2021-4034)
                      diff --git a/docs/cce/umn/cce_faq_00020.html b/docs/cce/umn/cce_faq_00020.html index 278886554..f289f7d93 100644 --- a/docs/cce/umn/cce_faq_00020.html +++ b/docs/cce/umn/cce_faq_00020.html @@ -3,7 +3,7 @@

                      How Do I Rectify Failures When the NVIDIA Driver Is Used to Start Containers on GPU Nodes?

                      Did a Resource Scheduling Failure Event Occur on a Cluster Node?

                      Symptom

                      A node is running properly and has GPU resources. However, the following error information is displayed:

                      -

                      0/9 nodes are available: 9 insufficient nvidia.com/gpu

                      +

                      0/9 nodes are available: 9 insufficient nvida.com/gpu

                      Analysis

                      1. Check whether the node is attached with NVIDIA label.

                        diff --git a/docs/cce/umn/cce_faq_00089.html b/docs/cce/umn/cce_faq_00089.html index de42156f2..0e10669a2 100644 --- a/docs/cce/umn/cce_faq_00089.html +++ b/docs/cce/umn/cce_faq_00089.html @@ -1,7 +1,7 @@

                        Can I Create a CCE Node Without Adding a Data Disk to the Node?

                        -
                        • If System Component Storage is set to System Disk, you do not need to add a data disk.
                        • Data disks are required if System Component Storage is set to Data Disk.

                          A data disk dedicated for kubelet and the container engine will be attached to a new node. By default, CCE uses LVM to manage data disks. With LVM, you can adjust the disk space ratio for different resources on a data disk.

                          +
                          • If System Component Storage is set to System Disk, you do not need to add a data disk.
                          • Data disks are required if System Component Storage is set to Data Disk.

                            A data disk dedicated for kubelet and the container engine will be attached to a new node. By default, CCE uses LVM to manage data disks. With LVM, you can adjust the disk space ratio for different resources on a data disk.

                            If the data disk is uninstalled or damaged, the container engine will malfunction and the node becomes unavailable.

                          diff --git a/docs/cce/umn/cce_faq_00404.html b/docs/cce/umn/cce_faq_00404.html index ad19d35f9..e48cc7e88 100644 --- a/docs/cce/umn/cce_faq_00404.html +++ b/docs/cce/umn/cce_faq_00404.html @@ -24,7 +24,7 @@

                      Description

                      The exit code ranges from 0 to 255.

                      -
                      • If the exit code is 0, the container exits normally.
                      • Generally, if the abnormal exit is caused by the program, the exit code ranges from 1 to 128. In special scenarios, the exit code ranges from 129 to 255.
                      • When a program exits due to external interrupts, the exit code ranges from 129 to 255. When the operating system sends an interrupt signal to the program, the exist code is the interrupt signal value plus 128. For example, if the interrupt signal value of SIGKILL is 9, the exit status code is 137 (9 + 128).
                      • If the exist code is not in the range of 0 to 255, for example, exit(-1), the exit code is automatically converted to a value that is within this range.

                        If the exist code is a positive number, the conversion formula is as follows:

                        +
                        • If the exit code is 0, the container exits normally.
                        • Generally, if the abnormal exit is caused by the program, the exit code ranges from 1 to 128. In special scenarios, the exit code ranges from 129 to 255.
                        • When a program exits due to external interrupts, the exit code ranges from 129 to 255. When the operating system sends an interrupt signal to the program, the exit code is the interrupt signal value plus 128. For example, if the interrupt signal value of SIGKILL is 9, the exit status code is 137 (9 + 128).
                        • If the exit code is not in the range of 0 to 255, for example, exit(-1), the exit code is automatically converted to a value that is within this range.

                          If the exit code is a positive number, the conversion formula is as follows:

                          code % 256

                          If the exit code is a negative number, the conversion formula is as follows:

                          256 - (|code| % 256)
                          diff --git a/docs/cce/umn/cce_faq_00468.html b/docs/cce/umn/cce_faq_00468.html index e4430e4b2..6ac9cc6de 100644 --- a/docs/cce/umn/cce_faq_00468.html +++ b/docs/cce/umn/cce_faq_00468.html @@ -4,7 +4,7 @@

                          Fault Locating

                          CCE allows you to locate a node fault using the CCE Node Problem Detector add-on (Locating a Node Fault Using the CCE Node Problem Detector Add-on). You can also refer to Locating a Node Fault by Performing a Self-Check to locate the fault.

