Modifying Cluster Configurations
Cluster configuration parameters are underlying rules that define node behavior, resource allocation, communication rules, and scaling policies in a distributed system. They affect the cluster's performance, stability, scalability, and fault tolerance. You can customize the core components of a CCE cluster by adjusting these parameter settings. The following table lists cluster configuration parameters that you can adjust as needed.
Category |
Description |
---|---|
Control resource scheduling, manage requests, ensure security, and toggle feature statuses to maintain efficient cluster operation and proper resource allocation. Modifying kube-apiserver parameters will restart the cluster and terminate existing persistent connections. Exercise caution when performing this operation. |
|
Manage and optimize resource scheduling, request control, and GPU resource allocation in clusters. You can dynamically adjust scheduling policies based on cluster loads and resource requirements to ensure efficient cluster running and maximize resource utilization. |
|
Control the behavior and synchronization frequency of different controllers in a cluster to optimize cluster resource management and task scheduling. |
|
Network component configurations (supported only by CCE clusters using VPC networks) |
Specify the IP address range that does not require SNAT. This avoids unnecessary SNAT and optimizes network performance. |
Extended controller configurations (supported only by clusters of v1.21 or later) |
Restrict the resource usage in the namespace to ensure fair and reasonable resource allocation. |
Modifying Cluster Configuration Parameters
- Log in to the CCE console. In the navigation pane, choose Clusters.
- Locate the target cluster, click ... to view more operations on the cluster, and choose Manage. This function allows you to modify parameter settings of Kubernetes native components and proprietary components.
- In the Manage Component window, modify the Kubernetes parameter values based on service requirements. For details about the parameters, see Cluster Configuration Parameters.
You can modify the CCE cluster configuration parameters using an API. For details, see API Reference. For details about how to call an API, see Making an API Request.
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/master/configuration
Parameter |
Description |
---|---|
project_id |
Project ID. For details about how to obtain the project ID, see How to Obtain Parameters in the API URI. |
cluster_id |
Cluster ID. For details about how to obtain the cluster ID, see How to Obtain Parameters in the API URI. |
The request body is as follows:
{ "kind" : "Configuration", "apiVersion" : "v3", "metadata" : { "name" : "configuration" }, "spec" : { "packages" : [ { "name" : "kube-apiserver", "configurations" : [ { "name" : "default-not-ready-toleration-seconds", "value" : 300 }, { "name" : "default-unreachable-toleration-seconds", "value" : 300 } ] } ] } }
In the preceding example, the configuration parameters of the cluster server (kube-apiserver) are modified as follows:
- Toleration time for nodes in NotReady state during container migration (default-not-ready-toleration-seconds): 300
- Toleration time for nodes in unreachable state during container migration (default-not-ready-toleration-seconds): 300
Cluster Configuration Parameters
Item |
Parameter |
Description |
Value |
Configuration Method |
---|---|---|---|---|
Toleration time for nodes in NotReady state |
default-not-ready-toleration-seconds |
Tolerance time during which containers can continue running before being automatically evicted if their node becomes unavailable. This setting applies to all containers by default. In a CCE cluster, you can configure separate tolerance policies for different pods for refined management. For details, see Configuring Tolerance Policies. Configuration suggestion: Unless otherwise specified, retain the default settings. Potential risks: If the specified tolerance time is too short, pods may be frequently migrated due to transient issues like network jitter. If the specified tolerance time is too long, services may remain interrupted for an extended period after a node failure. |
Default: 300s |
Console/API |
Toleration time for nodes in unreachable state |
default-unreachable-toleration-seconds |
Tolerance time during which containers can continue running before being automatically evicted if their node cannot be accessed. This setting applies to all containers by default. In a CCE cluster, you can configure separate tolerance policies for different pods for refined management. For details, see Configuring Tolerance Policies. Configuration suggestion: Unless otherwise specified, retain the default settings. Potential risks: If the specified tolerance time is too short, pods may be frequently migrated due to transient issues like network jitter. If the specified tolerance time is too long, services may remain interrupted for an extended period after a node failure. |
Default: 300s |
Console/API |
Maximum number of concurrent modification API calls |
max-mutating-requests-inflight |
Maximum number of concurrent mutating requests. Any requests exceeding the specified value will be rejected. Value 0 indicates that there is no limit on the maximum number of concurrent mutating requests. Configuration suggestion: Retain the default setting. Potential risks: Increasing the value of this parameter may cause overload. |
Manual configuration is no longer supported since cluster v1.21. The value is automatically specified based on the cluster scale.
