forked from docs/doc-exports
CCE UMN 20260128 version
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
File diff suppressed because it is too large
File diff suppressed because it is too large
@ -8,7 +8,19 @@
</th>
</th>
</tr>
</tr>
</thead>
</thead>
<tbody><tr id="cce_01_0300__row69530118317"><td class="cellrowborder" valign="top" width="19.009999999999998%" headers="mcps1.3.1.2.3.1.1 "><p id="cce_01_0300__p164617189313">2025-12-30</p>
<tbody><tr id="cce_01_0300__row111071551569"><td class="cellrowborder" valign="top" width="19.009999999999998%" headers="mcps1.3.1.2.3.1.1 "><p id="cce_01_0300__p410735185615">2026-03-11</p>
</td>
<td class="cellrowborder" valign="top" width="80.99%" headers="mcps1.3.1.2.3.1.2 "><p id="cce_01_0300__p22962515610">Update:</p>
<ul id="cce_01_0300__ul157941134115615"><li id="cce_01_0300__li1579416349568">Updated <a href="cce_10_0405.html">Patch Version Release Notes</a></li><li id="cce_01_0300__li45780361560">Updated <a href="cce_10_0617.html">SFS Overview</a></li><li id="cce_01_0300__li17417193505812">Updated <a href="cce_10_0734.html">Configuring an EIP for a Pod in a CCE Turbo Cluster</a></li></ul>
</td>
</tr>
<tr id="cce_01_0300__row16364121616144"><td class="cellrowborder" valign="top" width="19.009999999999998%" headers="mcps1.3.1.2.3.1.1 "><p id="cce_01_0300__p12364181615147">2026-01-28</p>
</td>
<td class="cellrowborder" valign="top" width="80.99%" headers="mcps1.3.1.2.3.1.2 "><p id="cce_01_0300__p259124121517">Add:</p>
<ul id="cce_01_0300__ul15337141716154"><li id="cce_01_0300__li1433761715151">Added <a href="cce_10_0858.html">Redirecting Traffic from an Nginx Ingress to a LoadBalancer Ingress</a></li><li id="cce_01_0300__li14888191745715">Added <a href="cce_10_0850.html">Comparison Between LoadBalancer Ingresses and Nginx Ingresses</a></li></ul>
</td>
</tr>
<tr id="cce_01_0300__row69530118317"><td class="cellrowborder" valign="top" width="19.009999999999998%" headers="mcps1.3.1.2.3.1.1 "><p id="cce_01_0300__p164617189313">2025-12-30</p>
</td>
</td>
<td class="cellrowborder" valign="top" width="80.99%" headers="mcps1.3.1.2.3.1.2 "><p id="cce_01_0300__p1159438173119">Add:</p>
<td class="cellrowborder" valign="top" width="80.99%" headers="mcps1.3.1.2.3.1.2 "><p id="cce_01_0300__p1159438173119">Add:</p>
<ul id="cce_01_0300__ul25923810310"><li id="cce_01_0300__li185953819317">Added <a href="cce_bulletin_0105.html">Kubernetes 1.33 Release Notes</a>.</li><li id="cce_01_0300__li0892436153316">Added <a href="cce_10_1062.html">Obtaining Pod Network Interfaces in a CCE Turbo Cluster</a>, <a href="cce_10_1063.html">Deploying Hubble for DataPlane V2 Network Observability</a> and <a href="cce_10_1064.html">Enabling Observability for cilium-agent in a Cluster with DataPlane V2 Enabled</a>.</li><li id="cce_01_0300__li686113193414">Added <a href="cce_10_1088.html">Modifying the Node Scale-In Concurrency Settings</a>.</li><li id="cce_01_0300__li171425313415">Added <a href="cce_10_1027.html">Switching the AOM Instance Connected to Grafana</a>.</li><li id="cce_01_0300__li198713463417">Added <a href="cce_10_1060.html">Add-on Upgrade Checks</a>.</li><li id="cce_01_0300__li151091759347">Added <a href="cce_10_0556.html">System Agencies</a> and <a href="cce_10_1069.html">Custom Agencies</a>.</li></ul>
<ul id="cce_01_0300__ul25923810310"><li id="cce_01_0300__li185953819317">Added <a href="cce_bulletin_0105.html">Kubernetes 1.33 Release Notes</a>.</li><li id="cce_01_0300__li0892436153316">Added <a href="cce_10_1062.html">Obtaining Pod Network Interfaces in a CCE Turbo Cluster</a>, <a href="cce_10_1063.html">Deploying Hubble for DataPlane V2 Network Observability</a> and <a href="cce_10_1064.html">Enabling Observability for cilium-agent in a Cluster with DataPlane V2 Enabled</a>.</li><li id="cce_01_0300__li686113193414">Added <a href="cce_10_1088.html">Modifying the Node Scale-In Concurrency Settings</a>.</li><li id="cce_01_0300__li171425313415">Added <a href="cce_10_1027.html">Switching the AOM Instance Connected to Grafana</a>.</li><li id="cce_01_0300__li198713463417">Added <a href="cce_10_1060.html">Add-on Upgrade Checks</a>.</li><li id="cce_01_0300__li151091759347">Added <a href="cce_10_0556.html">System Agencies</a> and <a href="cce_10_1069.html">Custom Agencies</a>.</li></ul>
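Review bot: the new 2026-03-11 row added at the top of the change history postdates the 20260128 version named in the commit title; confirm that the 2026-03-11 "Update:" entry (Patch Version Release Notes, SFS Overview, Configuring an EIP for a Pod in a CCE Turbo Cluster) belongs in this export rather than in a later one, since the 2026-01-28 row is the one that matches the title. Separately, the new rows and the existing 2025-12-30 row end their list items inconsistently: the 2026-03-11 and 2026-01-28 items have no terminating period while every 2025-12-30 item ends with one; pick one convention for the table.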
@ -23,7 +23,7 @@
</li></ol>
</li></ol>
</div>
</div>
<div class="section" id="cce_10_0006__section7846281504"><h4 class="sectiontitle">Overview of DaemonSet</h4><p id="cce_10_0006__en-us_topic_0249851114_p441104813815">A DaemonSet runs a pod on each node in a cluster and ensures that there is only one pod. This works well for certain system-level applications such as log collection and resource monitoring since they must run on each node. A good example is kube-proxy.</p>
<div class="section" id="cce_10_0006__section7846281504"><h4 class="sectiontitle">Overview of DaemonSet</h4><p id="cce_10_0006__en-us_topic_0249851114_p441104813815">A DaemonSet runs a pod on each node in a cluster and ensures that there is only one pod. This works well for certain system-level applications such as log collection and resource monitoring since they must run on each node. A good example is kube-proxy.</p>
<p id="cce_10_0006__en-us_topic_0249851114_p5986375820">DaemonSets are closely related to nodes. If a node becomes faulty, the DaemonSet will not create the same pods on other nodes.</p>
<p id="cce_10_0006__en-us_topic_0249851114_p5986375820">DaemonSets are closely related to nodes. If a node becomes faulty, the DaemonSet will not migrate the pod on that node to other nodes for re-creation.</p>
<div class="fignone" id="cce_10_0006__en-us_topic_0249851114_fig27588261914"><span class="figcap"><b>Figure 4 </b>DaemonSet</span><br><span><img id="cce_10_0006__en-us_topic_0249851114_image13336133243518" src="en-us_image_0258871213.png"></span></div>
<div class="fignone" id="cce_10_0006__en-us_topic_0249851114_fig27588261914"><span class="figcap"><b>Figure 4 </b>DaemonSet</span><br><span><img id="cce_10_0006__en-us_topic_0249851114_image13336133243518" src="en-us_image_0258871213.png"></span></div>
</div>
</div>
<div class="section" id="cce_10_0006__section153173319578"><h4 class="sectiontitle">Overview of Jobs and CronJobs</h4><p id="cce_10_0006__en-us_topic_0249851115_p10889736123218">Jobs and CronJobs are Kubernetes resources designed to manage short-lived, one-off tasks that run to completion.</p>
<div class="section" id="cce_10_0006__section153173319578"><h4 class="sectiontitle">Overview of Jobs and CronJobs</h4><p id="cce_10_0006__en-us_topic_0249851115_p10889736123218">Jobs and CronJobs are Kubernetes resources designed to manage short-lived, one-off tasks that run to completion.</p>
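Review bot: the reworded sentence ("will not migrate the pod on that node to other nodes for re-creation") is more precise than the old "will not create the same pods on other nodes", but the unchanged lead sentence of the same section still says a DaemonSet "ensures that there is only one pod", which reads as one pod per cluster; "ensures that exactly one such pod runs on each node" would remove the ambiguity while this paragraph is being touched.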
@ -69,7 +69,7 @@
</td>
</td>
<td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.4.2.2.2.1.1.4.2.4.1.2 "><p id="cce_10_0009__en-us_topic_0000001708838110_p15173345163417">www.example.com</p>
<td class="cellrowborder" valign="top" width="24%" headers="mcps1.3.4.2.2.2.1.1.4.2.4.1.2 "><p id="cce_10_0009__en-us_topic_0000001708838110_p15173345163417">www.example.com</p>
</td>
</td>
<td class="cellrowborder" valign="top" width="54%" headers="mcps1.3.4.2.2.2.1.1.4.2.4.1.3 "><p id="cce_10_0009__en-us_topic_0000001708838110_p1117334583414">Enter the address of the third image repository.</p>
<td class="cellrowborder" valign="top" width="54%" headers="mcps1.3.4.2.2.2.1.1.4.2.4.1.3 "><p id="cce_10_0009__en-us_topic_0000001708838110_p1117334583414">Enter the address of the third-party image repository.</p>
</td>
</td>
</tr>
</tr>
<tr id="cce_10_0009__en-us_topic_0000001708838110_row41733454343"><td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.4.2.2.2.1.1.4.2.4.1.1 "><p id="cce_10_0009__en-us_topic_0000001708838110_p131731745203413">docker-username</p>
<tr id="cce_10_0009__en-us_topic_0000001708838110_row41733454343"><td class="cellrowborder" valign="top" width="22%" headers="mcps1.3.4.2.2.2.1.1.4.2.4.1.1 "><p id="cce_10_0009__en-us_topic_0000001708838110_p131731745203413">docker-username</p>
@ -19,7 +19,7 @@
<ul id="cce_10_0010__ul953218444116"><li id="cce_10_0010__li87791418174620">ClusterIP: used to make the Service only reachable from within a cluster.</li><li id="cce_10_0010__li17876227144612">NodePort: used for access from outside a cluster. A NodePort Service is accessed through the port on the node.</li><li id="cce_10_0010__li94953274615">LoadBalancer: used for access from outside a cluster. It is an extension of NodePort, to which a load balancer routes, and external systems only need to access the load balancer.</li></ul>
<ul id="cce_10_0010__ul953218444116"><li id="cce_10_0010__li87791418174620">ClusterIP: used to make the Service only reachable from within a cluster.</li><li id="cce_10_0010__li17876227144612">NodePort: used for access from outside a cluster. A NodePort Service is accessed through the port on the node.</li><li id="cce_10_0010__li94953274615">LoadBalancer: used for access from outside a cluster. It is an extension of NodePort, to which a load balancer routes, and external systems only need to access the load balancer.</li></ul>
<p id="cce_10_0010__p1677717174140">For details about the Service, see <a href="cce_10_0249.html">Service Overview</a>.</p>
<p id="cce_10_0010__p1677717174140">For details about the Service, see <a href="cce_10_0249.html">Service Overview</a>.</p>
</div>
</div>
<div class="section" id="cce_10_0010__section1248852094313"><a name="cce_10_0010__section1248852094313"></a><a name="section1248852094313"></a><h4 class="sectiontitle">Ingress</h4><p id="cce_10_0010__p96672218193">Services forward requests using TCP and UDP at Layer 4. Ingresses forward requests using HTTP and HTTPS at Layer 7. Domain names and paths can be used for access of finer granularities.</p>
<div class="section" id="cce_10_0010__section1248852094313"><a name="cce_10_0010__section1248852094313"></a><a name="section1248852094313"></a><h4 class="sectiontitle">Ingress</h4><p id="cce_10_0010__p96672218193">Services forward requests using TCP and UDP at Layer 4. Ingresses forward requests using HTTP and HTTPS at Layer 7, and can achieve finer-grained traffic routing through domain names and paths.</p>
<div class="fignone" id="cce_10_0010__fig816719454212"><span class="figcap"><b>Figure 3 </b>An ingress and its associated Services</span><br><span><img id="cce_10_0010__en-us_topic_0249851122_image8371183511310" src="en-us_image_0258961458.png"></span></div>
<div class="fignone" id="cce_10_0010__fig816719454212"><span class="figcap"><b>Figure 3 </b>An ingress and its associated Services</span><br><span><img id="cce_10_0010__en-us_topic_0249851122_image8371183511310" src="en-us_image_0258961458.png"></span></div>
<p id="cce_10_0010__p174691141141410">For details about the ingress, see <a href="cce_10_0094.html">Ingress Overview</a>.</p>
<p id="cce_10_0010__p174691141141410">For details about the ingress, see <a href="cce_10_0094.html">Ingress Overview</a>.</p>
</div>
</div>
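Review bot: "can achieve finer-grained traffic routing through domain names and paths" is wordy; "route traffic at a finer granularity by domain name and path" says the same in the new Ingress sentence. In the unchanged Service bullets of this hunk, "A NodePort Service is accessed through the port on the node" would be clearer as "through a fixed port opened on every node", since that is what distinguishes it from ClusterIP and is the detail a reader deciding on exposure needs.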
@ -5,7 +5,7 @@
</div>
</div>
<div class="section" id="cce_10_0026__en-us_topic_0179639644_section036851413573"><h4 class="sectiontitle">What Is a Trace?</h4><p id="cce_10_0026__en-us_topic_0179639644_p7344192412579">A trace is an operation log for a cloud service resource, tracked and stored by CTS. Traces record operations such as adding, modifying, or deleting cloud service resources. You can view them to identify who performed operations and when for detailed tracking.</p>
<div class="section" id="cce_10_0026__en-us_topic_0179639644_section036851413573"><h4 class="sectiontitle">What Is a Trace?</h4><p id="cce_10_0026__en-us_topic_0179639644_p7344192412579">A trace is an operation log for a cloud service resource, tracked and stored by CTS. Traces record operations such as adding, modifying, or deleting cloud service resources. You can view them to identify who performed operations and when for detailed tracking.</p>
</div>
</div>
<div class="section" id="cce_10_0026__en-us_topic_0179639644_section19271975203"><h4 class="sectiontitle">Viewing Traces in the Trace List</h4><ol id="cce_10_0026__en-us_topic_0179639644_ol143115612115"><li id="cce_10_0026__en-us_topic_0179639644_li1629194722218"><span>Log in to the management console, click <span><img id="cce_10_0026__en-us_topic_0179639644_image1229124714224" src="en-us_image_0000002359774578.png"></span> in the upper left corner, and choose <strong id="cce_10_0026__en-us_topic_0179639644_b0101171161313">Management & Deployment</strong> > <strong id="cce_10_0026__en-us_topic_0179639644_b17101511131310">Cloud Trace Service</strong>.</span></li><li id="cce_10_0026__en-us_topic_0179639644_li1443115692119"><span>In the navigation pane, choose <strong id="cce_10_0026__en-us_topic_0179639644_b5352121921314">Trace List</strong>.</span></li><li id="cce_10_0026__en-us_topic_0179639644_li1468123811239"><span>In the upper right corner of the page, set a desired query time range: <strong id="cce_10_0026__en-us_topic_0179639644_b192893416490">Last 1 hour</strong>, <strong id="cce_10_0026__en-us_topic_0179639644_b122899464911">Last 1 day</strong>, or <strong id="cce_10_0026__en-us_topic_0179639644_b19289147490">Last 1 week</strong>. 
You can also click <strong id="cce_10_0026__en-us_topic_0179639644_b328913414912">Customize</strong> to specify a custom time range within the last seven days.</span></li><li id="cce_10_0026__en-us_topic_0179639644_li243155612119"><span>Set filters to search for your desired traces, as shown in <a href="#cce_10_0026__en-us_topic_0179639644_fig139361441134311">Figure 1</a>.</span><p><div class="fignone" id="cce_10_0026__en-us_topic_0179639644_fig139361441134311"><a name="cce_10_0026__en-us_topic_0179639644_fig139361441134311"></a><a name="en-us_topic_0179639644_fig139361441134311"></a><span class="figcap"><b>Figure 1 </b>Filters</span><br><span><img id="cce_10_0026__en-us_topic_0179639644_image14936144112433" src="en-us_image_0000001744598325.png"></span></div>
<div class="section" id="cce_10_0026__en-us_topic_0179639644_section19271975203"><h4 class="sectiontitle">Viewing Traces in the Trace List</h4><ol id="cce_10_0026__en-us_topic_0179639644_ol143115612115"><li id="cce_10_0026__en-us_topic_0179639644_li1629194722218"><span>Log in to the management console, click <span><img id="cce_10_0026__en-us_topic_0179639644_image1229124714224" src="en-us_image_0000002359774578.png"></span> in the upper left corner, and choose <strong id="cce_10_0026__en-us_topic_0179639644_b0101171161313">Management & Deployment</strong> > <strong id="cce_10_0026__en-us_topic_0179639644_b17101511131310">Cloud Trace Service</strong>.</span></li><li id="cce_10_0026__en-us_topic_0179639644_li1443115692119"><span>In the navigation pane, choose <strong id="cce_10_0026__en-us_topic_0179639644_b5352121921314">Trace List</strong>.</span></li><li id="cce_10_0026__en-us_topic_0179639644_li1468123811239"><span>In the upper right corner of the page, select a desired query time range: <strong id="cce_10_0026__en-us_topic_0179639644_b192893416490">Last 1 hour</strong>, <strong id="cce_10_0026__en-us_topic_0179639644_b122899464911">Last 1 day</strong>, or <strong id="cce_10_0026__en-us_topic_0179639644_b19289147490">Last 1 week</strong>. You can also specify a custom time range within the last seven days.</span></li><li id="cce_10_0026__en-us_topic_0179639644_li243155612119"><span>Set filters to search for your desired traces, as shown in <a href="#cce_10_0026__en-us_topic_0179639644_fig139361441134311">Figure 1</a>.</span><p><div class="fignone" id="cce_10_0026__en-us_topic_0179639644_fig139361441134311"><a name="cce_10_0026__en-us_topic_0179639644_fig139361441134311"></a><a name="en-us_topic_0179639644_fig139361441134311"></a><span class="figcap"><b>Figure 1 </b>Filters</span><br><span><img id="cce_10_0026__en-us_topic_0179639644_image14936144112433" src="en-us_image_0000001744598325.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0026__en-us_topic_0179639644_table147746583014" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Trace filtering parameters</caption><thead align="left"><tr id="cce_10_0026__en-us_topic_0179639644_row1877510573019"><th align="left" class="cellrowborder" valign="top" width="18.95%" id="mcps1.3.3.2.4.2.2.2.3.1.1"><p id="cce_10_0026__en-us_topic_0179639644_p1877512593016">Parameter</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0026__en-us_topic_0179639644_table147746583014" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Trace filtering parameters</caption><thead align="left"><tr id="cce_10_0026__en-us_topic_0179639644_row1877510573019"><th align="left" class="cellrowborder" valign="top" width="18.95%" id="mcps1.3.3.2.4.2.2.2.3.1.1"><p id="cce_10_0026__en-us_topic_0179639644_p1877512593016">Parameter</p>
</th>
</th>
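Review bot: the rewrite of step 3 drops the name of the control ("Customize") that opens the custom time range, so the new text tells the reader a custom range within the last seven days is possible without saying where to set it; if the button was renamed in the console, substitute the new label rather than removing it. The whitespace change is fine: the old line was broken across two lines ("Last 1 week. " / "You can also click"), and the new line joins them.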
@ -59,7 +59,7 @@
</p></li><li id="cce_10_0026__en-us_topic_0179639644_li15432145622119"><span>Click <span><img id="cce_10_0026__en-us_topic_0179639644_image9947176447" src="en-us_image_0000001744678489.jpg"></span> on the left of a trace to expand its details.</span><p><p id="cce_10_0026__en-us_topic_0179639644_p1294101714446"></p>
</p></li><li id="cce_10_0026__en-us_topic_0179639644_li15432145622119"><span>Click <span><img id="cce_10_0026__en-us_topic_0179639644_image9947176447" src="en-us_image_0000001744678489.jpg"></span> on the left of a trace to expand its details.</span><p><p id="cce_10_0026__en-us_topic_0179639644_p1294101714446"></p>
<p id="cce_10_0026__en-us_topic_0179639644_p1694171715446"><span><img id="cce_10_0026__en-us_topic_0179639644_image1767234653119" src="en-us_image_0000001942942816.png"></span></p>
<p id="cce_10_0026__en-us_topic_0179639644_p1694171715446"><span><img id="cce_10_0026__en-us_topic_0179639644_image1767234653119" src="en-us_image_0000001942942816.png"></span></p>
<p id="cce_10_0026__en-us_topic_0179639644_p145491156142711"></p>
<p id="cce_10_0026__en-us_topic_0179639644_p145491156142711"></p>
</p></li><li id="cce_10_0026__en-us_topic_0179639644_li143245616217"><span>Click <strong id="cce_10_0026__en-us_topic_0179639644_b139145611337">View Trace</strong> in the <strong id="cce_10_0026__en-us_topic_0179639644_b1591756103313">Operation</strong> column. The trace details are displayed.</span><p><p id="cce_10_0026__en-us_topic_0179639644_p1695161714447"><span><img id="cce_10_0026__en-us_topic_0179639644_image1990505483515" src="en-us_image_0000001758618249.png"></span></p>
</p></li><li id="cce_10_0026__en-us_topic_0179639644_li143245616217"><span>Click <strong id="cce_10_0026__en-us_topic_0179639644_b139145611337">View Trace</strong> in the <strong id="cce_10_0026__en-us_topic_0179639644_b1591756103313">Operation</strong> column. The trace details are displayed.</span><p><p id="cce_10_0026__en-us_topic_0179639644_p1695161714447"><span><img id="cce_10_0026__en-us_topic_0179639644_image1904172011220" src="en-us_image_0000001758618249.png"></span></p>
</p></li></ol>
</p></li></ol>
</div>
</div>
<div class="section" id="cce_10_0026__en-us_topic_0179639644_section18501734161612"><h4 class="sectiontitle">Helpful Links</h4><ul id="cce_10_0026__en-us_topic_0179639644_ul19442019172"><li id="cce_10_0026__en-us_topic_0179639644_li547715311275">For details about the key fields in the trace structure, see <a href="https://docs.otc.t-systems.com/cloud-trace-service/umn/user_guide/trace_references/trace_structure.html#cts-03-0010" target="_blank" rel="noopener noreferrer">Trace Structure</a> and <a href="https://docs.otc.t-systems.com/cloud-trace-service/umn/user_guide/trace_references/example_traces.html" target="_blank" rel="noopener noreferrer">Example Traces</a>.</li></ul>
<div class="section" id="cce_10_0026__en-us_topic_0179639644_section18501734161612"><h4 class="sectiontitle">Helpful Links</h4><ul id="cce_10_0026__en-us_topic_0179639644_ul19442019172"><li id="cce_10_0026__en-us_topic_0179639644_li547715311275">For details about the key fields in the trace structure, see <a href="https://docs.otc.t-systems.com/cloud-trace-service/umn/user_guide/trace_references/trace_structure.html#cts-03-0010" target="_blank" rel="noopener noreferrer">Trace Structure</a> and <a href="https://docs.otc.t-systems.com/cloud-trace-service/umn/user_guide/trace_references/example_traces.html" target="_blank" rel="noopener noreferrer">Example Traces</a>.</li></ul>
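Review bot: the only change in this hunk is the generated id of the View Trace screenshot (image1990505483515 to image1904172011220) while the src stays en-us_image_0000001758618249.png; this is build churn with no reader-visible effect and should not be read as a screenshot update. If the trace details view did change, the image file would need to change too.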
@ -176,7 +176,7 @@
<tr id="cce_10_0028__row111621459112217"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.5.2.2.2.2.2.4.1.1 "><p id="cce_10_0028__p2162105911222"><span id="cce_10_0028__ph75033321522">Reserved Pod IP Per Node</span> (supported by clusters using the VPC networks)</p>
<tr id="cce_10_0028__row111621459112217"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.5.2.2.2.2.2.4.1.1 "><p id="cce_10_0028__p2162105911222"><span id="cce_10_0028__ph75033321522">Reserved Pod IP Per Node</span> (supported by clusters using the VPC networks)</p>
</td>
</td>
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.5.2.2.2.2.2.4.1.2 "><p id="cce_10_0028__p1475043685516">The number of pod IP addresses that can be allocated in the container network (<strong id="cce_10_0028__b154119512711">alpha.cce/fixPoolMask</strong>). This parameter determines the maximum number of pods that can be created on each node. Pods that use the host networks do not occupy the reserved IP addresses.</p>
<td class="cellrowborder" valign="top" width="66%" headers="mcps1.3.5.2.2.2.2.2.4.1.2 "><p id="cce_10_0028__p1475043685516">The number of pod IP addresses that can be allocated in the container network (<strong id="cce_10_0028__b154119512711">alpha.cce/fixPoolMask</strong>). This parameter determines the maximum number of pods that can be created on each node. Pods that use the host networks do not occupy the reserved IP addresses.</p>
<p id="cce_10_0028__p1750912498414">In <a href="cce_10_0348.html#cce_10_0348__li13739132619599">a container network</a>, each pod is assigned a unique IP address. If the number of pod IP addresses reserved for each node is insufficient, pods cannot be created. For details, see <a href="cce_10_0348.html#cce_10_0348__section10770192193714">Number of Allocatable Pod IP Addresses on a Node</a>.</p>
<p id="cce_10_0028__p1750912498414">In <a href="cce_10_0348.html#cce_10_0348__li13739132619599">a container network</a>, each pod is assigned a unique IP address. If the number of pod IP addresses reserved for each node is insufficient, pods cannot be created. For details, see <a href="cce_10_0348.html#cce_10_0348__section10770192193714">Number of Reserved Pod IP Addresses Per Node</a>.</p>
</td>
</td>
<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.2.2.2.2.4.1.3 "><p id="cce_10_0028__p816218596227">No</p>
<td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.5.2.2.2.2.2.4.1.3 "><p id="cce_10_0028__p816218596227">No</p>
</td>
</td>
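Review bot: the link text changes to "Number of Reserved Pod IP Addresses Per Node" but the href still points at cce_10_0348.html#cce_10_0348__section10770192193714, and that file's diff is not shown in this view (possibly one of the suppressed large diffs); confirm the target section heading was renamed to match, otherwise the link text and the heading it lands on will disagree. The new term does line up with the row heading "Reserved Pod IP Per Node" and the alpha.cce/fixPoolMask description above it, which is the right direction.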
@ -225,7 +225,7 @@ kind: NetworkPolicy
metadata:
metadata:
name: access-ingress3
name: access-ingress3
spec:
spec:
podSelector: # The rule applies only to pods labeled with <strong id="cce_10_0059__b10740734">role=db</strong>.
podSelector: # The rule applies only to pods labeled with <strong id="cce_10_0059__b2045362474">role=db</strong>.
matchLabels:
matchLabels:
role: db
role: db
ingress: # This is an ingress rule.
ingress: # This is an ingress rule.
@ -302,7 +302,7 @@ spec:
- podSelector: # The rule takes effect for pods with the <strong id="cce_10_0059__b3721808819534">role=web</strong> label.
- podSelector: # The rule takes effect for pods with the <strong id="cce_10_0059__b3721808819534">role=web</strong> label.
matchLabels:
matchLabels:
role: web</pre>
role: web</pre>
</li><li id="cce_10_0059__li8782184511358">Run the following command to create the network policy defined the <strong id="cce_10_0059__b14485111255117">access-egress2.yaml</strong> file:<pre class="screen" id="cce_10_0059__screen1778294513513">kubectl apply -f access-egress2.yaml</pre>
</li><li id="cce_10_0059__li8782184511358">Run the following command to create the network policy defined in the <strong id="cce_10_0059__b14485111255117">access-egress2.yaml</strong> file:<pre class="screen" id="cce_10_0059__screen1778294513513">kubectl apply -f access-egress2.yaml</pre>
<p id="cce_10_0059__p478264516352">Expected output:</p>
<p id="cce_10_0059__p478264516352">Expected output:</p>
<pre class="screen" id="cce_10_0059__screen878234533511">networkpolicy.networking.k8s.io/access-egress2 created</pre>
<pre class="screen" id="cce_10_0059__screen878234533511">networkpolicy.networking.k8s.io/access-egress2 created</pre>
</li></ol>
</li></ol>
@ -298,7 +298,7 @@
<p id="cce_10_0141__en-us_topic_0000001559693890_p0532121144210">v1.29</p>
<p id="cce_10_0141__en-us_topic_0000001559693890_p0532121144210">v1.29</p>
<p id="cce_10_0141__en-us_topic_0000001559693890_p82341123174214">v1.30</p>
<p id="cce_10_0141__en-us_topic_0000001559693890_p82341123174214">v1.30</p>
</td>
</td>
<td class="cellrowborder" valign="top" width="42.85428542854286%" headers="mcps1.3.16.2.2.4.1.3 "><ul id="cce_10_0141__en-us_topic_0000001559693890_ul16128144911429"><li id="cce_10_0141__en-us_topic_0000001559693890_li1212884911427">Supported xGPU configuration by node pool.</li><li id="cce_10_0141__en-us_topic_0000001559693890_li1712874904213">Supported GPU rendering.</li><li id="cce_10_0141__en-us_topic_0000001559693890_li18254145234218">Clusters v1.30 are supported.</li></ul>
<td class="cellrowborder" valign="top" width="42.85428542854286%" headers="mcps1.3.16.2.2.4.1.3 "><ul id="cce_10_0141__en-us_topic_0000001559693890_ul16128144911429"><li id="cce_10_0141__en-us_topic_0000001559693890_li1212884911427">Supported xGPU configuration for node pools.</li><li id="cce_10_0141__en-us_topic_0000001559693890_li1712874904213">Supported GPU rendering.</li><li id="cce_10_0141__en-us_topic_0000001559693890_li18254145234218">Clusters v1.30 are supported.</li></ul>
</td>
</td>
</tr>
</tr>
<tr id="cce_10_0141__en-us_topic_0000001559693890_row129815138462"><td class="cellrowborder" valign="top" width="21.432143214321435%" headers="mcps1.3.16.2.2.4.1.1 "><p id="cce_10_0141__en-us_topic_0000001559693890_p86679446461">2.6.4</p>
<tr id="cce_10_0141__en-us_topic_0000001559693890_row129815138462"><td class="cellrowborder" valign="top" width="21.432143214321435%" headers="mcps1.3.16.2.2.4.1.1 "><p id="cce_10_0141__en-us_topic_0000001559693890_p86679446461">2.6.4</p>
File diff suppressed because it is too large
@ -383,7 +383,7 @@ workload_balancer_third_party_types: ''</pre>
<td class="cellrowborder" valign="top" width="28.442844284428443%" headers="mcps1.3.3.2.6.2.1.4.2.5.1.3 "><p id="cce_10_0193__p26241930191112">Used to enable cloud native hybrid deployment.</p>
<td class="cellrowborder" valign="top" width="28.442844284428443%" headers="mcps1.3.3.2.6.2.1.4.2.5.1.3 "><p id="cce_10_0193__p26241930191112">Used to enable cloud native hybrid deployment.</p>
</td>
</td>
<td class="cellrowborder" valign="top" width="40.764076407640765%" headers="mcps1.3.3.2.6.2.1.4.2.5.1.4 "><p id="cce_10_0193__p42083564244">This function is disabled by default. Options:</p>
<td class="cellrowborder" valign="top" width="40.764076407640765%" headers="mcps1.3.3.2.6.2.1.4.2.5.1.4 "><p id="cce_10_0193__p42083564244">This function is disabled by default. Options:</p>
<ul id="cce_10_0193__ul10325105312018"><li id="cce_10_0193__li13325553122019"><strong id="cce_10_0193__b830851743">true</strong>: The function is enabled.</li><li id="cce_10_0193__li17325195312018"><strong id="cce_10_0193__b1651011720019">false</strong> or empty: The function is disabled.</li></ul>
<ul id="cce_10_0193__ul10325105312018"><li id="cce_10_0193__li13325553122019"><strong id="cce_10_0193__b432842910">true</strong>: The function is enabled.</li><li id="cce_10_0193__li17325195312018"><strong id="cce_10_0193__b1651011720019">false</strong> or empty: The function is disabled.</li></ul>
</td>
</td>
</tr>
</tr>
<tr id="cce_10_0193__row89239282513"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.4.2.5.1.1 "><p id="cce_10_0193__p19231228754">oversubscription_method</p>
<tr id="cce_10_0193__row89239282513"><td class="cellrowborder" valign="top" headers="mcps1.3.3.2.6.2.1.4.2.5.1.1 "><p id="cce_10_0193__p19231228754">oversubscription_method</p>
@ -765,7 +765,7 @@ workload_balancer_third_party_types: ''</pre>
<p id="cce_10_0193__p6646145622517">This section describes how to configure volcano-scheduler.</p>
<p id="cce_10_0193__p6646145622517">This section describes how to configure volcano-scheduler.</p>
<div class="note" id="cce_10_0193__note13388133393710"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0193__p83326372378">Only Volcano of v1.7.1 and later support this function. </p>
<div class="note" id="cce_10_0193__note13388133393710"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0193__p83326372378">Only Volcano of v1.7.1 and later support this function. </p>
</div></div>
</div></div>
<p id="cce_10_0193__p195053623613">Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose <strong id="cce_10_0193__b149962525713">Settings</strong> and click the <strong id="cce_10_0193__b3996145185715">Scheduling</strong> tab. In the <strong id="cce_10_0193__b1399618512575">Select Cluster Scheduler</strong> area, find the expert mode and click <strong id="cce_10_0193__b1899716517572">Try Now</strong>.</p>
<p id="cce_10_0193__p195053623613">Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose <strong id="cce_10_0193__b081319114263">Settings</strong> and click the <strong id="cce_10_0193__b081317162615">Scheduling</strong> tab. In the <strong id="cce_10_0193__b6813815264">Default Cluster Scheduler</strong> area, find the expert mode and click <strong id="cce_10_0193__b198133152611">Try Now</strong>.</p>
<p id="cce_10_0193__p112531142104212"></p>
<p id="cce_10_0193__p112531142104212"></p>
<p id="cce_10_0193__p1566143416357"></p>
<p id="cce_10_0193__p1566143416357"></p>
<ul id="cce_10_0193__ul6676425408"><li id="cce_10_0193__li46762264018">Using <strong id="cce_10_0193__b073919506719">resource_exporter</strong>:<pre class="screen" id="cce_10_0193__screen7651947143817">...
<ul id="cce_10_0193__ul6676425408"><li id="cce_10_0193__li46762264018">Using <strong id="cce_10_0193__b073919506719">resource_exporter</strong>:<pre class="screen" id="cce_10_0193__screen7651947143817">...
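Review bot: the area label changes from "Select Cluster Scheduler" to "Default Cluster Scheduler" in this console path; grep the other pages of this export for the old label so that every path to the Volcano expert mode uses the same wording. While this paragraph is being edited, the unchanged note above it, "Only Volcano of v1.7.1 and later support this function. ", carries a stray trailing space and should read "Only Volcano v1.7.1 and later supports this function."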
|
||||||
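Review bot: the note text kept on both sides of this hunk, "Only Volcano of v1.7.1 and later support this function.", is ungrammatical; since the surrounding region is already being edited, suggest "Only Volcano v1.7.1 and later supports this function." The console label rename from "Select Cluster Scheduler" to "Default Cluster Scheduler" in the click path below it should be double-checked against the current console, because a stale label here sends the reader looking for an area that does not exist.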
@ -1055,7 +1055,7 @@ workload_balancer_third_party_types: ''</pre>
|
|||||||
<p id="cce_10_0193__en-us_topic_0000001609894173_p13331655366">v1.30</p>
|
<p id="cce_10_0193__en-us_topic_0000001609894173_p13331655366">v1.30</p>
|
||||||
<p id="cce_10_0193__en-us_topic_0000001609894173_p3332553616">v1.31</p>
|
<p id="cce_10_0193__en-us_topic_0000001609894173_p3332553616">v1.31</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="51.42%" headers="mcps1.3.8.3.2.4.1.3 "><p id="cce_10_0193__en-us_topic_0000001609894173_p13973151703611">Supported even scheduling on virtual GPUs.</p>
|
<td class="cellrowborder" valign="top" width="51.42%" headers="mcps1.3.8.3.2.4.1.3 "><p id="cce_10_0193__en-us_topic_0000001609894173_p13973151703611">Supported even scheduling in virtual GPUs.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0193__en-us_topic_0000001609894173_row577110132033"><td class="cellrowborder" valign="top" width="15.21%" headers="mcps1.3.8.3.2.4.1.1 "><p id="cce_10_0193__en-us_topic_0000001609894173_p163891031533">1.15.6</p>
|
<tr id="cce_10_0193__en-us_topic_0000001609894173_row577110132033"><td class="cellrowborder" valign="top" width="15.21%" headers="mcps1.3.8.3.2.4.1.1 "><p id="cce_10_0193__en-us_topic_0000001609894173_p163891031533">1.15.6</p>
|
||||||
|
|||||||
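Review bot: the only change in this hunk, "Supported even scheduling on virtual GPUs" to "Supported even scheduling in virtual GPUs", reads less naturally than the original; if the feature spreads pods evenly across virtual GPUs, "even scheduling across virtual GPUs" states that directly. Otherwise the preposition change adds no information and could be dropped.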
@ -6,10 +6,14 @@
|
|||||||
<ul class="ullinks">
|
<ul class="ullinks">
|
||||||
<li class="ulchildlink"><strong><a href="cce_10_0094.html">Ingress Overview</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_10_0094.html">Ingress Overview</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="cce_10_0850.html">Comparison Between LoadBalancer Ingresses and Nginx Ingresses</a></strong><br>
|
||||||
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_10_0686.html">LoadBalancer Ingresses</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_10_0686.html">LoadBalancer Ingresses</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_10_0692.html">Nginx Ingresses</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_10_0692.html">Nginx Ingresses</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="cce_10_0858.html">Redirecting Traffic from an Nginx Ingress to a LoadBalancer Ingress</a></strong><br>
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<div class="familylinks">
|
<div class="familylinks">
|
||||||
|
|||||||
@ -80,7 +80,7 @@
|
|||||||
<td class="cellrowborder" valign="top" width="26.082608260826078%" headers="mcps1.3.4.2.5.1.2 "><p id="cce_10_0281__p65344315812">The value of the kubelet configuration parameter <strong id="cce_10_0281__b1053563188">maxPods</strong> is used. For details, see <a href="cce_10_0348.html#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a>.</p>
|
<td class="cellrowborder" valign="top" width="26.082608260826078%" headers="mcps1.3.4.2.5.1.2 "><p id="cce_10_0281__p65344315812">The value of the kubelet configuration parameter <strong id="cce_10_0281__b1053563188">maxPods</strong> is used. For details, see <a href="cce_10_0348.html#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a>.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="29.002900290029%" headers="mcps1.3.4.2.5.1.3 "><p id="cce_10_0281__p11535183284">The smaller value between the following two options is used:</p>
|
<td class="cellrowborder" valign="top" width="29.002900290029%" headers="mcps1.3.4.2.5.1.3 "><p id="cce_10_0281__p11535183284">The smaller value between the following two options is used:</p>
|
||||||
<ul id="cce_10_0281__ul25351634816"><li id="cce_10_0281__li12535638810">The value of the kubelet configuration parameter <strong id="cce_10_0281__b453533989">maxPods</strong>. For details, see <a href="cce_10_0348.html#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a>.</li><li id="cce_10_0281__li353513319819">Pod IP addresses reserved for each node. For details, see <a href="cce_10_0348.html#cce_10_0348__section10770192193714">Number of Allocatable Pod IP Addresses on a Node</a>.</li></ul>
|
<ul id="cce_10_0281__ul25351634816"><li id="cce_10_0281__li12535638810">The value of the kubelet configuration parameter <strong id="cce_10_0281__b453533989">maxPods</strong>. For details, see <a href="cce_10_0348.html#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a>.</li><li id="cce_10_0281__li353513319819"><span id="cce_10_0281__ph7434193613110">Pod IP addresses reserved for each node</span>. For details, see <a href="cce_10_0348.html#cce_10_0348__section10770192193714">Number of Reserved Pod IP Addresses Per Node</a>.</li></ul>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="28.962896289628965%" headers="mcps1.3.4.2.5.1.4 "><p id="cce_10_0281__p153513586">The smaller value between the following two options is used:</p>
|
<td class="cellrowborder" valign="top" width="28.962896289628965%" headers="mcps1.3.4.2.5.1.4 "><p id="cce_10_0281__p153513586">The smaller value between the following two options is used:</p>
|
||||||
<ul id="cce_10_0281__ul1853511310814"><li id="cce_10_0281__li1353553787">The value of the kubelet configuration parameter <strong id="cce_10_0281__b3416113711156">maxPods</strong>. For details, see <a href="cce_10_0348.html#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a>.</li><li id="cce_10_0281__li1535431582">The number of network interfaces on a node. For details, see <a href="cce_10_0348.html#cce_10_0348__section15702175115573">Number of Node Network Interfaces (Available Only in CCE Turbo Clusters)</a>.</li></ul>
|
<ul id="cce_10_0281__ul1853511310814"><li id="cce_10_0281__li1353553787">The value of the kubelet configuration parameter <strong id="cce_10_0281__b3416113711156">maxPods</strong>. For details, see <a href="cce_10_0348.html#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a>.</li><li id="cce_10_0281__li1535431582">The number of network interfaces on a node. For details, see <a href="cce_10_0348.html#cce_10_0348__section15702175115573">Number of Node Network Interfaces (Available Only in CCE Turbo Clusters)</a>.</li></ul>
|
||||||
|
|||||||
@ -4,18 +4,20 @@
|
|||||||
<div id="body0000001118652158"><p id="cce_10_0336__p195616516813"><a href="cce_10_0066.html">CCE Container Storage (Everest)</a> supports custom access keys. In this way, IAM users can use their own custom access keys to mount an OBS volume. </p>
|
<div id="body0000001118652158"><p id="cce_10_0336__p195616516813"><a href="cce_10_0066.html">CCE Container Storage (Everest)</a> supports custom access keys. In this way, IAM users can use their own custom access keys to mount an OBS volume. </p>
|
||||||
<div class="section" id="cce_10_0336__section1356645410223"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_0336__ul169942513238"><li id="cce_10_0336__li1799112511235">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be 1.2.8 or later.</li><li id="cce_10_0336__li599172552311">The cluster version must be 1.15.11 or later.</li></ul>
|
<div class="section" id="cce_10_0336__section1356645410223"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_0336__ul169942513238"><li id="cce_10_0336__li1799112511235">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be 1.2.8 or later.</li><li id="cce_10_0336__li599172552311">The cluster version must be 1.15.11 or later.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0336__section19922155718332"><h4 class="sectiontitle">Constraints</h4><ul id="cce_10_0336__ul17628134021916"><li id="cce_10_0336__li71531542161916">When an OBS volume is mounted using a custom access key (AK/SK), the access key cannot be deleted or disabled. Otherwise, the service container cannot access the mounted OBS volume.</li><li id="cce_10_0336__li17628174017192">Custom access keys cannot be configured for secure containers.</li></ul>
|
<div class="section" id="cce_10_0336__section19922155718332"><h4 class="sectiontitle">Notes and Constraints</h4><ul id="cce_10_0336__ul17628134021916"><li id="cce_10_0336__li71531542161916">When an OBS volume is mounted using custom access keys (AK/SK), the access key cannot be deleted or disabled. Otherwise, the service container cannot access the mounted OBS volume.</li><li id="cce_10_0336__li17628174017192">Custom access keys cannot be configured for secure containers.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0336__section1045502219184"><h4 class="sectiontitle">Disabling a Global AK</h4><p id="cce_10_0336__p1419516122419">When creating an OBS volume on the console of an earlier version, you need to upload the AK/SK (global access key), which is then used by default for mounting the OBS volume. As a result, all IAM users within your account will use the same key to mount the OBS buckets, and they will have identical permissions on the buckets. However, this setting does not allow you to set different permissions for individual IAM users.</p>
|
<div class="section" id="cce_10_0336__section1045502219184"><h4 class="sectiontitle">Disabling a Global AK</h4><p id="cce_10_0336__p1419516122419">When creating an OBS volume on the console of an earlier version, you need to upload the AK/SK (global access key), which is then used by default for mounting the OBS volume. As a result, all IAM users within your account will use the same key to mount the OBS buckets, and they will have identical permissions on the buckets. However, this setting does not allow you to set different permissions for individual IAM users.</p>
|
||||||
<p id="cce_10_0336__p3972105715910">If you have uploaded the AK/SK, disable the automatic mounting of global access keys by enabling the <strong id="cce_10_0336__b135023365217">DISABLE_AUTO_MOUNT_SECRET</strong> parameter in the CCE Container Storage (Everest) add-on to prevent IAM users from performing unauthorized operations. In this way, the global access keys uploaded on the console will not be used when you use OBS volumes.</p>
|
<p id="cce_10_0336__p3972105715910">If you have uploaded the AK/SK (specifically, if <strong id="cce_10_0336__b13454124614335">paas.longaksk</strong> exists in the <strong id="cce_10_0336__b1218135111339">kube-system</strong> namespace of the cluster), you should disable the global access secret to prevent IAM users from performing unauthorized operations. This ensures that the uploaded global access secret in the console will not be used when OBS volumes are used. <strong id="cce_10_0336__b20581192720255">If you have not uploaded any AK/SK, skip this section.</strong></p>
|
||||||
<div class="note" id="cce_10_0336__note06431619183416"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_0336__ul1215320963516"><li id="cce_10_0336__li115389133519">Before enabling <strong id="cce_10_0336__b1296478123519">DISABLE_AUTO_MOUNT_SECRET</strong>, ensure that there are no OBS volumes in the cluster. Workloads using OBS volumes may fail to remount after scaling or restart due to missing access keys, which are blocked by <strong id="cce_10_0336__b1090211415371">DISABLE_AUTO_MOUNT_SECRET</strong>.</li><li id="cce_10_0336__li16153139153517">If <strong id="cce_10_0336__b173114045014">DISABLE_AUTO_MOUNT_SECRET</strong> is set to <strong id="cce_10_0336__b1857414195018">true</strong>, an access key must be specified when a PV or PVC is created. Otherwise, mounting the OBS volume will fail.</li></ul>
|
<div class="note" id="cce_10_0336__note1108139105415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_0336__ul1910810965420"><li id="cce_10_0336__li111084911542">Before disabling the global access secret, ensure that there are no OBS volumes in the cluster. Workloads using OBS volumes may fail to remount after scaling or restart due to missing access keys.</li><li id="cce_10_0336__li21082096542">After the global access secret is disabled, you must specify the access keys when creating a PV and PVC. Otherwise, the OBS volume fails to be mounted.</li></ul>
|
||||||
</div></div>
|
</div></div>
|
||||||
<p id="cce_10_0336__p246512128812">The following steps apply to CCE Container Storage (Everest) 2.<em id="cce_10_0336__i2482110185713">x</em> (2.1.42 or later):</p>
|
<p id="cce_10_0336__p13592810115515">To disable the global access secret, do as follows:</p>
|
||||||
<ol id="cce_10_0336__ol1257699192518"><li id="cce_10_0336__li1557611942510">Log in to the <span id="cce_10_0336__cce_10_0004_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</li><li id="cce_10_0336__li35762910252">In the navigation pane, choose <strong id="cce_10_0336__b0255478351"><span id="cce_10_0336__text77103384818">Add-ons</span></strong>. In the right pane, find the CCE Container Storage (Everest) add-on and click <strong id="cce_10_0336__b102515475354">Edit</strong>.</li><li id="cce_10_0336__li11577392259">Configure the add-on parameters. Set <strong id="cce_10_0336__b370523719406">Prohibit Global Secret from Mounting Object Storage (disable_auto_mount_secret)</strong> to <strong id="cce_10_0336__b1949164284010">Yes</strong>.</li><li id="cce_10_0336__li357789192515">Click <strong id="cce_10_0336__b970224318403">OK</strong>.</li></ol>
|
<ul id="cce_10_0336__ul8428106143719"><li id="cce_10_0336__li1842910613376">Disable the automatic mounting of access secrets in the CCE Container Storage (Everest) add-on by setting <strong id="cce_10_0336__b14642205952716">disable_auto_mount_secret</strong> to <strong id="cce_10_0336__b4642165912719">true</strong>.<p id="cce_10_0336__p191634623720">The following steps apply to CCE Container Storage (Everest) 2.<em id="cce_10_0336__i282483118288">x</em> (2.1.42 or later):</p>
|
||||||
<p id="cce_10_0336__p26037501482">The following steps apply to CCE Container Storage (Everest) 1.<em id="cce_10_0336__i529435045612">x</em>. (The modified settings cannot be retained during the add-on upgrades. You are advised to use the add-on of 2.<em id="cce_10_0336__i21015311904">x</em>.)</p>
|
<ol id="cce_10_0336__ol1416646193719"><li id="cce_10_0336__li111694613719">Log in to the <span id="cce_10_0336__en-us_topic_0000001199181148_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</li><li id="cce_10_0336__li2171046193715">In the navigation pane, choose <strong id="cce_10_0336__b31431635142812"><span id="cce_10_0336__text20143435152810">Add-ons</span></strong>. In the right pane, find the CCE Container Storage (Everest) add-on and click <strong id="cce_10_0336__b111438356285">Edit</strong>.</li><li id="cce_10_0336__li91712469378">Configure the add-on parameters. Set <strong id="cce_10_0336__b13649124719284">Prohibit Global Secret from Mounting Object Storage (disable_auto_mount_secret)</strong> to <strong id="cce_10_0336__b1364920472289">Yes</strong>.</li><li id="cce_10_0336__li91774623711">Click <strong id="cce_10_0336__b970224318403">OK</strong>.</li></ol>
|
||||||
<ol id="cce_10_0336__ol421992717247"><li id="cce_10_0336__li138183016247">Use kubectl to access the cluster and run the following command to modify the add-on settings:<pre class="screen" id="cce_10_0336__screen20987635112417">kubectl edit ds everest-csi-driver -nkube-system</pre>
|
<p id="cce_10_0336__p517134617377">The following steps apply to CCE Container Storage (Everest) 1.<em id="cce_10_0336__i13539327298">x</em>. The modified settings cannot be retained during the add-on upgrades. You are advised to use the add-on of 2.<em id="cce_10_0336__i235319326299">x</em>.</p>
|
||||||
</li><li id="cce_10_0336__li9219152792419">Search for <strong id="cce_10_0336__b2682654535208">disable-auto-mount-secret</strong> and set it to <strong id="cce_10_0336__b2639071435208">true</strong>.<p id="cce_10_0336__p7308184242411"><span><img id="cce_10_0336__image24761413575" src="en-us_image_0000002484119690.png"></span></p>
|
<ol id="cce_10_0336__ol1017446103719"><li id="cce_10_0336__li917446163715">Use kubectl to access the cluster and run the following command to modify the add-on settings:<pre class="screen" id="cce_10_0336__screen191774633719">kubectl edit ds everest-csi-driver -nkube-system</pre>
|
||||||
</li><li id="cce_10_0336__li5219162762419">Run <strong id="cce_10_0336__b5290111110577">:wq</strong> to save the settings and exit. Wait until the pod is restarted.</li></ol>
|
</li><li id="cce_10_0336__li11710463377">Search for <strong id="cce_10_0336__b4640456292">disable-auto-mount-secret</strong> and set it to <strong id="cce_10_0336__b19641245192916">true</strong>.<p id="cce_10_0336__p2017124619376"><span><img id="cce_10_0336__image71713466373" src="en-us_image_0000002518226090.png"></span></p>
|
||||||
|
</li><li id="cce_10_0336__li5178464379">Run <strong id="cce_10_0336__b141214484293">:wq</strong> to save the settings and exit. Wait until the pod is restarted.</li></ol>
|
||||||
|
</li><li id="cce_10_0336__li1242814619374">In the <a href="cce_10_0782.html#cce_10_0782__section138274223718">Settings > Cluster Settings</a> area, disable the global access secret of the cluster. The global access secret (<strong id="cce_10_0336__b15227556132916">paas.longaksk</strong>) in the <strong id="cce_10_0336__b82273561299">kube-system</strong> namespace of the cluster will be deleted.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0336__section4633162355911"><a name="cce_10_0336__section4633162355911"></a><a name="section4633162355911"></a><h4 class="sectiontitle">Obtaining an Access Key</h4><ol id="cce_10_0336__ol481110401303"><li id="cce_10_0336__li481114401906"><span>Access the <span id="cce_10_0336__ph56626221444"><strong id="cce_10_0336__en-us_topic_0000002359963906_b7366185612613"></strong><strong id="cce_10_0336__en-us_topic_0000002359963906_b1522414182271">My Credentials</strong> page</span>.</span></li><li id="cce_10_0336__li68111402005"><span>In the navigation pane, choose <strong id="cce_10_0336__b612017294126">Access Keys</strong>.</span></li><li id="cce_10_0336__li28119401016"><span>Click <strong id="cce_10_0336__b194083251210">Create Access Key</strong>. The <strong id="cce_10_0336__b14412324125">Create Access Key</strong> dialog box is displayed.</span></li><li id="cce_10_0336__li1381116402013"><span>Click <strong id="cce_10_0336__b12537122719392">OK</strong> to download the access key.</span></li></ol>
|
<div class="section" id="cce_10_0336__section4633162355911"><a name="cce_10_0336__section4633162355911"></a><a name="section4633162355911"></a><h4 class="sectiontitle">Obtaining an Access Key</h4><ol id="cce_10_0336__ol481110401303"><li id="cce_10_0336__li481114401906"><span>Access the <span id="cce_10_0336__ph56626221444"><strong id="cce_10_0336__en-us_topic_0000002359963906_b7366185612613"></strong><strong id="cce_10_0336__en-us_topic_0000002359963906_b1522414182271">My Credentials</strong> page</span>.</span></li><li id="cce_10_0336__li68111402005"><span>In the navigation pane, choose <strong id="cce_10_0336__b612017294126">Access Keys</strong>.</span></li><li id="cce_10_0336__li28119401016"><span>Click <strong id="cce_10_0336__b194083251210">Create Access Key</strong>. The <strong id="cce_10_0336__b14412324125">Create Access Key</strong> dialog box is displayed.</span></li><li id="cce_10_0336__li1381116402013"><span>Click <strong id="cce_10_0336__b12537122719392">OK</strong> to download the access key.</span></li></ol>
|
||||||
</div>
|
</div>
|
||||||
|
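Review bot: in the new bullet list introduced by "To disable the global access secret, do as follows:", it is not stated whether the two bullets (setting disable_auto_mount_secret to true in the Everest add-on, and deleting paas.longaksk under Settings &gt; Cluster Settings) are alternatives or both required; an unordered list implies either one suffices, yet the note above warns that workloads can no longer remount once the key is missing, so please say which it is and use an ordered list if both steps must be done in sequence. The precondition "if paas.longaksk exists in the kube-system namespace" would be easier to act on with the command to check it, for example `kubectl get secret paas.longaksk -n kube-system`, placed next to the existing `kubectl edit ds everest-csi-driver -nkube-system`. Minor: the 2.x steps spell the parameter disable_auto_mount_secret while the 1.x DaemonSet edit says disable-auto-mount-secret; if these are genuinely different keys, say so, otherwise unify the spelling so a reader searching the manifest finds it. The motivation stated in the paragraph above, that a shared global key gives every IAM user identical bucket permissions, is the right least-privilege argument and should stay close to the procedure.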
|||||||
@ -4,7 +4,7 @@
|
|||||||
<div id="body0000001543100005"><p id="cce_10_0337__p1149135965615">This section describes how to configure SFS mount options. You can configure mount options in a PV and bind the PV to a PVC. Alternatively, configure mount options in a StorageClass and use the StorageClass to create a PVC. In this way, PVs can be dynamically created and inherit mount options configured in the StorageClass by default.</p>
|
<div id="body0000001543100005"><p id="cce_10_0337__p1149135965615">This section describes how to configure SFS mount options. You can configure mount options in a PV and bind the PV to a PVC. Alternatively, configure mount options in a StorageClass and use the StorageClass to create a PVC. In this way, PVs can be dynamically created and inherit mount options configured in the StorageClass by default.</p>
|
||||||
<div class="section" id="cce_10_0337__section1940515714420"><h4 class="sectiontitle">Prerequisites</h4><p id="cce_10_0337__p123191440105710">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be <strong id="cce_10_0337__b551144215272">1.2.8 or later</strong>. This add-on identifies the mount options and transfers them to the underlying storage resources. The parameter settings take effect only if the underlying storage resources support the specified options.</p>
|
<div class="section" id="cce_10_0337__section1940515714420"><h4 class="sectiontitle">Prerequisites</h4><p id="cce_10_0337__p123191440105710">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be <strong id="cce_10_0337__b551144215272">1.2.8 or later</strong>. This add-on identifies the mount options and transfers them to the underlying storage resources. The parameter settings take effect only if the underlying storage resources support the specified options.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0337__section6456132219344"><h4 class="sectiontitle">Constraints</h4><ul id="cce_10_0337__ul6907133813915"><li id="cce_10_0337__li7907173833915">Mount options cannot be configured for secure containers.</li><li id="cce_10_0337__li1190710383398">Due to the restrictions of the NFS protocol, if an SFS volume is mounted to a node for multiple times, link-related mounting parameters (such as <strong id="cce_10_0337__b18585135010446">timeo</strong>) take effect only when the SFS volume is mounted for the first time by default. For example, if the same SFS file system is mounted to multiple pods running on a node, the mounting parameter set later does not overwrite the existing parameter value. If you want to configure different mounting parameters in the preceding scenario, additionally configure the <strong id="cce_10_0337__b1981781710497">nosharecache</strong> parameter.</li></ul>
|
<div class="section" id="cce_10_0337__section6456132219344"><h4 class="sectiontitle">Notes and Constraints</h4><ul id="cce_10_0337__ul6907133813915"><li id="cce_10_0337__li7907173833915">Mount options cannot be configured for secure containers.</li><li id="cce_10_0337__li1190710383398">Due to the restrictions of the NFS protocol, if an SFS volume is mounted to a node for multiple times, link-related mounting parameters (such as <strong id="cce_10_0337__b18585135010446">timeo</strong>) take effect only when the SFS volume is mounted for the first time by default. For example, if the same SFS file system is mounted to multiple pods running on a node, the mounting parameter set later does not overwrite the existing parameter value. If you want to configure different mounting parameters in the preceding scenario, additionally configure the <strong id="cce_10_0337__b1981781710497">nosharecache</strong> parameter.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0337__section14888047833"><a name="cce_10_0337__section14888047833"></a><a name="section14888047833"></a><h4 class="sectiontitle">SFS Volume Mount Options</h4><p id="cce_10_0337__p1373413010222">The Everest add-on in CCE presets the options described in <a href="#cce_10_0337__table128754351546">Table 1</a> for mounting SFS volumes.</p>
|
<div class="section" id="cce_10_0337__section14888047833"><a name="cce_10_0337__section14888047833"></a><a name="section14888047833"></a><h4 class="sectiontitle">SFS Volume Mount Options</h4><p id="cce_10_0337__p1373413010222">The Everest add-on in CCE presets the options described in <a href="#cce_10_0337__table128754351546">Table 1</a> for mounting SFS volumes.</p>
|
||||||
|
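Review bot: the heading rename to "Notes and Constraints" is fine, but the second bullet, unchanged on both sides, says "mounted to a node for multiple times"; suggest "mounted to a node multiple times". The same bullet would also be clearer if it stated that nosharecache must be added to the mountOptions of the later PV, since "additionally configure the nosharecache parameter" does not say where.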
|
||||||
@ -67,7 +67,7 @@
|
|||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
</div>
|
</div>
|
||||||
<p id="cce_10_0337__p139823178911">You can configure other mount options if needed. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/sfs/sfs_01_1001.html" target="_blank" rel="noopener noreferrer">Mounting an NFS File System to ECSs (Linux)</a>.</p>
|
<p id="cce_10_0337__p139823178911">You can configure other mount options if needed. For details, see <a href="https://docs.otc.t-systems.com/scalable-file-service/umn/getting_started/mount_a_file_system/mounting_an_nfs_file_system_to_ecss_linux.html" target="_blank" rel="noopener noreferrer">Mounting an NFS File System to ECSs (Linux)</a>.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0337__section846811715589"><h4 class="sectiontitle">Configuring Mount Options in a PV</h4><p id="cce_10_0337__p1070219443123">You can use the <strong id="cce_10_0337__b383935145311">mountOptions</strong> field to configure mount options in a PV. The options you can configure in <strong id="cce_10_0337__b1584025185319">mountOptions</strong> are listed in <a href="#cce_10_0337__section14888047833">SFS Volume Mount Options</a>.</p>
|
<div class="section" id="cce_10_0337__section846811715589"><h4 class="sectiontitle">Configuring Mount Options in a PV</h4><p id="cce_10_0337__p1070219443123">You can use the <strong id="cce_10_0337__b383935145311">mountOptions</strong> field to configure mount options in a PV. The options you can configure in <strong id="cce_10_0337__b1584025185319">mountOptions</strong> are listed in <a href="#cce_10_0337__section14888047833">SFS Volume Mount Options</a>.</p>
|
||||||
<ol id="cce_10_0337__ol24468432310"><li id="cce_10_0337__li3446143636"><span>Use kubectl to access the cluster. For details, see <a href="cce_10_0107.html">Accessing a Cluster Using kubectl</a>.</span></li><li id="cce_10_0337__li887813482193"><span>Configure mount options in a PV. Example:</span><p><pre class="screen" id="cce_10_0337__screen6878748181916">apiVersion: v1
|
<ol id="cce_10_0337__ol24468432310"><li id="cce_10_0337__li3446143636"><span>Use kubectl to access the cluster. For details, see <a href="cce_10_0107.html">Accessing a Cluster Using kubectl</a>.</span></li><li id="cce_10_0337__li887813482193"><span>Configure mount options in a PV. Example:</span><p><pre class="screen" id="cce_10_0337__screen6878748181916">apiVersion: v1
|
||||||
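Review bot: the external link is moved from the /en-us/usermanual/sfs/sfs_01_1001.html path to the new /scalable-file-service/umn/... path with the same link text; please confirm the new URL resolves and, if the old path is still reachable, that it redirects, otherwise readers of older copies of this page land on a dead link.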
@ -85,12 +85,13 @@ spec:
|
|||||||
csi:
|
csi:
|
||||||
driver: nas.csi.everest.io # Dependent storage driver for the mounting
|
driver: nas.csi.everest.io # Dependent storage driver for the mounting
|
||||||
fsType: nfs
|
fsType: nfs
|
||||||
volumeHandle: <i><span class="varname" id="cce_10_0337__varname198781448171915"><your_volume_id></span></i> # The ID of the SFS Capacity-Oriented volume
|
volumeHandle: <i><span class="varname" id="cce_10_0337__varname522920403105"><your_volume_id></span></i> # The ID of the SFS Capacity-Oriented volume or the file system name when a general purpose file system (SFS 3.0 Capacity-Oriented) is used
|
||||||
volumeAttributes:
|
volumeAttributes:
|
||||||
everest.io/share-export-location: <i><span class="varname" id="cce_10_0337__varname28789482191"><your_location></span></i> # Shared path of the SFS volume
|
everest.io/share-export-location: <i><span class="varname" id="cce_10_0337__varname28789482191"><your_location></span></i> # Shared path of the SFS volume
|
||||||
storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
|
storage.kubernetes.io/csiProvisionerIdentity: everest-csi-provisioner
|
||||||
|
everest.io/sfs-version: sfs3.0 # A general purpose file system (SFS 3.0 Capacity-Oriented) is used.
|
||||||
persistentVolumeReclaimPolicy: Retain # Reclaim policy
|
persistentVolumeReclaimPolicy: Retain # Reclaim policy
|
||||||
storageClassName: <i><span class="varname" id="cce_10_0337__varname1110445125316">csi-nas</span></i> # StorageClass name.
|
storageClassName: <i><span class="varname" id="cce_10_0337__varname157391059121013">csi-nas</span></i> # StorageClass name. <strong id="cce_10_0337__b14739105981013">csi-nas</strong> indicates that SFS Capacity-Oriented is used. <strong id="cce_10_0337__b1173945951014">csi-sfs</strong> indicates that a general purpose file system (SFS 3.0 Capacity-Oriented) is used.
|
||||||
<strong id="cce_10_0337__b58781748161917">mountOptions:</strong> # Mount options
|
<strong id="cce_10_0337__b58781748161917">mountOptions:</strong> # Mount options
|
||||||
<strong id="cce_10_0337__b5878134810190"> - <i><span class="varname" id="cce_10_0337__varname787804816194">vers=3</span></i></strong>
|
<strong id="cce_10_0337__b5878134810190"> - <i><span class="varname" id="cce_10_0337__varname787804816194">vers=3</span></i></strong>
|
||||||
<strong id="cce_10_0337__b13878948191910"> - <i><span class="varname" id="cce_10_0337__varname18878104818196">nolock</span></i></strong>
|
<strong id="cce_10_0337__b13878948191910"> - <i><span class="varname" id="cce_10_0337__varname18878104818196">nolock</span></i></strong>
|
||||||
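Review bot: the PV example now mixes two SFS variants: `everest.io/sfs-version: sfs3.0` is added unconditionally with the comment "A general purpose file system (SFS 3.0 Capacity-Oriented) is used.", while `storageClassName: csi-nas` in the same manifest is documented as meaning SFS Capacity-Oriented is used. A reader who copies the block as-is gets a PV whose attributes and StorageClass disagree. Suggest giving the new line the same qualifier used in the StorageClass hunk below ("This parameter is not required for SFS Capacity-Oriented."), or showing csi-sfs together with sfs3.0 so the example is internally consistent.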
@ -116,6 +117,7 @@ parameters:
|
|||||||
csi.storage.k8s.io/csi-driver-name: nas.csi.everest.io
|
csi.storage.k8s.io/csi-driver-name: nas.csi.everest.io
|
||||||
csi.storage.k8s.io/fstype: nfs
|
csi.storage.k8s.io/fstype: nfs
|
||||||
everest.io/share-access-to: <i><span class="varname" id="cce_10_0337__varname1524719214412"><your_vpc_id></span></i> # VPC ID of the cluster
|
everest.io/share-access-to: <i><span class="varname" id="cce_10_0337__varname1524719214412"><your_vpc_id></span></i> # VPC ID of the cluster
|
||||||
|
everest.io/sfs-version: sfs3.0 # A general purpose file system (SFS 3.0 Capacity-Oriented) is used. This parameter is not required for SFS Capacity-Oriented.
|
||||||
reclaimPolicy: Delete
|
reclaimPolicy: Delete
|
||||||
volumeBindingMode: Immediate
|
volumeBindingMode: Immediate
|
||||||
<strong id="cce_10_0337__b183867368219">mountOptions:</strong> # Mount options
|
<strong id="cce_10_0337__b183867368219">mountOptions:</strong> # Mount options
|
||||||
|
|||||||
@ -20,9 +20,9 @@
|
|||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0348__row1551133515136"><td class="cellrowborder" valign="top" width="24.5024502450245%" headers="mcps1.3.1.3.1.4.1.1 "><p id="cce_10_0348__p125111735161316">VPC network</p>
|
<tr id="cce_10_0348__row1551133515136"><td class="cellrowborder" valign="top" width="24.5024502450245%" headers="mcps1.3.1.3.1.4.1.1 "><p id="cce_10_0348__p125111735161316">VPC network</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="38.56385638563856%" headers="mcps1.3.1.3.1.4.1.2 "><p id="cce_10_0348__p17511113561318">The smaller value between the <a href="#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a> and <a href="#cce_10_0348__section10770192193714">Number of Allocatable Pod IP Addresses on a Node</a></p>
|
<td class="cellrowborder" valign="top" width="38.56385638563856%" headers="mcps1.3.1.3.1.4.1.2 "><p id="cce_10_0348__p17511113561318">The smaller value between the <a href="#cce_10_0348__section16296174054019">Maximum Number of Pods on a Node</a> and <a href="#cce_10_0348__section10770192193714">Number of Reserved Pod IP Addresses Per Node</a></p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="36.933693369336936%" headers="mcps1.3.1.3.1.4.1.3 "><p id="cce_10_0348__p07681418131813">To ensure that new pods run smoothly on a node, verify that the maximum number of pods on the node does not exceed the number of allocatable pod IP addresses. If the node lacks sufficient pod IP addresses, new pods will not function properly.</p>
|
<td class="cellrowborder" valign="top" width="36.933693369336936%" headers="mcps1.3.1.3.1.4.1.3 "><p id="cce_10_0348__p11914127105413">To ensure that new pods run smoothly on a node, verify that the maximum number of pods on the node does not exceed the number of allocatable pod IP addresses. If the node lacks sufficient pod IP addresses, new pods will not function properly.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0348__row8486828141416"><td class="cellrowborder" valign="top" width="24.5024502450245%" headers="mcps1.3.1.3.1.4.1.1 "><p id="cce_10_0348__p748714286146">Cloud Native Network 2.0 (for CCE Turbo clusters)</p>
|
<tr id="cce_10_0348__row8486828141416"><td class="cellrowborder" valign="top" width="24.5024502450245%" headers="mcps1.3.1.3.1.4.1.1 "><p id="cce_10_0348__p748714286146">Cloud Native Network 2.0 (for CCE Turbo clusters)</p>
|
||||||
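Review bot: the row is now internally inconsistent: the link text was renamed to Number of Reserved Pod IP Addresses Per Node, but the third column still reads "verify that the maximum number of pods on the node does not exceed the number of allocatable pod IP addresses" and "If the node lacks sufficient pod IP addresses". Either keep "allocatable" throughout or change the description to the new "reserved" wording so readers can match the row to the renamed section; as it stands the only edit to that cell is a new paragraph id with identical text.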
@ -36,7 +36,7 @@
|
|||||||
</table>
|
</table>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0348__section10770192193714"><a name="cce_10_0348__section10770192193714"></a><a name="section10770192193714"></a><h4 class="sectiontitle">Number of Allocatable Pod IP Addresses on a Node</h4><p id="cce_10_0348__p8060118">The number of allocatable pod IP addresses on a node is the maximum number of IP addresses that can be allocated to pods on that node. When creating a cluster in the VPC network model, follow the and specify the number of pod IP addresses that each node can allocate using <span class="keyword" id="cce_10_0348__keyword94055201118">alpha.cce/fixPoolMask</span>.</p>
|
<div class="section" id="cce_10_0348__section10770192193714"><a name="cce_10_0348__section10770192193714"></a><a name="section10770192193714"></a><h4 class="sectiontitle"><span id="cce_10_0348__ph132411266225">Number of Reserved Pod IP Addresses Per Node</span></h4><p id="cce_10_0348__p8060118">When creating a cluster in the VPC network model, follow the and specify the number of pod IP addresses that each node can allocate using <span class="keyword" id="cce_10_0348__keyword191154012419">alpha.cce/fixPoolMask</span>.</p>
|
||||||
<p id="cce_10_0348__p36341919183012">The maximum number of pods that can be created on a node is determined by the number of pod IP addresses available for allocation. In a <a href="#cce_10_0348__li13739132619599">containerized environment</a>, each pod requires its own unique IP address. If the node runs out of reserved pod IP addresses, new pods cannot be created. If <strong id="cce_10_0348__b840019354526">hostNetwork: true</strong> is configured in the YAML file, pods will use the <a href="#cce_10_0348__li13752132911597">host network</a> instead of the reserved pod IP addresses. For details, see <a href="#cce_10_0348__section12428143711548">Pod IP Address Allocation Differences Between the Container Network and Host Network</a>.</p>
|
<p id="cce_10_0348__p36341919183012">The maximum number of pods that can be created on a node is determined by the number of pod IP addresses available for allocation. In a <a href="#cce_10_0348__li13739132619599">containerized environment</a>, each pod requires its own unique IP address. If the node runs out of reserved pod IP addresses, new pods cannot be created. If <strong id="cce_10_0348__b840019354526">hostNetwork: true</strong> is configured in the YAML file, pods will use the <a href="#cce_10_0348__li13752132911597">host network</a> instead of the reserved pod IP addresses. For details, see <a href="#cce_10_0348__section12428143711548">Pod IP Address Allocation Differences Between the Container Network and Host Network</a>.</p>
|
||||||
<p id="cce_10_0348__p18181516161419">By default, each node in a cluster is assigned a CIDR block from which pod IP addresses are allocated. The usable number of IP addresses for pods within this block is typically the total number of addresses in the CIDR block minus three reserved addresses (including the network address, gateway address, and broadcast address). </p>
|
<p id="cce_10_0348__p18181516161419">By default, each node in a cluster is assigned a CIDR block from which pod IP addresses are allocated. The usable number of IP addresses for pods within this block is typically the total number of addresses in the CIDR block minus three reserved addresses (including the network address, gateway address, and broadcast address). </p>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
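Review bot: the section's opening paragraph still reads "follow the and specify the number of pod IP addresses", so the reference after "follow the" is missing in both the old and the new version; since this change rewrites that sentence anyway, restore the intended link or drop "follow the". Removing the definitional first sentence also leaves "reserved pod IP addresses" undefined in a section whose last paragraph uses "reserved" for the three addresses (network, gateway, broadcast) excluded from the block; one sentence stating that the per-node count is the CIDR size minus those three would keep the two meanings apart.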
@ -11,12 +11,12 @@
|
|||||||
<p id="cce_10_0365__p6401512172912">For example, the domain name <strong id="cce_10_0365__b14615191116342">www.***.com</strong> has only two dots (smaller than the value of <strong id="cce_10_0365__b3615181113340">ndots</strong>), and therefore the sequence of DNS queries is as follows: <strong id="cce_10_0365__b49831141553">www.***.com.default.svc.cluster.local</strong>, <strong id="cce_10_0365__b1972901117520">www.***.com.svc.cluster.local</strong>, <strong id="cce_10_0365__b1025517755">www.***.com.cluster.local</strong>, and <strong id="cce_10_0365__b1547213231517">www.***.com</strong>. This means that at least seven DNS queries will be initiated before the domain name is resolved into an IP address. It is clear that when many unnecessary DNS queries will be initiated to access an external domain name. There is room for improvement in workload's DNS configuration.</p>
|
<p id="cce_10_0365__p6401512172912">For example, the domain name <strong id="cce_10_0365__b14615191116342">www.***.com</strong> has only two dots (smaller than the value of <strong id="cce_10_0365__b3615181113340">ndots</strong>), and therefore the sequence of DNS queries is as follows: <strong id="cce_10_0365__b49831141553">www.***.com.default.svc.cluster.local</strong>, <strong id="cce_10_0365__b1972901117520">www.***.com.svc.cluster.local</strong>, <strong id="cce_10_0365__b1025517755">www.***.com.cluster.local</strong>, and <strong id="cce_10_0365__b1547213231517">www.***.com</strong>. This means that at least seven DNS queries will be initiated before the domain name is resolved into an IP address. It is clear that when many unnecessary DNS queries will be initiated to access an external domain name. There is room for improvement in workload's DNS configuration.</p>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="note" id="cce_10_0365__note0509184610213"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0365__p17566125317216">For more information about configuration options in the resolver configuration file used by Linux operating systems, visit <a href="http://man7.org/linux/man-pages/man5/resolv.conf.5.html" target="_blank" rel="noopener noreferrer">http://man7.org/linux/man-pages/man5/resolv.conf.5.html</a>.</p>
|
<div class="note" id="cce_10_0365__note0509184610213"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0365__p17566125317216">For details about the configuration items in the Linux DNS resolver configuration file, see <a href="https://man7.org/linux/man-pages/man5/resolv.conf.5.html" target="_blank" rel="noopener noreferrer">https://man7.org/linux/man-pages/man5/resolv.conf.5.html</a>.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0365__section782913619427"><h4 class="sectiontitle">Configuring DNS for a Workload Through the Console</h4><p id="cce_10_0365__p195449555558">Kubernetes provides DNS-related configuration options for applications. The use of application's DNS configuration can effectively reduce unnecessary DNS queries in certain scenarios and improve service concurrency. The following procedure uses an Nginx application as an example to describe how to add DNS configurations for a workload on the console.</p>
|
<div class="section" id="cce_10_0365__section782913619427"><h4 class="sectiontitle">Configuring DNS for a Workload Through the Console</h4><p id="cce_10_0365__p195449555558">Kubernetes provides DNS-related configuration options for applications. The use of application's DNS configuration can effectively reduce unnecessary DNS queries in certain scenarios and improve service concurrency. The following procedure uses an Nginx application as an example to describe how to add DNS configurations for a workload on the console.</p>
|
||||||
<ol id="cce_10_0365__ol1035961215558"><li id="cce_10_0365__li330462393220"><span>Log in to the <span id="cce_10_0365__cce_10_0004_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0365__li6526123335515"><span>In the navigation pane, choose <span class="uicontrol" id="cce_10_0365__uicontrol598016521210"><b>Workloads</b></span>. In the upper right corner, click <span class="uicontrol" id="cce_10_0365__uicontrol119819521016"><b>Create Workload</b></span>.</span></li><li id="cce_10_0365__li57661910269"><span>Configure basic information about the workload. For details, see <a href="cce_10_0673.html">Creating a Workload</a>.</span></li><li id="cce_10_0365__li1329014101777"><span>In the <strong id="cce_10_0365__b930822594314">Advanced Settings</strong> area, click the <strong id="cce_10_0365__b1230911258434">DNS</strong> tab and set the following parameters as required:</span><p><ul id="cce_10_0365__ul949817369810"><li id="cce_10_0365__li1049833612819"><strong id="cce_10_0365__b101811532134319">DNS Policy</strong>: The DNS policies provided on the console correspond to the <strong id="cce_10_0365__b1418110328436">dnsPolicy</strong> field in the YAML file. For details, see <a href="#cce_10_0365__table144443315261">Table 1</a>.<ul id="cce_10_0365__ul129381410992"><li id="cce_10_0365__li189271105388"><strong id="cce_10_0365__b16366154317436">Supplement defaults</strong>: corresponds to <strong id="cce_10_0365__b13366154318433">dnsPolicy=ClusterFirst</strong>. Containers can resolve both the cluster-internal domain names registered by a Service and the external domain names exposed to public networks.</li><li id="cce_10_0365__li101722515381"><strong id="cce_10_0365__b3631346124314">Replace defaults</strong>: corresponds to <strong id="cce_10_0365__b206434616432">dnsPolicy=None</strong>. 
You must configure <strong id="cce_10_0365__b16411464437">IP Address</strong> and <strong id="cce_10_0365__b1564144618438">Search Domain</strong>. Containers only use the user-defined IP address and search domain configurations for domain name resolution.</li><li id="cce_10_0365__li5619793817"><strong id="cce_10_0365__b1737495124310">Inherit defaults</strong>: corresponds to <strong id="cce_10_0365__b1374851164315">dnsPolicy=Default</strong>. Containers use the domain name resolution configuration from the node that pods run on and cannot resolve the cluster-internal domain names.</li></ul>
|
<ol id="cce_10_0365__ol1035961215558"><li id="cce_10_0365__li330462393220"><span>Log in to the <span id="cce_10_0365__cce_10_0004_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0365__li6526123335515"><span>In the navigation pane, choose <span class="uicontrol" id="cce_10_0365__uicontrol598016521210"><b>Workloads</b></span>. In the upper right corner, click <span class="uicontrol" id="cce_10_0365__uicontrol119819521016"><b>Create Workload</b></span>.</span></li><li id="cce_10_0365__li57661910269"><span>Configure basic information about the workload. For details, see <a href="cce_10_0673.html">Creating a Workload</a>.</span></li><li id="cce_10_0365__li1329014101777"><span>In the <strong id="cce_10_0365__b930822594314">Advanced Settings</strong> area, click the <strong id="cce_10_0365__b1230911258434">DNS</strong> tab and set the following parameters as required:</span><p><ul id="cce_10_0365__ul949817369810"><li id="cce_10_0365__li1049833612819"><strong id="cce_10_0365__b101811532134319">DNS Policy</strong>: The DNS policies provided on the console correspond to the <strong id="cce_10_0365__b1418110328436">dnsPolicy</strong> field in the YAML file. For details, see <a href="#cce_10_0365__table144443315261">Table 1</a>.<ul id="cce_10_0365__ul129381410992"><li id="cce_10_0365__li189271105388"><strong id="cce_10_0365__b16366154317436">Supplement defaults</strong>: corresponds to <strong id="cce_10_0365__b13366154318433">dnsPolicy=ClusterFirst</strong>. Containers can resolve both the cluster-internal domain names registered by a Service and the external domain names exposed to public networks.</li><li id="cce_10_0365__li101722515381"><strong id="cce_10_0365__b3631346124314">Replace defaults</strong>: corresponds to <strong id="cce_10_0365__b206434616432">dnsPolicy=None</strong>. 
You must configure <strong id="cce_10_0365__b16411464437">IP Address</strong> and <strong id="cce_10_0365__b1564144618438">Search Domain</strong>. Containers only use the user-defined IP address and search domain configurations for domain name resolution.</li><li id="cce_10_0365__li5619793817"><strong id="cce_10_0365__b1737495124310">Inherit defaults</strong>: corresponds to <strong id="cce_10_0365__b1374851164315">dnsPolicy=Default</strong>. Containers use the domain name resolution configuration from the node that pods run on and cannot resolve the cluster-internal domain names.</li></ul>
|
||||||
</li><li id="cce_10_0365__li153416472231"><strong id="cce_10_0365__b1938365414439">Optional Objects</strong>: The options parameters in the <a href="#cce_10_0365__table16581121652515">dnsConfig field</a>. Each object may have a name property (required) and a value property (optional). After setting the properties, click <span class="uicontrol" id="cce_10_0365__uicontrol79841856174310"><b>confirm to add</b></span>.<ul id="cce_10_0365__ul6501141918503"><li id="cce_10_0365__li59411218105019"><strong id="cce_10_0365__b1264095994315">timeout</strong>: Timeout interval, in seconds.</li><li id="cce_10_0365__li14291172365019"><strong id="cce_10_0365__b1986118614442">ndots</strong>: Number of dots (.) that must be present in a domain name. If a domain name has dots fewer than this value, the operating system will look up the name in the search domain. If not, the name is a fully qualified domain name (FQDN) and will be tried first as an absolute name.</li></ul>
|
</li><li id="cce_10_0365__li153416472231"><strong id="cce_10_0365__b1938365414439">Optional Objects</strong>: The options parameters in the <a href="#cce_10_0365__table16581121652515">dnsConfig field</a>. Each object may have a name property (required) and a value property (optional). After setting the properties, click <span class="uicontrol" id="cce_10_0365__uicontrol79841856174310"><b>confirm to add</b></span>.<ul id="cce_10_0365__ul6501141918503"><li id="cce_10_0365__li59411218105019"><strong id="cce_10_0365__b1264095994315">timeout</strong>: Timeout interval, in seconds.</li><li id="cce_10_0365__li14291172365019"><strong id="cce_10_0365__b1986118614442">ndots</strong>: Number of dots (.) that must be present in a domain name. If a domain name has fewer dots than this value, the operating system will look up the name in the search domain. If not, the name is a fully qualified domain name (FQDN) and will be tried first as an absolute name.</li></ul>
|
||||||
</li><li id="cce_10_0365__li634818276267"><strong id="cce_10_0365__b152585014167">IP Address of DNS Server</strong>: <strong id="cce_10_0365__b9258190181615">nameservers</strong> in <a href="#cce_10_0365__table16581121652515">dnsConfig</a>. You can configure a domain name server for a custom domain name. The value is one or a group of DNS IP addresses.</li><li id="cce_10_0365__li13630845287"><strong id="cce_10_0365__b1868784134518">Search Domain</strong>: <strong id="cce_10_0365__b968794174513">searches</strong> in the <a href="#cce_10_0365__table16581121652515">dnsConfig</a>. A list of DNS search domains for hostname lookup in the pod. This property is optional. When specified, the provided list will be merged into the search domain names generated from the chosen DNS policy in <strong id="cce_10_0365__b144961644104517">dnsPolicy</strong>. Duplicate domain names are removed.</li><li id="cce_10_0365__li11729122617199"><strong id="cce_10_0365__b10852531191913">Host Alias</strong>: Add the mapping between domain names and IP addresses to the local configuration file <strong id="cce_10_0365__b11157101313201">/etc/hosts</strong> of a pod for simplified local domain name resolution. For details, see <a href="https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" target="_blank" rel="noopener noreferrer">Adding entries to Pod /etc/hosts with HostAliases</a>.</li></ul>
|
</li><li id="cce_10_0365__li634818276267"><strong id="cce_10_0365__b152585014167">IP Address of DNS Server</strong>: <strong id="cce_10_0365__b9258190181615">nameservers</strong> in <a href="#cce_10_0365__table16581121652515">dnsConfig</a>. You can configure a domain name server for a custom domain name. The value is one or a group of DNS IP addresses.</li><li id="cce_10_0365__li13630845287"><strong id="cce_10_0365__b1868784134518">Search Domain</strong>: <strong id="cce_10_0365__b968794174513">searches</strong> in the <a href="#cce_10_0365__table16581121652515">dnsConfig</a>. A list of DNS search domains for hostname lookup in the pod. This property is optional. When specified, the provided list will be merged into the search domain names generated from the chosen DNS policy in <strong id="cce_10_0365__b144961644104517">dnsPolicy</strong>. Duplicate domain names are removed.</li><li id="cce_10_0365__li11729122617199"><strong id="cce_10_0365__b10852531191913">Host Alias</strong>: Add the mapping between domain names and IP addresses to the local configuration file <strong id="cce_10_0365__b11157101313201">/etc/hosts</strong> of a pod for simplified local domain name resolution. For details, see <a href="https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/" target="_blank" rel="noopener noreferrer">Adding entries to Pod /etc/hosts with HostAliases</a>.</li></ul>
|
||||||
</p></li><li id="cce_10_0365__li03217211358"><span>Click <span class="uicontrol" id="cce_10_0365__uicontrol162701548154515"><b>Create Workload</b></span>.</span></li></ol>
|
</p></li><li id="cce_10_0365__li03217211358"><span>Click <span class="uicontrol" id="cce_10_0365__uicontrol162701548154515"><b>Create Workload</b></span>.</span></li></ol>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
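Review bot: the sentence "It is clear that when many unnecessary DNS queries will be initiated to access an external domain name." is ungrammatical in both versions, and this change, which already touches the neighbouring ndots wording, is the place to fix it, e.g. "This shows that many unnecessary DNS queries are initiated when an external domain name is accessed, so the workload's DNS configuration can be improved." The "at least seven DNS queries" figure in the same paragraph is not explained against the four candidate names listed just before it; state how the count is derived.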
@ -16,7 +16,7 @@
|
|||||||
<tbody><tr id="cce_10_0397__row88550371213"><td class="cellrowborder" valign="top" width="26.38%" headers="mcps1.3.3.2.3.2.2.2.4.1.1 "><p id="cce_10_0397__p28551317127">Max. Unavailable Pods (maxUnavailable)</p>
|
<tbody><tr id="cce_10_0397__row88550371213"><td class="cellrowborder" valign="top" width="26.38%" headers="mcps1.3.3.2.3.2.2.2.4.1.1 "><p id="cce_10_0397__p28551317127">Max. Unavailable Pods (maxUnavailable)</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="57.32000000000001%" headers="mcps1.3.3.2.3.2.2.2.4.1.2 "><p id="cce_10_0397__p862214317389">The maximum number or percentage of pods that can be unavailable during a rolling upgrade. This also sets the limit for how many running pods can be below the expected number. The default value is <strong id="cce_10_0397__b0236131902112">25%</strong>. During an upgrade, the percentage is converted into an absolute number and <strong id="cce_10_0397__b1986284252113">rounded down</strong>.</p>
|
<td class="cellrowborder" valign="top" width="57.32000000000001%" headers="mcps1.3.3.2.3.2.2.2.4.1.2 "><p id="cce_10_0397__p862214317389">The maximum number or percentage of pods that can be unavailable during a rolling upgrade. This also sets the limit for how many running pods can be below the expected number. The default value is <strong id="cce_10_0397__b0236131902112">25%</strong>. During an upgrade, the percentage is converted into an absolute number and <strong id="cce_10_0397__b1986284252113">rounded down</strong>.</p>
|
||||||
<p id="cce_10_0397__p117681230174412">For example, if <strong id="cce_10_0397__en-us_topic_0249851113_b653412212369">spec.replicas</strong> is set to <strong id="cce_10_0397__en-us_topic_0249851113_b9392523103613">2</strong>, no pods (2 x 0.25 = 0.5, rounded down to 0) can be unavailable. Therefore, during an upgrade, there will always be at least two pods running (2 desired - 0 unavailable). Each old pod is deleted only after a new one is created, ensuring that at least two pods are always running until all pods are updated.</p>
|
<p id="cce_10_0397__p117681230174412">For example, if <strong id="cce_10_0397__en-us_topic_0249851113_b653412212369">spec.replicas</strong> is set to <strong id="cce_10_0397__en-us_topic_0249851113_b9392523103613">2</strong>, no pods (2 × 0.25 = 0.5, rounded down to 0) can be unavailable. Therefore, during an upgrade, there will always be at least two pods running (2 desired – 0 unavailable). Each old pod is deleted only after a new one is created, ensuring that at least two pods are always running until all pods are updated.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="16.3%" headers="mcps1.3.3.2.3.2.2.2.4.1.3 "><p id="cce_10_0397__p138558313122">This parameter is only available for Deployments and DaemonSets.</p>
|
<td class="cellrowborder" valign="top" width="16.3%" headers="mcps1.3.3.2.3.2.2.2.4.1.3 "><p id="cce_10_0397__p138558313122">This parameter is only available for Deployments and DaemonSets.</p>
|
||||||
</td>
|
</td>
|
||||||
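Review bot: replacing the hyphen in "2 desired - 0 unavailable" with an en dash (–) is a typographic regression: an en dash is not a subtraction sign and reads as a range. Use a minus sign (−) or keep the ASCII hyphen; the × for multiplication in "2 × 0.25" is fine.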
@ -117,7 +117,7 @@ spec:
|
|||||||
<tbody><tr id="cce_10_0397__row7791110182411"><td class="cellrowborder" valign="top" width="26.38%" headers="mcps1.3.4.3.2.2.3.2.4.1.1 "><p id="cce_10_0397__p147918032412">maxUnavailable</p>
|
<tbody><tr id="cce_10_0397__row7791110182411"><td class="cellrowborder" valign="top" width="26.38%" headers="mcps1.3.4.3.2.2.3.2.4.1.1 "><p id="cce_10_0397__p147918032412">maxUnavailable</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="57.32000000000001%" headers="mcps1.3.4.3.2.2.3.2.4.1.2 "><p id="cce_10_0397__cce_10_0397_p862214317389">The maximum number or percentage of pods that can be unavailable during a rolling upgrade. This also sets the limit for how many running pods can be below the expected number. The default value is <strong id="cce_10_0397__cce_10_0397_b0236131902112">25%</strong>. During an upgrade, the percentage is converted into an absolute number and <strong id="cce_10_0397__cce_10_0397_b1986284252113">rounded down</strong>.</p>
|
<td class="cellrowborder" valign="top" width="57.32000000000001%" headers="mcps1.3.4.3.2.2.3.2.4.1.2 "><p id="cce_10_0397__cce_10_0397_p862214317389">The maximum number or percentage of pods that can be unavailable during a rolling upgrade. This also sets the limit for how many running pods can be below the expected number. The default value is <strong id="cce_10_0397__cce_10_0397_b0236131902112">25%</strong>. During an upgrade, the percentage is converted into an absolute number and <strong id="cce_10_0397__cce_10_0397_b1986284252113">rounded down</strong>.</p>
|
||||||
<p id="cce_10_0397__cce_10_0397_p117681230174412">For example, if <strong id="cce_10_0397__cce_10_0397_en-us_topic_0249851113_b653412212369">spec.replicas</strong> is set to <strong id="cce_10_0397__cce_10_0397_en-us_topic_0249851113_b9392523103613">2</strong>, no pods (2 x 0.25 = 0.5, rounded down to 0) can be unavailable. Therefore, during an upgrade, there will always be at least two pods running (2 desired - 0 unavailable). Each old pod is deleted only after a new one is created, ensuring that at least two pods are always running until all pods are updated.</p>
|
<p id="cce_10_0397__cce_10_0397_p117681230174412">For example, if <strong id="cce_10_0397__cce_10_0397_en-us_topic_0249851113_b653412212369">spec.replicas</strong> is set to <strong id="cce_10_0397__cce_10_0397_en-us_topic_0249851113_b9392523103613">2</strong>, no pods (2 × 0.25 = 0.5, rounded down to 0) can be unavailable. Therefore, during an upgrade, there will always be at least two pods running (2 desired – 0 unavailable). Each old pod is deleted only after a new one is created, ensuring that at least two pods are always running until all pods are updated.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="16.3%" headers="mcps1.3.4.3.2.2.3.2.4.1.3 "><p id="cce_10_0397__p77913012415">This parameter is only available for rolling upgrades.</p>
|
<td class="cellrowborder" valign="top" width="16.3%" headers="mcps1.3.4.3.2.2.3.2.4.1.3 "><p id="cce_10_0397__p77913012415">This parameter is only available for rolling upgrades.</p>
|
||||||
</td>
|
</td>
|
||||||
|
|||||||
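Review bot: the same en dash substitution appears here in "2 desired – 0 unavailable" and needs the same fix (minus sign or hyphen). This paragraph is a verbatim copy of the one in the earlier table (element ids prefixed cce_10_0397_cce_10_0397_), so if the source maintains it as a content reference, correct it once at the origin rather than in both copies.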

@ -17,7 +17,7 @@
|
|||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0406__section186134814119"><a name="cce_10_0406__section186134814119"></a><a name="section186134814119"></a><h4 class="sectiontitle">Installing the Add-on</h4><div class="note" id="cce_10_0406__note152084181520"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0406__p1752024116150">The Cloud Native Cluster Monitoring add-on automatically selects a deployment mode based on <strong id="cce_10_0406__b1389013472818"><a href="#cce_10_0406__li15556183414307">Data Storage Configuration</a></strong>. This is supported by Cloud Native Cluster Monitoring 3.7.1 or later.</p>
|
<div class="section" id="cce_10_0406__section186134814119"><a name="cce_10_0406__section186134814119"></a><a name="section186134814119"></a><h4 class="sectiontitle">Installing the Add-on</h4><div class="note" id="cce_10_0406__note152084181520"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0406__p1752024116150">The Cloud Native Cluster Monitoring add-on automatically selects a deployment mode based on <strong id="cce_10_0406__b1389013472818"><a href="#cce_10_0406__li15556183414307">Data Storage Configuration</a></strong>. This is supported by Cloud Native Cluster Monitoring 3.7.1 or later.</p>
|
||||||
<ul id="cce_10_0406__ul128792089306"><li id="cce_10_0406__li6656205432717">Original agent mode: Disable <strong id="cce_10_0406__b20127191055812">Local Data Storage</strong> and enable at least one of <strong id="cce_10_0406__b8127210135811">Report Monitoring Data to AOM</strong> and <strong id="cce_10_0406__b111271510125810">Report Monitoring Data to a Third-Party Platform</strong>.</li></ul>
|
<ul id="cce_10_0406__ul128792089306"><li id="cce_10_0406__li6656205432717">Original agent mode: Disable <strong id="cce_10_0406__b20127191055812">Local Data Storage</strong> and enable at least one of <strong id="cce_10_0406__b8127210135811">Report Monitoring Data to AOM</strong> and <strong id="cce_10_0406__b111271510125810">Report Monitoring Data to a Third-Party Platform</strong>.</li></ul>
|
||||||
<ul id="cce_10_0406__ul565575402715"><li id="cce_10_0406__li5655175432710">Original server mode: Enable <strong id="cce_10_0406__b62221736115820">Local data storage</strong> and <strong id="cce_10_0406__b9222536135817">Report Monitoring Data to AOM</strong> or <strong id="cce_10_0406__b19222183615810">Report Monitoring Data to a Third-Party Platform</strong>.</li></ul>
|
<ul id="cce_10_0406__ul565575402715"><li id="cce_10_0406__li5655175432710">Original server mode: Enable <strong id="cce_10_0406__b10938825102619">Local Data Storage</strong> and <strong id="cce_10_0406__b59381525132612">Report Monitoring Data to AOM</strong> or <strong id="cce_10_0406__b69384256265">Report Monitoring Data to a Third-Party Platform</strong>.</li></ul>
|
||||||
</div></div>
|
</div></div>
|
||||||
<ol id="cce_10_0406__ol9183433182510"><li id="cce_10_0406__li330462393220"><span>Log in to the <span id="cce_10_0406__cce_10_0004_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0406__li13183153352515"><span>In the navigation pane, choose <strong id="cce_10_0406__b51842425265"><span id="cce_10_0406__text51842042102610">Add-ons</span></strong>. Locate <strong id="cce_10_0406__b0184194210265">Cloud Native Cluster Monitoring</strong> on the right and click <span class="uicontrol" id="cce_10_0406__uicontrol51841642172619"><b>Install</b></span>.</span></li><li id="cce_10_0406__li15556183414307"><a name="cce_10_0406__li15556183414307"></a><a name="li15556183414307"></a><span>On the <strong id="cce_10_0406__b1813011813218">Install Add-on</strong> page, enable at least one item in the <span class="uicontrol" id="cce_10_0406__uicontrol738210234336"><b>Data Storage Configuration</b></span> area.</span><p><ul id="cce_10_0406__ul14526143113393"><li id="cce_10_0406__li953119336397"><strong id="cce_10_0406__b143131455124117">Report Monitoring Data to AOM</strong>: Report Prometheus data to AOM. After this function is enabled, you can select the corresponding AOM instance. The collected basic metrics are free of charge. Custom metrics are charged by AOM. To interconnect with AOM, you must have certain permissions. 
Only <strong id="cce_10_0406__b75491191223">users in the </strong><strong id="cce_10_0406__b1254918920225">admin</strong><strong id="cce_10_0406__b954914912224"> user group</strong> can perform this operation.</li><li id="cce_10_0406__li2526203153919"><strong id="cce_10_0406__b5956191316337">Reporting Monitoring Data to a Third-Party Monitoring Platform</strong>: To report Prometheus data to a third-party monitoring system, you need to enter the address and token of the third-party monitoring system and determine whether to skip certificate authentication.</li><li id="cce_10_0406__li185331058123918"><strong id="cce_10_0406__b108317571412">Local Data Storage</strong>: Select the type and size of a disk for storing monitoring data to store Prometheus data in PVCs in the cluster. <strong id="cce_10_0406__b12961482422">Storage volumes are not deleted along with the add-on.</strong> If <strong id="cce_10_0406__b7247641124717">Local Data Storage</strong> is enabled, all components will be deployed. For details, see <a href="#cce_10_0406__section0377457163618">Components</a>.<div class="note" id="cce_10_0406__note59616874216"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0406__p1197168134212">An available PVC named <strong id="cce_10_0406__b1753452513212">pvc-prometheus-server-0</strong> exists in namespace <strong id="cce_10_0406__b12534925122110">monitoring</strong> and will be used as the storage source.</p>
|
<ol id="cce_10_0406__ol9183433182510"><li id="cce_10_0406__li330462393220"><span>Log in to the <span id="cce_10_0406__cce_10_0004_ph18314322182">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0406__li13183153352515"><span>In the navigation pane, choose <strong id="cce_10_0406__b51842425265"><span id="cce_10_0406__text51842042102610">Add-ons</span></strong>. Locate <strong id="cce_10_0406__b0184194210265">Cloud Native Cluster Monitoring</strong> on the right and click <span class="uicontrol" id="cce_10_0406__uicontrol51841642172619"><b>Install</b></span>.</span></li><li id="cce_10_0406__li15556183414307"><a name="cce_10_0406__li15556183414307"></a><a name="li15556183414307"></a><span>On the <strong id="cce_10_0406__b1813011813218">Install Add-on</strong> page, enable at least one item in the <span class="uicontrol" id="cce_10_0406__uicontrol738210234336"><b>Data Storage Configuration</b></span> area.</span><p><ul id="cce_10_0406__ul14526143113393"><li id="cce_10_0406__li953119336397"><strong id="cce_10_0406__b143131455124117">Report Monitoring Data to AOM</strong>: Report Prometheus data to AOM. After this function is enabled, you can select the corresponding AOM instance. The collected basic metrics are free of charge. Custom metrics are charged by AOM. To interconnect with AOM, you must have certain permissions. 
Only <strong id="cce_10_0406__b75491191223">users in the </strong><strong id="cce_10_0406__b1254918920225">admin</strong><strong id="cce_10_0406__b954914912224"> user group</strong> can perform this operation.</li><li id="cce_10_0406__li2526203153919"><strong id="cce_10_0406__b5956191316337">Reporting Monitoring Data to a Third-Party Monitoring Platform</strong>: To report Prometheus data to a third-party monitoring system, you need to enter the address and token of the third-party monitoring system and determine whether to skip certificate authentication.</li><li id="cce_10_0406__li185331058123918"><strong id="cce_10_0406__b108317571412">Local Data Storage</strong>: Select the type and size of a disk for storing monitoring data to store Prometheus data in PVCs in the cluster. <strong id="cce_10_0406__b12961482422">Storage volumes are not deleted along with the add-on.</strong> If <strong id="cce_10_0406__b7247641124717">Local Data Storage</strong> is enabled, all components will be deployed. For details, see <a href="#cce_10_0406__section0377457163618">Components</a>.<div class="note" id="cce_10_0406__note59616874216"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0406__p1197168134212">An available PVC named <strong id="cce_10_0406__b1753452513212">pvc-prometheus-server-0</strong> exists in namespace <strong id="cce_10_0406__b12534925122110">monitoring</strong> and will be used as the storage source.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
|
|||||||
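Review bot: the description of Reporting Monitoring Data to a Third-Party Monitoring Platform in this hunk tells the reader to "determine whether to skip certificate authentication" but says nothing about what that choice means; suggest one sentence stating that skipping certificate verification disables checking of the receiving platform's identity, so the configured token is then sent to an endpoint the add-on cannot verify, and that the option is meant for test setups with self-signed certificates. A smaller point: the phrase "Only users in the admin user group" is split across three strong elements (b75491191223, b1254918920225, b954914912224); a single element keeps the phrase intact for screen readers and translation.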
@ -4,16 +4,16 @@
|
|||||||
<div id="body0000001476735689"><p id="cce_10_0601__p1580045815497">As of Kubernetes v1.24, <a href="https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/" target="_blank" rel="noopener noreferrer">dockershim has been deprecated</a>. To maintain compatibility and ensure continued support for future Kubernetes releases, switch your node's container runtime from Docker to the officially endorsed containerd.</p>
|
<div id="body0000001476735689"><p id="cce_10_0601__p1580045815497">As of Kubernetes v1.24, <a href="https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/" target="_blank" rel="noopener noreferrer">dockershim has been deprecated</a>. To maintain compatibility and ensure continued support for future Kubernetes releases, switch your node's container runtime from Docker to the officially endorsed containerd.</p>
|
||||||
<div class="section" id="cce_10_0601__section744144018509"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_0601__ul14218115112506"><li id="cce_10_0601__li421913518504">At least one cluster that supports containerd nodes has been created. For details, see <a href="cce_10_0462.html#cce_10_0462__section159298451879">Mapping Between Node OSs and Container Engines</a>.</li><li id="cce_10_0601__li13219195116500">There is a Docker node or Docker node pool in your cluster.</li></ul>
|
<div class="section" id="cce_10_0601__section744144018509"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_0601__ul14218115112506"><li id="cce_10_0601__li421913518504">At least one cluster that supports containerd nodes has been created. For details, see <a href="cce_10_0462.html#cce_10_0462__section159298451879">Mapping Between Node OSs and Container Engines</a>.</li><li id="cce_10_0601__li13219195116500">There is a Docker node or Docker node pool in your cluster.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0601__section182271321165216"><h4 class="sectiontitle">Precautions</h4><ul id="cce_10_0601__ul71291829185213"><li id="cce_10_0601__li112942911527">Theoretically, container runtime migration will interrupt services for a short period of time. You should have deployed the services on multiple instances for high availability. In addition, you are advised to test the migration impact in the test environment to minimize potential risks.</li><li id="cce_10_0601__li91291029205214">containerd cannot build images. Do not use the <strong id="cce_10_0601__b554202113210">docker build</strong> command to build images on containerd nodes. For other differences between Docker and containerd, see <a href="cce_10_0462.html">Container Engines</a>.</li></ul>
|
<div class="section" id="cce_10_0601__section182271321165216"><h4 class="sectiontitle">Precautions</h4><ul id="cce_10_0601__ul71291829185213"><li id="cce_10_0601__li112942911527">Theoretically, container runtime migration will interrupt services for a short period of time. You should have deployed the services on multiple instances for high availability. In addition, you are advised to test the migration impact in the testing environment to minimize potential risks.</li><li id="cce_10_0601__li91291029205214">containerd cannot build images. Do not use the <strong id="cce_10_0601__b554202113210">docker build</strong> command to build images on containerd nodes. For other differences between Docker and containerd, see <a href="cce_10_0462.html">Container Engines</a>.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0601__section6271104155311"><h4 class="sectiontitle">Procedure for Migrating Nodes in the Default Node Pool</h4><ol id="cce_10_0601__ol1937611531532"><li id="cce_10_0601__li2438925125418"><span>Log in to the <span id="cce_10_0601__ph154351223121812">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0601__li159521745431"><span>In the navigation pane, choose <span class="uicontrol" id="cce_10_0601__uicontrol436301393103636"><b>Nodes</b></span>. On the displayed page, click the <strong id="cce_10_0601__b167122270103636">Nodes</strong> tab.</span></li><li id="cce_10_0601__li224719151931"><span>In the node list, select one or more nodes to be reset and choose <strong id="cce_10_0601__b15114124717463">More</strong> > <strong id="cce_10_0601__b0114134711461">Reset Node</strong>.</span></li><li id="cce_10_0601__li17377353145312"><span>Set <strong id="cce_10_0601__b1877359102611">Container Engine</strong> to <strong id="cce_10_0601__b11527221277">containerd</strong>. You can adjust other parameters as required or retain them as set during creation.</span><p><p id="cce_10_0601__p16895735195712"></p>
|
<div class="section" id="cce_10_0601__section6271104155311"><h4 class="sectiontitle">Procedure for Migrating Nodes in the Default Node Pool</h4><ol id="cce_10_0601__ol1937611531532"><li id="cce_10_0601__li2438925125418"><span>Log in to the <span id="cce_10_0601__ph154351223121812">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0601__li159521745431"><span>In the navigation pane, choose <span class="uicontrol" id="cce_10_0601__uicontrol436301393103636"><b>Nodes</b></span>. On the displayed page, click the <strong id="cce_10_0601__b167122270103636">Nodes</strong> tab.</span></li><li id="cce_10_0601__li224719151931"><span>In the node list, select one or more nodes to be reset and choose <strong id="cce_10_0601__b3526340171811">More</strong> > <strong id="cce_10_0601__b195261406188">Reset Node</strong> in the <strong id="cce_10_0601__b115269407182">Operation</strong> column.</span></li><li id="cce_10_0601__li17377353145312"><span>Set <strong id="cce_10_0601__b1877359102611">Container Engine</strong> to <strong id="cce_10_0601__b11527221277">containerd</strong>. You can adjust other parameters as required or retain them as set during creation.</span><p><p id="cce_10_0601__p16895735195712"></p>
|
||||||
</p></li><li id="cce_10_0601__li13377453165320"><span>If the node status is <strong id="cce_10_0601__b234616127283">Installing</strong>, the node is being reset.</span><p><p id="cce_10_0601__p7674324155719">When the node status is <strong id="cce_10_0601__b1535743492916">Running</strong>, you can see that the node runtime is switched to containerd. You can log in to the node and run containerd commands such as <strong id="cce_10_0601__b18575736105914">crictl</strong> to view information about the containers running on the node.</p>
|
</p></li><li id="cce_10_0601__li13377453165320"><span>If the node status is <strong id="cce_10_0601__b234616127283">Installing</strong>, the node is being reset.</span><p><p id="cce_10_0601__p7674324155719">When the node status is <strong id="cce_10_0601__b113311535141819">Running</strong>, you can see that the node runtime is switched to containerd. You can log in to the node and run containerd commands such as <strong id="cce_10_0601__b1033116356188">crictl</strong> to view information about the containers running on the node.</p>
|
||||||
</p></li></ol>
|
</p></li></ol>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0601__section15146182613537"><h4 class="sectiontitle">Procedure for Migrating Nodes in a Custom Node Pool</h4><p id="cce_10_0601__p1515610585119">You can <a href="cce_10_0655.html">copy a node pool</a>, set the container engine of the new node pool to containerd, and keep other configurations the same as those of the original Docker node pool.</p>
|
<div class="section" id="cce_10_0601__section15146182613537"><h4 class="sectiontitle">Procedure for Migrating Nodes in a Custom Node Pool</h4><p id="cce_10_0601__p1515610585119">You can <a href="cce_10_0655.html">copy a node pool</a>, set the container engine of the new node pool to containerd, and keep other configurations the same as those of the original Docker node pool.</p>
|
||||||
<ol id="cce_10_0601__ol92793615584"><li id="cce_10_0601__li939813320315"><span>Log in to the <span id="cce_10_0601__ph377916274180">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0601__li1539818332033"><span>In the navigation pane, choose <strong id="cce_10_0601__b72718163444">Nodes</strong>. On the <strong id="cce_10_0601__b198344315441">Node Pools</strong> tab, locate the Docker node pool to be copied and choose <strong id="cce_10_0601__b621817441447">More</strong> > <strong id="cce_10_0601__b108081546164413">Copy</strong>.</span><p><p id="cce_10_0601__p651713391180"></p>
|
<ol id="cce_10_0601__ol92793615584"><li id="cce_10_0601__li939813320315"><span>Log in to the <span id="cce_10_0601__ph377916274180">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_10_0601__li1539818332033"><span>In the navigation pane, choose <strong id="cce_10_0601__b12894165911715">Nodes</strong>. On the <strong id="cce_10_0601__b1989465912178">Node Pools</strong> tab, locate the Docker node pool to be copied and choose <strong id="cce_10_0601__b17894159111718">More</strong> > <strong id="cce_10_0601__b1689465911720">Copy</strong>.</span><p><p id="cce_10_0601__p651713391180"></p>
|
||||||
</p></li><li id="cce_10_0601__li428117200516"><span>In the <strong id="cce_10_0601__b194212010360">Node </strong><strong id="cce_10_0601__b3732201974712">Configuration</strong> area, set <strong id="cce_10_0601__b18357421471">Container Engine</strong> to <strong id="cce_10_0601__b53921949104718">containerd</strong> and modify other parameter settings as needed to create the node pool.</span><p><p id="cce_10_0601__p16281132011514"></p>
|
</p></li><li id="cce_10_0601__li428117200516"><span>In the <strong id="cce_10_0601__b610531991818">Node </strong><strong id="cce_10_0601__b131055192189">Configuration</strong> area, set <strong id="cce_10_0601__b5105161911812">Container Engine</strong> to <strong id="cce_10_0601__b9105181981817">containerd</strong> and modify other parameter settings as needed to create the node pool.</span><p><p id="cce_10_0601__p16281132011514"></p>
|
||||||
</p></li><li id="cce_10_0601__li207508511714"><span>Scale the number of created containerd node pool to the number of original Docker node pool and delete nodes from the Docker node pool one by one.</span><p><p id="cce_10_0601__p169781612225">Rolling migration is preferred. That is, add some containerd nodes and then delete some Docker nodes until the number of nodes in the new containerd node pool is the same as that in the original Docker node pool.</p>
|
</p></li><li id="cce_10_0601__li207508511714"><span>Scale the created containerd node pool as large as the original Docker node pool and delete nodes from the Docker node pool one by one.</span><p><p id="cce_10_0601__p169781612225">Rolling migration is preferred. That is, add some containerd nodes and then delete some Docker nodes until the number of nodes in the new containerd node pool is the same as that in the original Docker node pool.</p>
|
||||||
<div class="note" id="cce_10_0601__note6534616172212"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0601__p15824723142210">If you have configured node affinity for the workloads deployed on the original Docker nodes or node pool, configure affinity policies for the workloads to run on the new containerd nodes or node pool.</p>
|
<div class="note" id="cce_10_0601__note6534616172212"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_10_0601__p15824723142210">If you have configured node affinity for the workloads deployed on the original Docker nodes or node pool, configure affinity policies for the workloads to run on the new containerd nodes or node pool.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
</p></li><li id="cce_10_0601__li329715536613"><span>Delete the original Docker node pool.</span></li></ol>
|
</p></li><li id="cce_10_0601__li329715536613"><span>Delete the original Docker node pool.</span></li></ol>
|
||||||
|
|||||||
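Review bot: in step 3 of the custom node pool procedure, the new wording "Scale the created containerd node pool as large as the original Docker node pool" reads awkwardly; suggest "Scale the new containerd node pool to the same number of nodes as the original Docker node pool". The same step has the reader delete Docker nodes one by one but never says to check that the workloads have been rescheduled; since the Precautions section in this hunk already states that the migration interrupts services, add a sentence such as "Before deleting the next Docker node, verify that the pods from the previous one are running on containerd nodes." The change from "More > Reset Node" to "More > Reset Node in the Operation column" in the default node pool procedure is fine, and the custom node pool step 2 ("choose More > Copy") should use the same "in the Operation column" wording for consistency.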
@ -5,32 +5,44 @@
|
|||||||
<p id="cce_10_0617__p142061844581">Expandable to petabytes, SFS provides fully hosted shared file storage, highly available and stable to handle data- and bandwidth-intensive applications</p>
|
<p id="cce_10_0617__p142061844581">Expandable to petabytes, SFS provides fully hosted shared file storage, highly available and stable to handle data- and bandwidth-intensive applications</p>
|
||||||
<ul id="cce_10_0617__ul10598125623816"><li id="cce_10_0617__li3598556163813"><strong id="cce_10_0617__b537118393312">Standard file protocols</strong>: You can mount file systems as volumes to servers, the same as using local directories.</li><li id="cce_10_0617__li45981656153819"><strong id="cce_10_0617__b14788171632410">Data sharing</strong>: The same file system can be mounted to multiple servers, so that data can be shared.</li><li id="cce_10_0617__li1859895616386"><strong id="cce_10_0617__b494142517243">Private network</strong>: Users can access data only in private networks of data centers.</li><li id="cce_10_0617__li1359865617380"><strong id="cce_10_0617__b1895782612291">Capacity and performance</strong>: The capacity of a single file system is high (PB level) and the performance is excellent (ms-level I/O latency).</li><li id="cce_10_0617__li953501813619"><strong id="cce_10_0617__b86341030112914">Use cases</strong>: Deployments/StatefulSets in the ReadWriteMany mode and jobs created for high-performance computing (HPC), media processing, content management, web services, big data analysis, and workload process analysis</li></ul>
|
<ul id="cce_10_0617__ul10598125623816"><li id="cce_10_0617__li3598556163813"><strong id="cce_10_0617__b537118393312">Standard file protocols</strong>: You can mount file systems as volumes to servers, the same as using local directories.</li><li id="cce_10_0617__li45981656153819"><strong id="cce_10_0617__b14788171632410">Data sharing</strong>: The same file system can be mounted to multiple servers, so that data can be shared.</li><li id="cce_10_0617__li1859895616386"><strong id="cce_10_0617__b494142517243">Private network</strong>: Users can access data only in private networks of data centers.</li><li id="cce_10_0617__li1359865617380"><strong id="cce_10_0617__b1895782612291">Capacity and performance</strong>: The capacity of a single file system is high (PB level) and the performance is excellent (ms-level I/O latency).</li><li id="cce_10_0617__li953501813619"><strong id="cce_10_0617__b86341030112914">Use cases</strong>: Deployments/StatefulSets in the ReadWriteMany mode and jobs created for high-performance computing (HPC), media processing, content management, web services, big data analysis, and workload process analysis</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0617__section834645511456"><h4 class="sectiontitle">Performance</h4><p id="cce_10_0617__p24575564399">CCE supports SFS Capacity-Oriented. For more details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/sfs/sfs_01_0005.html" target="_blank" rel="noopener noreferrer">File System Types</a>.</p>
|
<div class="section" id="cce_10_0617__section834645511456"><h4 class="sectiontitle">Performance</h4><div class="p" id="cce_10_0617__p24575564399">CCE supports SFS Capacity-Oriented and general-purpose file systems (SFS 3.0 Capacity-Oriented). For more details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/sfs/sfs_01_0005.html" target="_blank" rel="noopener noreferrer">File System Types</a>.<div class="note" id="cce_10_0617__note24185259412"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_0617__ul338418312448"><li id="cce_10_0617__li938414324413">If SFS Capacity-Oriented is used, you can still create PVs through <a href="cce_10_0619.html#cce_10_0619__section99931811195117">kubectl</a> even if the file system is sold out and cannot be created directly via the CCE console. No new SFS Capacity-Oriented file systems can be created via the console anymore.</li><li id="cce_10_0617__li13384143194411">General purpose file systems (SFS 3.0 Capacity-Oriented) are currently being rolled out across different regions. Their availability may vary depending on the region. If you encounter any issues, contact SFS customer support or wait for further updates. If the region where your application is located already has SFS 3.0 available, use it for new applications and migrate existing SFS Capacity-Oriented file systems to SFS 3.0 as soon as possible to prevent any service disruptions caused by insufficient capacity.</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</div>
|
||||||
|
|
||||||
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0617__table96842242313" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Performance</caption><thead align="left"><tr id="cce_10_0617__row36859218231"><th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.2.3.2.3.1.1"><p id="cce_10_0617__p2685162112314">Parameter</p>
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0617__table96842242313" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Performance</caption><thead align="left"><tr id="cce_10_0617__row36859218231"><th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.2.3.2.4.1.1"><p id="cce_10_0617__p2685162112314">Parameter</p>
|
||||||
</th>
|
</th>
|
||||||
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.2.3.2.3.1.2"><p id="cce_10_0617__p1668518219236">SFS Capacity-Oriented</p>
|
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.2.3.2.4.1.2"><p id="cce_10_0617__p1668518219236">SFS Capacity-Oriented</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.2.3.2.4.1.3"><p id="cce_10_0617__p7861816205319">General Purpose File System (SFS 3.0 Capacity-Oriented)</p>
|
||||||
</th>
|
</th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody><tr id="cce_10_0617__row1068511202310"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.1 "><p id="cce_10_0617__p868511272311">Maximum bandwidth</p>
|
<tbody><tr id="cce_10_0617__row1068511202310"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.1 "><p id="cce_10_0617__p868511272311">Maximum bandwidth</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.2 "><p id="cce_10_0617__p1490415513546">2 GB/s</p>
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.2 "><p id="cce_10_0617__p1490415513546">2 GB/s</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.3 "><p id="cce_10_0617__p1996531820540">1.25 TB/s</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0617__row568552182317"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.1 "><p id="cce_10_0617__p10685162152318">Maximum IOPS</p>
|
<tr id="cce_10_0617__row568552182317"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.1 "><p id="cce_10_0617__p10685162152318">Maximum IOPS</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.2 "><p id="cce_10_0617__p196506714327">2000</p>
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.2 "><p id="cce_10_0617__p196506714327">2000</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.3 "><p id="cce_10_0617__p378361973219">Million</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0617__row1685172152315"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.1 "><p id="cce_10_0617__p10685182122315">Latency</p>
|
<tr id="cce_10_0617__row1685172152315"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.1 "><p id="cce_10_0617__p10685182122315">Latency</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.2 "><p id="cce_10_0617__p11934511163317">3–20 ms</p>
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.2 "><p id="cce_10_0617__p11934511163317">3–20 ms</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.3 "><p id="cce_10_0617__p59341911163313">10 ms</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0617__row19571517152720"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.1 "><p id="cce_10_0617__p10571417132715">Maximum capacity</p>
|
<tr id="cce_10_0617__row19571517152720"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.1 "><p id="cce_10_0617__p10571417132715">Maximum capacity</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.2.3.2.3.1.2 "><p id="cce_10_0617__p2754882347">4 PB</p>
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.2 "><p id="cce_10_0617__p2754882347">4 PB</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.2.3.2.4.1.3 "><p id="cce_10_0617__p860901812341">EB</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
|
|||||||
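Review bot: in the new third column of Table 1, the Maximum IOPS and Maximum capacity cells read just "Million" and "EB", which are a magnitude and a unit without a number; give the actual figures so the column is comparable with "2000" and "4 PB" in the SFS Capacity-Oriented column. Please also confirm the unit in the Maximum bandwidth cell: "1.25 TB/s" beside "2 GB/s" is a factor of roughly 600, which may be correct but looks like a GB/TB mix-up. In the note added under Performance, the advice to migrate existing SFS Capacity-Oriented file systems to SFS 3.0 "as soon as possible" should point to a migration procedure, otherwise the reader has no way to act on it. Finally, the unchanged opening sentence ("...bandwidth-intensive applications") is missing its terminating period.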
@ -4,7 +4,7 @@
|
|||||||
<div id="body0000001542900045"><p id="cce_10_0626__p1149135965615">This section describes how to configure SFS Turbo mount options. For SFS Turbo, you can only set mount options in a PV and bind the PV by creating a PVC.</p>
|
<div id="body0000001542900045"><p id="cce_10_0626__p1149135965615">This section describes how to configure SFS Turbo mount options. For SFS Turbo, you can only set mount options in a PV and bind the PV by creating a PVC.</p>
|
||||||
<div class="section" id="cce_10_0626__section1940515714420"><h4 class="sectiontitle">Prerequisites</h4><p id="cce_10_0626__p123191440105710">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be <strong id="cce_10_0626__b551144215272">1.2.8 or later</strong>. This add-on identifies the mount options and transfers them to the underlying storage resources. The parameter settings take effect only if the underlying storage resources support the specified options.</p>
|
<div class="section" id="cce_10_0626__section1940515714420"><h4 class="sectiontitle">Prerequisites</h4><p id="cce_10_0626__p123191440105710">The <a href="cce_10_0066.html">CCE Container Storage (Everest)</a> version must be <strong id="cce_10_0626__b551144215272">1.2.8 or later</strong>. This add-on identifies the mount options and transfers them to the underlying storage resources. The parameter settings take effect only if the underlying storage resources support the specified options.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0626__section6456132219344"><h4 class="sectiontitle">Constraints</h4><ul id="cce_10_0626__cce_10_0337_ul6907133813915"><li id="cce_10_0626__cce_10_0337_li7907173833915">Mount options cannot be configured for secure containers.</li><li id="cce_10_0626__cce_10_0337_li1190710383398">Due to the restrictions of the NFS protocol, if an SFS volume is mounted to a node for multiple times, link-related mounting parameters (such as <strong id="cce_10_0626__cce_10_0337_b18585135010446">timeo</strong>) take effect only when the SFS volume is mounted for the first time by default. For example, if the same SFS file system is mounted to multiple pods running on a node, the mounting parameter set later does not overwrite the existing parameter value. If you want to configure different mounting parameters in the preceding scenario, additionally configure the <strong id="cce_10_0626__cce_10_0337_b1981781710497">nosharecache</strong> parameter.</li></ul>
|
<div class="section" id="cce_10_0626__section6456132219344"><h4 class="sectiontitle">Notes and Constraints</h4><ul id="cce_10_0626__cce_10_0337_ul6907133813915"><li id="cce_10_0626__cce_10_0337_li7907173833915">Mount options cannot be configured for secure containers.</li><li id="cce_10_0626__cce_10_0337_li1190710383398">Due to the restrictions of the NFS protocol, if an SFS volume is mounted to a node for multiple times, link-related mounting parameters (such as <strong id="cce_10_0626__cce_10_0337_b18585135010446">timeo</strong>) take effect only when the SFS volume is mounted for the first time by default. For example, if the same SFS file system is mounted to multiple pods running on a node, the mounting parameter set later does not overwrite the existing parameter value. If you want to configure different mounting parameters in the preceding scenario, additionally configure the <strong id="cce_10_0626__cce_10_0337_b1981781710497">nosharecache</strong> parameter.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_10_0626__section14888047833"><a name="cce_10_0626__section14888047833"></a><a name="section14888047833"></a><h4 class="sectiontitle">SFS Turbo Mount Options</h4><p id="cce_10_0626__p1373413010222">The Everest add-on in CCE presets the options described in <a href="#cce_10_0626__table128754351546">Table 1</a> for mounting SFS Turbo volumes.</p>
|
<div class="section" id="cce_10_0626__section14888047833"><a name="cce_10_0626__section14888047833"></a><a name="section14888047833"></a><h4 class="sectiontitle">SFS Turbo Mount Options</h4><p id="cce_10_0626__p1373413010222">The Everest add-on in CCE presets the options described in <a href="#cce_10_0626__table128754351546">Table 1</a> for mounting SFS Turbo volumes.</p>
|
||||||
|
|
||||||
|
|||||||
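Review bot: the only change in this hunk is the heading rename from "Constraints" to "Notes and Constraints", which is fine; while the section is being touched, the second bullet's "mounted to a node for multiple times" should read "mounted to a node multiple times", and the Prerequisites sentence "The parameter settings take effect only if the underlying storage resources support the specified options" leaves open whether an unsupported option is silently ignored or makes the mount fail; one clause stating which of the two happens would save readers a trial-and-error mount.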
@ -180,10 +180,10 @@ spec:
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.3.7.2.6.1.3 "><p id="cce_10_0651__cce_10_0734_p44251313161317">None</p>
|
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.3.7.2.6.1.3 "><p id="cce_10_0651__cce_10_0734_p44251313161317">None</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="27.722772277227726%" headers="mcps1.3.3.7.2.6.1.4 "><p id="cce_10_0651__cce_10_0734_p11425513171310">Billed by traffic or bandwidth</p>
|
<td class="cellrowborder" valign="top" width="27.722772277227726%" headers="mcps1.3.3.7.2.6.1.4 "><p id="cce_10_0651__cce_10_0734_p156839441405">Bandwidth mode.</p>
|
||||||
<p id="cce_10_0651__cce_10_0734_p1542650153911"><strong id="cce_10_0651__cce_10_0734_b9677193218548">You are advised to configure this parameter.</strong> If this parameter is left blank, no billing mode is specified. In this case, the default value of the EIP API in the region is used.</p>
|
<p id="cce_10_0651__cce_10_0734_p1542650153911"><strong id="cce_10_0651__cce_10_0734_b9677193218548">You are advised to configure this parameter.</strong> If this parameter is left blank, no billing mode is specified. In this case, the default value of the EIP API in the region is used.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="28.71287128712871%" headers="mcps1.3.3.7.2.6.1.5 "><ul id="cce_10_0651__cce_10_0734_ul3425191331319"><li id="cce_10_0651__cce_10_0734_li842581314135"><strong id="cce_10_0651__cce_10_0734_b6832083759264">bandwidth</strong>: billed by bandwidth</li><li id="cce_10_0651__cce_10_0734_li3425161312138"><strong id="cce_10_0651__cce_10_0734_b2134083209264">traffic</strong>: billed by traffic</li></ul>
|
<td class="cellrowborder" valign="top" width="28.71287128712871%" headers="mcps1.3.3.7.2.6.1.5 "><ul id="cce_10_0651__cce_10_0734_ul3425191331319"><li id="cce_10_0651__cce_10_0734_li3425161312138"><strong id="cce_10_0651__cce_10_0734_b2134083209264">traffic</strong>: billed by traffic</li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0651__cce_10_0734_row174251913101312"><td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.3.7.2.6.1.1 "><p id="cce_10_0651__cce_10_0734_p64256139139">yangtse.io/eip-bandwidth-name</p>
|
<tr id="cce_10_0651__cce_10_0734_row174251913101312"><td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.3.7.2.6.1.1 "><p id="cce_10_0651__cce_10_0734_p64256139139">yangtse.io/eip-bandwidth-name</p>
|
||||||
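Review bot: the new description cell "Bandwidth mode." in the billing-mode row (the row above yangtse.io/eip-bandwidth-name) contradicts the value column of the same hunk, which after removing the "bandwidth" entry now lists only "traffic: billed by traffic"; suggest "EIP billing mode", matching the YAML comment in cce_10_0734. With a single valid value left, the retained sentence "If this parameter is left blank, no billing mode is specified. In this case, the default value of the EIP API in the region is used" should say what that regional default can be, otherwise the reader cannot tell why they are "advised to configure this parameter" when the only choice is traffic.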
@ -221,7 +221,7 @@ spec:
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="33%" headers="mcps1.3.3.8.2.6.1.4 "><p id="cce_10_0651__cce_10_0734_p2241938154014">Whether to allocate an EIP with a pod and bind the EIP to the pod</p>
|
<td class="cellrowborder" valign="top" width="33%" headers="mcps1.3.3.8.2.6.1.4 "><p id="cce_10_0651__cce_10_0734_p2241938154014">Whether to allocate an EIP with a pod and bind the EIP to the pod</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="23%" headers="mcps1.3.3.8.2.6.1.5 "><p id="cce_10_0651__cce_10_0734_p19176125614910"><strong id="cce_10_0651__cce_10_0734_b147445376">false</strong> or <strong id="cce_10_0651__cce_10_0734_b193806545">true</strong></p>
|
<td class="cellrowborder" valign="top" width="23%" headers="mcps1.3.3.8.2.6.1.5 "><p id="cce_10_0651__cce_10_0734_p19176125614910"><strong id="cce_10_0651__cce_10_0734_b1441766587">false</strong> or <strong id="cce_10_0651__cce_10_0734_b128089355">true</strong></p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0651__cce_10_0734_row12412385407"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.3.8.2.6.1.1 "><p id="cce_10_0651__cce_10_0734_p824173815405">yangtse.io/eip-network-type</p>
|
<tr id="cce_10_0651__cce_10_0734_row12412385407"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.3.8.2.6.1.1 "><p id="cce_10_0651__cce_10_0734_p824173815405">yangtse.io/eip-network-type</p>
|
||||||
|
|||||||
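Review bot: the only change in this hunk is the regenerated `id` attributes on the two `<strong>` tags (`cce_10_0651__cce_10_0734_b147445376` and `cce_10_0651__cce_10_0734_b193806545` become `cce_10_0651__cce_10_0734_b1441766587` and `cce_10_0651__cce_10_0734_b128089355`); the rendered text `false` or `true` is unchanged. This is generator churn that makes the diff harder to review and would break any anchor that points at the old ids; if nothing links to them, consider leaving this hunk out, otherwise keep the old ids.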
@ -54,7 +54,7 @@ spec:
|
|||||||
<strong id="cce_10_0734__b877721185918"> yangtse.io/pod-with-eip: </strong><em id="cce_10_0734__i1396810193216">"true"</em> # An EIP will be automatically allocated when the pod is created.
|
<strong id="cce_10_0734__b877721185918"> yangtse.io/pod-with-eip: </strong><em id="cce_10_0734__i1396810193216">"true"</em> # An EIP will be automatically allocated when the pod is created.
|
||||||
<strong id="cce_10_0734__b27892110596"> yangtse.io/eip-bandwidth-size: </strong><em id="cce_10_0734__i1062404653214">"5"</em> # EIP bandwidth
|
<strong id="cce_10_0734__b27892110596"> yangtse.io/eip-bandwidth-size: </strong><em id="cce_10_0734__i1062404653214">"5"</em> # EIP bandwidth
|
||||||
<strong id="cce_10_0734__b9786218594"> yangtse.io/eip-network-type: </strong><em id="cce_10_0734__i16190124218329">5_bgp</em> # EIP type
|
<strong id="cce_10_0734__b9786218594"> yangtse.io/eip-network-type: </strong><em id="cce_10_0734__i16190124218329">5_bgp</em> # EIP type
|
||||||
<strong id="cce_10_0734__b67832118592"> yangtse.io/eip-charge-mode: </strong><em id="cce_10_0734__i482293619321">bandwidth</em> # EIP billing mode
|
<strong id="cce_10_0734__b67832118592"> yangtse.io/eip-charge-mode: </strong><em id="cce_10_0734__i15815172334517"><strong id="cce_10_0734__b89561014164510">traffic</strong></em> # EIP billing mode
|
||||||
<strong id="cce_10_0734__b278132175913"> yangtse.io/eip-bandwidth-name: </strong><em id="cce_10_0734__i29048105335"><eip_bandwidth_name></em> # EIP bandwidth name
|
<strong id="cce_10_0734__b278132175913"> yangtse.io/eip-bandwidth-name: </strong><em id="cce_10_0734__i29048105335"><eip_bandwidth_name></em> # EIP bandwidth name
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
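Review bot: the new value on the `yangtse.io/eip-charge-mode` line nests a `<strong>` inside the `<em>`, so `traffic` renders bold-italic while every sibling value in the same annotation block (`"true"`, `"5"`, `5_bgp`, `<eip_bandwidth_name>`) is plain `<em>`. Unless the bold is meant to flag the changed value, drop the inner `<strong>` so the line reads `<em id="cce_10_0734__i15815172334517">traffic</em> # EIP billing mode`. The switch from `bandwidth` to `traffic` itself is consistent with the value table further down in this file, where `bandwidth` is removed.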
@ -122,10 +122,10 @@ spec:
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.4.5.1.3.2.6.1.3 "><p id="cce_10_0734__p44251313161317">None</p>
|
<td class="cellrowborder" valign="top" width="10.891089108910892%" headers="mcps1.3.4.5.1.3.2.6.1.3 "><p id="cce_10_0734__p44251313161317">None</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="27.722772277227726%" headers="mcps1.3.4.5.1.3.2.6.1.4 "><p id="cce_10_0734__p11425513171310">Billed by traffic or bandwidth</p>
|
<td class="cellrowborder" valign="top" width="27.722772277227726%" headers="mcps1.3.4.5.1.3.2.6.1.4 "><p id="cce_10_0734__p156839441405">Bandwidth mode.</p>
|
||||||
<p id="cce_10_0734__p1542650153911"><strong id="cce_10_0734__b9677193218548">You are advised to configure this parameter.</strong> If this parameter is left blank, no billing mode is specified. In this case, the default value of the EIP API in the region is used.</p>
|
<p id="cce_10_0734__p1542650153911"><strong id="cce_10_0734__b9677193218548">You are advised to configure this parameter.</strong> If this parameter is left blank, no billing mode is specified. In this case, the default value of the EIP API in the region is used.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="28.71287128712871%" headers="mcps1.3.4.5.1.3.2.6.1.5 "><ul id="cce_10_0734__ul3425191331319"><li id="cce_10_0734__li842581314135"><strong id="cce_10_0734__b6832083759264">bandwidth</strong>: billed by bandwidth</li><li id="cce_10_0734__li3425161312138"><strong id="cce_10_0734__b2134083209264">traffic</strong>: billed by traffic</li></ul>
|
<td class="cellrowborder" valign="top" width="28.71287128712871%" headers="mcps1.3.4.5.1.3.2.6.1.5 "><ul id="cce_10_0734__ul3425191331319"><li id="cce_10_0734__li3425161312138"><strong id="cce_10_0734__b2134083209264">traffic</strong>: billed by traffic</li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0734__row174251913101312"><td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.4.5.1.3.2.6.1.1 "><p id="cce_10_0734__p64256139139">yangtse.io/eip-bandwidth-name</p>
|
<tr id="cce_10_0734__row174251913101312"><td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.4.5.1.3.2.6.1.1 "><p id="cce_10_0734__p64256139139">yangtse.io/eip-bandwidth-name</p>
|
||||||
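Review bot: the new description cell `Bandwidth mode.` is misleading for a parameter named `eip-charge-mode` whose only remaining value is `traffic: billed by traffic`; a reader will take it to mean the EIP is billed by bandwidth. Suggest something like `Billing mode of the EIP. Only billing by traffic is supported.` The unchanged note below it (`If this parameter is left blank, no billing mode is specified. In this case, the default value of the EIP API in the region is used.`) should also say whether that regional default can be a mode other than `traffic`, since the table no longer lists any other value.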
@ -193,7 +193,7 @@ spec:
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="33%" headers="mcps1.3.4.5.2.3.2.6.1.4 "><p id="cce_10_0734__p2241938154014">Whether to allocate an EIP with a pod and bind the EIP to the pod</p>
|
<td class="cellrowborder" valign="top" width="33%" headers="mcps1.3.4.5.2.3.2.6.1.4 "><p id="cce_10_0734__p2241938154014">Whether to allocate an EIP with a pod and bind the EIP to the pod</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="23%" headers="mcps1.3.4.5.2.3.2.6.1.5 "><p id="cce_10_0734__p19176125614910"><strong id="cce_10_0734__b147445376">false</strong> or <strong id="cce_10_0734__b193806545">true</strong></p>
|
<td class="cellrowborder" valign="top" width="23%" headers="mcps1.3.4.5.2.3.2.6.1.5 "><p id="cce_10_0734__p19176125614910"><strong id="cce_10_0734__b1441766587">false</strong> or <strong id="cce_10_0734__b128089355">true</strong></p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_10_0734__row12412385407"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.4.5.2.3.2.6.1.1 "><p id="cce_10_0734__p824173815405">yangtse.io/eip-network-type</p>
|
<tr id="cce_10_0734__row12412385407"><td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.4.5.2.3.2.6.1.1 "><p id="cce_10_0734__p824173815405">yangtse.io/eip-network-type</p>
|
||||||
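Review bot: as in the cce_10_0651 copy of this table, this hunk only swaps the generated ids on the `false`/`true` `<strong>` tags (`cce_10_0734__b147445376` becomes `cce_10_0734__b1441766587`, `cce_10_0734__b193806545` becomes `cce_10_0734__b128089355`) with no text change. Same remark applies: check that nothing anchors to the old ids, and otherwise drop the churn from the change set.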
@ -289,7 +289,7 @@ metadata:
|
|||||||
yangtse.io/pod-with-eip: "true"
|
yangtse.io/pod-with-eip: "true"
|
||||||
yangtse.io/eip-bandwidth-size: "5"
|
yangtse.io/eip-bandwidth-size: "5"
|
||||||
yangtse.io/eip-network-type: 5_bgp
|
yangtse.io/eip-network-type: 5_bgp
|
||||||
yangtse.io/eip-charge-mode: bandwidth
|
yangtse.io/eip-charge-mode: traffic
|
||||||
yangtse.io/eip-bandwidth-name: "xxx"
|
yangtse.io/eip-bandwidth-name: "xxx"
|
||||||
spec:
|
spec:
|
||||||
<strong id="cce_10_0734__b1627019714515"> initContainers:</strong>
|
<strong id="cce_10_0734__b1627019714515"> initContainers:</strong>
|
||||||
|
|||||||
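Review bot: the `bandwidth` to `traffic` switch here keeps the second YAML example consistent with the first example and with the value table. While in this block, the unchanged `yangtse.io/eip-bandwidth-name: "xxx"` placeholder differs from the `<eip_bandwidth_name>` placeholder used in the first example; using the same form in both examples makes it clearer that this is a value the reader fills in rather than a literal.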
117
docs/cce/umn/cce_10_0850.html
Normal file
File diff suppressed because it is too large
205
docs/cce/umn/cce_10_0858.html
Normal file
File diff suppressed because it is too large
@ -169,7 +169,24 @@ kubectl patch daemonset -nkube-system yangtse-cilium --type='json' -p="[{\"op\":
|
|||||||
</th>
|
</th>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
<tbody><tr id="cce_10_0945__row104528515916"><td class="cellrowborder" valign="top" width="16.31%" headers="mcps1.3.6.6.1.6.1.1 "><p id="cce_10_0945__p15519151117911">2.0.2</p>
|
<tbody><tr id="cce_10_0945__row47550411742"><td class="cellrowborder" valign="top" width="16.31%" headers="mcps1.3.6.6.1.6.1.1 "><p id="cce_10_0945__p234513502412">2.1.1</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="7.5200000000000005%" headers="mcps1.3.6.6.1.6.1.2 "><p id="cce_10_0945__p11106134514598">Commercial use</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="27.21%" headers="mcps1.3.6.6.1.6.1.3 "><p id="cce_10_0945__p17345135011419">v1.27</p>
|
||||||
|
<p id="cce_10_0945__p11345105019418">v1.28</p>
|
||||||
|
<p id="cce_10_0945__p1634517501148">v1.29</p>
|
||||||
|
<p id="cce_10_0945__p183452501245">v1.30</p>
|
||||||
|
<p id="cce_10_0945__p2034517505419">v1.31</p>
|
||||||
|
<p id="cce_10_0945__p134515501948">v1.32</p>
|
||||||
|
<p id="cce_10_0945__p15345750543">v1.33</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="32.64%" headers="mcps1.3.6.6.1.6.1.4 "><ul id="cce_10_0945__ul163458501243"><li id="cce_10_0945__li3345195019411">Support for only the CCE standard clusters that use VPC networks</li><li id="cce_10_0945__li53454501149">Upgraded Cilium to v1.17.6.</li><li id="cce_10_0945__li193459505415">Support for CCE standard clusters of v1.33</li><li id="cce_10_0945__li43451950448">Custom Cilium parameters</li><li id="cce_10_0945__li834545019414">Configurable Hubble observability</li></ul>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="16.32%" headers="mcps1.3.6.6.1.6.1.5 "><p id="cce_10_0945__p8722125918418"><a href="https://docs.cilium.io/en/v1.17/" target="_blank" rel="noopener noreferrer">v1.17</a></p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr id="cce_10_0945__row104528515916"><td class="cellrowborder" valign="top" width="16.31%" headers="mcps1.3.6.6.1.6.1.1 "><p id="cce_10_0945__p15519151117911">2.0.2</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="7.5200000000000005%" headers="mcps1.3.6.6.1.6.1.2 "><p id="cce_10_0945__p91069459595">OBT</p>
|
<td class="cellrowborder" valign="top" width="7.5200000000000005%" headers="mcps1.3.6.6.1.6.1.2 "><p id="cce_10_0945__p91069459595">OBT</p>
|
||||||
</td>
|
</td>
|
||||||
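Review bot: the feature list of the new 2.1.1 row mixes styles: `Upgraded Cilium to v1.17.6.` is a past-tense sentence ending in a period while the other four items are noun phrases without one; make them uniform. The first item, `Support for only the CCE standard clusters that use VPC networks`, is ambiguous next to the 1.0.16 row added further down, which states `Support for CCE Turbo clusters of v1.33`: say plainly whether 2.1.1 can be installed only on VPC-network standard clusters (and therefore not on Turbo clusters), since that is what decides which add-on line a reader has to pick.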
@ -185,6 +202,23 @@ kubectl patch daemonset -nkube-system yangtse-cilium --type='json' -p="[{\"op\":
|
|||||||
<td class="cellrowborder" valign="top" width="16.32%" headers="mcps1.3.6.6.1.6.1.5 "><p id="cce_10_0945__p19520121114917"><a href="https://docs.cilium.io/en/v1.17/" target="_blank" rel="noopener noreferrer">v1.17</a></p>
|
<td class="cellrowborder" valign="top" width="16.32%" headers="mcps1.3.6.6.1.6.1.5 "><p id="cce_10_0945__p19520121114917"><a href="https://docs.cilium.io/en/v1.17/" target="_blank" rel="noopener noreferrer">v1.17</a></p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr id="cce_10_0945__row59791128353"><td class="cellrowborder" valign="top" width="16.31%" headers="mcps1.3.6.6.1.6.1.1 "><p id="cce_10_0945__p158213369518">1.0.16</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="7.5200000000000005%" headers="mcps1.3.6.6.1.6.1.2 "><p id="cce_10_0945__p18106945135917">Limited OBT</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="27.21%" headers="mcps1.3.6.6.1.6.1.3 "><p id="cce_10_0945__p175825361253">v1.27</p>
|
||||||
|
<p id="cce_10_0945__p5582936456">v1.28</p>
|
||||||
|
<p id="cce_10_0945__p958212362054">v1.29</p>
|
||||||
|
<p id="cce_10_0945__p458213360514">v1.30</p>
|
||||||
|
<p id="cce_10_0945__p15828361753">v1.31</p>
|
||||||
|
<p id="cce_10_0945__p1258217366520">v1.32</p>
|
||||||
|
<p id="cce_10_0945__p115821836454">v1.33</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="32.64%" headers="mcps1.3.6.6.1.6.1.4 "><ul id="cce_10_0945__ul1358216361658"><li id="cce_10_0945__li7582536352">Support for CCE Turbo clusters of v1.33</li></ul>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="16.32%" headers="mcps1.3.6.6.1.6.1.5 "><p id="cce_10_0945__p576320431855"><a href="https://docs.cilium.io/en/v1.14/" target="_blank" rel="noopener noreferrer">v1.14</a></p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
<tr id="cce_10_0945__row17558321891"><td class="cellrowborder" valign="top" width="16.31%" headers="mcps1.3.6.6.1.6.1.1 "><p id="cce_10_0945__p15120158897">1.0.15</p>
|
<tr id="cce_10_0945__row17558321891"><td class="cellrowborder" valign="top" width="16.31%" headers="mcps1.3.6.6.1.6.1.1 "><p id="cce_10_0945__p15120158897">1.0.15</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="7.5200000000000005%" headers="mcps1.3.6.6.1.6.1.2 "><p id="cce_10_0945__p810619453596">Limited OBT</p>
|
<td class="cellrowborder" valign="top" width="7.5200000000000005%" headers="mcps1.3.6.6.1.6.1.2 "><p id="cce_10_0945__p810619453596">Limited OBT</p>
|
||||||
|
|||||||
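Review bot: the new 1.0.16 row links upstream Cilium v1.14 while the 2.x rows link v1.17, and the row's only listed feature is `Support for CCE Turbo clusters of v1.33`. Because this table is where users choose an add-on version, add a sentence (in this row or above the table) stating that the 1.0.x line stays on the Cilium 1.14 series, so Turbo cluster users know they do not get the Cilium 1.17 upgrade listed for 2.1.1.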
@ -24,11 +24,11 @@
|
|||||||
</div>
|
</div>
|
||||||
</div></div></div>
|
</div></div></div>
|
||||||
<div class="section" id="cce_bestpractice_00004__section158285913212"><div class="dropdownexpand"><div class="dropdowntitle" onclick="ExpandorCollapseNode(this)"><h4 class="sectiontitle">Single-VPC Multi-Cluster Scenarios</h4></div><div class="dropdowncontext"></div><div class="dropdowncontext"><p id="cce_bestpractice_00004__p92201520336"><strong id="cce_bestpractice_00004__b193873301795">VPC network model</strong></p>
|
<div class="section" id="cce_bestpractice_00004__section158285913212"><div class="dropdownexpand"><div class="dropdowntitle" onclick="ExpandorCollapseNode(this)"><h4 class="sectiontitle">Single-VPC Multi-Cluster Scenarios</h4></div><div class="dropdowncontext"></div><div class="dropdowncontext"><p id="cce_bestpractice_00004__p92201520336"><strong id="cce_bestpractice_00004__b193873301795">VPC network model</strong></p>
|
||||||
<div class="p" id="cce_bestpractice_00004__en-us_topic_0099587154_p2017890132517">Pod packets are forwarded through VPC routes. CCE automatically configures a routing table on the VPC routes to each container CIDR block. The network scale is limited by the VPC route table. <a href="#cce_bestpractice_00004__en-us_topic_0099587154_fig69527530400">Figure 4</a> shows the CIDR block planning of the cluster.<ul id="cce_bestpractice_00004__en-us_topic_0099587154_ul882015557241"><li id="cce_bestpractice_00004__li790154610251">VPC CIDR Block: specifies the VPC CIDR block where the cluster resides. The size of this CIDR block affects the maximum number of nodes that can be created in the cluster.</li><li id="cce_bestpractice_00004__li20845848142312">Subnet CIDR Block: The subnet CIDR block in each cluster cannot overlap with the container CIDR block.</li><li id="cce_bestpractice_00004__en-us_topic_0099587154_li13820185572420">Container CIDR Block: If multiple VPC network model clusters exist in a single VPC, the container CIDR blocks of all clusters cannot overlap because the clusters use the same routing table. In this case, if the node security group allows container CIDR block from the peer cluster, pods in one cluster can directly access pods in another cluster through the pod IP addresses.</li><li id="cce_bestpractice_00004__en-us_topic_0099587154_li198211055182410">Service CIDR Block: can be used only in clusters. Therefore, the Service CIDR blocks of different clusters can overlap, but cannot overlap with the cluster subnet CIDR block and container subnet CIDR block.</li></ul>
|
<div class="p" id="cce_bestpractice_00004__en-us_topic_0099587154_p2017890132517">Pod packets are forwarded through VPC routes. CCE automatically configures a routing table on the VPC routes to each container CIDR block. The network scale is limited by the VPC route table. <a href="#cce_bestpractice_00004__en-us_topic_0099587154_fig69527530400">Figure 4</a> shows the CIDR block planning of the cluster.<ul id="cce_bestpractice_00004__en-us_topic_0099587154_ul882015557241"><li id="cce_bestpractice_00004__li790154610251">VPC CIDR block: specifies the VPC CIDR block where the cluster resides. The size of this CIDR block affects the maximum number of nodes that can be created in the cluster.</li><li id="cce_bestpractice_00004__li20845848142312">Subnet CIDR block: The subnet CIDR block in each cluster cannot overlap with the container CIDR block.</li><li id="cce_bestpractice_00004__en-us_topic_0099587154_li13820185572420">Container CIDR block: If multiple VPC network model clusters exist in a single VPC, the container CIDR blocks of all clusters cannot overlap because the clusters use the same routing table. In this case, if the node security group allows container CIDR block from the peer cluster, pods in one cluster can directly access pods in another cluster through the pod IP addresses.</li><li id="cce_bestpractice_00004__en-us_topic_0099587154_li198211055182410">Service CIDR block: can be used only in clusters. Therefore, the Service CIDR blocks of different clusters can overlap, but cannot overlap with the cluster CIDR block and container subnet CIDR block.</li></ul>
|
||||||
<div class="fignone" id="cce_bestpractice_00004__en-us_topic_0099587154_fig69527530400"><a name="cce_bestpractice_00004__en-us_topic_0099587154_fig69527530400"></a><a name="en-us_topic_0099587154_fig69527530400"></a><span class="figcap"><b>Figure 4 </b>VPC network - multi-cluster scenario</span><br><span><img id="cce_bestpractice_00004__en-us_topic_0099587154_image2088115717617" src="en-us_image_0000002484118428.png"></span></div>
|
<div class="fignone" id="cce_bestpractice_00004__en-us_topic_0099587154_fig69527530400"><a name="cce_bestpractice_00004__en-us_topic_0099587154_fig69527530400"></a><a name="en-us_topic_0099587154_fig69527530400"></a><span class="figcap"><b>Figure 4 </b>VPC network - multi-cluster scenario</span><br><span><img id="cce_bestpractice_00004__en-us_topic_0099587154_image2088115717617" src="en-us_image_0000002484118428.png"></span></div>
|
||||||
</div>
|
</div>
|
||||||
<p id="cce_bestpractice_00004__p137155120316"><strong id="cce_bestpractice_00004__b9885618151210">Tunnel network model</strong></p>
|
<p id="cce_bestpractice_00004__p137155120316"><strong id="cce_bestpractice_00004__b9885618151210">Tunnel network model</strong></p>
|
||||||
<div class="p" id="cce_bestpractice_00004__en-us_topic_0099587154_p2895124762317">Though at some cost of performance, the tunnel encapsulation enables higher interoperability and compatibility with advanced features (such as network policy-based isolation), meeting the requirements of most applications. <a href="#cce_bestpractice_00004__en-us_topic_0099587154_fig8672112184219">Figure 5</a> shows the CIDR block planning of the cluster.<ul id="cce_bestpractice_00004__ul2493220356"><li id="cce_bestpractice_00004__li24632163511">VPC CIDR Block: specifies the VPC CIDR block where the cluster resides. The size of this CIDR block affects the maximum number of nodes that can be created in the cluster.</li><li id="cce_bestpractice_00004__li154193263512">Subnet CIDR Block: The subnet CIDR block in each cluster cannot overlap with the container CIDR block.</li><li id="cce_bestpractice_00004__li1941632203519">Container CIDR Block: The container CIDR blocks of all clusters can overlap. In this case, pods in different clusters cannot be directly accessed through pod IP addresses. Services are required for accessing pods in different clusters. The LoadBalancer Services are recommended.</li><li id="cce_bestpractice_00004__li16433293512">Service CIDR Block: can be used only in clusters. Therefore, the Service CIDR blocks of different clusters can overlap, but cannot overlap with the cluster CIDR block and container subnet CIDR block.</li></ul>
|
<div class="p" id="cce_bestpractice_00004__en-us_topic_0099587154_p2895124762317">Though at some cost of performance, the tunnel encapsulation enables higher interoperability and compatibility with advanced features (such as network policy-based isolation), meeting the requirements of most applications. <a href="#cce_bestpractice_00004__en-us_topic_0099587154_fig8672112184219">Figure 5</a> shows the CIDR block planning of the cluster.<ul id="cce_bestpractice_00004__ul2493220356"><li id="cce_bestpractice_00004__li24632163511">VPC CIDR block: specifies the VPC CIDR block where the cluster resides. The size of this CIDR block affects the maximum number of nodes that can be created in the cluster.</li><li id="cce_bestpractice_00004__li154193263512">Subnet CIDR block: The subnet CIDR block in each cluster cannot overlap with the container CIDR block.</li><li id="cce_bestpractice_00004__li1941632203519">Container CIDR block: The container CIDR blocks of all clusters can overlap. In this case, pods in different clusters cannot be directly accessed through pod IP addresses. Services are required for accessing pods in different clusters. The LoadBalancer Services are recommended.</li><li id="cce_bestpractice_00004__li16433293512">Service CIDR block: can be used only in clusters. Therefore, the Service CIDR blocks of different clusters can overlap, but cannot overlap with the cluster CIDR block and container subnet CIDR block.</li></ul>
|
||||||
<div class="fignone" id="cce_bestpractice_00004__en-us_topic_0099587154_fig8672112184219"><a name="cce_bestpractice_00004__en-us_topic_0099587154_fig8672112184219"></a><a name="en-us_topic_0099587154_fig8672112184219"></a><span class="figcap"><b>Figure 5 </b>Tunnel network - multi-cluster scenario</span><br><span><img id="cce_bestpractice_00004__en-us_topic_0099587154_image14998656164117" src="en-us_image_0000002516078397.png"></span></div>
|
<div class="fignone" id="cce_bestpractice_00004__en-us_topic_0099587154_fig8672112184219"><a name="cce_bestpractice_00004__en-us_topic_0099587154_fig8672112184219"></a><a name="en-us_topic_0099587154_fig8672112184219"></a><span class="figcap"><b>Figure 5 </b>Tunnel network - multi-cluster scenario</span><br><span><img id="cce_bestpractice_00004__en-us_topic_0099587154_image14998656164117" src="en-us_image_0000002516078397.png"></span></div>
|
||||||
</div>
|
</div>
|
||||||
<p id="cce_bestpractice_00004__p63888102047"><strong id="cce_bestpractice_00004__b13940172119169">Cloud Native 2.0 network model</strong> (CCE Turbo Clusters)</p>
|
<p id="cce_bestpractice_00004__p63888102047"><strong id="cce_bestpractice_00004__b13940172119169">Cloud Native 2.0 network model</strong> (CCE Turbo Clusters)</p>
|
||||||
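Review bot: the Service CIDR bullet of the VPC network paragraph changes `cannot overlap with the cluster subnet CIDR block` to `cannot overlap with the cluster CIDR block`, a meaning change buried in what is otherwise a `Block` to `block` capitalization cleanup. Neither `cluster CIDR block` nor `container subnet CIDR block` is one of the four blocks the list defines (VPC, subnet, container, Service), and the tunnel paragraph carries the same wording; suggest naming the defined blocks in both places, for example `cannot overlap with the subnet CIDR block or the container CIDR block`. Minor: `VPC CIDR block: specifies ...` uses a lowercase word after the colon while the other three items start with a capital.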
@ -52,7 +52,7 @@
|
|||||||
<p id="cce_bestpractice_00004__en-us_topic_0099587154_p15295194916354">Pay attention to the following:</p>
|
<p id="cce_bestpractice_00004__en-us_topic_0099587154_p15295194916354">Pay attention to the following:</p>
|
||||||
<ul id="cce_bestpractice_00004__en-us_topic_0099587154_ul62952049133517"><li id="cce_bestpractice_00004__en-us_topic_0099587154_li132959494355">The VPC CIDR blocks of the clusters at the two ends must not overlap.</li><li id="cce_bestpractice_00004__en-us_topic_0099587154_li10295134911351">The container CIDR blocks of all clusters can overlap, so do the Service CIDR blocks.</li><li id="cce_bestpractice_00004__li7133184674417">If the request end cluster uses the tunnel network, check whether the node security group in the target cluster allows the VPC CIDR block (including the node subnets) of the request end cluster. If yes, nodes in one cluster can access nodes in another cluster. However, pods in different clusters cannot be directly accessed using pod IP addresses. Access between pods in different clusters requires Services. The LoadBalancer Services are recommended.</li><li id="cce_bestpractice_00004__li1402173261818">You need to add routes for accessing the peer network CIDR block to the VPC routing tables at both ends. For example, you need to add a route for accessing the CIDR block of VPC 2 to the route table of VPC 1, and add a route for accessing VPC 1 to the route table of VPC 2. After the route of the VPC CIDR block is added, the pod can access a node in another cluster, for example, through the port of a NodePort Service.</li></ul>
|
<ul id="cce_bestpractice_00004__en-us_topic_0099587154_ul62952049133517"><li id="cce_bestpractice_00004__en-us_topic_0099587154_li132959494355">The VPC CIDR blocks of the clusters at the two ends must not overlap.</li><li id="cce_bestpractice_00004__en-us_topic_0099587154_li10295134911351">The container CIDR blocks of all clusters can overlap, so do the Service CIDR blocks.</li><li id="cce_bestpractice_00004__li7133184674417">If the request end cluster uses the tunnel network, check whether the node security group in the target cluster allows the VPC CIDR block (including the node subnets) of the request end cluster. If yes, nodes in one cluster can access nodes in another cluster. However, pods in different clusters cannot be directly accessed using pod IP addresses. Access between pods in different clusters requires Services. The LoadBalancer Services are recommended.</li><li id="cce_bestpractice_00004__li1402173261818">You need to add routes for accessing the peer network CIDR block to the VPC routing tables at both ends. For example, you need to add a route for accessing the CIDR block of VPC 2 to the route table of VPC 1, and add a route for accessing VPC 1 to the route table of VPC 2. After the route of the VPC CIDR block is added, the pod can access a node in another cluster, for example, through the port of a NodePort Service.</li></ul>
|
||||||
<p id="cce_bestpractice_00004__p209815311458"><strong id="cce_bestpractice_00004__b4607167620">Clusters using Cloud Native 2.0 networks (CCE Turbo clusters)</strong></p>
|
<p id="cce_bestpractice_00004__p209815311458"><strong id="cce_bestpractice_00004__b4607167620">Clusters using Cloud Native 2.0 networks (CCE Turbo clusters)</strong></p>
|
||||||
<div class="p" id="cce_bestpractice_00004__p1397317227577">After creating a VPC peering connection, add routes of the VPC peering connection to both ends so that the two VPCs can communicate with each other. Pay attention to the following:<ul id="cce_bestpractice_00004__ul444535518468"><li id="cce_bestpractice_00004__li0546156124619">The VPC CIDR blocks of the clusters at the two ends must not overlap.</li><li id="cce_bestpractice_00004__li05461256184611">If the request end cluster uses the Cloud Native 2.0 network, check whether the elastic network interface security group (named in the format of <em id="cce_bestpractice_00004__i1224239712">{Cluster name}</em><strong id="cce_bestpractice_00004__b1359418281170">-cce-eni-</strong><em id="cce_bestpractice_00004__i4889113120714">{Random ID}</em>) of the target cluster allows the VPC CIDR block (including the node subnets and container CIDR block) of the request end cluster. If yes, pods in one cluster can directly access pods in another cluster through the pod IP addresses. Similarly, if nodes in the clusters at the two ends of the VPC peering need to access each other, allow the VPC CIDR block of the peer cluster in the node security group (named in the format of <em id="cce_bestpractice_00004__i1390972512914">{Cluster name}</em><strong id="cce_bestpractice_00004__b15173112311913">-cce-node-</strong><em id="cce_bestpractice_00004__i102291420490">{Random ID}</em>).</li><li id="cce_bestpractice_00004__li13671664125">You need to add routes for accessing the peer network CIDR block to the VPC routing tables at both ends. For example, you need to add a route for accessing the CIDR block of VPC 2 to the route table of VPC 1, and add a route for accessing VPC 1 to the route table of VPC 2. After the route of the VPC CIDR block is added, the pod can access pod IP addresses or nodes in another cluster.</li></ul>
|
<div class="p" id="cce_bestpractice_00004__p1397317227577">After creating a VPC peering connection, add routes of the VPC peering connection to both ends so that the two VPCs can communicate with each other. Pay attention to the following:<ul id="cce_bestpractice_00004__ul444535518468"><li id="cce_bestpractice_00004__li0546156124619">The VPC CIDR blocks of the clusters at the two ends must not overlap.</li><li id="cce_bestpractice_00004__li05461256184611">If the request end cluster uses the Cloud Native 2.0 network, check whether the elastic network interface security group (named in the format of <em id="cce_bestpractice_00004__i1224239712">{Cluster name}</em><strong id="cce_bestpractice_00004__b1359418281170">-cce-eni-</strong><em id="cce_bestpractice_00004__i4889113120714">{Random ID}</em>) of the target cluster allows the VPC CIDR block (including the node subnets and container CIDR block) of the request end cluster. If yes, pods in one cluster can directly access pods in another cluster through pod IP addresses. Similarly, if nodes in the clusters at the two ends of the VPC peering need to access each other, allow the VPC CIDR block of the peer cluster in the node security group (named in the format of <em id="cce_bestpractice_00004__i1390972512914">{Cluster name}</em><strong id="cce_bestpractice_00004__b15173112311913">-cce-node-</strong><em id="cce_bestpractice_00004__i102291420490">{Random ID}</em>).</li><li id="cce_bestpractice_00004__li13671664125">You need to add routes for accessing the peer network CIDR block to the VPC routing tables at both ends. For example, you need to add a route for accessing the CIDR block of VPC 2 to the route table of VPC 1, and add a route for accessing VPC 1 to the route table of VPC 2. After the route of the VPC CIDR block is added, the pod can access pod IP addresses or nodes in another cluster.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<p id="cce_bestpractice_00004__p5105185914319"><strong id="cce_bestpractice_00004__b173711231101014">Clusters using different networks</strong></p>
|
<p id="cce_bestpractice_00004__p5105185914319"><strong id="cce_bestpractice_00004__b173711231101014">Clusters using different networks</strong></p>
|
||||||
<p id="cce_bestpractice_00004__p11655618103912">If clusters using different networks need to communicate with each other across VPCs, every one of them may serve as the request end or destination end. Pay attention to the following:</p>
|
<p id="cce_bestpractice_00004__p11655618103912">If clusters using different networks need to communicate with each other across VPCs, every one of them may serve as the request end or destination end. Pay attention to the following:</p>
|
||||||
|
|||||||
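Review bot: the only change is dropping `the` before `pod IP addresses`, which is fine. Two things in the surrounding context are worth fixing in the same pass: `The container CIDR blocks of all clusters can overlap, so do the Service CIDR blocks.` should read `and so can the Service CIDR blocks`; and the guidance to allow the whole VPC CIDR block of the request end cluster in the `{Cluster name}-cce-eni-{Random ID}` and `{Cluster name}-cce-node-{Random ID}` security groups says nothing about protocols or ports, so the text should tell the reader to scope the rule to the protocols and ports the cross-cluster traffic actually needs rather than admitting the peer CIDR block wholesale.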
@ -21,7 +21,7 @@ API Version:1.35
|
|||||||
<div class="note" id="cce_bestpractice_0006__note89901713101415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_0006__p1991131361419">Download the environment required by the application.</p>
|
<div class="note" id="cce_bestpractice_0006__note89901713101415"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_0006__p1991131361419">Download the environment required by the application.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
<ol id="cce_bestpractice_0006__ol173142620419"><li id="cce_bestpractice_0006__li1774314119619"><span>Download Tomcat, JDK, and MongoDB installation packages of the specific versions.</span><p><ol type="a" id="cce_bestpractice_0006__ol1766215521666"><li id="cce_bestpractice_0006__li14463415333">Download JDK 1.8.<p id="cce_bestpractice_0006__p12862174218338"><a name="cce_bestpractice_0006__li14463415333"></a><a name="li14463415333"></a>Download address: <a href="https://www.oracle.com/java/technologies/jdk8-downloads.html" target="_blank" rel="noopener noreferrer">https://www.oracle.com/java/technologies/jdk8-downloads.html</a>.</p>
|
<ol id="cce_bestpractice_0006__ol173142620419"><li id="cce_bestpractice_0006__li1774314119619"><span>Download Tomcat, JDK, and MongoDB installation packages of the specific versions.</span><p><ol type="a" id="cce_bestpractice_0006__ol1766215521666"><li id="cce_bestpractice_0006__li14463415333">Download JDK 1.8.<p id="cce_bestpractice_0006__p12862174218338"><a name="cce_bestpractice_0006__li14463415333"></a><a name="li14463415333"></a>Download address: <a href="https://www.oracle.com/java/technologies/jdk8-downloads.html" target="_blank" rel="noopener noreferrer">https://www.oracle.com/java/technologies/jdk8-downloads.html</a>.</p>
|
||||||
</li><li id="cce_bestpractice_0006__li4766155315518">Download Tomcat 7.0 from <a href="http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.82/bin/apache-tomcat-7.0.82.tar.gz" target="_blank" rel="noopener noreferrer">http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.82/bin/apache-tomcat-7.0.82.tar.gz</a>.</li><li id="cce_bestpractice_0006__li15306161318614">Download MongoDB 3.2 from <a href="https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-3.2.9.tgz" target="_blank" rel="noopener noreferrer">https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-3.2.9.tgz</a>.</li></ol>
|
</li><li id="cce_bestpractice_0006__li4766155315518">Download Tomcat 7.0 from <a href="https://archive.apache.org/dist/tomcat/tomcat-7/v7.0.82/bin/apache-tomcat-7.0.82.tar.gz" target="_blank" rel="noopener noreferrer">https://archive.apache.org/dist/tomcat/tomcat-7/v7.0.82/bin/apache-tomcat-7.0.82.tar.gz</a>.</li><li id="cce_bestpractice_0006__li15306161318614">Download MongoDB 3.2 from <a href="https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-3.2.9.tgz" target="_blank" rel="noopener noreferrer">https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-rhel70-3.2.9.tgz</a>.</li></ol>
|
||||||
</p></li><li id="cce_bestpractice_0006__li4699271588"><span>Log in as user <strong id="cce_bestpractice_0006__b7490132544418">root</strong> to the device running Docker.</span></li><li id="cce_bestpractice_0006__li5541955"><span>Run the following commands to create the directory where the application is to be stored: For example, set the directory to <strong id="cce_bestpractice_0006__b16506121810401">apptest</strong>.</span><p><p id="cce_bestpractice_0006__p1543624854918"><strong id="cce_bestpractice_0006__b192895317179">mkdir apptest</strong></p>
|
</p></li><li id="cce_bestpractice_0006__li4699271588"><span>Log in as user <strong id="cce_bestpractice_0006__b7490132544418">root</strong> to the device running Docker.</span></li><li id="cce_bestpractice_0006__li5541955"><span>Run the following commands to create the directory where the application is to be stored: For example, set the directory to <strong id="cce_bestpractice_0006__b16506121810401">apptest</strong>.</span><p><p id="cce_bestpractice_0006__p1543624854918"><strong id="cce_bestpractice_0006__b192895317179">mkdir apptest</strong></p>
|
||||||
<p id="cce_bestpractice_0006__p164638508496"><strong id="cce_bestpractice_0006__b10292203111172">cd apptest</strong></p>
|
<p id="cce_bestpractice_0006__p164638508496"><strong id="cce_bestpractice_0006__b10292203111172">cd apptest</strong></p>
|
||||||
</p></li><li id="cce_bestpractice_0006__li9663957664"><span>Use Xshell to save the downloaded dependency files to the <strong id="cce_bestpractice_0006__b1322811288407">apptest</strong> directory.</span></li><li id="cce_bestpractice_0006__li2046116913533"><span>Run the following commands to decompress the dependency files:</span><p><p id="cce_bestpractice_0006__p1647617536536"><strong id="cce_bestpractice_0006__b1447514329544">tar -zxf apache-tomcat-7.0.82.tar.gz</strong></p>
|
</p></li><li id="cce_bestpractice_0006__li9663957664"><span>Use Xshell to save the downloaded dependency files to the <strong id="cce_bestpractice_0006__b1322811288407">apptest</strong> directory.</span></li><li id="cce_bestpractice_0006__li2046116913533"><span>Run the following commands to decompress the dependency files:</span><p><p id="cce_bestpractice_0006__p1647617536536"><strong id="cce_bestpractice_0006__b1447514329544">tar -zxf apache-tomcat-7.0.82.tar.gz</strong></p>
|
||||||
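Review bot: switching the archive.apache.org Tomcat link from http to https is the only change in this hunk and it is the right direction, but the procedure still downloads JDK 1.8, Tomcat 7.0.82 and MongoDB 3.2.9 and then unpacks them directly with `tar -zxf` (step 5) while logged in as root (step 2) with no integrity check in between. Add a checksum or signature verification step for the three archives before the `tar -zxf apache-tomcat-7.0.82.tar.gz` line so that a tampered download is caught before it is extracted on the Docker host.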
|
|||||||
@ -128,7 +128,7 @@ tmpfs tmpfs 1.8G 75M 1.8G 5% /tmp
|
|||||||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
||||||
sda 8:0 0 50G 0 disk
|
sda 8:0 0 50G 0 disk
|
||||||
└─sda1 8:1 0 50G 0 part /
|
└─sda1 8:1 0 50G 0 part /
|
||||||
<strong id="cce_bestpractice_00198__b1294212664615">sdb</strong> 8:16 0 150G 0 disk # The data disk has been expanded to 150 GiB, but 50 GiB space is free.
|
<strong id="cce_bestpractice_00198__b1294212664615">sdb</strong> 8:16 0 150G 0 disk # The data disk has been expanded to 150 GiB, but 50-GiB space is not allocated.
|
||||||
├─<strong id="cce_bestpractice_00198__b4744112513594">vgpaas-dockersys </strong>253:0 0 90G 0 lvm /var/lib/containerd
|
├─<strong id="cce_bestpractice_00198__b4744112513594">vgpaas-dockersys </strong>253:0 0 90G 0 lvm /var/lib/containerd
|
||||||
└─vgpaas-kubernetes 253:1 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
└─vgpaas-kubernetes 253:1 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
||||||
</li><li id="cce_bestpractice_00198__li0198144861813">Expand the disk capacity.<p id="cce_bestpractice_00198__p921474831812"><a name="cce_bestpractice_00198__li0198144861813"></a><a name="li0198144861813"></a>Add the new disk capacity to the <strong id="cce_bestpractice_00198__b847894461815">dockersys</strong> logical volume used by the container engine.</p>
|
</li><li id="cce_bestpractice_00198__li0198144861813">Expand the disk capacity.<p id="cce_bestpractice_00198__p921474831812"><a name="cce_bestpractice_00198__li0198144861813"></a><a name="li0198144861813"></a>Add the new disk capacity to the <strong id="cce_bestpractice_00198__b847894461815">dockersys</strong> logical volume used by the container engine.</p>
|
||||||
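Review bot: the reworded comment on the `sdb` line ("50-GiB space is not allocated") agrees with the sizes shown in the output (90G dockersys plus 10G kubernetes on a 150G disk leaves 50 GiB unallocated), but "50-GiB space" reads awkwardly; "50 GiB is still unallocated" says the same thing more plainly and should be used in both lsblk examples in this file so the two comments stay identical.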
@ -228,7 +228,7 @@ vda 8:0 0 50G 0 disk
|
|||||||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
||||||
sda 8:0 0 50G 0 disk
|
sda 8:0 0 50G 0 disk
|
||||||
└─sda1 8:1 0 50G 0 part /
|
└─sda1 8:1 0 50G 0 part /
|
||||||
<strong id="cce_bestpractice_00198__b97111847164619">sdb </strong> 8:16 0 200G 0 disk <strong id="cce_bestpractice_00198__b1471194794611"> </strong> #The data disk has been expanded to 200 GiB, but 50 GiB space is not allocated.
|
<strong id="cce_bestpractice_00198__b97111847164619">sdb </strong> 8:16 0 200G 0 disk <strong id="cce_bestpractice_00198__b1471194794611"> </strong> #The data disk has been expanded to 200 GiB, but 50-GiB space is not allocated.
|
||||||
├─vgpaas-dockersys 253:0 0 140G 0 lvm /var/lib/containerd
|
├─vgpaas-dockersys 253:0 0 140G 0 lvm /var/lib/containerd
|
||||||
└─<strong id="cce_bestpractice_00198__b78625430594">vgpaas-kubernetes 253:1 </strong> 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
└─<strong id="cce_bestpractice_00198__b78625430594">vgpaas-kubernetes 253:1 </strong> 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
||||||
</p></li><li id="cce_bestpractice_00198__li1484615201963"><span>Perform the following operations on the node to add the new disk capacity to the kubelet space:</span><p><ol type="a" id="cce_bestpractice_00198__ol9436123915403"><li id="cce_bestpractice_00198__li74361439134015">Expand the PV capacity so that LVM can identify the new EVS capacity. <i><span class="varname" id="cce_bestpractice_00198__varname18436123914011">/dev/sdb</span></i> specifies the physical volume where kubelet is located.<pre class="screen" id="cce_bestpractice_00198__screen124362391402">pvresize <i><span class="varname" id="cce_bestpractice_00198__varname1643683919401">/dev/sdb</span></i></pre>
|
</p></li><li id="cce_bestpractice_00198__li1484615201963"><span>Perform the following operations on the node to add the new disk capacity to the kubelet space:</span><p><ol type="a" id="cce_bestpractice_00198__ol9436123915403"><li id="cce_bestpractice_00198__li74361439134015">Expand the PV capacity so that LVM can identify the new EVS capacity. <i><span class="varname" id="cce_bestpractice_00198__varname18436123914011">/dev/sdb</span></i> specifies the physical volume where kubelet is located.<pre class="screen" id="cce_bestpractice_00198__screen124362391402">pvresize <i><span class="varname" id="cce_bestpractice_00198__varname1643683919401">/dev/sdb</span></i></pre>
|
||||||
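Review bot: same wording change as in the 150 GiB example, and the figures again add up (140G plus 10G on a 200G disk leaves 50 GiB unallocated), but this comment has no space after the `#` ("#The data disk") whereas the earlier one has one ("# The data disk"); make the two consistent. The `pvresize /dev/sdb` step shown in the trailing context is the correct first step for making LVM see the enlarged EVS disk.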
|
|||||||
@ -96,7 +96,7 @@
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="64.35643564356435%" headers="mcps1.3.5.5.5.3.2.4.1.2 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_a3b17669b0bd94aa8a54f42eca14b43f3">Specifies the desired region. Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.</p>
|
<td class="cellrowborder" valign="top" width="64.35643564356435%" headers="mcps1.3.5.5.5.3.2.4.1.2 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_a3b17669b0bd94aa8a54f42eca14b43f3">Specifies the desired region. Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.5.5.5.3.2.4.1.3 "><p id="cce_bestpractice_00222__p16116141744919">N/A</p>
|
<td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.5.5.5.3.2.4.1.3 "><p id="cce_bestpractice_00222__p16116141744919">-</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_row33493172163645"><td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.5.5.5.3.2.4.1.1 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p48204032163921">Name</p>
|
<tr id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_row33493172163645"><td class="cellrowborder" valign="top" width="17.82178217821782%" headers="mcps1.3.5.5.5.3.2.4.1.1 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p48204032163921">Name</p>
|
||||||
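Review bot: replacing "N/A" with "-" in the third column is a placeholder convention change only, with no text change in the Region description, so it has to be applied to every row of this table and of the sibling tables (the next two hunks at lines 147 and 210 do the same); any row left with "N/A" will make the column mix both placeholders. If the column is meant to hold an example value, a bare "-" is easy to read as a missing entry, so keep the column header explicit about what "-" means.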
@ -147,7 +147,7 @@
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="64%" headers="mcps1.3.5.5.5.4.2.4.1.2 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p1031941715315">Select <strong id="cce_bestpractice_00222__en-us_topic_0226102195_b1420421315360">Enable</strong> for <strong id="cce_bestpractice_00222__en-us_topic_0226102195_b2020481343617">IPv6 CIDR Block</strong>. An IPv6 CIDR block will be automatically assigned to the subnet. IPv6 cannot be disabled after the subnet is created. Currently, you are not allowed to specify a custom IPv6 CIDR block.</p>
|
<td class="cellrowborder" valign="top" width="64%" headers="mcps1.3.5.5.5.4.2.4.1.2 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p1031941715315">Select <strong id="cce_bestpractice_00222__en-us_topic_0226102195_b1420421315360">Enable</strong> for <strong id="cce_bestpractice_00222__en-us_topic_0226102195_b2020481343617">IPv6 CIDR Block</strong>. An IPv6 CIDR block will be automatically assigned to the subnet. IPv6 cannot be disabled after the subnet is created. Currently, you are not allowed to specify a custom IPv6 CIDR block.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.5.5.5.4.2.4.1.3 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p6108303521">N/A</p>
|
<td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.5.5.5.4.2.4.1.3 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p6108303521">-</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_bestpractice_00222__row2056165611438"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.5.5.5.4.2.4.1.1 "><p id="cce_bestpractice_00222__p1056219566433">Associated Route Table</p>
|
<tr id="cce_bestpractice_00222__row2056165611438"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.5.5.5.4.2.4.1.1 "><p id="cce_bestpractice_00222__p1056219566433">Associated Route Table</p>
|
||||||
@ -210,7 +210,7 @@
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="67%" headers="mcps1.3.7.4.5.2.2.4.1.2 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p133381925181915">Specifies the desired region. Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.</p>
|
<td class="cellrowborder" valign="top" width="67%" headers="mcps1.3.7.4.5.2.2.4.1.2 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p133381925181915">Specifies the desired region. Regions are geographic areas that are physically isolated from each other. The networks inside different regions are not connected to each other, so resources cannot be shared across different regions. For lower network latency and faster access to your resources, select the region nearest you.</p>
|
||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.7.4.5.2.2.4.1.3 "><p id="cce_bestpractice_00222__p246911555014">N/A</p>
|
<td class="cellrowborder" valign="top" width="17%" headers="mcps1.3.7.4.5.2.2.4.1.3 "><p id="cce_bestpractice_00222__p246911555014">-</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_row5999335163114"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.7.4.5.2.2.4.1.1 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p4338102521919">Bandwidth</p>
|
<tr id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_row5999335163114"><td class="cellrowborder" valign="top" width="16%" headers="mcps1.3.7.4.5.2.2.4.1.1 "><p id="cce_bestpractice_00222__en-us_topic_0226102195_en-us_topic_0213478735_en-us_topic_0118066459_p4338102521919">Bandwidth</p>
|
||||||
|
|||||||
@ -66,7 +66,7 @@ aws_secret_access_key = {SK}</pre>
|
|||||||
</td>
|
</td>
|
||||||
<td class="cellrowborder" valign="top" width="79.89%" headers="mcps1.3.4.5.5.2.2.2.3.1.2 "><p id="cce_bestpractice_0310__p2028718451307">Specify the OBS bucket configurations, including <strong id="cce_bestpractice_0310__b0594173273420">region</strong>, <strong id="cce_bestpractice_0310__b58055334347">s3ForcePathStyle</strong>, <strong id="cce_bestpractice_0310__b37768341349">s3Url</strong>, and more.</p>
|
<td class="cellrowborder" valign="top" width="79.89%" headers="mcps1.3.4.5.5.2.2.2.3.1.2 "><p id="cce_bestpractice_0310__p2028718451307">Specify the OBS bucket configurations, including <strong id="cce_bestpractice_0310__b0594173273420">region</strong>, <strong id="cce_bestpractice_0310__b58055334347">s3ForcePathStyle</strong>, <strong id="cce_bestpractice_0310__b37768341349">s3Url</strong>, and more.</p>
|
||||||
<ul id="cce_bestpractice_0310__ul19273319254"><li id="cce_bestpractice_0310__li69203342512"><strong id="cce_bestpractice_0310__b6880182920348">region</strong>: the region where the OBS bucket is located.<ul id="cce_bestpractice_0310__ul397654142519"><li id="cce_bestpractice_0310__li129745472513">Configure this parameter based on the actual region, for example, <strong id="cce_bestpractice_0310__b16275012123516">eu-de</strong>.</li></ul>
|
<ul id="cce_bestpractice_0310__ul19273319254"><li id="cce_bestpractice_0310__li69203342512"><strong id="cce_bestpractice_0310__b6880182920348">region</strong>: the region where the OBS bucket is located.<ul id="cce_bestpractice_0310__ul397654142519"><li id="cce_bestpractice_0310__li129745472513">Configure this parameter based on the actual region, for example, <strong id="cce_bestpractice_0310__b16275012123516">eu-de</strong>.</li></ul>
|
||||||
</li><li id="cce_bestpractice_0310__li13446105932511"><strong id="cce_bestpractice_0310__b11106947163913">s3ForcePathStyle</strong>: If this parameter is set to <strong id="cce_bestpractice_0310__b79204943917">false</strong>, a bucket domain name in the virtual-hosted–style is used. The bucket name is directly embedded in the access domain name, for example, <em id="cce_bestpractice_0310__i13271117124018">{bucket-name}</em><strong id="cce_bestpractice_0310__b17246162012404">.obs.</strong><em id="cce_bestpractice_0310__i15167123114010">{region}.{domain}</em><strong id="cce_bestpractice_0310__b93582610408">.com</strong>.</li><li id="cce_bestpractice_0310__li1836613451280"><strong id="cce_bestpractice_0310__b1623016595408">s3Url</strong>: API access address of the OBS bucket.<ul id="cce_bestpractice_0310__ul1469417582286"><li id="cce_bestpractice_0310__li2694135872817">The value is in the format of <strong id="cce_bestpractice_0310__b658402998">http://obs.</strong><em id="cce_bestpractice_0310__i1274335345">{region}</em><strong id="cce_bestpractice_0310__b8973203410430">otc.t-systems.com</strong>. It is determined by the region where the OBS bucket is located. For example, if the region is <strong id="cce_bestpractice_0310__b19129142194312">eu-de</strong>, the parameter value is <span class="parmvalue" id="cce_bestpractice_0310__parmvalue61301142104310"><b>http://obs.eu-de.otc.t-systems.com</b></span>.</li></ul>
|
</li><li id="cce_bestpractice_0310__li13446105932511"><strong id="cce_bestpractice_0310__b11106947163913">s3ForcePathStyle</strong>: If this parameter is set to <strong id="cce_bestpractice_0310__b79204943917">false</strong>, a bucket domain name in the virtual-hosted–style is used. The bucket name is directly embedded in the access domain name, for example, <em id="cce_bestpractice_0310__i13271117124018">{bucket-name}</em><strong id="cce_bestpractice_0310__b17246162012404">.obs.</strong><em id="cce_bestpractice_0310__i15167123114010">{region}.{domain}</em><strong id="cce_bestpractice_0310__b93582610408">.com</strong>.</li><li id="cce_bestpractice_0310__li1836613451280"><strong id="cce_bestpractice_0310__b1623016595408">s3Url</strong>: API access address of the OBS bucket.<ul id="cce_bestpractice_0310__ul1469417582286"><li id="cce_bestpractice_0310__li2694135872817">The value is in the format of <strong id="cce_bestpractice_0310__b1527301344">http://obs.</strong><em id="cce_bestpractice_0310__i890275010">{region}</em><strong id="cce_bestpractice_0310__b8973203410430">otc.t-systems.com</strong>. It is determined by the region where the OBS bucket is located. For example, if the region is <strong id="cce_bestpractice_0310__b19129142194312">eu-de</strong>, the parameter value is <span class="parmvalue" id="cce_bestpractice_0310__parmvalue61301142104310"><b>http://obs.eu-de.otc.t-systems.com</b></span>.</li></ul>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
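Review bot: this hunk only renumbers the generated `id` attributes on the s3Url format line (b658402998 to b1527301344, i1274335345 to i890275010); the visible text is unchanged, so two defects in that line survive. First, the rendered format `http://obs.{region}otc.t-systems.com` is missing the dot after `{region}`, while the worked example on the same line reads `http://obs.eu-de.otc.t-systems.com`; insert the dot so the template and the example agree. Second, the s3Url uses plain `http://`: the same configuration carries `aws_secret_access_key` (visible in the hunk header), so backup traffic to the OBS bucket should go over `https://` unless the page documents a reason not to. Minor: "virtual-hosted–style" uses an en dash where a hyphen is intended.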
|
|||||||
@ -7,7 +7,7 @@
|
|||||||
</p></li><li id="cce_bestpractice_0312__li1960315315492"><span>Run the following command to modify the workload and replace the <strong id="cce_bestpractice_0312__b0644124213411">image</strong> field in the YAML file with the image path:</span><p><pre class="screen" id="cce_bestpractice_0312__screen1160343174917">kubectl edit deploy wordpress</pre>
|
</p></li><li id="cce_bestpractice_0312__li1960315315492"><span>Run the following command to modify the workload and replace the <strong id="cce_bestpractice_0312__b0644124213411">image</strong> field in the YAML file with the image path:</span><p><pre class="screen" id="cce_bestpractice_0312__screen1160343174917">kubectl edit deploy wordpress</pre>
|
||||||
</p></li><li id="cce_bestpractice_0312__li160363184919"><span>Check the running status of the workload.</span></li></ol>
|
</p></li><li id="cce_bestpractice_0312__li160363184919"><span>Check the running status of the workload.</span></li></ol>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0312__section41282507482"><a name="cce_bestpractice_0312__section41282507482"></a><a name="section41282507482"></a><h4 class="sectiontitle">Updating Services</h4><p id="cce_bestpractice_0312__p1560383174913">After the cluster is migrated, the Service of the source cluster may fail to take effect. You can perform the following operations to update the Service. If ingresses are configured in the source cluster, connect the new cluster to ELB again after the migration. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual2/cce/cce_10_0252.html" target="_blank" rel="noopener noreferrer">Using kubectl to Create a LoadBalancer Ingress</a>.</p>
|
<div class="section" id="cce_bestpractice_0312__section41282507482"><a name="cce_bestpractice_0312__section41282507482"></a><a name="section41282507482"></a><h4 class="sectiontitle">Updating Services</h4><p id="cce_bestpractice_0312__p1560383174913">After the cluster is migrated, the Service of the source cluster may fail to take effect. You can perform the following operations to update the Service. If ingresses are configured in the source cluster, connect the new cluster to ELB again after the migration. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual2/cce/cce_10_0252.html" target="_blank" rel="noopener noreferrer">Creating a LoadBalancer Ingress Using kubectl</a>.</p>
|
||||||
<ol id="cce_bestpractice_0312__ol1960423184919"><li id="cce_bestpractice_0312__li1660418319490"><span>Connect to the cluster using kubectl.</span></li><li id="cce_bestpractice_0312__li5604636499"><span>Edit the YAML file of the corresponding Service to change the Service type and port number.</span><p><pre class="screen" id="cce_bestpractice_0312__screen66048315494">kubectl edit svc wordpress</pre>
|
<ol id="cce_bestpractice_0312__ol1960423184919"><li id="cce_bestpractice_0312__li1660418319490"><span>Connect to the cluster using kubectl.</span></li><li id="cce_bestpractice_0312__li5604636499"><span>Edit the YAML file of the corresponding Service to change the Service type and port number.</span><p><pre class="screen" id="cce_bestpractice_0312__screen66048315494">kubectl edit svc wordpress</pre>
|
||||||
<div class="p" id="cce_bestpractice_0312__p1860411394913">To update load balancer resources, connect to ELB again. Add the annotations by following the procedure in <a href="https://docs.otc.t-systems.com/en-us/usermanual2/cce/cce_10_0681.html" target="_blank" rel="noopener noreferrer">Creating a LoadBalancer Service</a>.<pre class="screen" id="cce_bestpractice_0312__screen106043304914">annotations:
|
<div class="p" id="cce_bestpractice_0312__p1860411394913">To update load balancer resources, connect to ELB again. Add the annotations by following the procedure in <a href="https://docs.otc.t-systems.com/en-us/usermanual2/cce/cce_10_0681.html" target="_blank" rel="noopener noreferrer">Creating a LoadBalancer Service</a>.<pre class="screen" id="cce_bestpractice_0312__screen106043304914">annotations:
|
||||||
kubernetes.io/elb.class: union # Shared load balancer
|
kubernetes.io/elb.class: union # Shared load balancer
|
||||||
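Review bot: only the link text for cce_10_0252.html changes (to "Creating a LoadBalancer Ingress Using kubectl"); the href is unchanged, so confirm the target page's heading was renamed the same way, otherwise the cross-reference will read differently from the title it points to. The unchanged context is fine: after `kubectl edit svc wordpress` the ELB annotations such as `kubernetes.io/elb.class: union` have to be re-added for the migrated Service to get a load balancer again.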
|
|||||||
@ -8,17 +8,17 @@
|
|||||||
|
|
||||||
<div>
|
<div>
|
||||||
<ul class="ullinks">
|
<ul class="ullinks">
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_0317.html">Configuration Suggestions on CCE Cluster Security</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_0317.html">Using CCE Clusters Securely</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_0318.html">Configuration Suggestions on CCE Node Security</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_0318.html">Using Nodes Securely in a CCE Cluster</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_10046.html">Configuration Suggestions on CCE Container Runtime Security</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_10046.html">Using Container Runtimes Securely in a CCE Cluster</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_0319.html">Configuration Suggestions on CCE Container Security</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_0319.html">Using Containers Securely in a CCE Cluster</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_10047.html">Configuration Suggestions on CCE Container Image Security</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_10047.html">Using Images Securely in a CCE Cluster</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_0320.html">Configuration Suggestions on CCE Secret Security</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_0320.html">Using Secrets Securely in a CCE Cluster</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
<li class="ulchildlink"><strong><a href="cce_bestpractice_0333.html">Using OIDC to Authenticate Workloads in a CCE Cluster</a></strong><br>
|
<li class="ulchildlink"><strong><a href="cce_bestpractice_0333.html">Using OIDC to Authenticate Workloads in a CCE Cluster</a></strong><br>
|
||||||
</li>
|
</li>
|
||||||
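Review bot: the six renamed index entries (cce_bestpractice_0317, 0318, 10046, 0319, 10047 and 0320) must match the `<h1>` of each target topic; the cce_bestpractice_0318 diff on this page shows its title changed to "Using Nodes Securely in a CCE Cluster", so do the same check for the other five, including any file whose diff is suppressed as too large on this page. The OIDC entry (cce_bestpractice_0333) is unchanged context and needs no action.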
|
|||||||
File diff suppressed because it is too large
@ -1,36 +1,36 @@
|
|||||||
<a name="cce_bestpractice_0318"></a><a name="cce_bestpractice_0318"></a>
|
<a name="cce_bestpractice_0318"></a><a name="cce_bestpractice_0318"></a>
|
||||||
|
|
||||||
<h1 class="topictitle1">Configuration Suggestions on CCE Node Security</h1>
|
<h1 class="topictitle1">Using Nodes Securely in a CCE Cluster</h1>
|
||||||
<div id="body8662426"><div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section125731371643"><h4 class="sectiontitle">Preventing Nodes from Being Exposed to Public Networks</h4><ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul5635110999"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li263516104912">Do not bind an EIP to a node unless necessary to reduce the attack surface.</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li5635151014915">If an EIP must be used, properly configure the firewall or security group rules to restrict access of unnecessary ports and IP addresses.</li></ul>
|
<div id="body8662426"><div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section125731371643"><h4 class="sectiontitle">Preventing Nodes from Being Exposed to the Internet</h4><ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul5635110999"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li263516104912">Do not bind an EIP to a node to reduce the attack surface unless necessary.</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li5635151014915">If an EIP must be used, properly configure the firewall or security group rules to restrict access of unnecessary ports and IP addresses.</li></ul>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p10325152114429">You may have configured the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b18197848171612">kubeconfig.json</strong> file on a node in your cluster. kubectl can use the certificate and private key in this file to control the entire cluster. You are advised to delete unnecessary files from the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b8108142218165">/root/.kube</strong> directory on the node to prevent malicious use.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p10325152114429">You may have configured the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b18197848171612">kubeconfig.json</strong> file on a node in your cluster. kubectl can use the certificate and private key in this file to control the entire cluster. You are advised to delete unnecessary files from the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b8108142218165">/root/.kube</strong> directory on the node to prevent malicious use.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p12555543184410">rm -rf /root/.kube</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p12555543184410">rm -rf /root/.kube</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section144410272047"><h4 class="sectiontitle">Hardening VPC Security Group Rules</h4><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p114652430149">CCE is a universal container platform. Its default security group rules apply to common scenarios. Based on security requirements, you can harden the security group rules set for CCE clusters on the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b91050271851712">Security Groups</strong> page of <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b13847012151712">Network Console</strong>.</p>
|
<div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section144410272047"><h4 class="sectiontitle">Hardening VPC Security Group Rules</h4><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p114652430149">CCE is a universal container platform. Its default security group rules apply to general scenarios. You can harden the security group rules set for CCE clusters based on security requirements on the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b91050271851712">Security Groups</strong> page of <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b13847012151712">Network Console</strong>.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section896012361718"><h4 class="sectiontitle">Hardening Nodes on Demand</h4><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p164510477111">CCE cluster nodes use the default settings of open-source OSs. After a node is created, you need to perform security hardening according to your service requirements.</p>
|
<div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section896012361718"><h4 class="sectiontitle">Hardening Node Security on Demand</h4><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p164510477111">CCE cluster nodes use the default settings of open-source OSs. After a node is created, you need to perform security hardening according to your service requirements.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p54515474120">In CCE, you can perform hardening as follows:</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p54515474120">You can use either of the following ways to harden node security on CCE:</p>
|
||||||
<ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul19571142909"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li109576421702">Use the post-installation script after the node is created. For details, see the description about <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1059324225113">Post-installation Script</strong> in <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b188320484515">Advanced Settings</strong> when creating a node. This script is user-defined.</li></ul>
|
<ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul19571142909"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li109576421702">Use the post-installation script after the node is created. For details, see the description about <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1059324225113">Post-installation Script</strong> in <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b188320484515">Advanced Settings</strong> during node creation. This script is user-defined.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section71961744466"><h4 class="sectiontitle">Forbidding Containers to Obtain Host Machine Metadata</h4><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p796335218252">If a single CCE cluster is shared by multiple users to deploy containers, containers cannot access the management address (169.254.169.254) of OpenStack, preventing containers from obtaining metadata of host machines.</p>
|
<div class="section" id="cce_bestpractice_0318__en-us_topic_0000001226756285_section71961744466"><h4 class="sectiontitle">Forbidding Containers to Obtain the Node Metadata</h4><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p796335218252">If multiple users deploy containers in the same CCE cluster, ensure that the containers cannot access the OpenStack management address (169.254.169.254) to prevent them from obtaining the node metadata.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p12964195242515">For details about how to restore the metadata, see the "Notes" section in <a href="https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0042400609.html" target="_blank" rel="noopener noreferrer">Obtaining Metadata</a>.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p12964195242515">For details about how to restore the metadata, see the "Notes" section in <a href="https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0042400609.html" target="_blank" rel="noopener noreferrer">Obtaining ECS Details Using Metadata</a>.</p>
|
||||||
<div class="warning" id="cce_bestpractice_0318__en-us_topic_0000001226756285_note896420520252"><span class="warningtitle"><img src="public_sys-resources/warning_3.0-en-us.png"> </span><div class="warningbody"><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p13964195213257">This solution may affect the password change on the ECS console. Therefore, you must verify the solution before rectifying the fault.</p>
|
<div class="warning" id="cce_bestpractice_0318__en-us_topic_0000001226756285_note896420520252"><span class="warningtitle"><img src="public_sys-resources/warning_3.0-en-us.png"> </span><div class="warningbody"><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p13964195213257">This restoration may affect the password change on the ECS console. Therefore, you must verify the function before the restoration.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
<ol id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol4410181419216"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li1041011148211"><span>Obtain the network model and container CIDR of the cluster.</span><p><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p188112716215">On the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b209605371582">Clusters</strong> page of the CCE console, view the network model and container CIDR of the cluster.</p>
|
<ol id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol4410181419216"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li1041011148211"><span>Obtain the network model and container CIDR of the cluster.</span><p><p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p188112716215">On the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b209605371582">Clusters</strong> page of the CCE console, view the network model and container CIDR of the cluster.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p1655182952116"></p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p1655182952116"></p>
|
||||||
</p></li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li54171921142111"><span>Prevent the container from obtaining host metadata.</span><p><ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul8334817122417"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li153344176247">VPC network<ol type="a" id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol1709147182414"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li1709134714249">Log in to each node in the cluster as user <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1421113391590">root</strong> and run the following command:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen9109045192317">iptables -I OUTPUT -s {container_cidr} -d 169.254.169.254 -j REJECT</pre>
|
</p></li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li54171921142111"><span>Prevent the container from obtaining the node metadata.</span><p><ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul8334817122417"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li153344176247">In a cluster using a VPC network<ol type="a" id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol1709147182414"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li1709134714249">Log in to each node in the cluster as user <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1421113391590">root</strong> and run the following command:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen9109045192317">iptables -I OUTPUT -s {container_cidr} -d 169.254.169.254 -j REJECT</pre>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p66011853192413"><em id="cce_bestpractice_0318__en-us_topic_0000001226756285_i16814423101420">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b0814182331412">10.0.0.0/16</strong>.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p66011853192413"><em id="cce_bestpractice_0318__en-us_topic_0000001226756285_i16814423101420">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b0814182331412">10.0.0.0/16</strong>.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p884725717242">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1685417405716">/etc/rc.local</strong> script.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p884725717242">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1685417405716">/etc/rc.local</strong> script.</p>
|
||||||
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li1370914471249">Run the following commands in the container to access the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b10687111245713">userdata</strong> and <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b446151617575">metadata</strong> interfaces of OpenStack and check whether the request is intercepted:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen159624507230">curl 169.254.169.254/openstack/latest/meta_data.json
|
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li1370914471249">Run the following commands in the container to access the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b10687111245713">userdata</strong> and <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b446151617575">metadata</strong> interfaces of OpenStack and check whether the request is intercepted:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen159624507230">curl 169.254.169.254/openstack/latest/meta_data.json
|
||||||
curl 169.254.169.254/openstack/latest/user_data</pre>
|
curl 169.254.169.254/openstack/latest/user_data</pre>
|
||||||
</li></ol>
|
</li></ol>
|
||||||
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li146002216241">Container tunnel network<ol type="a" id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol1773441712518"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li107344176256">Log in to each node in the cluster as user <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b34872417577">root</strong> and run the following command:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen1119181152410">iptables -I FORWARD -s {container_cidr} -d 169.254.169.254 -j REJECT</pre>
|
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li146002216241">In a cluster using a container tunnel network<ol type="a" id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol1773441712518"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li107344176256">Log in to each node in the cluster as user <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b34872417577">root</strong> and run the following command:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen1119181152410">iptables -I FORWARD -s {container_cidr} -d 169.254.169.254 -j REJECT</pre>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p117923213256"><em id="cce_bestpractice_0318__en-us_topic_0000001226756285_i11402123791415">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1840343761412">10.0.0.0/16</strong>.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p117923213256"><em id="cce_bestpractice_0318__en-us_topic_0000001226756285_i11402123791415">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1840343761412">10.0.0.0/16</strong>.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p1865472210250">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b660983617578">/etc/rc.local</strong> script.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p1865472210250">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b660983617578">/etc/rc.local</strong> script.</p>
|
||||||
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li973418171252">Run the following commands in the container to access the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1440934025718">userdata</strong> and <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b34103401577">metadata</strong> interfaces of OpenStack and check whether the request is intercepted:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen3787166102414">curl 169.254.169.254/openstack/latest/meta_data.json
|
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li973418171252">Run the following commands in the container to access the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1440934025718">userdata</strong> and <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b34103401577">metadata</strong> interfaces of OpenStack and check whether the request is intercepted:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen3787166102414">curl 169.254.169.254/openstack/latest/meta_data.json
|
||||||
curl 169.254.169.254/openstack/latest/user_data</pre>
|
curl 169.254.169.254/openstack/latest/user_data</pre>
|
||||||
</li></ol>
|
</li></ol>
|
||||||
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li222510111340">CCE Turbo cluster<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p121461314163415"><a name="cce_bestpractice_0318__en-us_topic_0000001226756285_li222510111340"></a><a name="en-us_topic_0000001226756285_li222510111340"></a>No additional configuration is required for a cluster of a version earlier than v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, or v1.28.3-r0.</p>
|
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li222510111340">In a CCE Turbo cluster<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p121461314163415"><a name="cce_bestpractice_0318__en-us_topic_0000001226756285_li222510111340"></a><a name="en-us_topic_0000001226756285_li222510111340"></a>No additional configuration is required for a cluster of a version earlier than v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, or v1.28.3-r0.</p>
|
||||||
<div class="p" id="cce_bestpractice_0318__en-us_topic_0000001226756285_p14180194713152">For a cluster of v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, v1.28.3-r0, or later version, log in to the CCE console, click the cluster name to access the cluster console. In the navigation pane, choose <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b153719566713">Settings</strong>, click the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b185371856176">Network</strong> tab, and view the value of <span class="uicontrol" id="cce_bestpractice_0318__en-us_topic_0000001226756285_uicontrol553718561771"><b>Pod Access to Metadata</b></span>.<ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul9721740128"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li142401352511">If <span class="uicontrol" id="cce_bestpractice_0318__en-us_topic_0000001226756285_uicontrol6185125211210"><b>Pod Access to Metadata</b></span> is not enabled, no additional configuration is required. The container has been disabled from obtaining the node metadata.</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li16689718201219">If <span class="uicontrol" id="cce_bestpractice_0318__en-us_topic_0000001226756285_uicontrol415362951311"><b>Pod Access to Metadata</b></span> is enabled, take the following steps to disable the container from obtaining the node metadata:<ol type="a" id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol11828145411135"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li682815441312">Log in to each node in the cluster as user <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1582515160562">root</strong> and run the following command:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen88281754181310">iptables -I FORWARD -s {container_cidr} -d 169.254.169.254 -j REJECT</pre>
|
<div class="p" id="cce_bestpractice_0318__en-us_topic_0000001226756285_p14180194713152">For a cluster of v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, v1.28.3-r0, or a later version, log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b153719566713">Settings</strong>, click the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b185371856176">Network</strong> tab, and view the value of <span class="uicontrol" id="cce_bestpractice_0318__en-us_topic_0000001226756285_uicontrol553718561771"><b>Pod Access to Metadata</b></span>.<ul id="cce_bestpractice_0318__en-us_topic_0000001226756285_ul9721740128"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li142401352511">If <span class="uicontrol" id="cce_bestpractice_0318__en-us_topic_0000001226756285_uicontrol6185125211210"><b>Pod Access to Metadata</b></span> is not enabled, no additional configuration is required. The container cannot obtain the node metadata.</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li16689718201219">If <span class="uicontrol" id="cce_bestpractice_0318__en-us_topic_0000001226756285_uicontrol415362951311"><b>Pod Access to Metadata</b></span> is enabled, take the following steps to prevent the container from obtaining the node metadata:<ol type="a" id="cce_bestpractice_0318__en-us_topic_0000001226756285_ol11828145411135"><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li682815441312">Log in to each node in the cluster as user <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b1582515160562">root</strong> and run the following command:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen88281754181310">iptables -I FORWARD -s {container_cidr} -d 169.254.169.254 -j REJECT</pre>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p382815411320"><em id="cce_bestpractice_0318__en-us_topic_0000001226756285_i718630195616">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b11863010563">10.0.0.0/16</strong>.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p382815411320"><em id="cce_bestpractice_0318__en-us_topic_0000001226756285_i718630195616">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b11863010563">10.0.0.0/16</strong>.</p>
|
||||||
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p1882816542133">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b145714431564">/etc/rc.local</strong> script.</p>
|
<p id="cce_bestpractice_0318__en-us_topic_0000001226756285_p1882816542133">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b145714431564">/etc/rc.local</strong> script.</p>
|
||||||
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li582811543136">Run the following commands in the container to access the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b122661564577">userdata</strong> and <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b226676145713">metadata</strong> interfaces of OpenStack and check whether the request is intercepted:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen88281354121310">curl 169.254.169.254/openstack/latest/meta_data.json
|
</li><li id="cce_bestpractice_0318__en-us_topic_0000001226756285_li582811543136">Run the following commands in the container to access the <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b122661564577">userdata</strong> and <strong id="cce_bestpractice_0318__en-us_topic_0000001226756285_b226676145713">metadata</strong> interfaces of OpenStack and check whether the request is intercepted:<pre class="screen" id="cce_bestpractice_0318__en-us_topic_0000001226756285_screen88281354121310">curl 169.254.169.254/openstack/latest/meta_data.json
|
||||||
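Review bot: the verification steps at L2679, L2709 and L2744 ("Run the following commands in the container ... and check whether the request is intercepted") never say what a correctly blocked request looks like; with `-j REJECT` the node answers the container with an ICMP reject, so `curl 169.254.169.254/openstack/latest/meta_data.json` fails immediately with a connection-refused error rather than hanging (which a `DROP` would cause). State the expected result in each of the three places so the reader can tell a working rule from an unrelated connectivity problem, and consider also giving the command that confirms the rule is installed on the node (`iptables -S OUTPUT` or `iptables -S FORWARD`, matching the chain used for that network model), since a rule written to `/etc/rc.local` is only re-applied if that script actually runs at boot. Separately, the warning at L2644 now reads "verify the function before the restoration" without naming the function; the left side's "verify the solution before rectifying the fault" was at least self-contained, so say explicitly what must be verified (that password changes from the ECS console still work after access is restored).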
|
|||||||
@ -1,14 +1,14 @@
|
|||||||
<a name="cce_bestpractice_0319"></a><a name="cce_bestpractice_0319"></a>
|
<a name="cce_bestpractice_0319"></a><a name="cce_bestpractice_0319"></a>
|
||||||
|
|
||||||
<h1 class="topictitle1">Configuration Suggestions on CCE Container Security</h1>
|
<h1 class="topictitle1">Using Containers Securely in a CCE Cluster</h1>
|
||||||
<div id="body8662426"><div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section33548184212"><h4 class="sectiontitle">Controlling the Pod Scheduling Scope</h4><p class="msonormal" id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1217894319312">The nodeSelector or nodeAffinity is used to limit the range of nodes to which applications can be scheduled, preventing the entire cluster from being threatened due to the exceptions of a single application. </p>
|
<div id="body8662426"><div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section33548184212"><h4 class="sectiontitle">Controlling the Pod Scheduling Scope</h4><p class="msonormal" id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1217894319312">The nodeSelector or nodeAffinity is used to limit the range of nodes to which applications can be scheduled, preventing the entire cluster from being threatened due to the exceptions of a single application. </p>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p5698145519813">To achieve strong isolation, like in logical multi-tenancy situations, it is important to have system add-ons run on separate nodes or node pools. This helps keep them separated from service pods and reduces the risk of privilege escalation within a cluster. To do this, you can set the node affinity policy to either <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1430511234219">Node Affinity</strong> or <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17635224421">Specified Node Pool Scheduling</strong> on the add-on installation page.</p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p5698145519813">To achieve strong isolation, like in logical multi-tenancy situations, it is important to have system add-ons run on separate nodes or node pools. This helps keep them separated from service pods and reduces the risk of privilege escalation within a cluster. To do this, you can set the node affinity policy to either <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1430511234219">Specify node</strong> or <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17635224421">Specify node pool</strong> on the add-on installation page.</p>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1698172210917"></p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1698172210917"></p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section9957027632"><h4 class="sectiontitle">Suggestions on Container Security Configuration</h4><ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul41585571516"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8158145795119">Set the computing resource limits (<strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17893201319579">request</strong> and <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1373971695720">limit</strong>) of a container. This prevents the container from occupying too many resources and affecting the stability of the host and other containers on the same node.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li215885745115">Unless necessary, do not mount sensitive host directories to containers, such as <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b141203032451659">/</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b183322389551659">/boot</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b57887466051659">/dev</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b77225877051659">/etc</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b88598197751659">/lib</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b213844612151659">/proc</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b152215198251659">/sys</strong>, and <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b124051750451659">/usr</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li18158557195120">Do not run the sshd process in containers unless necessary.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11158175795118">Unless necessary, it is not recommended that containers and hosts share the network namespace.</li><li 
id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1415885795117">Unless necessary, it is not recommended that containers and hosts share the process namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1415825775116">Unless necessary, it is not recommended that containers and hosts share the IPC namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11158057155119">Unless necessary, it is not recommended that containers and hosts share the UTS namespace.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1615835735113">Unless necessary, do not mount the sock file of Docker to any container.</li></ul>
|
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section9957027632"><h4 class="sectiontitle">Ensuring Container Security</h4><ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul41585571516"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8158145795119">Configure compute resource request and limit for a container. This prevents the container from occupying too many resources and affecting the stability of the node and other containers on the same node.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li215885745115">Unless necessary, do not mount sensitive node directories, such as <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b141203032451659">/</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b183322389551659">/boot</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b57887466051659">/dev</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b77225877051659">/etc</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b88598197751659">/lib</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b213844612151659">/proc</strong>, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b152215198251659">/sys</strong>, and <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b124051750451659">/usr</strong>, to a container.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li18158557195120">Unless necessary, do not run the sshd process in a container.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11158175795118">Unless necessary, do not share the network namespace between containers and nodes.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1415885795117">Unless necessary, do not share the process namespace between containers and nodes.</li><li 
id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1415825775116">Unless necessary, do not share the IPC namespace between containers and nodes.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11158057155119">Unless necessary, do not share the UTS namespace between containers and nodes.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1615835735113">Unless necessary, do not mount the sock file of Docker to any container.</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section19516391833"><h4 class="sectiontitle">Container Permission Access Control</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p59421020105220">When using a containerized application, comply with the minimum privilege principle and properly set securityContext of Deployments or StatefulSets.</p>
|
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section19516391833"><h4 class="sectiontitle">Controlling Access Permissions</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p59421020105220">When using a containerized application, comply with the principle of least privilege (PoLP) and properly configure <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1916950113215">securityContext</strong> of Deployments or StatefulSets.</p>
|
||||||
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul9942132020520"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li39421020175218">Configure runAsUser to specify a non-root user to run a container.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li69421020195211">Configure privileged to prevent containers being used in scenarios where privilege is not required.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li494272085219">Configure capabilities to accurately control the privileged access permission of containers.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li16491224125218">Configure allowPrivilegeEscalation to disable privilege escape in scenarios where privilege escalation is not required for container processes.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li51923552117">Configure seccomp to restrict the container syscalls. For details, see <a href="https://kubernetes.io/docs/tutorials/security/seccomp/" target="_blank" rel="noopener noreferrer">Restrict a Container's Syscalls with seccomp</a> in the official Kubernetes documentation.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1550815525214">Configure ReadOnlyRootFilesystem to protect the root file system of a container.<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p12216113113328"><a name="cce_bestpractice_0319__en-us_topic_0000001181182498_li1550815525214"></a><a name="en-us_topic_0000001181182498_li1550815525214"></a>Example YAML for a Deployment:</p>
|
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul9942132020520"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li39421020175218">Configure runAsUser to specify a non-root user to run a container.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li69421020195211">Configure privileged to prevent containers from being used in scenarios where privilege is not required.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li494272085219">Configure capabilities to accurately control the privileged access permission of containers.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li16491224125218">Configure allowPrivilegeEscalation to disable privilege escape in scenarios where privilege escalation is not required for container processes.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li51923552117">Configure seccomp to restrict the container syscalls. For details, see <a href="https://kubernetes.io/docs/tutorials/security/seccomp/" target="_blank" rel="noopener noreferrer">Restrict a Container's Syscalls with seccomp</a> in the official Kubernetes documentation.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1550815525214">Configure ReadOnlyRootFilesystem to protect the root file system of a container.<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p12216113113328"><a name="cce_bestpractice_0319__en-us_topic_0000001181182498_li1550815525214"></a><a name="en-us_topic_0000001181182498_li1550815525214"></a>Example YAML for a Deployment:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen17607650143219">apiVersion: apps/v1
|
<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen17607650143219">apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
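Review bot: in the securityContext list at L2804 the field is still written `ReadOnlyRootFilesystem` while every other field in the same list (`runAsUser`, `privileged`, `capabilities`, `allowPrivilegeEscalation`) uses the camelCase spelling of the Kubernetes API; the API field is `readOnlyRootFilesystem`, and because the page tells readers to configure these by name, the casing should match. While touching that list, the `privileged` bullet ("Configure privileged to prevent containers from being used in scenarios where privilege is not required") still reads backwards after the grammar fix: the advice is to leave `privileged` unset or `false` unless the workload genuinely needs it, and "privilege escape" in the `allowPrivilegeEscalation` bullet should be "privilege escalation". Minor style point on L2772: the new labels "Specify node" and "Specify node pool" are capitalised differently from the other bold console labels in this file ("Clusters", "Settings", "Network"); worth confirming against the add-on installation page.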
@ -64,30 +64,30 @@ spec:
|
|||||||
name: tmpfs-example-001 </pre>
|
name: tmpfs-example-001 </pre>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section4598201610719"><h4 class="sectiontitle">Restricting the Access of Service Containers to the Management Plane</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p4249134517356">To avoid unnecessary service interruption when restricting the service containers on a node from accessing the Kubernetes management plane, consider the following:</p>
|
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section4598201610719"><h4 class="sectiontitle">Restricting Service Container Access to the Management Plane</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p4249134517356">To avoid unnecessary service interruption when restricting the service containers on a node from accessing the Kubernetes management plane, consider the following:</p>
|
||||||
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul11765151811356"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1914819715404"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b15733144164016">Check whether any containers on the node require access to the cluster management plane.</strong><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p8582171174113">Once you have restricted the service containers on the node from accessing the management plane, all containers on that node will be unable to access the kube-apiserver of the cluster. Before making the configuration, make sure that none of the containers on the node need to access the kube-apiserver of the cluster.</p>
|
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul11765151811356"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1914819715404"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b15733144164016">Check whether any containers on the node require access to the cluster management plane.</strong><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p8582171174113">Once you have restricted the service containers on the node from accessing the management plane, all containers on that node will be unable to access the kube-apiserver of the cluster. Before making the configuration, make sure that none of the containers on the node need to access the kube-apiserver of the cluster.</p>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1875288114017">Keep in mind that certain CCE add-ons, like CCE Advanced HPA, still require access to kube-apiserver. It is not recommended that you configure the access restriction on a node where such add-ons are running.</p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1875288114017">Keep in mind that certain CCE add-ons, like CCE Advanced HPA, still require access to kube-apiserver. It is not recommended that you configure the access restriction on a node where such add-on pods are running.</p>
|
||||||
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li168971415154013"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b207461213134015">Configure taints and affinity for the node.</strong><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1831621764013">If the service containers on the node do not need to access kube-apiserver, it is recommended that you configure labels and taints for the node. Additionally, configure <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/" target="_blank" rel="noopener noreferrer">taints, tolerations</a>, and <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity" target="_blank" rel="noopener noreferrer">node affinity</a> for the containers on the node. This will prevent other containers from being scheduled to that node, thus avoiding service exceptions.</p>
|
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li168971415154013"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b207461213134015">Configure taints and affinity for the node.</strong><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1831621764013">If the service containers on the node do not need to access kube-apiserver, it is recommended that you configure labels and taints for the node. Additionally, configure <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/" target="_blank" rel="noopener noreferrer">taints, tolerations</a>, and <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity" target="_blank" rel="noopener noreferrer">node affinity</a> for the containers on the node. This will prevent other containers from being scheduled to that node, thus avoiding service exceptions.</p>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p15180141523414">To restrict the service containers on a node from accessing the management plane, take the following steps:</p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p15180141523414">To restrict the service containers on a node from accessing the management plane, take the following steps:</p>
|
||||||
<ol id="cce_bestpractice_0319__en-us_topic_0000001181182498_ol345485831912"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li92971066014"><span>Obtain the container CIDR block and private API server address.</span><p><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p188112716215">On the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b9183440101218">Clusters</strong> page of the CCE console, click the name of the cluster to find the information on the details page.</p>
|
<ol id="cce_bestpractice_0319__en-us_topic_0000001181182498_ol345485831912"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li92971066014"><span>Obtain the container CIDR block and private API server address.</span><p><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p188112716215">On the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b9183440101218">Clusters</strong> page of the CCE console, click the name of the cluster to find the information on the details page.</p>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1655182952116"></p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1655182952116"></p>
|
||||||
</p></li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1315175383514"><span>Configure access rules.</span><p><ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul5714615363"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li0714510362">CCE cluster: Log in to each node in the cluster as user <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1154145944310">root</strong> and run the following command:<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul2206102094315"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11206820114310">VPC network<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen1826691752418">iptables -I OUTPUT -s {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i17492042294">container_cidr</em>} -d {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i349212421792">Private API server IP</em>} -j REJECT</pre>
|
</p></li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1315175383514"><span>Configure access rules.</span><p><ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul5714615363"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li0714510362">CCE standard cluster: Log in to each node in the cluster as user <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1154145944310">root</strong> and run the following command:<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul2206102094315"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11206820114310">VPC network<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen1826691752418">iptables -I OUTPUT -s {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i17492042294">container_cidr</em>} -d {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i349212421792">Private API server IP</em>} -j REJECT</pre>
|
||||||
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li82061820194315">Container tunnel network<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen1857421916242">iptables -I FORWARD -s {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i134061451191213">container_cidr</em>} -d {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i124061510122">Private API server IP</em>} -j REJECT</pre>
|
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li82061820194315">Container tunnel network<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen1857421916242">iptables -I FORWARD -s {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i134061451191213">container_cidr</em>} -d {<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i124061510122">Private API server IP</em>} -j REJECT</pre>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p8208153174219"><em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i15254153715117">{container_cidr}</em> indicates the container CIDR of the cluster, for example, 10.0.0.0/16.</p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p8208153174219"><em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i7732938113910">{container_cidr}</em> indicates the container CIDR block of the cluster, for example, <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1973210386391">10.0.0.0/16</strong>.</p>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p5208185310428">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b0858451111319">/etc/rc.local</strong> script.</p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p5208185310428">To ensure configuration persistence, write the command to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b0858451111319">/etc/rc.local</strong> script.</p>
|
||||||
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li733435163615">CCE Turbo cluster: Add an outbound rule to the ENI security group of the cluster.<ol type="a" id="cce_bestpractice_0319__en-us_topic_0000001181182498_ol123861440174012"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li918013301419">Log in to the VPC console.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li2818950104114">In the navigation pane, choose <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b91461011173920">Access Control</strong> > <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b5146141173916">Security Groups</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li63861940144014">Locate the ENI security group corresponding to the cluster and name it in the format of <em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i10839114974011">{Cluster name}</em><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b499875215402">-cce-eni-</strong><em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i34781256154010">{Random ID}</em>. 
Click the security group name and configure rules.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li13675153018426">Click the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b4216203274119">Outbound Rules</strong> tab and click <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1955812384412">Add Rule</strong> to add an outbound rule for the security group.<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul73315409442"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li19331194034410"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b683713449419">Priority</strong>: Set it to <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b383815449413">1</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1112454664411"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b32151523420">Action</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1354197174212">Deny</strong>, indicating that the access to the destination address is denied.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li117055284415"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b398410139421">Type</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1034131516424">IPv4</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1031585754411"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b9967023124218">Protocol & Port</strong>: Enter <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b193881126174217">5443</strong> based on the port in the intranet API server address.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li105282124517"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1818453554214">Destination</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1391014144218">IP 
address</strong> and enter the IP address of the internal API server.</li></ul>
|
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li733435163615">CCE Turbo cluster: Add an outbound rule to the network interface security group of the cluster.<ol type="a" id="cce_bestpractice_0319__en-us_topic_0000001181182498_ol123861440174012"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li918013301419">Log in to the VPC console.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li2818950104114">In the navigation pane, choose <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b91461011173920">Access Control</strong> > <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b5146141173916">Security Groups</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li63861940144014">Locate the network interface security group of the cluster and name it in the format of <em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i10839114974011">{Cluster name}</em><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b499875215402">-cce-eni-</strong><em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i34781256154010">{Random ID}</em>. 
Click the security group name and configure rules.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li13675153018426">Click the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b4216203274119">Outbound Rules</strong> tab and click <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1955812384412">Add Rule</strong> to add an outbound rule to the security group.<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul73315409442"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li19331194034410"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b683713449419">Priority</strong>: Set it to <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b383815449413">1</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1112454664411"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b32151523420">Action</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1354197174212">Deny</strong>, indicating that the access to the destination address is denied.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li117055284415"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b398410139421">Type</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1034131516424">IPv4</strong>.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1031585754411"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b9967023124218">Protocol & Port</strong>: Enter <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b193881126174217">5443</strong> based on the port in the intranet API server address.</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li105282124517"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1818453554214">Destination</strong>: Select <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1391014144218">IP 
address</strong> and enter the IP address of the internal API server.</li></ul>
|
||||||
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8174161724713">Click <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17639451153810">OK</strong>.</li></ol>
|
</li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8174161724713">Click <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b17639451153810">OK</strong>.</li></ol>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</p></li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8454105818194"><span>Run the following command in the container to access kube-apiserver and check whether the request is intercepted:</span><p><pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen198782045205215">curl -k https://<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i0393123151412">{Private API server IP}</em>:5443</pre>
|
</p></li><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li8454105818194"><span>Run the following command in the container to access kube-apiserver and check whether the request is intercepted:</span><p><pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen198782045205215">curl -k https://<em id="cce_bestpractice_0319__en-us_topic_0000001181182498_i0393123151412">{Private API server IP}</em>:5443</pre>
|
||||||
</p></li></ol>
|
</p></li></ol>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section1053282084016"><h4 class="sectiontitle">Properly Setting Volume Propagation</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1151465341714">When mounting a host path, set the propagation mode to <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1390755111422">None</strong>. Exercise caution when using the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b990055574612">Bidirectional</strong> mode.</p>
|
<div class="section" id="cce_bestpractice_0319__en-us_topic_0000001181182498_section1053282084016"><h4 class="sectiontitle">Properly Configuring Volume Propagation</h4><p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p1151465341714">When mounting a host path, set the propagation mode to <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b627813416355">None</strong>. <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b114276613519">Bidirectional</strong> should be used with caution.</p>
|
||||||
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p21639579178">The <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b972510624713">mountPropagation</strong> field in <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b20601161144713">Container.volumeMounts</strong> controls the mount propagation feature of a volume. Value options are as follows:</p>
|
<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p21639579178">The <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b972510624713">mountPropagation</strong> field in <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b20601161144713">Container.volumeMounts</strong> controls the mount propagation behavior of a volume. Value options are:</p>
|
||||||
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul1516385719175"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1916335711713"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b44739474471">None</strong>: the default value, equal to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b44537569561">private</strong> mount propagation option described in <a href="https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt" target="_blank" rel="noopener noreferrer">Linux kernel documentation</a>. This volume mount will not receive any subsequent mounts that are mounted to this volume or any of its subdirectories by the host. In similar fashion, no mounts created by the container will be visible on the host.</li></ul>
|
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul1516385719175"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li1916335711713"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b44739474471">None</strong>: the default value and corresponds to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b16606174215359">private</strong> mount propagation option in the <a href="https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt" target="_blank" rel="noopener noreferrer">Linux kernel documentation</a>. After the volume is mounted, the pod will not see any subsequent mount changes made on the node for this volume or any of its subdirectories. Likewise, any mounts created by the pod will not be visible on the node.</li></ul>
|
||||||
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul216413575174"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li201641657121716"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1390293285217">HostToContainer</strong>: equal to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b26945118578">rslave</strong> mount propagation option described in <a href="https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt" target="_blank" rel="noopener noreferrer">Linux kernel documentation</a>. This volume mount will receive all subsequent mounts that are mounted to this volume or any of its subdirectories. In other words, if the host mounts anything inside the volume mount, the container will see it mounted there. If a Bidirectional pod mounts anything to the same volume, this change is visible to all HostToContainer pods.</li></ul>
|
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul216413575174"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li201641657121716"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1390293285217">HostToContainer</strong>: corresponds to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1979671283611">rslave</strong> mount propagation option in the <a href="https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt" target="_blank" rel="noopener noreferrer">Linux kernel documentation</a>. After the volume is mounted, the pod will see any subsequent mount operations performed on the node for this volume or its subdirectories. If the node mounts anything inside this volume, the pod will be able to see it. If a pod is configured with <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1626511331361">Bidirectional</strong> and mounts something on the same volume, pods using <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b779353683610">HostToContainer</strong> will also see those changes.</li></ul>
|
||||||
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul4164135715172"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11294133204416"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b176246112311">Bidirectional</strong>: equal to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b1762501116317">rshared</strong> mount propagation option described in <a href="https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt" target="_blank" rel="noopener noreferrer">Linux kernel documentation</a>. All volume mounts created by the container will be propagated back to the host and to all containers of all pods that use the same volume.<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p141597917447">Bidirectional mount propagation can be dangerous. It can damage the host operating system and therefore it is allowed only in privileged containers. An example is as follows:</p>
|
<ul id="cce_bestpractice_0319__en-us_topic_0000001181182498_ul4164135715172"><li id="cce_bestpractice_0319__en-us_topic_0000001181182498_li11294133204416"><strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b176246112311">Bidirectional</strong>: corresponds to the <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b039545043614">rshared</strong> mount propagation option in the <a href="https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt" target="_blank" rel="noopener noreferrer">Linux kernel documentation</a>. Mounts created inside the pod are propagated back to the node and to all containers in all pods that use the same volume.<p id="cce_bestpractice_0319__en-us_topic_0000001181182498_p141597917447">Using <strong id="cce_bestpractice_0319__en-us_topic_0000001181182498_b230716122377">Bidirectional</strong> can damage the node OS. So it is only allowed in privileged containers. An example is as follows:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen15528121124015">apiVersion: v1
|
<pre class="screen" id="cce_bestpractice_0319__en-us_topic_0000001181182498_screen15528121124015">apiVersion: v1
|
||||||
kind: Pod
|
kind: Pod
|
||||||
metadata:
|
metadata:
|
||||||
|
|||||||
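Review bot: In the CCE Turbo branch (the `-cce-eni-` item), "Locate the network interface security group of the cluster and name it in the format of {Cluster name}-cce-eni-{Random ID}" still reads as an instruction to rename the security group; since this line is touched by the ENI-to-network-interface rewording, change it to "Locate the network interface security group of the cluster, whose name is in the format {Cluster name}-cce-eni-{Random ID}". The two branches should also agree on scope: the standard-cluster rules (`iptables -I OUTPUT -s {container_cidr} -d {Private API server IP} -j REJECT` and the FORWARD variant) reject every port to the private API server address, while the Turbo security group rule denies only 5443; either add `-p tcp --dport 5443` to the iptables rules or state that the standard-cluster rule intentionally blocks all traffic to that address. Finally, the persistence note for /etc/rc.local gives no way to confirm that the rule survived a reboot; point the reader to repeating the curl check in the last step after the node restarts.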
@ -1,8 +1,8 @@
|
|||||||
<a name="cce_bestpractice_0320"></a><a name="cce_bestpractice_0320"></a>
|
<a name="cce_bestpractice_0320"></a><a name="cce_bestpractice_0320"></a>
|
||||||
|
|
||||||
<h1 class="topictitle1">Configuration Suggestions on CCE Secret Security</h1>
|
<h1 class="topictitle1">Using Secrets Securely in a CCE Cluster</h1>
|
||||||
<div id="body8662426"><p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1417445419489">Currently, CCE has configured static encryption for secret resources. The secrets created by users will be encrypted and stored in etcd of the CCE cluster. Secrets can be used in two modes: environment variable and file mounting. No matter which mode is used, CCE still transfers the configured data to users. Therefore, it is recommended that:</p>
|
<div id="body8662426"><p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1417445419489">CCE now provides static encryption for secrets. Secrets created by users are encrypted and stored in the clusters' etcd. Currently, Secrets are mainly used as environment variables or through file mounts. Regardless of which method is used, CCE always delivers the data exactly as you originally configured it. Therefore, it is advised to:</p>
|
||||||
<ol id="cce_bestpractice_0320__en-us_topic_0000001226820653_ol1623210174919"><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li1723210024914">Do not record sensitive information in logs.</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li11631235175718">For the secret that uses the file mounting mode, the default file permission mapped in the container is 0644. Configure stricter permissions for the file. For example:<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen5811165542417">apiversion: v1
|
<ol id="cce_bestpractice_0320__en-us_topic_0000001226820653_ol1623210174919"><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li1723210024914">Avoid logging any sensitive information.</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li11631235175718">Configure stricter permissions if secrets are used through file mounts and the default file permission inside the container is 0644. An example is as follows:<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen5811165542417">apiversion: v1
|
||||||
kind: Pod
|
kind: Pod
|
||||||
metadata:
|
metadata:
|
||||||
name: mypod
|
name: mypod
|
||||||
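Review bot: The YAML example under "Configure stricter permissions..." still starts with `apiversion: v1` (lowercase v) in both the old and the new text; Kubernetes rejects that key, and the other examples in this file use `apiVersion: v1`, so fix it while the line is being edited. The new wording "Configure stricter permissions if secrets are used through file mounts and the default file permission inside the container is 0644" turns a fact into a condition, whereas the old text stated that 0644 is the default. Suggest: "When a secret is mounted as a file, the file is created with permission 0644 by default. Configure stricter permissions, for example:".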
@ -18,8 +18,8 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: mysecret
|
secretName: mysecret
|
||||||
defaultMode: 256</pre>
|
defaultMode: 256</pre>
|
||||||
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p5704161113526">In <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b3442210171617">defaultMode: 256</strong>, <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b621011134166">256</strong> is a decimal number, which corresponds to the octal number <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b95878507176">0400</strong>.</p>
|
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p5704161113526">In <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b1528439103517">defaultMode: 256</strong>, <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b22803983520">256</strong> is a decimal number, which corresponds to the octal number <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b52863917353">0400</strong>.</p>
|
||||||
</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li7471855165910">When the file mounting mode is used, configure the secret file name to hide the file in the container.<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen20995191015261">apiVersion: v1
|
</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li7471855165910">Hide secrets in containers by customizing the file names when mounting them as files.<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen20995191015261">apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
metadata:
|
metadata:
|
||||||
name: dotfile-secret
|
name: dotfile-secret
|
||||||
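Review bot: The new item text "Hide secrets in containers by customizing the file names when mounting them as files" overstates what a leading dot achieves: the same file's later paragraph notes that `.secret-file` is still listed by `ls -al`, and it is the `defaultMode: 256` (0400) setting in the previous item that actually restricts access. Suggest "Make mounted secret files less conspicuous by giving them dotfile names" and add that this is not an access control. The explanation "256 is a decimal number, which corresponds to the octal number 0400" is correct and should stay.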
@ -47,8 +47,8 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
mountPath: "/etc/secret-volume"</pre>
|
mountPath: "/etc/secret-volume"</pre>
|
||||||
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1714103816314">In this way, <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b16102141115168">.secret-file</strong> cannot be seen by running <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b16213141451617">ls -l</strong> in the <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b12102161112164">/etc/secret-volume/</strong> directory, but can be viewed by running <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b5729161715164">ls -al</strong>.</p>
|
<p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p1714103816314">In this way, <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b16102141115168">.secret-file</strong> cannot be seen by running <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b16213141451617">ls -l</strong> in the <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b12102161112164">/etc/secret-volume/</strong> directory, but can be viewed by running <strong id="cce_bestpractice_0320__en-us_topic_0000001226820653_b5729161715164">ls -al</strong>.</p>
|
||||||
</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li97928435333">Encrypt sensitive information before creating a secret and decrypt the information when using it.</li></ol>
|
</li><li id="cce_bestpractice_0320__en-us_topic_0000001226820653_li97928435333">Encrypt sensitive data by yourself before creating secrets and decrypt them only when needed.</li></ol>
|
||||||
<div class="section" id="cce_bestpractice_0320__en-us_topic_0000001226820653_section6268104520397"><h4 class="sectiontitle">Using a Bound ServiceAccount Token to Access a Cluster</h4><p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p12148028135412">The secret-based ServiceAccount token does not support expiration time or auto update. In addition, after the mounting pod is deleted, the token is still stored in the secret. Token leakage may incur security risks. A bound ServiceAccount token is recommended for CCE clusters of version 1.23 or later. In this mode, the expiration time can be set and is the same as the pod lifecycle, reducing token leakage risks. An example is as follows:</p>
|
<div class="section" id="cce_bestpractice_0320__en-us_topic_0000001226820653_section6268104520397"><h4 class="sectiontitle">Using a Bound Service Account Token to Access a Cluster</h4><p id="cce_bestpractice_0320__en-us_topic_0000001226820653_p12148028135412">Service account tokens based on secrets do not support expiration settings or automatic updates. Because they are stored in secrets, the tokens remain in the secrets even after the pods are deleted. This can pose a security risk if the tokens are leaked. For CCE clusters v1.23 or later, it is advised to use bound service account tokens. They support token expiration settings and align the tokens' lifecycle with the pods, reducing the risk of credential leakage. An example is as follows:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen17607650143219">apiVersion: apps/v1
|
<pre class="screen" id="cce_bestpractice_0320__en-us_topic_0000001226820653_screen17607650143219">apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
|
|||||||
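Review bot: The item "Encrypt sensitive data by yourself before creating secrets and decrypt them only when needed" gives no guidance on where the decryption key lives; if the key is itself placed in a secret or an environment variable of the same pod, the step adds nothing over the etcd encryption described at the top of the page, so state that the key must come from a source that is not delivered alongside the data and say how the workload obtains it. In the bound service account token paragraph, "Because they are stored in secrets, the tokens remain in the secrets even after the pods are deleted" should name the consequence explicitly: such a token keeps granting the service account's permissions until the secret is deleted, which is the actual risk the bound token removes.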
@ -2,30 +2,32 @@
|
|||||||
|
|
||||||
<h1 class="topictitle1">Using OIDC to Authenticate Workloads in a CCE Cluster</h1>
|
<h1 class="topictitle1">Using OIDC to Authenticate Workloads in a CCE Cluster</h1>
|
||||||
<div id="body8662426"><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p8060118">Workload identities enable workloads within a cluster to act as IAM users, granting them access to cloud services without the need for an IAM account's AK/SK. This helps minimize security risks.</p>
|
<div id="body8662426"><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p8060118">Workload identities enable workloads within a cluster to act as IAM users, granting them access to cloud services without the need for an IAM account's AK/SK. This helps minimize security risks.</p>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p133991341154613">This section describes how to use workload identities in CCE.</p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p133991341154613">This section describes how to use workload identities in a CCE cluster.</p>
|
||||||
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section49971247102212"><h4 class="sectiontitle">Notes and Constraints</h4><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p0113115311228">The cluster version must be v1.19.16 or later.</p>
|
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section49971247102212"><h4 class="sectiontitle">Notes and Constraints</h4><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p0113115311228">The cluster version must be v1.19.16 or later.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section7702113994719"><h4 class="sectiontitle">Procedure</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol579915915514"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li779955918512"><span>Obtain the signature public key of the cluster service account token from CCE. For details, see <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820">Step 1: Obtain the Signature Public Key of the CCE Cluster</a>.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li167994591853"><span>Create an identity provider on IAM. For details, see <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013">Step 2: Configure an Identity Provider</a>.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li126302035862"><span>Obtain an IAM token from the workload and simulate an IAM user to access a cloud service. For details, see <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section38531454152611">Step 3: Use a Workload Identity</a>.</span><p><div class="p" id="cce_bestpractice_0333__en-us_topic_0000001280331044_p787014352060">The figure below shows the workflow.<div class="fignone" id="cce_bestpractice_0333__en-us_topic_0000001280331044_fig20726184218517"><span class="figcap"><b>Figure 1 </b>Workflow</span><br><span><img class="eddx" id="cce_bestpractice_0333__en-us_topic_0000001280331044_image1649015753718" src="en-us_image_0000002101396665.png"></span><ol type="a" id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol24641834105515"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li6180180133316">Obtain the public key issued by the cluster and register the cluster token controller as an IAM identity provider.<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul198881838101919"><li 
id="cce_bestpractice_0333__en-us_topic_0000001280331044_li11889143891913">The default identity provider of the clusters is <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b88891385417">https://kubernetes.default.svc.cluster.local</strong>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li488916384198">If <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol072395111516"><b>OIDC Provider</b></span> is enabled in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol0832103014232"><b>Overview</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b136219375312">Connection Information</strong> of the cluster, you can obtain the identity provider URL in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol174901858111918"><b>Service Account Issuer (service-account-issuer)</b></span> in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol2059973182012"><b>Settings</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b335818305337">Kubernetes</strong> of the cluster.</li></ul>
|
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section7702113994719"><h4 class="sectiontitle">Procedure</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol579915915514"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li779955918512"><span>Obtain the signature public key of the cluster service account token from CCE. For details, see <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820">Step 1: Obtain the Signature Public Key of the CCE Cluster</a>.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li167994591853"><span>Create an identity provider on IAM. For details, see <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013">Step 2: Configure an Identity Provider</a>.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li126302035862"><span>Obtain an IAM token from the workload and simulate an IAM user to access a cloud service. For details, see <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section38531454152611">Step 3: Use a Workload Identity</a>.</span><p><div class="p" id="cce_bestpractice_0333__en-us_topic_0000001280331044_p787014352060">The figure below shows the workflow.<div class="fignone" id="cce_bestpractice_0333__en-us_topic_0000001280331044_fig20726184218517"><span class="figcap"><b>Figure 1 </b>Workflow</span><br><span><img class="eddx" id="cce_bestpractice_0333__en-us_topic_0000001280331044_image1649015753718" src="en-us_image_0000002101396665.png"></span><ol type="a" id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol24641834105515"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li6180180133316">Obtain the public key issued by the cluster and register the cluster token controller as an IAM identity provider.<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul198881838101919"><li 
id="cce_bestpractice_0333__en-us_topic_0000001280331044_li11889143891913">The default identity provider of the clusters is <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b88891385417">https://kubernetes.default.svc.cluster.local</strong>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li488916384198">If <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol072395111516"><b>OIDC Provider</b></span> is enabled in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol0832103014232"><b>Overview</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b136219375312">Connection Information</strong> of the cluster, you can obtain the identity provider URL in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol174901858111918"><b>Service Account Issuer (service-account-issuer)</b></span> in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol2059973182012"><b>Settings</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b335818305337">Kubernetes</strong> of the cluster.</li></ul>
|
||||||
</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li129734217388">Request the service account to generate an OIDC token.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1452635010549">Deploy the application pod and mount the OIDC token to it.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li94781434556">Use the OIDC token to access IAM from the pod and obtain a temporary IAM token.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li876464142311">Use the IAM token to access other cloud service resources from the pod.</li></ol>
|
</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li129734217388">Request the service account to generate the corresponding OIDC token.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1452635010549">Deploy the application pod and mount the OIDC token to it.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li94781434556">Use the OIDC token to access IAM from the pod and obtain a temporary IAM token.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li876464142311">Use the IAM token to access other cloud service resources from the pod.</li></ol>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</p></li></ol>
|
</p></li></ol>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820"><a name="cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820"></a><a name="en-us_topic_0000001280331044_section5937204594820"></a><h4 class="sectiontitle">Step 1: Obtain the Signature Public Key of the CCE Cluster</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol101813212495"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li21811421174917"><span>Use kubectl to access the target cluster.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li9289123894912"><span>Obtain the public key:</span><p><pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen14863120363"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b486317204613">kubectl get --raw /openid/v1/jwks</strong></pre>
|
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820"><a name="cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820"></a><a name="en-us_topic_0000001280331044_section5937204594820"></a><h4 class="sectiontitle">Step 1: Obtain the Signature Public Key of the CCE Cluster</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol101813212495"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li21811421174917"><span>Use kubectl to access the cluster.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li9289123894912"><span>Obtain the public key.</span><p><pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen14863120363"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b486317204613">kubectl get --raw /openid/v1/jwks</strong></pre>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p146244171265">The returned result is the public key of the cluster. The following is an example of the command output:</p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p146244171265">The returned result is the public key of the cluster. The following is an example of the command output:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen12415145418495"># kubectl get --raw /openid/v1/jwks
|
<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen12415145418495"># kubectl get --raw /openid/v1/jwks
|
||||||
{"keys":[{"use":"sig","kty":"RSA","kid":"*****","alg":"RS256","n":"*****","e":"AQAB"}]}</pre>
|
{"keys":[{"use":"sig","kty":"RSA","kid":"*****","alg":"RS256","n":"*****","e":"AQAB"}]}</pre>
|
||||||
</p></li></ol>
|
</p></li></ol>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013"><a name="cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013"></a><a name="en-us_topic_0000001280331044_section18167152865013"></a><h4 class="sectiontitle">Step 2: Configure an Identity Provider</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol169921827125113"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1099232713516"><span>Log in to the IAM console, choose <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b9236174431318">Identity Providers</strong> in the navigation pane, and click <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b167449499132">Create Identity Provider</strong> in the upper right corner. On the displayed page, set <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b15803011146">Protocol</strong> to <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b510665171414">OpenID Connect</strong> and <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b125951516161417">SSO Type</strong> to <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b4189192211413">Virtual user</strong> and click <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol176618269597"><b>OK</b></span>.</span></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li19516032145116"><span>In the identity provider list, locate the row containing the new identity provider and click <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b156001642101720">Modify</strong> in the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b118454443177">Operation</strong> column to modify the identity provider information.</span><p><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p192233582812"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b13421111182812">Access Type</strong>: 
Select <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b10856131974017">Programmatic access</strong>.</p>
|
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013"><a name="cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013"></a><a name="en-us_topic_0000001280331044_section18167152865013"></a><h4 class="sectiontitle">Step 2: Configure an Identity Provider</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol169921827125113"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1099232713516"><span>Log in to the IAM console. In the navigation pane, choose <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b9236174431318">Identity Providers</strong>. In the right pane, click <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b167449499132">Create Identity Provider</strong> in the upper right corner. On the displayed page, set <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b15803011146">Protocol</strong> to <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b510665171414">OpenID Connect</strong> and <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b125951516161417">SSO Type</strong> to <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b4189192211413">Virtual user</strong> and click <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol176618269597"><b>OK</b></span>.</span><p><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p186167418717"></p>
|
||||||
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p5110653162412"></p>
|
||||||
|
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li19516032145116"><span>In the identity provider list, locate the row containing the new identity provider, click <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b156001642101720">Modify</strong> in the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b118454443177">Operation</strong> column, and modify the identity provider information.</span><p><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p192233582812"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b13421111182812">Access Type</strong>: Select <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b10856131974017">Programmatic access</strong>.</p>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p3372331793"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b513416273402">Configuration Information</strong></p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p3372331793"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b513416273402">Configuration Information</strong></p>
|
||||||
<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul1116031018107"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li10160111091015"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1343011158350">Identity Provider URL</strong>: The default identity provider of the cluster is <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1536811576105">https://kubernetes.default.svc.cluster.local</strong>.<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p1316995102111">If <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol199581045133313"><b>OIDC Provider</b></span> is enabled in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol4958174563320"><b>Overview</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b2958745123310">Connection Information</strong> of the cluster, you can obtain the identity provider URL in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol17958445123317"><b>Service Account Issuer (service-account-issuer)</b></span> in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol17958945153315"><b>Settings</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b19581545133318">Kubernetes</strong> of the cluster.</p>
|
<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul1116031018107"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li10160111091015"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1343011158350">Identity Provider URL</strong>: The default identity provider of the cluster is <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1536811576105">https://kubernetes.default.svc.cluster.local</strong>.<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p1316995102111">If <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol199581045133313"><b>OIDC Provider</b></span> is enabled in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol4958174563320"><b>Overview</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b2958745123310">Connection Information</strong> of the cluster, you can obtain the identity provider URL in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol17958445123317"><b>Service Account Issuer (service-account-issuer)</b></span> in <span class="uicontrol" id="cce_bestpractice_0333__en-us_topic_0000001280331044_uicontrol17958945153315"><b>Settings</b></span> > <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b19581545133318">Kubernetes</strong> of the cluster.</p>
|
||||||
</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1316010104103"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b41062448516">Client ID</strong>: Enter a client ID, which will be used when you create a container.<div class="caution" id="cce_bestpractice_0333__en-us_topic_0000001280331044_note891311093913"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p491381014392">A client ID cannot contain only digits. If the client ID consists only of digits, enclose it in double quotation marks ("") when editing the YAML file for the workload. For example, if the client ID is <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b18623346617">123456789</strong>, it should be entered as <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1797717255611">"123456789"</strong> in the YAML file.</p>
|
</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1316010104103"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b41062448516">Client ID</strong>: Enter a client ID, which will be used when you create a container.<div class="caution" id="cce_bestpractice_0333__en-us_topic_0000001280331044_note891311093913"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p491381014392">A client ID cannot contain only digits. If the client ID consists only of digits, enclose it in double quotation marks ("") when editing the YAML file for the workload. For example, if the client ID is <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b18623346617">123456789</strong>, it should be entered as <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1797717255611">"123456789"</strong> in the YAML file.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li716181081018"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b118391894118">Signing Key</strong>: Enter the JWKS of the CCE cluster obtained in <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820">Step 1: Obtain the Signature Public Key of the CCE Cluster</a>.</li></ul>
|
</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li716181081018"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b118391894118">Signing Key</strong>: Enter the JWKS of the CCE cluster obtained in <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section5937204594820">Step 1: Obtain the Signature Public Key of the CCE Cluster</a>.</li></ul>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p1473116851817"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b121951410135017">Identity Conversion Rules</strong></p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p1473116851817"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b121951410135017">Identity Mapping Rules</strong></p>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p1313710396203">An identity conversion rule maps the service account of a workload to an IAM user.</p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p1313710396203">An identity mapping rule maps the service account of a workload to an IAM user.</p>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p14941493198">For example, create a service account named <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b6560164125712">oidc-token</strong> in namespace <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1927464214583">default</strong> of the cluster and map it to user group <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b36434556584">demo</strong>. If you use the identity provider ID to access cloud services, you have the permissions of the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b146721164599">demo</strong> user group. The attribute must be <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b102312813599">sub</strong>. The value is in the format of <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1235254055912">system:serviceaccount:<em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i560819482594">Namespace</em>:<em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i1081912510594">ServiceAccountName</em></strong>.</p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p14941493198">For example, create a service account named <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b6560164125712">oidc-token</strong> in the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1927464214583">default</strong> namespace of the cluster and map it to the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b36434556584">demo</strong> user group. If you use the identity provider ID to access cloud services, you have the permissions of the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b146721164599">demo</strong> user group. The attribute must be <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b102312813599">sub</strong>. The value is in the format of <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1235254055912">system:serviceaccount:<em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i560819482594">Namespace</em>:<em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i1081912510594">ServiceAccountName</em></strong>.</p>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p112811543142019"></p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p112811543142019"></p>
|
||||||
|
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p13923398244">Rules are in the JSON format as follows:</p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p13923398244">Rules are in the JSON format as follows:</p>
|
||||||
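Review bot: The new side adds two empty paragraphs inside step 1 of "Step 2: Configure an Identity Provider" (`<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p186167418717"></p>` and `<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p5110653162412"></p>`); they render as blank lines only. If screenshots of the Create Identity Provider page were meant to go there, the `<img>` elements are missing; otherwise drop both elements. The rename from "Identity Conversion Rules" to "Identity Mapping Rules" is consistent with "An identity mapping rule maps the service account..." in the same hunk, but step 1 still chains "set Protocol to OpenID Connect and SSO Type to Virtual user and click OK"; a comma before the final "and click OK" would separate the settings from the action.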
@ -55,11 +57,11 @@
|
|||||||
]</pre>
|
]</pre>
|
||||||
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li760095010819"><span>Click <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1698218221414">OK</strong>.</span></li></ol>
|
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li760095010819"><span>Click <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1698218221414">OK</strong>.</span></li></ol>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section38531454152611"><a name="cce_bestpractice_0333__en-us_topic_0000001280331044_section38531454152611"></a><a name="en-us_topic_0000001280331044_section38531454152611"></a><h4 class="sectiontitle">Step 3: Use a Workload Identity</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol92519363810"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li22512361189"><span>Create a service account, whose name must be the value of <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b16730532141816">ServiceAccountName</strong> set in <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013">Step 2: Configure an Identity Provider</a>.</span><p><pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen18815185611257">apiVersion: v1
|
<div class="section" id="cce_bestpractice_0333__en-us_topic_0000001280331044_section38531454152611"><a name="cce_bestpractice_0333__en-us_topic_0000001280331044_section38531454152611"></a><a name="en-us_topic_0000001280331044_section38531454152611"></a><h4 class="sectiontitle">Step 3: Use a Workload Identity</h4><ol id="cce_bestpractice_0333__en-us_topic_0000001280331044_ol92519363810"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li22512361189"><span>Create a service account. The name must be the value of <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b16730532141816">ServiceAccountName</strong> set in <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013">Step 2: Configure an Identity Provider</a>.</span><p><pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen18815185611257">apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: oidc-token</pre>
|
name: oidc-token</pre>
|
||||||
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1699820499812"><span>Mount the identity provider to the workload and obtain the OIDC token file.</span><p><div class="p" id="cce_bestpractice_0333__en-us_topic_0000001280331044_p64351501683">An example is as follows:<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen581317401580">apiVersion: apps/v1
|
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1699820499812"><span>Mount the service account token to the workload and obtain the OIDC token file.</span><p><div class="p" id="cce_bestpractice_0333__en-us_topic_0000001280331044_p64351501683">An example is as follows:<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen581317401580">apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx
|
name: nginx
|
||||||
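Review bot: The ServiceAccount manifest in step 1 (`metadata:` / `name: oidc-token`) has no `namespace`, so the account lands in whatever namespace the current kubectl context points at, while the identity mapping rule from Step 2 matches `sub` against `system:serviceaccount:Namespace:ServiceAccountName` with the `default` namespace in the example. A mismatch produces a token whose `sub` claim matches no rule, and the IAM token exchange fails without an obvious cause. Suggest adding `namespace: default` under `metadata:` for both the ServiceAccount and the Deployment in step 2, or stating next to the manifest that the namespace must equal the one used in the mapping rule. The wording change from "Mount the identity provider to the workload" to "Mount the service account token to the workload" is correct; the identity provider is an IAM object and nothing of it is mounted.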
@ -79,7 +81,7 @@ spec:
|
|||||||
- name: container-1
|
- name: container-1
|
||||||
image: nginx:latest
|
image: nginx:latest
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: "/var/run/secrets/tokens" # Mount the service account token generated by Kubernetes to the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b12458612155518">/var/run/secrets/tokens/oidc-token</strong> file.
|
- mountPath: "/var/run/secrets/tokens" # Mount the Kubernetes-generated service account token to <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b12458612155518">/var/run/secrets/tokens/oidc-token</strong>.
|
||||||
name: oidc-token
|
name: oidc-token
|
||||||
imagePullSecrets:
|
imagePullSecrets:
|
||||||
- name: default-secret
|
- name: default-secret
|
||||||
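Review bot: The comment on `- mountPath: "/var/run/secrets/tokens"` says the token is mounted to `/var/run/secrets/tokens/oidc-token`, but the `oidc-token` file name is not set here; it comes from the `path:` entry of the projected `serviceAccountToken` source in the `volumes` section, and the mount only chooses the directory. Suggest: `# Directory for the projected token; the file name comes from "path" under volumes (here oidc-token).` Since this example demonstrates credential handling, consider also pinning `image: nginx:latest` to a fixed tag so the sample is reproducible.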
@ -91,18 +93,18 @@ spec:
|
|||||||
sources:
|
sources:
|
||||||
- serviceAccountToken:
|
- serviceAccountToken:
|
||||||
audience: client_id # Must be the client ID of the identity provider.
|
audience: client_id # Must be the client ID of the identity provider.
|
||||||
expirationSeconds: 7200 # Expiry period
|
expirationSeconds: 7200 # Expiration time
|
||||||
path: oidc-token # Path name, which can be customized</pre>
|
path: oidc-token # Path name. You can change it as needed.</pre>
|
||||||
</div>
|
</div>
|
||||||
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1597836795"><span>After the creation is complete, log in to the container. The content of the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b20348529161919">/var/run/secrets/tokens/oidc-token</strong> file is the service account token generated by Kubernetes.</span><p><div class="note" id="cce_bestpractice_0333__en-us_topic_0000001280331044_note209921935201012"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p999210357107">If the service account token is used for more than 24 hours or 80% of its expiry period, kubelet will automatically rotate the service account token.</p>
|
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li1597836795"><span>After the creation is complete, log in to the container. The content of the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b20348529161919">/var/run/secrets/tokens/oidc-token</strong> file is the service account token generated by Kubernetes.</span><p><div class="note" id="cce_bestpractice_0333__en-us_topic_0000001280331044_note209921935201012"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p999210357107">If the service account token is valid for more than 24 hours or 80% of its expiration time, kubelet will automatically rotate the service account token.</p>
|
||||||
</div></div>
|
</div></div>
|
||||||
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li89609511115"><span>Use the OIDC token to call the API for <a href="https://docs.otc.t-systems.com/en-us/api/iam/iam_13_0605.html" target="_blank" rel="noopener noreferrer">Obtaining a Token with an OpenID Connect ID Token</a>. The <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b21822532317">X-Subject-Token</strong> field in the response header is the IAM token. Then, you can use this token to access cloud services.</span><p><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p8607177517">The following shows an example:</p>
|
</p></li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li89609511115"><span>Use the OIDC token to call the API for <a href="https://docs.otc.t-systems.com/en-us/api/iam/iam_13_0605.html" target="_blank" rel="noopener noreferrer">Obtaining a Token with an OpenID Connect ID Token</a>. The <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b21822532317">X-Subject-Token</strong> field in the response header is the IAM token. Then, you can use this token to access cloud services.</span><p><p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p8607177517">The following shows an example:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen12632921195416">curl -i --location --request POST 'https://<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b181044375517"><i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname2037412543141">{{iam endpoint}}</span></i></strong>/v3.0/OS-AUTH/id-token/tokens' \
|
<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen12632921195416">curl -i --location --request POST 'https://<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b181044375517"><i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname2037412543141">{{iam endpoint}}</span></i></strong>/v3.0/OS-AUTH/id-token/tokens' \
|
||||||
--header '<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1067820478568">X-Idp-Id: <i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname8889551205611">workload_identity</span></i></strong>' \
|
--header '<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1067820478568">X-Idp-Id: <i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname8889551205611">workload_identity</span></i></strong>' \
|
||||||
--header 'Content-Type: application/json' \
|
--header 'Content-Type: application/json' \
|
||||||
--data @<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1830152521417"><i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname216110454146">token_body.json</span></i></strong></pre>
|
--data @<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1830152521417"><i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname216110454146">token_body.json</span></i></strong></pre>
|
||||||
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p467644104113">Specifically:</p>
|
<p id="cce_bestpractice_0333__en-us_topic_0000001280331044_p467644104113">Where:</p>
|
||||||
<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul1167285918426"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li12672145944213"><em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i169162411237">{{iam endpoint}}</em> indicates the endpoint of IAM. For details, see <a href="https://docs.otc.t-systems.com/regions-and-endpoints/index.html" target="_blank" rel="noopener noreferrer">Regions and Endpoints</a>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li0673259144213"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b1014313549424">workload_identity</strong> is the identity provider name, which is the same as that configured in <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013">Step 2: Configure an Identity Provider</a>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li067305914215"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b756886131510">token_body.json</strong> is a local file and its content is as follows:<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen16886553181715"> {
|
<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul1167285918426"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li12672145944213"><em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i169162411237">{{iam endpoint}}</em> indicates the endpoint of IAM. For details, see <a href="https://docs.otc.t-systems.com/regions-and-endpoints/index.html" target="_blank" rel="noopener noreferrer">Regions and Endpoints</a>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li0673259144213"><em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i19622335114818">workload_identity</em> is the identity provider name, which is the same as that configured in <a href="#cce_bestpractice_0333__en-us_topic_0000001280331044_section18167152865013">Step 2: Configure an Identity Provider</a>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li067305914215"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b756886131510">token_body.json</strong> is a local file and its content is as follows:<pre class="screen" id="cce_bestpractice_0333__en-us_topic_0000001280331044_screen16886553181715"> {
|
||||||
"auth" : {
|
"auth" : {
|
||||||
"id_token" : {
|
"id_token" : {
|
||||||
<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b19576175817239">"id" : <i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname1664085112234">"eyJhbGciOiJSU..."</span></i></strong>
|
<strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b19576175817239">"id" : <i><span class="varname" id="cce_bestpractice_0333__en-us_topic_0000001280331044_varname1664085112234">"eyJhbGciOiJSU..."</span></i></strong>
|
||||||
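Review bot: The rewritten note in the 24-hour/80% line still misstates the rotation condition: kubelet rotates a projected service account token once the token is older than 80% of its TTL or older than 24 hours, whichever comes first, not when the token "is valid for more than 24 hours". Suggest: "kubelet rotates the token when it is older than 80% of its validity period or older than 24 hours, whichever comes first." Because the content of /var/run/secrets/tokens/oidc-token changes on rotation, the note should also say that the application must re-read the file before each token exchange rather than cache the value at startup.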
@ -115,7 +117,7 @@ spec:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}</pre>
|
}</pre>
|
||||||
<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul13736243111515"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li78261142171516"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b032813144018">$.auth.id_token.id</strong>: The value is the content of the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b44381120303">/var/run/secrets/tokens/oidc-token</strong> file in the container.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li84505580153"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b128181328002">$.auth.scope.project.id</strong>: indicates the project ID. To obtain the value, see <a href="https://docs.otc.t-systems.com/en-us/api2/cce/cce_02_0341.html" target="_blank" rel="noopener noreferrer">Obtaining a Project ID</a>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li850012382164"><strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b13463169118">$.auth.scope.project.name</strong>: indicates the project name.</li></ul>
|
<ul id="cce_bestpractice_0333__en-us_topic_0000001280331044_ul13736243111515"><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li78261142171516"><em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i53877507484">$.auth.id_token.id</em>: The value is the content of the <strong id="cce_bestpractice_0333__en-us_topic_0000001280331044_b44381120303">/var/run/secrets/tokens/oidc-token</strong> file in the container.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li84505580153"><em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i2084885344812">$.auth.scope.project.id</em>: indicates the project ID. To obtain the value, see <a href="https://docs.otc.t-systems.com/en-us/api2/cce/cce_02_0341.html" target="_blank" rel="noopener noreferrer">Obtaining a Project ID</a>.</li><li id="cce_bestpractice_0333__en-us_topic_0000001280331044_li850012382164"><em id="cce_bestpractice_0333__en-us_topic_0000001280331044_i6878175934819">$.auth.scope.project.name</em>: indicates the project name.</li></ul>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</p></li></ol>
|
</p></li></ol>
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
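Review bot: The edits in this hunk only swap strong for em on the JSON path names, which matches the em used for {{iam endpoint}} above, but the step still leaves a security point undocumented: token_body.json holds the raw OIDC token, a bearer credential, and the text never says how the file should be handled. Suggest adding to the $.auth.id_token.id bullet that the file should be created with restrictive permissions (for example mode 0600) and removed once the IAM token has been obtained, and that the returned X-Subject-Token is equally sensitive and must not be written to logs or shell history.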
@ -1,7 +1,7 @@
|
|||||||
<a name="cce_bestpractice_10046"></a><a name="cce_bestpractice_10046"></a>
|
<a name="cce_bestpractice_10046"></a><a name="cce_bestpractice_10046"></a>
|
||||||
|
|
||||||
<h1 class="topictitle1">Configuration Suggestions on CCE Container Runtime Security</h1>
|
<h1 class="topictitle1">Using Container Runtimes Securely in a CCE Cluster</h1>
|
||||||
<div id="body8662426"><p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p86371427142211">Container technology uses Linux namespaces and cgroups to isolate and control resources between containers and nodes. Namespaces provide kernel-level isolation, allowing processes to be restricted from accessing specific sets of resources, such as file systems, networks, processes, and users. Cgroups are a Linux kernel feature that manages and limits the usage of resources, such as CPU, memory, disk, and network, to prevent a single process from consuming too many resources and negatively impacting the overall system performance.</p>
|
<div id="body8662426"><p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p86371427142211">Container technology uses Linux namespaces and cgroups to isolate and control resources between containers and nodes. Namespaces provide kernel-level isolation, allowing processes to be restricted from accessing specific sets of resources, such as file systems, networks, processes, and users. cgroups are a Linux kernel feature that manages and limits the usage of resources, such as CPU, memory, disk, and network, to prevent a single process from consuming too many resources and negatively impacting the overall system performance.</p>
|
||||||
<p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p86254211222">While namespaces and cgroups isolate resources between containers and nodes in an environment, node resources are not visible to containers. However, this isolation does not provide true security isolation because containers share the kernels of their nodes. If a container exhibits malicious behavior or a kernel vulnerability is exploited by attackers, the container may breach resource isolation. This can result in the container escaping and potentially compromising the node and other containers on the node.</p>
|
<p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p86254211222">While namespaces and cgroups isolate resources between containers and nodes in an environment, node resources are not visible to containers. However, this isolation does not provide true security isolation because containers share the kernels of their nodes. If a container exhibits malicious behavior or a kernel vulnerability is exploited by attackers, the container may breach resource isolation. This can result in the container escaping and potentially compromising the node and other containers on the node.</p>
|
||||||
<p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p1062114211229">To enhance runtime security, there are various mechanisms that can be used to detect and prevent malicious activities in containers. These mechanisms, such as capabilities, seccomp, AppArmor, and SELinux, can be integrated into Kubernetes. By using these mechanisms, container security can be improved and potential threats can be minimized.</p>
|
<p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p1062114211229">To enhance runtime security, there are various mechanisms that can be used to detect and prevent malicious activities in containers. These mechanisms, such as capabilities, seccomp, AppArmor, and SELinux, can be integrated into Kubernetes. By using these mechanisms, container security can be improved and potential threats can be minimized.</p>
|
||||||
<div class="section" id="cce_bestpractice_10046__en-us_topic_0000002011467409_section14284116132316"><h4 class="sectiontitle">Capabilities</h4><p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p2240558172317">Capabilities are a permission mechanism that enables a process to perform certain system operations without requiring full root permissions. This mechanism divides root permissions into smaller, independent permissions known as capabilities. By doing so, the process only obtains the minimum permission set necessary to complete its tasks. This approach enhances system security and helps mitigate potential security risks.</p>
|
<div class="section" id="cce_bestpractice_10046__en-us_topic_0000002011467409_section14284116132316"><h4 class="sectiontitle">Capabilities</h4><p id="cce_bestpractice_10046__en-us_topic_0000002011467409_p2240558172317">Capabilities are a permission mechanism that enables a process to perform certain system operations without requiring full root permissions. This mechanism divides root permissions into smaller, independent permissions known as capabilities. By doing so, the process only obtains the minimum permission set necessary to complete its tasks. This approach enhances system security and helps mitigate potential security risks.</p>
|
||||||
|
|||||||
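Review bot: Lowercasing "Cgroups" to "cgroups" at the start of a sentence in the first paragraph is inconsistent with "Namespaces" capitalized at the start of the preceding sentence; either keep sentence-initial capitalization or rephrase so the term is not sentence-initial ("The cgroups feature of the Linux kernel manages and limits ..."). The h1 is renamed while the a name="cce_bestpractice_10046" anchor stays the same, so inbound links keep resolving, but any TOC entry or cross-reference that repeats the old title "Configuration Suggestions on CCE Container Runtime Security" as link text needs the same update.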
@ -1,31 +1,31 @@
|
|||||||
<a name="cce_bestpractice_10047"></a><a name="cce_bestpractice_10047"></a>
|
<a name="cce_bestpractice_10047"></a><a name="cce_bestpractice_10047"></a>
|
||||||
|
|
||||||
<h1 class="topictitle1">Configuration Suggestions on CCE Container Image Security</h1>
|
<h1 class="topictitle1">Using Images Securely in a CCE Cluster</h1>
|
||||||
<div id="body8662426"><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p1233921013112">Container images are the primary defense against external attacks and are crucial for securing applications, systems, and the entire supply chain. If an image is insecure, it can become a vulnerability for attackers to exploit. This can lead to the container escaping to its node, allowing attackers to access sensitive data on the node or use it as a launching pad to gain control over the entire cluster or tenant account. This section describes some recommended configurations to mitigate such risks.</p>
|
<div id="body8662426"><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p1233921013112">Container images are the primary defense against external attacks and are crucial for securing applications, systems, and the entire supply chain. If an image is insecure, it can become a vulnerability for attackers to exploit. This can lead to the container escaping to its node, allowing attackers to access sensitive data on the node or use it as a launching pad to gain control over the entire cluster or tenant account. This section describes some recommended configurations to mitigate such risks.</p>
|
||||||
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section1515719173112"><h4 class="sectiontitle">Minimizing a Container Image</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p126015354113">To improve container image security, it is recommended that you remove any unnecessary binary files. When using an unknown image from Docker Hub, you are advised to review the image content with a tool like Dive. Dive provides layer-by-layer details of an image, helping to identify potential security risks. For details, see <a href="https://github.com/wagoodman/dive" target="_blank" rel="noopener noreferrer">Dive</a>.</p>
|
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section1515719173112"><h4 class="sectiontitle">Minimizing a Container Image</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p126015354113">To improve container image security, remove any unnecessary binary files. When using an unknown image from Docker Hub, you are advised to review the image with a tool like Dive. Dive provides layer-by-layer details of an image, helping to identify potential security risks. For details, see <a href="https://github.com/wagoodman/dive" target="_blank" rel="noopener noreferrer">Dive</a>.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p460116358115">For improved security, it is recommended that you delete binary files with setuid and setgid permissions, because these can be exploited to elevate permissions. It is also wise to remove shell tools and applications that could be used maliciously, like nc and curl. To locate files with setuid and setgid bits, use the following command:</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p460116358115">For improved security, it is advised to remove binary files with setuid and setgid permissions because they can be exploited to elevate permissions. It is also wise to remove shell tools and applications that could be used maliciously, like nc and curl. To locate files with setuid and setgid bits, use the following command:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_10047__en-us_topic_0000002011542813_screen4601133510112">find / -perm /6000 -type f -exec ls -ld {} \;</pre>
|
<pre class="screen" id="cce_bestpractice_10047__en-us_topic_0000002011542813_screen4601133510112">find / -perm /6000 -type f -exec ls -ld {} \;</pre>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p360173510118">To remove special permissions from the obtained files, add the following command to your container image:</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p360173510118">To remove special permissions from the obtained files, add the following command to your container image:</p>
|
||||||
<pre class="screen" id="cce_bestpractice_10047__en-us_topic_0000002011542813_screen1488117394113">RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true</pre>
|
<pre class="screen" id="cce_bestpractice_10047__en-us_topic_0000002011542813_screen1488117394113">RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true</pre>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section49410521858"><h4 class="sectiontitle">Using Multi-Stage Builds</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p135031313464">Multi-stage builds are a great way to create container images efficiently, especially in the CI process. With multi-stage builds, you can perform lint checks on source code or static code analysis during the build process, providing quick feedback to developers. There is no need to wait for the entire build to finish.</p>
|
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section49410521858"><h4 class="sectiontitle">Using Multi-Stage Builds</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p135031313464">Multi-stage builds are a great way to create container images efficiently, especially in the CI process. With multi-stage builds, you can perform lint checks on source code or analyze static code during the builds, providing quick feedback to developers. There is no need to wait for the entire build to finish.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p950315131616">Multi-stage builds offer significant security advantages by allowing developers to include only necessary components in container images, excluding build tools and other unnecessary binary files. This approach reduces the attack surface of images and improves overall security.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p950315131616">Multi-stage builds offer significant security advantages by allowing developers to include only necessary components in container images that will be pushed to container registries, excluding build tools and other unnecessary binary files. This approach reduces the attack surface of images and improves overall security.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p550314138615">For more information about the concepts, best practices, and advantages of multi-stage builds, see the <a href="https://docs.docker.com/develop/develop-images/multistage-build/" target="_blank" rel="noopener noreferrer">Docker documentation</a>. This will help you create streamlined and secure container images while optimizing development and deployment processes.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p550314138615">For details about the concepts, best practices, and advantages of multi-stage builds, see the <a href="https://docs.docker.com/develop/develop-images/multistage-build/" target="_blank" rel="noopener noreferrer">Docker documentation</a>. This will help you create streamlined, secure container images while optimizing development and deployment processes.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section25611654664"><h4 class="sectiontitle">Using SWR</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p19140201073">SWR provides easy, secure, reliable management of container images throughout their lifecycles, featuring image push, pull, and deletion.</p>
|
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section25611654664"><h4 class="sectiontitle">Using SWR</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p19140201073">SWR provides easy, secure, reliable management of container images throughout their lifecycles, featuring image push, pull, and deletion.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p36217119818">SWR stands out for its precise permissions management, allowing administrators to customize access permissions for different users with read, edit, and manage levels. This ensures image security and compliance, meeting the needs of team collaboration.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p36217119818">SWR stands out for its precise permissions management, allowing administrators to customize access permissions for different users with read, edit, and manage levels. This ensures image security and compliance, meeting the needs of team collaboration.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p7621911582">Additionally, SWR offers automatic deployment capabilities. You can set a trigger to automatically deploy updated image versions. When a new image version is released, SWR automatically triggers the application that uses the image in CCE to update it, streamlining CI/CD.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p7621911582">Additionally, SWR offers automatic deployment capabilities. Triggers help you automatically update applications that were created from images with updated tags. After a new image tag is released, SWR automatically triggers the update of the application that was created from the image on CCE, streamlining CI/CD.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p106421814284">To further enhance SWR's security and flexibility, fine-grained permissions control can be added to IAM users. </p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p106421814284">To further enhance SWR's security and flexibility, precisely control the IAM user permissions. </p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section168448713915"><h4 class="sectiontitle">Scanning an Image Using SWR</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p149216391992">With SWR, you can easily scan and secure your images with just a few clicks. Image scanning provides a thorough security check for your private images in repositories. It detects potential vulnerabilities and offers rectification suggestions.</p>
|
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section168448713915"><h4 class="sectiontitle">Scanning an Image Using SWR</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p149216391992">With SWR, you can easily scan and secure your images with just a few clicks. Image scanning provides a thorough security check for your private images in repositories. It detects potential vulnerabilities and offers rectification suggestions.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section1097016560107"><h4 class="sectiontitle">Using an Image Signature and Configuring a Signature Verification Policy</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p25309247125">Image signature verification is a security measure that confirms whether a container image has been tampered with after its creation. The image creator can sign the image content, and a user can verify the image's integrity and source by checking the signature.</p>
|
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section1097016560107"><h4 class="sectiontitle">Using an Image Signature and Configuring a Signature Verification Policy</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p25309247125">Image signature verification is a security measure that confirms whether a container image has been tampered with after its creation. The image creator can sign the image content, and users can verify the image's integrity and source by checking the signature.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p139921417191310">This verification is crucial in maintaining container image security. By using image signature verification, organizations can guarantee the security and reliability of their containerized applications and safeguard them from potential security risks.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p139921417191310">This verification is crucial in maintaining container image security. By using image signature verification, organizations can guarantee the security and reliability of their containerized applications and safeguard them from potential security risks.</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section39242498131"><h4 class="sectiontitle">Adding the USER Instruction to a Dockerfile to Run Commands as a Non-root User</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p14595132715206">Properly configuring user permissions during container build and deployment can greatly enhance container security. This not only helps prevent potential malicious activities, but also aligns with the principle of least privilege (PoLP).</p>
|
<div class="section" id="cce_bestpractice_10047__en-us_topic_0000002011542813_section39242498131"><h4 class="sectiontitle">Adding the USER Instruction to a Dockerfile and Running Commands as a Non-root User</h4><p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p14595132715206">Configuring proper user permissions during container build and deployment can greatly enhance container security. This not only helps prevent potential malicious activities, but also aligns with the PoLP.</p>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p1626020517135">By setting the USER instruction in Dockerfiles, subsequent commands are executed as non-root users, which is a standard security practice.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p1626020517135">By setting the USER instruction in Dockerfiles, subsequent commands can be executed as non-root users, which is a standard security practice.</p>
|
||||||
<ul id="cce_bestpractice_10047__en-us_topic_0000002011542813_ul201511810185"><li id="cce_bestpractice_10047__en-us_topic_0000002011542813_li161512821810">Limited permissions: Running a container as a non-root user can also mitigate potential security risks, because attackers cannot gain full control over the node even if the container is attacked.</li><li id="cce_bestpractice_10047__en-us_topic_0000002011542813_li10151108101814">Restricted access: Non-root users typically have limited permissions, which restrict their access to and operation capabilities on node resources.</li></ul>
|
<ul id="cce_bestpractice_10047__en-us_topic_0000002011542813_ul201511810185"><li id="cce_bestpractice_10047__en-us_topic_0000002011542813_li161512821810">Limited permissions: Running a container as a non-root user can mitigate potential security risks because attackers cannot gain full control over the node even if the container is attacked.</li><li id="cce_bestpractice_10047__en-us_topic_0000002011542813_li10151108101814">Restricted access: Non-root users typically have limited permissions, which restrict their access to and operations on node resources.</li></ul>
|
||||||
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p11799653111917">In addition to Dockerfiles, the <strong id="cce_bestpractice_10047__en-us_topic_0000002011542813_b1389865641417">securityContext</strong> field in <strong id="cce_bestpractice_10047__en-us_topic_0000002011542813_b51155941417">podSpec</strong> of Kubernetes can be used to configure user and group IDs and enforce security policies during container deployment.</p>
|
<p id="cce_bestpractice_10047__en-us_topic_0000002011542813_p11799653111917">In addition to Dockerfiles, you can use the <strong id="cce_bestpractice_10047__en-us_topic_0000002011542813_b1389865641417">securityContext</strong> field in <strong id="cce_bestpractice_10047__en-us_topic_0000002011542813_b51155941417">podSpec</strong> of Kubernetes to configure user and group IDs and enforce security policies during container deployment.</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div>
|
<div>
|
||||||
|
|||||||
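Review bot: The rewrite of the USER-instruction paragraph drops the expansion of PoLP ("principle of least privilege (PoLP)") and now uses the bare abbreviation on its first appearance in this topic; keep the expansion on first use. In the same paragraph, changing "subsequent commands are executed as non-root users" to "can be executed" weakens a correct statement: once USER is set, the following RUN, CMD and ENTRYPOINT instructions do run as that user. Two smaller wording points in this hunk: "analyze static code during the builds" in the multi-stage section should read "perform static code analysis during the build", and "it is advised to remove" in the setuid/setgid paragraph is weaker than the imperative "remove ..." used one paragraph earlier, so use the imperative in both. The title changes from "Configuration Suggestions on CCE Container Image Security" while the a name="cce_bestpractice_10047" anchor is unchanged, so link targets hold but link text elsewhere needs updating.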
File diff suppressed because one or more lines are too long
@ -7,7 +7,7 @@
|
|||||||
<div class="section" id="cce_bulletin_0095__en-us_topic_0000002011393057_section14972102702312"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_section14972102702312"></a><a name="en-us_topic_0000002011393057_section14972102702312"></a><h4 class="sectiontitle">New and Enhanced Features</h4><ul id="cce_bulletin_0095__en-us_topic_0000002011393057_ul765217383916"><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li165213813916">Webhook matching expression is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p897192710149"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li165213813916"></a><a name="en-us_topic_0000002011393057_li165213813916"></a>The Webhook matching expression feature is advanced to GA. This feature enables admission webhooks to be matched based on specific conditions, providing control over the triggering conditions of the webhooks in a more precise granularity. For details, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchConditions" target="_blank" rel="noopener noreferrer">Dynamic Admission Control</a>.</p>
|
<div class="section" id="cce_bulletin_0095__en-us_topic_0000002011393057_section14972102702312"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_section14972102702312"></a><a name="en-us_topic_0000002011393057_section14972102702312"></a><h4 class="sectiontitle">New and Enhanced Features</h4><ul id="cce_bulletin_0095__en-us_topic_0000002011393057_ul765217383916"><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li165213813916">Webhook matching expression is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p897192710149"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li165213813916"></a><a name="en-us_topic_0000002011393057_li165213813916"></a>The Webhook matching expression feature is advanced to GA. This feature enables admission webhooks to be matched based on specific conditions, providing control over the triggering conditions of the webhooks in a more precise granularity. For details, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchConditions" target="_blank" rel="noopener noreferrer">Dynamic Admission Control</a>.</p>
|
||||||
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li865210381493">Pod scheduling readiness is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p592202931417"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li865210381493"></a><a name="en-us_topic_0000002011393057_li865210381493"></a>The pod scheduling readiness feature is advanced to GA. With this feature, you can add custom scheduling gates to a pod and manage when to remove them. The pod will only be deemed ready for scheduling once all scheduling gates have been removed. For details, see <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/pod-scheduling-readiness/" target="_blank" rel="noopener noreferrer">Pod Scheduling Readiness</a>.</p>
|
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li865210381493">Pod scheduling readiness is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p592202931417"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li865210381493"></a><a name="en-us_topic_0000002011393057_li865210381493"></a>The pod scheduling readiness feature is advanced to GA. With this feature, you can add custom scheduling gates to a pod and manage when to remove them. The pod will only be deemed ready for scheduling once all scheduling gates have been removed. For details, see <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/pod-scheduling-readiness/" target="_blank" rel="noopener noreferrer">Pod Scheduling Readiness</a>.</p>
|
||||||
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li665220381690">Validating admission policies are in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p1514043014148"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li665220381690"></a><a name="en-us_topic_0000002011393057_li665220381690"></a>Validating admission policies are advanced to GA. This feature allows you to declare the validating admission policies of resources using Common Expression Language (CEL). For details, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/" target="_blank" rel="noopener noreferrer">Validating Admission Policy</a>.</p>
|
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li665220381690">Validating admission policies are in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p1514043014148"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li665220381690"></a><a name="en-us_topic_0000002011393057_li665220381690"></a>Validating admission policies are advanced to GA. This feature allows you to declare the validating admission policies of resources using Common Expression Language (CEL). For details, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/" target="_blank" rel="noopener noreferrer">Validating Admission Policy</a>.</p>
|
||||||
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li2652938698">Horizontal pod auto scaling based on container resource metrics is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p1968103010148"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li2652938698"></a><a name="en-us_topic_0000002011393057_li2652938698"></a>The horizontal pod auto scaling feature based on container resource metrics is advanced to GA. This feature allows HPA to configure auto scaling based on the resource usage of each container within a pod, rather than just the overall resource usage of the pod. This makes it easier to set scaling thresholds for the most critical containers in a pod. For details, see <a href="https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#container-resource-metrics" target="_blank" rel="noopener noreferrer">Container resource metrics</a>.</p>
|
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li2652938698">Horizontal pod auto scaling based on container resource metrics is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p1968103010148"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li2652938698"></a><a name="en-us_topic_0000002011393057_li2652938698"></a>The horizontal pod auto scaling feature based on container resource metrics is advanced to GA. This feature allows HPA to configure auto scaling based on the resource usage of each container within a pod, rather than just the overall resource usage of the pod. This makes it easier to set scaling thresholds for the most critical containers in a pod. For details, see <a href="https://kubernetes.io/docs/concepts/workloads/autoscaling/horizontal-pod-autoscale/#container-resource-metrics" target="_blank" rel="noopener noreferrer">Container resource metrics</a>.</p>
|
||||||
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li13653123819916">The legacy ServiceAccount token cleaner is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p20718123181413"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li13653123819916"></a><a name="en-us_topic_0000002011393057_li13653123819916"></a>The legacy ServiceAccount token cleaner feature is advanced to GA. It runs as part of <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b748611411213">kube-controller-manager</strong> and checks every 24 hours to see if any auto-generated legacy ServiceAccount token has not been used in a specific amount of time (one year by default, specified by <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b448681415215">--legacy-service-account-token-clean-up-period</strong>). If so, the cleaner marks those tokens as invalid and adds the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b1313225330113048">kubernetes.io/legacy-token-invalid-since</strong> label whose value is the current date. If an invalid token is not used for a specific period of time (one year by default, specified by <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b4920114518211">--legacy-service-account-token-clean-up-period</strong>), the cleaner deletes it. For details, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#legacy-serviceaccount-token-cleaner" target="_blank" rel="noopener noreferrer">Legacy ServiceAccount token cleaner</a>.</p>
|
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li13653123819916">The legacy ServiceAccount token cleaner is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p20718123181413"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li13653123819916"></a><a name="en-us_topic_0000002011393057_li13653123819916"></a>The legacy ServiceAccount token cleaner feature is advanced to GA. It runs as part of <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b748611411213">kube-controller-manager</strong> and checks every 24 hours to see if any auto-generated legacy ServiceAccount token has not been used in a specific amount of time (one year by default, specified by <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b448681415215">--legacy-service-account-token-clean-up-period</strong>). If so, the cleaner marks those tokens as invalid and adds the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b1313225330113048">kubernetes.io/legacy-token-invalid-since</strong> label whose value is the current date. If an invalid token is not used for a specific period of time (one year by default, specified by <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b4920114518211">--legacy-service-account-token-clean-up-period</strong>), the cleaner deletes it. For details, see <a href="https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#legacy-serviceaccount-token-cleaner" target="_blank" rel="noopener noreferrer">Legacy ServiceAccount token cleaner</a>.</p>
|
||||||
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li165363811915">The minimum domain in the pod topology spread is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p117118322145"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li165363811915"></a><a name="en-us_topic_0000002011393057_li165363811915"></a>The minimum domain feature in pod topology spread is advanced to GA. This feature allows you to configure a minimum number of domains that meet specific conditions by using the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b19750111135614">minDomains</strong> field in the pod configuration. If the number of domains that match the load topology constraints exceeds the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b06211615105711">minDomains</strong> value, this field will not affect the settings. However, if the number of domains that match the load topology constraints is less than the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b28891724165810">minDomains</strong> value, the global minimum value is set to 0, which represents the minimum number of matched pods in domains that meet the conditions. To prevent pods from being scheduled when topology constraints are not met, this field must be used together with <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b20648813303">whenUnsatisfiable: DoNotSchedule</strong>. For details, see <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraint-definition" target="_blank" rel="noopener noreferrer">Spread constraint definition</a>.</p>
|
</li><li id="cce_bulletin_0095__en-us_topic_0000002011393057_li165363811915">The minimum domain in the pod topology spread is in the GA state.<p id="cce_bulletin_0095__en-us_topic_0000002011393057_p117118322145"><a name="cce_bulletin_0095__en-us_topic_0000002011393057_li165363811915"></a><a name="en-us_topic_0000002011393057_li165363811915"></a>The minimum domain feature in pod topology spread is advanced to GA. This feature allows you to configure a minimum number of domains that meet specific conditions by using the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b19750111135614">minDomains</strong> field in the pod configuration. If the number of domains that match the load topology constraints exceeds the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b06211615105711">minDomains</strong> value, this field will not affect the settings. However, if the number of domains that match the load topology constraints is less than the <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b28891724165810">minDomains</strong> value, the global minimum value is set to 0, which represents the minimum number of matched pods in domains that meet the conditions. To prevent pods from being scheduled when topology constraints are not met, this field must be used together with <strong id="cce_bulletin_0095__en-us_topic_0000002011393057_b20648813303">whenUnsatisfiable: DoNotSchedule</strong>. For details, see <a href="https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#spread-constraint-definition" target="_blank" rel="noopener noreferrer">Spread constraint definition</a>.</p>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
|
|||||||
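Review bot: the only change in this hunk is the link target for "Container resource metrics", moved from /docs/tasks/run-application/horizontal-pod-autoscale/ to /docs/concepts/workloads/autoscaling/horizontal-pod-autoscale/; the other five kubernetes.io links in the same list (Dynamic Admission Control, Pod Scheduling Readiness, Validating Admission Policy, Legacy ServiceAccount token cleaner, Spread constraint definition) are left as they were and should be checked against the same upstream reorganization before merge, since a bulletin that points readers to stale reference pages for admission control and token cleanup is worse than one that points nowhere.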
@ -124,7 +124,7 @@ spec:
|
|||||||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
||||||
sda 8:0 0 50G 0 disk
|
sda 8:0 0 50G 0 disk
|
||||||
└─sda1 8:1 0 50G 0 part /
|
└─sda1 8:1 0 50G 0 part /
|
||||||
<strong id="cce_faq_00015__cce_bestpractice_00198_b1294212664615">sdb</strong> 8:16 0 150G 0 disk # The data disk has been expanded to 150 GiB, but 50 GiB space is free.
|
<strong id="cce_faq_00015__cce_bestpractice_00198_b1294212664615">sdb</strong> 8:16 0 150G 0 disk # The data disk has been expanded to 150 GiB, but 50-GiB space is not allocated.
|
||||||
├─<strong id="cce_faq_00015__cce_bestpractice_00198_b4744112513594">vgpaas-dockersys </strong>253:0 0 90G 0 lvm /var/lib/containerd
|
├─<strong id="cce_faq_00015__cce_bestpractice_00198_b4744112513594">vgpaas-dockersys </strong>253:0 0 90G 0 lvm /var/lib/containerd
|
||||||
└─vgpaas-kubernetes 253:1 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
└─vgpaas-kubernetes 253:1 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
||||||
</li><li id="cce_faq_00015__cce_bestpractice_00198_li0198144861813">Expand the disk capacity.<p id="cce_faq_00015__cce_bestpractice_00198_p921474831812"><a name="cce_faq_00015__cce_bestpractice_00198_li0198144861813"></a><a name="cce_bestpractice_00198_li0198144861813"></a>Add the new disk capacity to the <strong id="cce_faq_00015__cce_bestpractice_00198_b847894461815">dockersys</strong> logical volume used by the container engine.</p>
|
</li><li id="cce_faq_00015__cce_bestpractice_00198_li0198144861813">Expand the disk capacity.<p id="cce_faq_00015__cce_bestpractice_00198_p921474831812"><a name="cce_faq_00015__cce_bestpractice_00198_li0198144861813"></a><a name="cce_bestpractice_00198_li0198144861813"></a>Add the new disk capacity to the <strong id="cce_faq_00015__cce_bestpractice_00198_b847894461815">dockersys</strong> logical volume used by the container engine.</p>
|
||||||
|
|||||||
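Review bot: the new comment "but 50-GiB space is not allocated" is more accurate than "is free" (the extra 50 GiB is not yet in any LVM logical volume, which is exactly what the following "Expand the disk capacity" step fixes), but the hyphenated "50-GiB space" reads awkwardly; suggest "but 50 GiB is not yet allocated to a logical volume". The sizes in the listing are consistent with that reading: vgpaas-dockersys 90G plus vgpaas-kubernetes 10G is 100G of the 150G sdb.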
@ -135,7 +135,7 @@
|
|||||||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
|
||||||
sda 8:0 0 50G 0 disk
|
sda 8:0 0 50G 0 disk
|
||||||
└─sda1 8:1 0 50G 0 part /
|
└─sda1 8:1 0 50G 0 part /
|
||||||
<strong id="cce_faq_00018__cce_bestpractice_00198_b1294212664615">sdb</strong> 8:16 0 150G 0 disk # The data disk has been expanded to 150 GiB, but 50 GiB space is free.
|
<strong id="cce_faq_00018__cce_bestpractice_00198_b1294212664615">sdb</strong> 8:16 0 150G 0 disk # The data disk has been expanded to 150 GiB, but 50-GiB space is not allocated.
|
||||||
├─<strong id="cce_faq_00018__cce_bestpractice_00198_b4744112513594">vgpaas-dockersys </strong>253:0 0 90G 0 lvm /var/lib/containerd
|
├─<strong id="cce_faq_00018__cce_bestpractice_00198_b4744112513594">vgpaas-dockersys </strong>253:0 0 90G 0 lvm /var/lib/containerd
|
||||||
└─vgpaas-kubernetes 253:1 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
└─vgpaas-kubernetes 253:1 0 10G 0 lvm /mnt/paas/kubernetes/kubelet</pre>
|
||||||
</li><li id="cce_faq_00018__cce_bestpractice_00198_li0198144861813">Expand the disk capacity.<p id="cce_faq_00018__cce_bestpractice_00198_p921474831812"><a name="cce_faq_00018__cce_bestpractice_00198_li0198144861813"></a><a name="cce_bestpractice_00198_li0198144861813"></a>Add the new disk capacity to the <strong id="cce_faq_00018__cce_bestpractice_00198_b847894461815">dockersys</strong> logical volume used by the container engine.</p>
|
</li><li id="cce_faq_00018__cce_bestpractice_00198_li0198144861813">Expand the disk capacity.<p id="cce_faq_00018__cce_bestpractice_00198_p921474831812"><a name="cce_faq_00018__cce_bestpractice_00198_li0198144861813"></a><a name="cce_bestpractice_00198_li0198144861813"></a>Add the new disk capacity to the <strong id="cce_faq_00018__cce_bestpractice_00198_b847894461815">dockersys</strong> logical volume used by the container engine.</p>
|
||||||
|
|||||||
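Review bot: this hunk is the same edit applied to the cce_faq_00018 rendering of the shared cce_bestpractice_00198 content (only the id prefix differs from the cce_faq_00015 copy), so the two copies stay in sync, which is good; whatever final wording is chosen for the comment (for example "but 50 GiB is not yet allocated to a logical volume") should be made once at the shared source so both rendered pages pick it up, rather than edited per page.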
@ -30,7 +30,7 @@
|
|||||||
</div>
|
</div>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
</div>
|
</div>
|
||||||
<div class="section" id="cce_faq_00027__en-us_topic_0089615102_s29366dd7fe2e4257bd9481f435155270"><h4 class="sectiontitle">Check Item 2: EIP Quota</h4><p id="cce_faq_00027__p687661615816"><strong id="cce_faq_00027__b1867423122">Symptom</strong></p>
|
<div class="section" id="cce_faq_00027__en-us_topic_0089615102_s29366dd7fe2e4257bd9481f435155270"><h4 class="sectiontitle">Check Item 2: EIP Quota</h4><p id="cce_faq_00027__p687661615816"><strong id="cce_faq_00027__b1132778408">Symptom</strong></p>
|
||||||
<p id="cce_faq_00027__en-us_topic_0089615102_a0d47456e1aad4d29bb57c7f8a20a9537">When a node is added, <strong id="cce_faq_00027__b0361182514583">EIP</strong> is set to <strong id="cce_faq_00027__b3801418588">Auto create</strong>. The node cannot be created, and a message indicating that EIPs are insufficient is displayed.</p>
|
<p id="cce_faq_00027__en-us_topic_0089615102_a0d47456e1aad4d29bb57c7f8a20a9537">When a node is added, <strong id="cce_faq_00027__b0361182514583">EIP</strong> is set to <strong id="cce_faq_00027__b3801418588">Auto create</strong>. The node cannot be created, and a message indicating that EIPs are insufficient is displayed.</p>
|
||||||
<p id="cce_faq_00027__p14193184013582"><strong id="cce_faq_00027__b1447762118136">Solution</strong></p>
|
<p id="cce_faq_00027__p14193184013582"><strong id="cce_faq_00027__b1447762118136">Solution</strong></p>
|
||||||
</div>
|
</div>
|
||||||
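Review bot: the only delta in this hunk is the generated id on the "Symptom" strong element (cce_faq_00027__b1867423122 to cce_faq_00027__b1132778408); no visible text changes, so this is doc-generator churn. Nothing in this page links to that id, so the change could be dropped from the commit to keep the diff reviewable, or noted in the commit message as regenerated output.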
@ -55,7 +55,7 @@
|
|||||||
<div class="section" id="cce_faq_00027__section151436672018"><h4 class="sectiontitle">Check Item 5: Private DNS Resolution</h4><p id="cce_faq_00027__p14867208172014">During node creation, software packages are downloaded from OBS via the domain name. A private DNS server must be used to resolve the OBS domain name. Therefore, the DNS server address of the subnet where the node resides must be set to a private DNS server address so that the node can access the private DNS server. By default, the private DNS server is used when you create a subnet. However, if you have modified the subnet DNS, verify that <strong id="cce_faq_00027__b11314175135011">the DNS server in use can resolve the OBS domain name</strong>. If it cannot, you will need to use the private DNS server.</p>
|
<div class="section" id="cce_faq_00027__section151436672018"><h4 class="sectiontitle">Check Item 5: Private DNS Resolution</h4><p id="cce_faq_00027__p14867208172014">During node creation, software packages are downloaded from OBS via the domain name. A private DNS server must be used to resolve the OBS domain name. Therefore, the DNS server address of the subnet where the node resides must be set to a private DNS server address so that the node can access the private DNS server. By default, the private DNS server is used when you create a subnet. However, if you have modified the subnet DNS, verify that <strong id="cce_faq_00027__b11314175135011">the DNS server in use can resolve the OBS domain name</strong>. If it cannot, you will need to use the private DNS server.</p>
|
||||||
<p id="cce_faq_00027__p54435175485">To confirm and modify the DNS of the subnet where the node resides, take the following steps:</p>
|
<p id="cce_faq_00027__p54435175485">To confirm and modify the DNS of the subnet where the node resides, take the following steps:</p>
|
||||||
<ol id="cce_faq_00027__ol768103818481"><li id="cce_faq_00027__li9293104917265"><span>Log in to the <span id="cce_faq_00027__ph688145518506">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_faq_00027__li498893095814"><span>View the node subnet.</span><p><ul id="cce_faq_00027__ul2284124345811"><li id="cce_faq_00027__li10284124315585">For the default node pool: In the navigation pane, choose <span class="uicontrol" id="cce_faq_00027__uicontrol895415120519"><b>Overview</b></span>. In the <span class="uicontrol" id="cce_faq_00027__uicontrol995491145115"><b>Networking Configuration</b></span> area, view the subnet name.<p id="cce_faq_00027__p153942523556"></p>
|
<ol id="cce_faq_00027__ol768103818481"><li id="cce_faq_00027__li9293104917265"><span>Log in to the <span id="cce_faq_00027__ph688145518506">CCE console</span> and click the cluster name to access the cluster console.</span></li><li id="cce_faq_00027__li498893095814"><span>View the node subnet.</span><p><ul id="cce_faq_00027__ul2284124345811"><li id="cce_faq_00027__li10284124315585">For the default node pool: In the navigation pane, choose <span class="uicontrol" id="cce_faq_00027__uicontrol895415120519"><b>Overview</b></span>. In the <span class="uicontrol" id="cce_faq_00027__uicontrol995491145115"><b>Networking Configuration</b></span> area, view the subnet name.<p id="cce_faq_00027__p153942523556"></p>
|
||||||
<p id="cce_faq_00027__p8342145518013"><span><img id="cce_faq_00027__image103262281714" src="en-us_image_0000002516198045.png"></span></p>
|
<p id="cce_faq_00027__p8342145518013"></p>
|
||||||
</li><li id="cce_faq_00027__li881854635910">For a custom node pool: In the navigation pane, choose <span class="uicontrol" id="cce_faq_00027__uicontrol103241555011"><b>Node Pools</b></span>. On the <span class="uicontrol" id="cce_faq_00027__uicontrol9567142913612"><b>Node Pools</b></span> tab, click the node pool name and view the subnet name. A node pool may be associated with multiple subnets.<p id="cce_faq_00027__p204161331008"></p>
|
</li><li id="cce_faq_00027__li881854635910">For a custom node pool: In the navigation pane, choose <span class="uicontrol" id="cce_faq_00027__uicontrol103241555011"><b>Node Pools</b></span>. On the <span class="uicontrol" id="cce_faq_00027__uicontrol9567142913612"><b>Node Pools</b></span> tab, click the node pool name and view the subnet name. A node pool may be associated with multiple subnets.<p id="cce_faq_00027__p204161331008"></p>
|
||||||
<p id="cce_faq_00027__p9390125191512"></p>
|
<p id="cce_faq_00027__p9390125191512"></p>
|
||||||
</li></ul>
|
</li></ul>
|
||||||
|
|||||||
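Review bot: the screenshot (the img element with src=en-us_image_0000002516198045.png) is removed from the default node pool step, but the paragraph with id cce_faq_00027__p8342145518013 is left empty, matching the already empty paragraph with id cce_faq_00027__p9390125191512 under the custom node pool step; either remove both empty paragraphs or confirm the generator depends on them. Also check that en-us_image_0000002516198045.png is deleted from the repo or is still referenced elsewhere, so the change does not leave an orphaned image file behind.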