                          If the fault persists, submit a service ticket.

                          -

                          Locating a Node Fault Using the CCE Node Problem Detector Add-on

                          CCE provides an add-on called CCE Node Problem Detector for you to locate faults occurred with nodes. In 1.16.0 and later versions of this add-on, a large number of check items have been added. They allow you to detect the exceptions of resources and components on nodes and locate the faults.

                          +

                          Locating a Node Fault Using the CCE Node Problem Detector Add-on

                          CCE provides an add-on called CCE Node Problem Detector for you to locate faults occurred with nodes. In 1.16.0 and later versions of this add-on, a large number of check items have been added. They allow you to detect the exceptions of resources and components on nodes and locate the faults.

                          It is strongly recommended that you install this add-on or upgrade it to version 1.16.0 or later.

                          With this add-on, if an exception occurs with a node, you can view the abnormal metrics on the console.

                          You can also view the events reported by the add-on in node events and locate the faults based on the events.

                          @@ -134,7 +134,7 @@
      -

      Locating a Node Fault by Performing a Self-Check

      Figure 1 Performing a self-check
      +

      Locating a Node Fault by Performing a Self-Check

      Figure 1 Performing a self-check
      1. Log in to the CCE console.
      2. Click the cluster name to access the cluster console. Choose Nodes in the navigation pane. In the right pane, click the Nodes tab.
      3. Locate the row containing the target node, choose More > View YAML in the Operation column, and check the Status field of the node.

        The node is in the NotReady state.

        • Check the node status and verify whether the value of PIDPressure, DiskPressure, or MemoryPressure becomes True. If any of them becomes True, you can find the appropriate solution based on the exception keyword.
        • Check the key components on the node and the logs of these components. The key components on a node include a kubelet and the node runtime (Docker or containerd). For details, see Checking Key Components of the Node.
          • Check the kubelet.

            Check whether the kubelet and its logs are normal. If there is an exception, see Abnormal kubelet.

          • Check the runtime (Docker or containerd).
            • Check the runtime of the node. If you are not sure whether the runtime is Docker or containerd, log in to the CCE console and view the runtime of the node.
            • If there is an exception, see Abnormal Runtime.
            @@ -149,20 +149,20 @@

      Common Problems and Troubleshooting Methods

      -

      Checking a Node

      1. Log in to the CCE console.
      2. Click the name of the target cluster to access the cluster console.
      3. In the navigation pane, choose Nodes. In the right pane, click the Nodes tab, locate the row containing the unavailable node, and view its status. (If NPD 1.6.10 or a later version is installed in the cluster, you will see a message indicating that the metrics for the unavailable node are abnormal. In this case, you can move the cursor to the upper part to view the specific problem. If the add-on is not installed, you can rectify the fault by referring to the check items.)
      +

      Checking a Node

      1. Log in to the CCE console.
      2. Click the name of the target cluster to access the cluster console.
      3. In the navigation pane, choose Nodes. In the right pane, click the Nodes tab, locate the row containing the unavailable node, and view its status. (If NPD 1.6.10 or a later version is installed in the cluster, you will see a message indicating that the metrics for the unavailable node are abnormal. In this case, you can move the cursor to the upper part to view the specific problem. If the add-on is not installed, you can rectify the fault by referring to the check items.)
      -

      Checking the Node Monitoring Data

      1. Log in to the CCE console.
      2. Click the name of the target cluster to access the cluster console.
      3. In the navigation pane, choose Nodes. In the right pane, click the Nodes tab, locate the row containing the abnormal node, and click Monitor in the Operation column.

        On the top of the displayed page, click More Monitoring Data to go to the AOM console and view historical monitoring records. If the CPU or memory usage of the node is too high, it can lead to high network latency or trigger system OOM, causing the node to be marked as unavailable.

        +

        Checking the Node Monitoring Data

        1. Log in to the CCE console.
        2. Click the name of the target cluster to access the cluster console.
        3. In the navigation pane, choose Nodes. In the right pane, click the Nodes tab, locate the row containing the abnormal node, and click Monitor in the Operation column.

          On the top of the displayed page, click More Monitoring Data to go to the AOM console and view historical monitoring records. If the CPU or memory usage of the node is too high, it can lead to high network latency or trigger system OOM, causing the node to be marked as unavailable.