|
Console/API |
Maximum number of concurrent non-modification API calls |
max-requests-inflight |
Maximum number of concurrent non-mutating requests. Any requests exceeding the specified value will be rejected. Value 0 indicates that there is no limit on the maximum number of concurrent non-mutating requests. Configuration suggestion: Retain the default setting. Potential risks: Increasing the value of this parameter may cause overload. |
Manual configuration is no longer supported since cluster v1.21. The value is automatically specified based on the cluster scale.
|
Console/API |
NodePort port range |
service-node-port-range |
Port range for a NodePort Service. After changing the value, go to the security group page and change the TCP/UDP port range of node security groups 30000 to 32767. Otherwise, ports other than the default port cannot be accessed externally. Configuration suggestion: Retain the default setting. Potential risks: If the port number is smaller than 20106, a conflict may occur between the port and the CCE health check port, which may further lead to unavailable cluster. If the port number is greater than 32767, a conflict may occur between the port and the ports in net.ipv4.ip_local_port_range, which may further affect the network performance. |
Default: 30000 to 32767 Value range: Min > 20105 Max < 32768 |
Console/API |
Request timeout |
request-timeout |
Request timeout of the kube-apiserver component. Configuration suggestion: Retain the default setting to prevent frequent API timeouts and other exceptions. Applicable cluster version: This parameter is available only in clusters of v1.19.16-r30, v1.21.10-r10, v1.23.8-r10, v1.25.3-r10, or later. |
Default: 1m0s Value range: Min ≥ 1s Max ≤ 1 hour |
Console/API |
Overload control |
support-overload |
Cluster overload control. After this function is enabled, CCE will dynamically adjust concurrent requests based on the resource demands received by master nodes to ensure the stability and reliability of the master nodes and the cluster. Configuration suggestion: Enable this function. In scenarios like short-term request bursts, a cluster may still become overloaded even with overload control enabled. In such cases, you are advised to manage and control access to the cluster promptly. Applicable cluster version: This parameter is available only in clusters of v1.23 or later. |
|
Console/API |
Node restriction add-on |
enable-admission-plugin-node-restriction |
Restrict kubelet to modify only the pods on its own node. This prevents unauthorized operations and enhances isolation in high-security or multi-tenant scenarios. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: true |
Console/API |
Pod node selector add-on |
enable-admission-plugin-pod-node-selector |
Allow cluster administrators to configure default node selectors through namespace annotations. In this way, pods run only on specific nodes and configurations are simplified. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: true |
Console/API |
Pod toleration limit add-on |
enable-admission-plugin-pod-toleration-restriction |
Allow cluster administrators to configure default pod toleration values and limits through namespaces. This enables fine-grained control over pod scheduling and protects key resources. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: false |
Console/API |
API audiences |
api-audiences |
Specify the audiences associated with a ServiceAccount token in service account token volume projection. For details, see the official document. Configuration suggestion: Retain the default setting. To ensure the proper running of the original service account authentication, add audiences instead of deleting existing ones when configuring this parameter. Potential risks: Deleting the original configuration that is still in use or setting it to an incorrect URL may result in a service account authentication failure. Applicable cluster version: This parameter is available only in clusters of v1.23.16-r0, v1.25.11-r0, v1.27.8-r0, v1.28.6-r0, v1.29.2-r0, or later. |
Default value: "https://kubernetes.default.svc.cluster.local" Multiple values can be configured, which are separated by commas (,). |
Console/API |
Service account token issuer identity |
service-account-issuer |
Entity identifier for issuing a service account token, which is the value identified by the iss field in the payload of the service account token. Configuration suggestion: Ensure the configured issuer URL can be accessed in the cluster and trusted by the authentication system in the cluster. Potential risks: If your specified issuer URL is untrusted or inaccessible, the authentication process based on the service account may fail. Applicable cluster version: This parameter is available only in clusters of v1.23.16-r0, v1.25.11-r0, v1.27.8-r0, v1.28.6-r0, v1.29.2-r0, or later. |
Default value: "https://kubernetes.default.svc.cluster.local" Multiple values can be configured, which are separated by commas (,). |
Console/API |
Item |
Parameter |
Description |
Value |
Configuration Method |
---|---|---|---|---|
Default scheduler |
default-scheduler |
Select different schedulers as needed.
|
Default: kube-scheduler |
Console/API |
QPS for communicating with kube-apiserver |
kube-api-qps |
QPS for communicating with kube-apiserver. |
|
Console/API |
Burst for communicating with kube-apiserver |
kube-api-burst |
Burst QPS for communicating with kube-apiserver. |
|
Console/API |
Whether to enable GPU sharing |
enable-gpu-share |
Determine whether to enable GPU sharing as needed.
