Help Center/ Cloud Container Engine/ User Guide (Kuala Lumpur Region)/ Node Pools/ Managing a Node Pool/ Modifying Node Pool Configurations
Updated on 2025-02-28 GMT+08:00
View PDF
Share

Modifying Node Pool Configurations

Notes and Constraints

The default node pool does not support the following management operations.

Configuration Management

CCE allows you to highly customize Kubernetes parameter settings on core components in a cluster. For more information, see kubelet.

This function is supported only in clusters of v1.15 or later. It is not displayed for versions earlier than v1.15.

  1. Log in to the CCE console.
  2. Click the cluster name to access the cluster console. Choose Nodes in the navigation pane. In the right pane, click the Node Pools tab.
  3. Locate the row containing the target node pool and choose More > Manage.
  4. On the Manage Configurations page on the right, modify node pool parameter setting.

    The following parameters can be configured for a node pool:

  5. Click OK.

kubelet

Item

Parameter

Description

Value

Modification

CPU management policy

cpu-manager-policy

CPU management policy configuration. For details, see CPU Scheduling.

  • none: disables pods from exclusively occupying CPUs. Select this value if you want a large pool of shareable CPU cores.
  • static: enables pods to exclusively occupy CPUs. Select this value if your workload is sensitive to latency in CPU cache and scheduling.

Default: none

None

QPS for requests to kube-apiserver

kube-api-qps

Number of queries per second for communication with the API server.

Default: 100

None

Burst for requests to kube-apiserver

kube-api-burst

Maximum number of burst requests sent to the API server per second.

Default: 100

None

Limit on the pods managed by kubelet

max-pods

Maximum number of pods that can run on a node.

None

Limited number of processes in a pod

pod-pids-limit

Maximum number of PIDs that can be used in each pod.

Default: -1, which indicates that the number of PIDs is not limited

None

Whether to use a local IP address as a node's ClusterDNS

with-local-dns

The default ENI IP address of the node will be automatically added to the node's kubelet configuration as the preferred DNS address.

Default: false

None

QPS limit on creating events

event-qps

Number of events that can be generated per second.

Default: 5

None

Upper Limit for Burst Events

event-burst

Upper limit for burst event creation. The number of burst events can be temporarily increased to the specified value.

Default: 10

None

Allowed unsafe sysctls

allowed-unsafe-sysctls

Insecure system configuration allowed.

Starting from v1.17.17, CCE enables pod security policies for kube-apiserver. Add corresponding configurations to allowedUnsafeSysctls of a pod security policy to make the policy take effect. (This configuration is not required for clusters earlier than v1.17.17.) For details, see Example of Enabling Unsafe Sysctls in Pod Security Policy.

Default: []

None

Node oversubscription

over-subscription-resource

Whether to enable node oversubscription.

If this parameter is set to true, node oversubscription is enabled on nodes.
  • For clusters of versions earlier than v1.23.9-r0 or v1.25.4-r0: enabled (true) by default
  • Disabled by default if the cluster version is v1.23.9-r0, v1.25.4-r0, v1.27-r0, or later

None

Hybrid deployment

colocation

Whether to enable hybrid deployment on nodes.

If this parameter is set to true, hybrid deployment is enabled on nodes.
  • For clusters of versions earlier than v1.23.9-r0 or v1.25.4-r0: enabled (true) by default
  • Disabled by default if the cluster version is v1.23.9-r0, v1.25.4-r0, v1.27-r0, or later

None

Topology management policy

topology-manager-policy

Set the topology management policy.

Valid values are as follows:

  • restricted: kubelet accepts only pods that achieve optimal NUMA alignment on the requested resources.
  • best-effort: kubelet preferentially selects pods that implement NUMA alignment on CPU and device resources.
  • none (default): The topology management policy is disabled.
  • single-numa-node: kubelet allows only pods that are aligned to the same NUMA node in terms of CPU and device resources.

Default: none
NOTICE:

Modifying topology-manager-policy and topology-manager-scope will restart kubelet, and the resource allocation of pods will be recalculated based on the modified policy. In this case, running pods may restart or even fail to receive any resources.