        -

        Checking the Node Events

        1. Log in to the CCE console.
        2. Click the name of the target cluster to access the cluster console.
        3. In the navigation pane, choose Nodes. In the right pane, click the Nodes tab, locate the row containing the abnormal node, click View Events in the Operation column, and check whether any abnormal event is reported. (The NPD add-on must be installed.)
        +

        Checking the Node Events

        1. Log in to the CCE console.
        2. Click the name of the target cluster to access the cluster console.
        3. In the navigation pane, choose Nodes. In the right pane, click the Nodes tab, locate the row containing the abnormal node, click View Events in the Operation column, and check whether any abnormal event is reported. (The NPD add-on must be installed.)
        -

        Verifying Whether the ECS Has Been Deleted or Is Faulty

        1. Log in to the CCE console, click the name of the target cluster to access the cluster console, and view the name of the unavailable node.
        2. Log in to the ECS console, search for the node, and check the ECS status.
          • If the ECS has been deleted, go back to the CCE console, delete the node from the node list, and create another one.
          • If the ECS is stopped or frozen, restore it first. It takes about 3 minutes to restore the node.
          • If the ECS is faulty, restart it to rectify the fault.
          • If the ECS is available, rectify the fault by referring to Checking Key Components of the Node.
          +

          Verifying Whether the ECS Has Been Deleted or Is Faulty

          1. Log in to the CCE console, click the name of the target cluster to access the cluster console, and view the name of the unavailable node.
          2. Log in to the ECS console, search for the node, and check the ECS status.
            • If the ECS has been deleted, go back to the CCE console, delete the node from the node list, and create another one.
            • If the ECS is stopped or frozen, restore it first. It takes about 3 minutes to restore the node.
            • If the ECS is faulty, restart it to rectify the fault.
            • If the ECS is available, rectify the fault by referring to Checking Key Components of the Node.
          -

          Verifying Whether the ECS Can Be Logged In

          1. Log in to the ECS console.
          2. Check whether the node name displayed on the ECS console is the same as that on the VM and whether the password or key can be used to log in to the node.

            If the node names are inconsistent and the password or key cannot be used to log in to the node, Cloud-Init problems occurred when the ECS was created. In this case, you can restart the node and then submit a service ticket to the ECS personnel to locate the root cause.

            +

            Verifying Whether the ECS Can Be Logged In

            1. Log in to the ECS console.
            2. Check whether the node name displayed on the ECS console is the same as that on the VM and whether the password or key can be used to log in to the node.

              If the node names are inconsistent and the password or key cannot be used to log in to the node, Cloud-Init problems occurred when the ECS was created. In this case, you can restart the node and then submit a service ticket to the ECS personnel to locate the root cause.

            -

            Checking the Node Security Group

            • The node security group was changed.
              1. Log in to the VPC console. In the navigation pane, choose Access Control > Security Groups and find the master node security group of the cluster.
              2. Search for the name of the security group that contains the cluster name and -cce-control-. The name of a master node security group is in the format of cluster-name-cce-control-random-ID.
              3. Check whether the security group rules have been changed. For details about security groups, see How Can I Configure a Security Group Rule for a Cluster?
              +

              Checking the Node Security Group

              • The node security group was changed.
                1. Log in to the VPC console. In the navigation pane, choose Access Control > Security Groups and find the master node security group of the cluster.
                2. Search for the name of the security group that contains the cluster name and -cce-control-. The name of a master node security group is in the format of cluster-name-cce-control-random-ID.
                3. Check whether the security group rules have been changed. For details about security groups, see How Can I Configure a Security Group Rule for a Cluster?
              • The node security group rules must contain a policy that allows the communication between the master nodes and the worker nodes.
                • Check whether such a security group policy is present.
                • When adding a node to the cluster, add the security group rules listed in Table 2 to the cluster-name-cce-control-random-ID security group to ensure the availability of the added node. This is necessary if a secondary CIDR block is added to the VPC of the node subnet and the subnet is in the secondary CIDR block. However, if a secondary CIDR block has already been added to the VPC during cluster creation, this step is not required.
                • For details about security groups, see How Can I Configure a Security Group Rule for a Cluster?
                  @@ -199,10 +199,10 @@ -

                  Checking the Disks Attached to the Node

                  • By default, a 100-GiB data disk is attached to a node for runtime purposes. You have the option to attach additional data disks to the node if needed. If the data disk is detached or damaged, the runtime becomes abnormal and the node becomes unavailable.
                  +

