API Resource Restrictions on a Template

Updated on 2025-01-03 GMT+08:00

View PDF

Resource	Restriction Item	Description	Recommended Alternative Solution
namespaces	-	Supported	For security purposes, CCE Autopilot does not allow you to deployment workloads in the system namespace (such as kube-system). Also, you cannot create, modify, delete, or execute any resources.
nodes	-	Supported	You can query nodes but cannot create, delete, and modify nodes.
persistentvolumeclaims	-	Supported	-
persistentvolumes	-	Supported	-
pods	hostPath	Mounting a file on the local host to a pod is not allowed.	Use emptyDir or cloud storage.
	HostNetwork	Mapping the host port to a pod is not allowed.	Use load balancing (type=LoadBalancer).
	HostPID	Sharing the host's PID namespace to pods is not allowed.	Users are unaware of the node. There is no need to use the restriction item.
	HostIPC	Container processes are not allowed to communicate with processes on the host.	Users are unaware of the node. There is no need to use the restriction item.
	NodeName	Scheduling pods to specific nodes is not allowed.	Users are unaware of the node. There is no need to use the restriction item.
	Privileged containers	Not supported	-
	Linux capabilities	SETPCAP, MKNOD, AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, NET_BIND_SERVICE, SYS_CHROOT, SETFCAP, and SYS_PTRACE are supported. You can also enable NET_RAW, SYS_PTRACE, and NET_ADMIN by setting SecurityContext.	Use allowed values.
	Node affinity and anti-affinity	Pods cannot be scheduled to specified nodes or nodes with certain labels, or a batch of pods cannot be scheduled to nodes with certain labels. The node affinity or the nodeSelector field does not take effect in CCE Autopilot clusters.	You do not need to specify a node for scheduling, but you can specify a pod to an AZ. A batch of pods can be scheduled to multiple AZs.
	Pod affinity and anti-affinity	Ineffective	You do not need to set this parameter.
	allowPrivilegeEscalation (whether privilege escalation is allowed)	Not supported	Keep the default settings.
	RuntimeClassName	This parameter does not need to be configured. When RuntimeClassName is specified by an application (except pods), the value is automatically changed to runc supported by the system.	You do not need to set this parameter.
	Time zone synchronization (the /etc/localtime file on the host)	Not supported	Keep the default settings.
serviceaccounts	-	System configurations cannot be modified, and system-defined roles cannot be bound.	Keep the default settings.
services	-	Services of the NodePort type are not allowed, and only dedicated load balancer can be used for Services.	Use load balancing (type=LoadBalancer).
daemonsets	apps	DaemonSets are not allowed.	Deploy multiple images in a pod using sidecars.
deployments	apps	Supported. The restricted fields are the same as those in pods.	Use allowed values.
replicasets	apps	Supported. The restricted fields are the same as those in pods.	Use allowed values.
statefulsets	apps	Supported. The restricted fields are the same as those in pods.	Use allowed values.
cronjobs	batch	Supported. The restricted fields are the same as those in pods.	Use allowed values.
jobs	batch	Supported. The restricted fields are the same as those in pods.	Use allowed values.
clusterrolebindings	rbac.authorization.k8s.io	Supported. The system group, system user, and cce-service group cannot be bound.	Use allowed values.
rolebindings	rbac.authorization.k8s.io	Supported. The system group, system user, and cce-service group cannot be bound.	Use allowed values.
storageclasses	storage.k8s.io	OBS and EVS storage classes cannot be created. Other functions are supported.	Use allowed values.