Topology management scope

topology-manager-scope

Configure the resource alignment granularity of the topology management policy. Valid values are as follows:

  • container (default)
  • pod

Default: container

Specified DNS configuration file

resolv-conf

DNS resolution configuration file specified by the container

Default: null

None

Timeout for all runtime requests except long-running requests

runtime-request-timeout

Timeout interval of all runtime requests except long-running requests (pull, logs, exec, and attach).

Default: 2m0s

This parameter is available only in clusters of v1.21.10-r0, v1.23.8-r0, v1.25.3-r0, or later versions.

Whether to allow kubelet to pull only one image at a time

serialize-image-pulls

Pull an image in serial mode.

  • false: recommended configuration so that an image can be pulled in parallel mode to improve pod startup.
  • true: allows images to be pulled in serial mode.
  • Enabled by default if the cluster version is earlier than v1.21.12-r0, v1.23.11-r0, v1.27.3-r0 or v1.25.6-r0
  • Disabled by default if the cluster version is v1.21.12-r0, v1.23.11-r0, v1.25.6-r0, v1.27.3-r0, or later

This parameter is available only in clusters of v1.21.10-r0, v1.23.8-r0, v1.25.3-r0, or later versions.

Image repository pull limit per second

registry-pull-qps

QPS upper limit of an image repository.

Default: 5

Value range: 1 to 50

This parameter is available only in clusters of v1.21.10-r0, v1.23.8-r0, v1.25.3-r0, or later versions.

Upper limit of burst image pull

registry-burst

Maximum number of burst image pulls.

Default: 10

The value ranges from 1 to 100 and must be greater than or equal to the value of registry-pull-qps.

This parameter is available only in clusters of v1.21.10-r0, v1.23.8-r0, v1.25.3-r0, or later versions.

Maximum Number of Container Log Files

container-log-max-files

Maximum number of container log files. When the number of existing log files exceeds this value, the earliest log file will be deleted to release space for new log files.

Default: 10

Value range: 2 to 100

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.28.4-r0, or later versions.

Maximum Container Log File Size

container-log-max-size

Maximum size of a single container log file. When the size of a log file reaches this value, the current log file will be closed and a new log file will be created to continue logging.

Default: 50

Value range: 1 to 4096

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.28.4-r0, or later versions.

Upper Limit for Image Garbage Collection

image-gc-high-threshold

When the kubelet disk usage reaches this value, kubelet starts to collect image garbage.

Default: 80

Value range: 1 to 100

To disable image garbage collection, set this parameter to 100.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.28.4-r0, or later versions.

Lower Limit for Image Garbage Collection

image-gc-low-threshold

When the disk usage reduces to this value, image garbage collection stops.

Default: 70

Value range: 1 to 100

The value of this parameter cannot be greater than the upper limit for image garbage collection.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.28.4-r0, or later versions.

Node memory reservation

system-reserved-mem

System memory reservation reserves memory resources for OS system daemons such as sshd and udev.

Default value: automatically calculated, which varies depending on node flavors. For details, see Node Resource Reservation Policy.

The sum of kube-reserved-mem and system-reserved-mem must be less than 50% of the minimum memory of nodes in the node pool.

kube-reserved-mem

Kubernetes memory reservation reserves memory resources for Kubernetes daemons such kubelet and container runtime.

Hard eviction

memory.available

Available memory on a node.

The value is fixed at 100 MiB.

For details, see Node-pressure Eviction.

NOTICE:

Exercise caution when modifying an eviction configuration item. Improper configuration may cause pods to be frequently evicted or fail to be evicted when the node is overloaded.

kubelet can identify the following specific file system identifiers:

  • nodefs: main file system of a node. It is used for local disk volumes, emptyDir volumes that are not supported by memory, and log storage. For example, nodefs contains /var/lib/kubelet/.
  • imagefs: file system partition used by a container engine.

nodefs.available

Percentage of the available capacity in the filesystem used by kubelet.

Default: 10%

Value range: 1% to 99%

nodefs.inodesFree

Percentage of available inodes in the filesystem used by kubelet.

Default: 5%

Value range: 1% to 99%

imagefs.available

Percentage of the available capacity in the filesystem used by container runtimes to store resources such as images.