                  Checking the Disks Attached to the Node

                  • By default, a 100-GiB data disk is attached to a node for runtime purposes. You have the option to attach additional data disks to the node if needed. If the data disk is detached or damaged, the runtime becomes abnormal and the node becomes unavailable.
                  • You need to check whether the data disks of the node are detached from it. If they are, you are advised to create a node and delete the unavailable node. (To minimize risks, you are not advised to perform operations on the CCE nodes through the ECS console.)
                  -

                  Checking Key Components of the Node

                  kubelet

                  +

                  Checking Key Components of the Node

                  kubelet

                  • Check the kubelet.

                    Log in to the target node, run the following command on it, and check the kubelet:

                    systemctl status kubelet

                    The following shows an example of the expected output.

                    @@ -238,7 +238,7 @@
                  -

                  Verifying Whether the Node DNS Address Is Properly Configured

                  • Log in to the target node and check whether any domain name resolution failure is recorded in /var/log/cloud-init-output.log:
                    cat /var/log/cloud-init-output.log | grep resolv
                    +

                    Verifying Whether the Node DNS Address Is Properly Configured

                    • Log in to the target node and check whether any domain name resolution failure is recorded in /var/log/cloud-init-output.log:
                      cat /var/log/cloud-init-output.log | grep resolv

                      If information similar to the following is displayed, the domain name cannot be resolved:

                      Could not resolve host: xxx ; Unknown error
                    • Ping the domain name that cannot be resolved on the node:
                      ping xxx
                      @@ -247,7 +247,7 @@

                    Common Issues and Solutions

                    -

                    PID Pressure

                    Possible cause

                    +

                    PID Pressure

                    Possible cause

                    The pods on the node are using up a large number of PIDs, causing a shortage of available PIDs on the node. By default, CCE reserves 10% of the available PIDs for pods.

                    Symptom

                    If the number of available PIDs on a node is lower than the specified value of pid.available, the PIDPressure of the node will be set to True, resulting in the eviction of pods running on that node. For details about node eviction, see Node-pressure Eviction.

                    @@ -264,7 +264,7 @@ ps -eLf|awk '{print $2}' | sort -rn| head -n 1 #: Check the processes that use t

                    The first column shows the number of PIDs used by each process, while the second column displays the current process IDs. You can locate the process and associated pods with the given process ID, analyze the reason for excessive PID usage, and optimize the relevant code accordingly.

                  • Reduce the load of the node.
                  • To restart the node, go to the ECS console and restart it. (Be cautious when restarting the node because it may cause interruptions to your services.)
                  -

                  Memory Pressure

                  Possible cause

                  +

                  Memory Pressure

                  Possible cause

                  The pods on the node are using up a large amount of memory, causing a shortage of available memory on the node. By default, the available memory of a CCE node is 100 MiB.

                  Symptom

                  • If the number of available memory resources on a node is lower than the specified value of memory.available, the MemoryPressure of the node will be set to True, resulting in the eviction of pods running on that node. For details about node eviction, see Node-pressure Eviction.
                  • If the memory of a node is not enough, the following message will show:
                    • The value of MemoryPressure becomes True.
                    • When some pods on the node are evicted:
                      • You can see "The node was low on resource: memory" in the events of the evicted pods.
                      • You can see "attempting to reclaim memory" in the node events.
                      @@ -273,7 +273,7 @@ ps -eLf|awk '{print $2}' | sort -rn| head -n 1 #: Check the processes that use t

                      Solution

                      • Check the node memory usage through the node monitoring data, identify the time when the exception occurs, and verify if there is any memory leak in the processes on the node. For details, see Checking the Node Monitoring Data.
                      • Reduce the load of the node.
                      • To restart the node, go to the ECS console and restart it. (Be cautious when restarting the node because it may cause interruptions to your services.)
                  -

                  Disk Pressure

                  Possible cause

                  +

                  Disk Pressure

                  Possible cause

                  The root file system, image file system, or container file system on the node is consuming excessive disk space and inodes, surpassing the eviction threshold. This leads to the nodefs.available, nodefs.inodesFree, imagefs.available, or imagefs.inodesFree metric met the eviction threshold, causing disk pressure. The table below shows the default values for these parameters.
                  Table 2 Security group rules to be added

