API Resource Restrictions on a Template
| Resource | Restriction Item | Description | Recommended Alternative Solution |
|---|---|---|---|
| namespaces | - | Supported | For security purposes, CCE Autopilot does not allow you to deploy workloads in a system namespace (such as kube-system), nor to create, modify, delete, or execute any resources in it. |
| nodes | - | Supported | You can query nodes but cannot create, delete, or modify them. |
| persistentvolumeclaims | - | Supported | - |
| persistentvolumes | - | Supported | - |
| pods | hostPath | Mounting a file on the local host into a pod is not allowed. | Use emptyDir or cloud storage. |
| | HostNetwork | Mapping a host port to a pod is not allowed. | Use load balancing (type=LoadBalancer). |
| | HostPID | Sharing the host's PID namespace with pods is not allowed. | Nodes are not visible to users, so this restriction item is not needed. |
| | HostIPC | Container processes are not allowed to communicate with processes on the host. | Nodes are not visible to users, so this restriction item is not needed. |
| | NodeName | Scheduling pods to specific nodes is not allowed. | Nodes are not visible to users, so this restriction item is not needed. |
| | Privileged containers | Not supported | - |
| | Linux capabilities | SETPCAP, MKNOD, AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, NET_BIND_SERVICE, SYS_CHROOT, SETFCAP, and SYS_PTRACE are supported. You can also enable NET_RAW, SYS_PTRACE, and NET_ADMIN by setting securityContext. | Use allowed values. |
| | Node affinity and anti-affinity | Pods cannot be scheduled to specified nodes or to nodes with certain labels, and a batch of pods cannot be scheduled to nodes with certain labels. Node affinity and the nodeSelector field do not take effect in CCE Autopilot clusters. | - |
| | Pod affinity and anti-affinity | Ineffective | You do not need to set this parameter. |
| | allowPrivilegeEscalation (whether privilege escalation is allowed) | Not supported | Keep the default settings. |
| | RuntimeClassName | This parameter does not need to be configured. When RuntimeClassName is specified by an application (except pods), the value is automatically changed to runc, which the system supports. | You do not need to set this parameter. |
| | Time zone synchronization (the /etc/localtime file on the host) | Not supported | Keep the default settings. |
| serviceaccounts | - | System configurations cannot be modified, and system roles cannot be bound. | Keep the default settings. |
| services | - | Services of the NodePort type are not allowed, and only dedicated load balancers can be used for Services. | Use load balancing (type=LoadBalancer). |
| daemonsets | apps | DaemonSets are not allowed. | Deploy multiple images in a pod using sidecars. |
| deployments | apps | Supported. The restricted fields are the same as those in pods. | Use allowed values. |
| replicasets | apps | Supported. The restricted fields are the same as those in pods. | Use allowed values. |
| statefulsets | apps | Supported. The restricted fields are the same as those in pods. | Use allowed values. |
| cronjobs | batch | Supported. The restricted fields are the same as those in pods. | Use allowed values. |
| jobs | batch | Supported. The restricted fields are the same as those in pods. | Use allowed values. |
| clusterrolebindings | rbac.authorization.k8s.io | Supported. The system group, system user, and cce-service group cannot be bound. | Use allowed values. |
| rolebindings | rbac.authorization.k8s.io | Supported. The system group, system user, and cce-service group cannot be bound. | Use allowed values. |
| storageclasses | storage.k8s.io | OBS and EVS storage classes cannot be created. Other functions are supported. | Use allowed values. |
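The following is an added example, not CCE's own admission logic: a local pre-deployment check that flags the restricted fields listed above (host namespaces, hostPath, nodeName/nodeSelector/nodeAffinity, privileged containers, allowPrivilegeEscalation, capabilities outside the allowed set, NodePort Services, DaemonSets, system namespaces) before a manifest is submitted. It assumes the manifest has already been parsed into a dict; the sample Deployment at the bottom is constructed for illustration.

```python
# Added example, not CCE's own admission logic: a local pre-deployment check for the
# restrictions in the table above, run on a manifest already parsed into a dict.
ALLOWED_CAPS = {"SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER",
                "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT",
                "SETFCAP", "SYS_PTRACE"}
OPT_IN_CAPS = {"NET_RAW", "SYS_PTRACE", "NET_ADMIN"}  # may be added via securityContext
SYSTEM_NAMESPACES = {"kube-system"}  # the table names kube-system as the example

def pod_spec(manifest):
    """Return the pod spec of a Pod, or the template spec of a workload; {} if none."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}

def check_manifest(manifest):
    """Return a list of findings; an empty list means no restricted field is used."""
    findings, kind = [], manifest.get("kind")
    ns = (manifest.get("metadata") or {}).get("namespace", "default")
    if ns in SYSTEM_NAMESPACES:
        findings.append(f"namespace {ns}: workloads cannot be deployed in system namespaces")
    if kind == "DaemonSet":
        findings.append("DaemonSet: not allowed; run extra images as sidecars in one pod")
    if kind == "Service" and (manifest.get("spec") or {}).get("type") == "NodePort":
        findings.append("Service type NodePort: not allowed; use type LoadBalancer")
    spec = pod_spec(manifest)
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{field}: sharing the host namespace is not allowed")
    if spec.get("nodeName") or spec.get("nodeSelector") or (spec.get("affinity") or {}).get("nodeAffinity"):
        findings.append("nodeName/nodeSelector/nodeAffinity: node scheduling fields have no effect")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')}: hostPath not allowed; use emptyDir or cloud storage")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c.get('name')}: privileged containers are not supported")
        if sc.get("allowPrivilegeEscalation"):
            findings.append(f"container {c.get('name')}: allowPrivilegeEscalation is not supported")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap.upper() not in ALLOWED_CAPS | OPT_IN_CAPS:
                findings.append(f"container {c.get('name')}: capability {cap} is not allowed")
    return findings

# Constructed sample: a Deployment that trips several of the restrictions above.
SAMPLE = {"kind": "Deployment", "metadata": {"namespace": "kube-system"}, "spec": {"template": {
    "spec": {"hostNetwork": True, "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
             "containers": [{"name": "app", "securityContext": {"privileged": True,
                             "capabilities": {"add": ["NET_RAW", "SYS_ADMIN"]}}}]}}}}
```

Running `check_manifest(SAMPLE)` yields five findings (system namespace, hostNetwork, the hostPath volume, the privileged container, and SYS_ADMIN), while NET_RAW passes because the table lists it as enableable through securityContext.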