Applicable cluster version: This parameter is available only in clusters of v1.23.7-r10, v1.25.3-r0, or later. |
Default: true |
Console/API |
Item |
Parameter |
Description |
Value |
Configuration Method |
---|---|---|---|---|
Deployment |
concurrent-deployment-syncs |
Number of deployment objects that are allowed to sync concurrently |
Default: 5 |
Console/API |
Endpoint |
concurrent-endpoint-syncs |
Number of service endpoint syncing operations that will be done concurrently |
Default: 5 |
Console/API |
Concurrent number of garbage collector workers |
concurrent-gc-syncs |
Number of garbage collector workers that can be synchronized concurrently |
Default: 20 |
Console/API |
Job |
concurrent-job-syncs |
Number of job objects that can be synchronized concurrently |
Default: 5 |
Console/API |
CronJob |
concurrent-cron-job-syncs |
Number of scheduled jobs that can be synchronized concurrently |
Default: 5 |
Console/API |
Namespace |
concurrent-namespace-syncs |
Number of namespace objects that can be synchronized concurrently |
Default: 10 |
Console/API |
ReplicaSet |
concurrent-replicaset-syncs |
Number of replica sets that can be synchronized concurrently |
Default: 5 |
Console/API |
ResourceQuota |
concurrent-resource-quota-syncs |
Number of resource quotas that can be synchronized concurrently |
Default: 5 |
Console/API |
Service |
concurrent-service-syncs |
Number of services that can be synchronized concurrently |
Default: 10 |
Console/API |
ServiceAccountToken |
concurrent-serviceaccount-token-syncs |
Number of service account token objects that can be synchronized concurrently |
Default: 5 |
Console/API |
TTLAfterFinished |
concurrent-ttl-after-finished-syncs |
Number of ttl-after-finished workers that can be synchronized concurrently |
Default: 5 |
Console/API |
RC |
concurrent_rc_syncs (used in clusters of v1.19 or earlier) concurrent-rc-syncs (used in clusters of v1.21 through v1.25.3-r0) |
Number of replication controllers that can be synchronized concurrently This parameter is deprecated in clusters of v1.25.3-r0 and later versions. |
Default: 5 |
Console/API |
Number of HPA concurrent requests |
concurrent-horizontal-pod-autoscaler-syncs |
Number of HPA auto scaling requests that can be concurrently processed |
Default 1 for clusters earlier than v1.27 and 5 for clusters of v1.27 or later Value range: 1 to 50 |
Console/API |
HPA synchronization period |
horizontal-pod-autoscaler-sync-period |
Period for the horizontal pod autoscaler to perform auto scaling on pods. A smaller value will result in a faster auto scaling response and higher CPU load. Configuration suggestion: Retain the default setting. Potential risks: A lengthy period can cause the controller to respond slowly, while a short period may overload the cluster control plane. |
Default: 15s |
Console/API |
HPA tolerance |
horizontal-pod-autoscaler-tolerance |
The configuration determines how quickly HPA will act to auto scaling policies. If the parameter is set to 0, auto scaling will be triggered immediately when the related metrics are met. Configuration suggestion: Configure this parameter based on service resource usage. If the service resource usage increases sharply over time, configure a tolerance to prevent unexpected auto scaling in short-term high-resource usage scenarios. |
Default: 0.1 |
Console/API |
HPA CPU initialization period |
horizontal-pod-autoscaler-cpu-initialization-period |
The built-in delay of the HPA for collecting CPU usage after pods start. You can use this parameter to filter out unstable CPU usage data during the early stage of pod startup. This helps prevent incorrect scaling decisions based on momentary peak values. Configuration suggestion: If HPA makes an incorrect scaling decision due to fluctuating CPU usage during pod startup, increase the value of this parameter. Potential risks: A small parameter value may trigger unnecessary scaling based on peak CPU usage, while a large value may cause delayed scaling. Applicable cluster version: This parameter is available only in clusters of v1.23.16-r0, v1.25.11-r0, v1.27.8-r0, v1.28.6-r0, v1.29.2-r0, or later. |
Default: 5 minutes |
Console/API |
HPA initial readiness delay |
horizontal-pod-autoscaler-initial-readiness-delay |
The waiting time before the HPA starts automatic scaling based on pod readiness. Configuration suggestion: To prevent HPA misjudgment caused by pod readiness fluctuations after startup, increase the value of this parameter. Potential risks: If this parameter is set to a small value, an unnecessary scale-out may occur due to CPU data fluctuations when the pod is just ready. If it is set to a large value, the HPA may not respond quickly enough in situations requiring rapid scaling. Applicable cluster version: This parameter is available only in clusters of v1.23.16-r0, v1.25.11-r0, v1.27.8-r0, v1.28.6-r0, v1.29.2-r0, or later. |
Default: 30s |
Console/API |
QPS for communicating with kube-apiserver |
kube-api-qps |
QPS for communicating with kube-apiserver |
|
Console/API |
Burst for communicating with kube-apiserver |
kube-api-burst |
Burst QPS for communicating with kube-apiserver. |
|
Console/API |
Maximum number of terminated pods that can be kept before the Pod GC deletes the terminated pod |
terminated-pod-gc-threshold |