                  Protocol and Port
                  @@ -322,7 +322,7 @@ ps -eLf|awk '{print $2}' | sort -rn| head -n 1 #: Check the processes that use t

                  Solution

                  • View the node disk usage through the node monitoring data, identify the time when the exception occurs, and check if processes on the node are consuming excessive disk space. For details, see Checking the Node Monitoring Data.
                  • If a large number of files are not deleted from the node disks, delete these files.
                  • Restrict the ephemeral-storage configurations of the pods based on service requirements.
                  • Use cloud storage services instead of hostPath volumes.
                  • Expand the capacity of the node disks.
                  • Reduce the load of the node.
                  -

                  Abnormal kubelet

                  Possible cause

                  +

                  Abnormal kubelet

                  Possible cause

                  The kubelet process is not functioning properly or the kubelet configuration is improper. Typically, CCE has set up health checks for kubelet as a default configuration. There is a greater chance of startup failure if the configuration is incorrect.

                  Symptom

                  kubelet is inactive.

                  @@ -334,7 +334,7 @@ ps -eLf|awk '{print $2}' | sort -rn| head -n 1 #: Check the processes that use t

                  -

                  Abnormal Runtime

                  Possible cause

                  +

                  Abnormal Runtime

                  Possible cause

                  The Docker or containerd configuration or process is not functioning properly.

                  Symptom

                  • Docker
                    • Docker is inactive.
                    • Docker is active and running, but the node is experiencing issues and not functioning properly, resulting in abnormal behavior. In this case, the docker ps or docker exec command fails to be executed.
                    • The value of RuntimeOffline of the node becomes True.
                    @@ -355,7 +355,7 @@ journalctl -u docker journalctl -u containerd
                  -

                  Abnormal NTP

                  Possible cause

                  +

                  Abnormal NTP

                  Possible cause

                  The NTP process is abnormal.

                  Symptom

                  • chronyd is inactive.
                  • The value of NTPProblem becomes True.
                  @@ -365,7 +365,7 @@ journalctl -u containerd
                • If the chronyd status is still abnormal after the restart, log in to the node and view the chronyd logs:
                  journalctl -u chronyd
                  • -

                  Abnormal Node Restart

                  Possible cause

                  +

                  Abnormal Node Restart

                  Possible cause

                  The node is experiencing abnormal load.

                  Symptom

                  During the restart, the node is in the NotReady state.

                  @@ -375,7 +375,7 @@ journalctl -u containerd

                • View the node monitoring data and locate the abnormal resource based on the restart time of the node. For details, see Checking the Node Monitoring Data.
                • Check the kernel logs and locate the fault based on the restart time.
                  • -

                  Abnormal Node Network

                  Possible cause

                  +

                  Abnormal Node Network

                  Possible cause

                  The node is experiencing abnormal running status, incorrect security group configuration, or excessive network load.

                  Symptom

                  • The node cannot be logged in to.
                  • The node is in the Unknown state.
                  @@ -384,7 +384,7 @@ journalctl -u containerd
                • If the network load of the node is too high, perform the following operations:
                  • View the node networking through the node monitoring data and check whether the pods on the node are consuming excessive network bandwidth.
                  • Use network policies to control network traffic of the pods on the node.
                  • -

                  Abnormal PLEG

                  Possible cause

                  +

                  Abnormal PLEG

                  Possible cause

                  The pod lifecycle event generator (PLEG) records different events in the lifecycle of a pod, such as the pod startup and termination. The error "PLEG is not healthy" is usually due to abnormal runtime processes on the node or issues with the systemd version on the node.

                  Symptom

                  • The node is in the NotReady state.
                  • You can see the following information in the kubelet logs:
                    skipping pod synchronization - PLEG is not healthy: pleg was last seen active 3m17.028393648s ago; threshold is 3m0s.
                    @@ -392,7 +392,7 @@ journalctl -u containerd

                    Solution

                    • Restart Docker or containerd and kubelet in sequence and then check whether the node is restored.
                    • If the node is not restored after the restart of the key components, restart the node. (Be cautious when restarting the node because it may cause interruptions to your services.)
                  -

                  Node Overloaded

                  Possible cause

                  +

                  Node Overloaded

                  Possible cause

                  The node resources are not enough for pod scheduling.