Default: 10%

Value range: 1% to 99%

imagefs.inodesFree

Percentage of available inodes in the filesystem used by container runtimes to store resources such as images.

This parameter is left blank by default.

Value range: 1% to 99%

pid.available

Percentage of allocatable PIDs reserved for pods.

Default: 10%

Value range: 1% to 99%

Soft eviction

memory.available

Available memory on a node.

The value must be greater than the hard eviction value of the same parameter, and the eviction grace period (evictionSoftGracePeriod) must be configured accordingly.

This parameter is left blank by default.

Value range: 100 to 1000000

nodefs.available

Percentage of the available capacity in the filesystem used by kubelet.

The value must be greater than the hard eviction value of the same parameter, and the eviction grace period (evictionSoftGracePeriod) must be configured accordingly.

This parameter is left blank by default.

Value range: 1% to 99%

nodefs.inodesFree

Percentage of available inodes in the filesystem used by kubelet.

The value must be greater than the hard eviction value of the same parameter, and the eviction grace period (evictionSoftGracePeriod) must be configured accordingly.

This parameter is left blank by default.

Value range: 1% to 99%

imagefs.available

Percentage of the available capacity in the filesystem used by container runtimes to store resources such as images.

The value must be greater than the hard eviction value of the same parameter, and the eviction grace period (evictionSoftGracePeriod) must be configured accordingly.

This parameter is left blank by default.

Value range: 1% to 99%

imagefs.inodesFree

Percentage of available inodes in the filesystem used by container runtimes to store resources such as images.

The value must be greater than the hard eviction value of the same parameter, and the eviction grace period (evictionSoftGracePeriod) must be configured accordingly.

This parameter is left blank by default.

Value range: 1% to 99%

pid.available

Percentage of allocatable PIDs reserved for pods.

The value must be greater than the hard eviction value of the same parameter, and the eviction grace period (evictionSoftGracePeriod) must be configured accordingly.

This parameter is left blank by default.

Value range: 1% to 99%

kube-proxy

Item

Parameter

Description

Value

Modification

Maximum number of connection tracking entries

conntrack-min

Maximum number of connection tracking entries

To obtain the value, run the following command:

sysctl -w net.nf_conntrack_max

Default: 131072

None

Wait time of a closed TCP connection

conntrack-tcp-timeout-close-wait

Wait time of a closed TCP connection

To obtain the value, run the following command:

sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close_wait

Default: 1h0m0s

None

Docker (Available Only for Docker Node Pools)

Item

Parameter

Description

Value

Modification

Container umask

native-umask

The default value normal indicates that the umask value of the started container is 0022.

Default: normal

The parameter value cannot be changed.

Available data space for a single container

docker-base-size

Maximum data space that can be used by each container.

Default: 0

The parameter value cannot be changed.

Insecure image source address

insecure-registry

Whether an insecure image source address can be used.

false

The parameter value cannot be changed.

Maximum size of a container core file

limitcore

Maximum size of a core file in a container. The unit is byte.

If not specified, the value is infinity.

Default: 5368709120

None

Limit on the number of handles in a container

default-ulimit-nofile

Maximum number of handles that can be used in a container.

Default: {soft}:{hard}

The value cannot exceed the value of the kernel parameter nr_open and cannot be a negative number.

You can run the following command to obtain the kernel parameter nr_open:

sysctl -a | grep nr_open

Image pull timeout

image-pull-progress-timeout

If the image fails to be pulled before time outs, the image pull will be canceled.

Default: 1m0s

This parameter is supported in v1.25.3-r0 and later.

Maximum Number of Concurrent Requests for Downloading an Image at a Time

max-concurrent-downloads

This parameter specifies the maximum number of concurrent requests for downloading an image at a time.

Default: 3

Value range: 1 to 20

If this parameter is set to a large value, the network performance of other services on the node may be affected or the disk I/O and CPU usage may increase.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

Maximum Container Log File Size

max-size

Maximum size of a container log file to be dumped. When the size of a log file reaches this value, the current log file will be closed and a new log file will be created to continue logging.