Number of terminated pods that can exist in a cluster. When the number of terminated pods exceeds the expected threshold, the excess terminated pods will be automatically deleted. If this parameter is set to 0, all terminated pods will be retained. |
Default: 1000 Value range: 10 to 12500 If the cluster version is v1.21.11-r40, v1.23.8-r0, v1.25.6-r0, v1.27.3-r0, or later, the value range is changed to 0 to 100000. |
Console/API |
Unhealthy AZ threshold |
unhealthy-zone-threshold |
If the number of not-ready nodes exceeds the specified threshold in a given AZ, that AZ will be marked as unhealthy. In such unhealthy AZs, the frequency of service migration for faulty nodes will be reduced to prevent further negative impacts caused by large-scale migrations during major fault scenarios. Configuration suggestion: Retain the default setting. Potential risks: If the parameter is set to a large value, pods in unhealthy AZs will be migrated in a large scale, which can lead to risks such as overloading the cluster. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: 0.55 Value range: 0 to 1 |
Console/API |
Node eviction rate |
node-eviction-rate |
The maximum number of pods that can be evicted per second when a node is faulty in a healthy AZ. The default value is 0.1, indicating that pods from at most one node can be evicted every 10 seconds. Configuration suggestion: Ensure that the number of pods migrated in each batch does not exceed 300. If the parameter is set to a large value, the cluster may be overloaded. Additionally, if too many pods are evicted, they cannot be rescheduled, which will slow down fault recovery. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: 0.1 |
Console/API |
Secondary node eviction rate |
secondary-node-eviction-rate |
The maximum number of pods that can be evicted per second when a node is faulty in an unhealthy AZ. The default value is 0.01, indicating that pods from at most one node can be evicted every 100 seconds. Configuration suggestion: Configure this parameter to be one-tenth of node-eviction-rate. Potential risks: For nodes in an unhealthy AZ, there is no need to set this parameter to a large value. Doing so may result in overloaded clusters. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: 0.01 |
Console/API |
Large cluster threshold |
large-cluster-size-threshold |
The criterion for determining whether a cluster is a large-scale cluster. If the number of nodes in a cluster exceeds the value of this parameter, the cluster is considered a large-scale cluster. Configuration suggestion: For the clusters with a large number of nodes, configure a relatively larger value than the default one for higher performance and faster responses of controllers. Retain the default value for small clusters. Before adjusting the value of this parameter in a production environment, check the impact of the change on cluster performance in a test environment. Potential risks: In a large-scale cluster, kube-controller-manager adjusts specific configurations to optimize the performance of the cluster. Setting an excessively small threshold for small clusters will deteriorate the cluster performance. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: 50 |
Console/API |
Item |
Parameter |
Description |
Value |
Configuration Method |
---|---|---|---|---|
Retaining the non-masqueraded CIDR block of the original pod IP address |
nonMasqueradeCIDRs |
In a CCE cluster using the VPC network model, if a container in the cluster needs to access externally, the source pod IP address must be masqueraded as the IP address of the node where the pod resides through SNAT. After the configuration, the node will not perform SNAT on IP addresses within the specified CIDR block by default. By default, nodes in a cluster do not perform SNAT on packets destined for the private CIDR blocks 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. Instead, these packets are directly transferred using the upper-layer VPC. These three CIDR blocks are considered internal networks within the cluster and are reachable at Layer 3 by default. Applicable cluster version: This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. |
Default: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16
NOTE:
To enable cross-node pod access, the CIDR block of the node where the target pod runs must be added. Similarly, to enable cross-ECS pod access in a VPC, the CIDR block of the ECS where the target pod runs must be added. |
Console/API |
Item |
Parameter |
Description |
Value |
Configuration Method |
---|---|---|---|---|
Whether to enable resource quota management |
enable-resource-quota |
Determine whether to automatically create a ResourceQuota when creating a namespace. With quota management, you can control the number of workloads of each type and the upper limits of resources in a namespace or related dimensions.
Configuration suggestion: In high-concurrency scenarios (for example, batch creation of pods), resource quota management may cause some requests to fail due to conflicts. This function should not be enabled unless necessary. If you enable it, ensure that the request client has a retry mechanism. |
Default: false |
Console/API |
References
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.