                  Symptom

                  If there are not enough scheduling resources available on the node, pod scheduling will fail and the following error information will be displayed: (Only errors related to common resources are listed.)
                  • Insufficient CPUs in a cluster: 0/2 nodes are available: 2 Insufficient cpu
                  • Insufficient memory in a cluster: 0/2 nodes are available: 2 Insufficient memory
                  • Insufficient temporary storage space in a cluster: 0/2 nodes are available: 2 Insufficient ephemeral-storage
                  @@ -429,7 +429,7 @@ Allocated resources:
                  If the resources on a node are not enough for pod scheduling, reduce the node load through either of the following ways:
                  • Delete unnecessary pods.
                  • Restrict the resource configurations of pods based on service requirements.
                  • Add more nodes to the cluster.
                  -

                  Restricted Node Scheduling with the node.kubernetes.io/route-unreachable Taint

                  Possible cause

                  +

                  Restricted Node Scheduling with the node.kubernetes.io/route-unreachable Taint

                  Possible cause

                  The network infrastructure's route tables allow the container networks in a cluster that uses the VPC network model to be accessible. A newly created CCE node has network isolation support. If the node network is not functioning properly, the system will automatically add the node.kubernetes.io/route-unreachable taint to the node and remove it once the network is ready. If the node.kubernetes.io/route-unreachable taint remains for an extended period, it indicates abnormal network connectivity for the node.

                  Symptom

                  A newly created node is restricted for scheduling for a long time.

                  @@ -464,7 +464,7 @@ spec:

                  After the container is started, log in to another normal node and ping the IP address of the container. If the communication is abnormal, go to the next step.

                • On the Route Tables page of the VPC console, check whether the node route has been added, whether the next hop type is cloud container, and whether the next hop is the node name. If the node route is present in the route table but the node is still unable to connect to the network, it suggests a potential problem with the underlying network. In such situations, submit a service ticket to the networking team for assistance.
                • If the fault persists, submit a service ticket to CCE for troubleshooting.
                  • -

                  Node Unavailable Due to OOM

                  Possible cause

                  +

                  Node Unavailable Due to OOM

                  Possible cause

                  Many containers are scheduled onto a node, using up all its resources and causing an OOM issue. This issue is primarily seen on nodes running the Docker container engine.

                  Symptom

                  If a node in the cluster is assigned too many containers, the node OS might crash, rendering the node unavailable. You may see the information similar to the following after logging in to the node with VNC.

                  diff --git a/docs/cce/umn/cce_productdesc_0002.html b/docs/cce/umn/cce_productdesc_0002.html index 64de2ef6d..5e080f88b 100644 --- a/docs/cce/umn/cce_productdesc_0002.html +++ b/docs/cce/umn/cce_productdesc_0002.html @@ -411,8 +411,8 @@

                  Namespace-level Permissions (Assigned by Using Kubernetes RBAC)

                  You can regulate users' or user groups' access to Kubernetes resources in a single namespace based on their Kubernetes RBAC roles. The RBAC API declares four kinds of Kubernetes objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding, which are described as follows:

                  -
                  • Role: defines a set of rules for accessing Kubernetes resources in a namespace.
                  • RoleBinding: defines the relationship between users and roles.
                  • ClusterRole: defines a set of rules for accessing Kubernetes resources in a cluster (including all namespaces).
                  • ClusterRoleBinding: defines the relationship between users and cluster roles.
                  -

                  Role and ClusterRole specify actions that can be performed on specific resources. RoleBinding and ClusterRoleBinding bind roles to specific users, user groups, or ServiceAccounts. See the following figure.

                  +
                  • Roles: define a set of rules for accessing Kubernetes resources in a namespace.
                  • RoleBindings: define the relationship between users and roles.
                  • ClusterRoles: define a set of rules for accessing Kubernetes resources in a cluster (including all namespaces).
                  • ClusterRoleBindings: define the relationship between users and cluster roles.
                  +

                  Roles and ClusterRoles specify actions that can be performed on specific resources. RoleBindings and ClusterRoleBindings bind Roles to specific users, user groups, or service accounts.