Default: 50

Value range: 1 to 4096

If this parameter is set to a small value, important logs may be lost. If this parameter is set to a large value, too much disk space may be occupied.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

Maximum Number of Container Log Files

max-file

Maximum number of log files that can be retained in a container. When the number of existing log files exceeds this value, the earliest log file will be deleted to release space for new log files.

Default: 20

Value range: 2 to 100

If this parameter is set to a small value, important logs may be lost. If this parameter is set to a large value, too much disk space may be occupied.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

Modify Image Repository Configuration

registry-mirrors

You can configure one or multiple substitute image repositories to be selected when obtaining images from the container runtime.

Default: []

Enter an IP address or domain name starting with http:// or https:// for a substitute image repository.

For example, if you use the on-premises image repositories with IP addresses http://example.com and https://example.com, respectively, as the substitute repositories of the default repository, the parameter value is ["http://example.com,https://example.com"].
  • To speed up image pulling, you can use an on-premises image repository as a substitute.
  • To improve fault tolerance and availability, you can configure multiple substitute image repositories.
NOTICE:

If a substitute image repository is configured incorrectly, containers may not be able to pull the necessary image.

This parameter is available only in clusters of v1.23.18-r10, v1.25.16-r0, v1.27.16-r0, v1.28.13-r0, v1.29.8-r0, v1.30.4-r0, or later versions.

containerd (Available Only for containerd Node Pools)

Item

Parameter

Description

Value

Modification

Maximum size of a container core file

limitcore

Maximum size of a core file in a container. The unit is byte.

If not specified, the value is infinity.

Default: 5368709120

None

Limit on the number of handles in a container

default-ulimit-nofile

Maximum number of handles that can be used in a container.

Default: 1048576

The value cannot exceed the value of the kernel parameter nr_open and cannot be a negative number.

You can run the following command to obtain the kernel parameter nr_open:

sysctl -a | grep nr_open

Image pull timeout

image-pull-progress-timeout

If the image fails to be pulled before time outs, the image pull will be canceled.

Default: 1m0s

This parameter is supported in v1.25.3-r0 and later.

Verification on insure skips

insecure_skip_verify

Whether to skip repository certificate verification.

Default: false

The parameter value cannot be changed.

Maximum Number of Concurrent Requests for Downloading an Image at a Time

max-concurrent-downloads

This parameter specifies the maximum number of concurrent requests for downloading an image at a time.

Default: 3

Value range: 1 to 20

If this parameter is set to a large value, the network performance of other services on the node may be affected or the disk I/O and CPU usage may increase.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

Maximum Container Log Line Size

max-container-log-line-size

Maximum log line size of a container, in the unit of bytes. The log lines exceeding the limit will be split into multiple lines.

Default: 16384

Value range: 1 to 2097152

A larger value will lead to more containerd memory consumption.

This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.

Modify Image Repository Configuration

registry-mirrors

You can configure one or multiple substitute image repositories to be selected when obtaining images from the container runtime.

If you do not specify this parameter, the docker.io image repository will be used by default, and the SWR image repository will be used as a substitute.

An image repository must be an IP address or domain name. A substitute image repository must be an IP address or domain name starting with http:// or https://.
  • Add local image repositories for faster image pulling.
  • Configure multiple image repositories for higher fault tolerance and availability.

This parameter is available only in clusters of v1.23.17-r0, v1.25.12-r0, v1.27.9-r0, v1.28.7-r0, v1.29.3-r0, or later versions.

NOTICE:

If the image repository or its substitute is configured incorrectly, containers may not be able to pull the necessary image.

Certificate Authentication Skipped Image Repository

insecure-registries

When you specify image repositories, you can bypass security certificate-based authentication. This is typically done to connect to an insecure or self-signed image repository.

This parameter is left blank by default.

Enter an IP address or domain name.
  • Use this function only in development or test environments, not in production environments.
  • Enable this option only when using a self-signed certificate or when attempting to access a private image repository that cannot obtain an authorized certificate.

This parameter is available only in clusters of v1.23.17-r0, v1.25.12-r0, v1.27.9-r0, v1.28.7-r0, v1.29.3-r0, or later versions.
Parent topic: Managing a Node Pool