                  Figure 1 Role binding
                  On the CCE console, you can assign permissions to a user or user group to access resources in one or multiple namespaces. By default, the CCE console provides the following ClusterRoles:
                  • view (read-only): read-only permissions on most resources in all or selected namespaces.
                  • edit (development): read-write permissions on most resources in all or selected namespaces. If this ClusterRole is configured for all namespaces, its capability is the same as the O&M permission.
                  • admin (O&M): read and write permissions on most resources in all namespaces, and read-only permission on nodes, storage volumes, namespaces, and quota management.
                  • cluster-admin (administrator): read and write permissions on all resources in all namespaces.
                  • drainage-editor: drain a node.
                  • drainage-viewer: view the nodal drainage status but cannot drain a node.
                  diff --git a/docs/cce/umn/cce_productdesc_0003.html b/docs/cce/umn/cce_productdesc_0003.html index 2c88a440f..ad5645ebf 100644 --- a/docs/cce/umn/cce_productdesc_0003.html +++ b/docs/cce/umn/cce_productdesc_0003.html @@ -3,7 +3,7 @@

                  Product Advantages

                  Why CCE?

                  CCE is a container service developed on Docker and Kubernetes. It offers a wide range of features that allow you to run containers on a large scale. CCE containers are highly reliable, have high-performance, and compatible with open-source communities, making them an ideal choice for enterprise needs.

                  Easy to Use

                  -
                  • Creating CCE clusters (CCE standard, CCE Turbo, and CCE Autopilot) is a breeze with just a few clicks on the web page. You can deploy VMs in a cluster.
                  • CCE automates deployment and O&M of containerized applications throughout their lifecycle.
                  • You can resize clusters and workloads by setting auto scaling policies. In-the-moment load spikes are no longer headaches.
                  • The console walks you through the steps to upgrade Kubernetes clusters.
                  • CCE seamlessly integrates with Helm charts and add-ons to provide an out-of-the-box user experience.
                  +
                  • Creating CCE clusters (including CCE standard and Turbo clusters) is a breeze with just a few clicks on the web page. You can deploy VMs in a cluster.
                  • CCE automates deployment and O&M of containerized applications throughout their lifecycle.
                  • You can resize clusters and workloads by setting auto scaling policies. In-the-moment load spikes are no longer headaches.
                  • The console walks you through the steps to upgrade Kubernetes clusters.
                  • CCE seamlessly integrates with Helm charts and add-ons to provide an out-of-the-box user experience.

                  High Performance

                  • CCE draws on years of field experience in compute, networking, storage, and heterogeneous infrastructure and provides you high-performance cluster services. You can concurrently launch containers at scale.
                  • AI computing is 3x to 5x better with NUMA BMSs and high-speed InfiniBand network cards.

                  Highly Available and Secure

                  diff --git a/docs/cce/umn/cce_productdesc_0005.html b/docs/cce/umn/cce_productdesc_0005.html index 1ba0cba77..aa1547802 100644 --- a/docs/cce/umn/cce_productdesc_0005.html +++ b/docs/cce/umn/cce_productdesc_0005.html @@ -68,7 +68,7 @@
                  diff --git a/docs/cce/umn/en-us_image_0000002218820614.png b/docs/cce/umn/en-us_image_0000002218820614.png deleted file mode 100644 index 9e12041d4..000000000 Binary files a/docs/cce/umn/en-us_image_0000002218820614.png and /dev/null differ diff --git a/docs/cce/umn/en-us_image_0000002365047420.png b/docs/cce/umn/en-us_image_0000002365047420.png new file mode 100644 index 000000000..64702c0ad Binary files /dev/null and b/docs/cce/umn/en-us_image_0000002365047420.png differ diff --git a/docs/cce/umn/en-us_image_0258392378.png b/docs/cce/umn/en-us_image_0258392378.png index f0282b314..19286cd5f 100644 Binary files a/docs/cce/umn/en-us_image_0258392378.png and b/docs/cce/umn/en-us_image_0258392378.png differ diff --git a/docs/cce/umn/en-us_image_0261301557.png b/docs/cce/umn/en-us_image_0261301557.png index 35845e128..0678930e6 100644 Binary files a/docs/cce/umn/en-us_image_0261301557.png and b/docs/cce/umn/en-us_image_0261301557.png differ diff --git a/docs/cce/umn/en-us_image_0262051194.png b/docs/cce/umn/en-us_image_0262051194.png index bfa5d1f87..5eb51260f 100644 Binary files a/docs/cce/umn/en-us_image_0262051194.png and b/docs/cce/umn/en-us_image_0262051194.png differ

                  Parameter

                  Supported OS

                  EulerOS

                  -

                  HCE 2.0

                  +

                  HCE OS 2.0

                  HCE OS 2.0