Help Center/ Cloud Container Engine_Autopilot/ User Guide/ Helm Chart/ API Resource Restrictions on a Template
Updated on 2024-11-08 GMT+08:00

API Resource Restrictions on a Template

Resource

Restriction Item

Description

Recommended Alternative Solution

namespaces

-

Supported

For security purposes, CCE Autopilot does not allow you to deployment workloads in the system namespace (such as kube-system). Also, you cannot create, modify, delete, or execute any resources.

nodes

-

Supported

You can query nodes but cannot create, delete, and modify nodes.

persistentvolumeclaims

-

Supported

-

persistentvolumes

-

Supported

-

pods

hostPath

Mounting a file on the local host to a pod is not allowed.

Use emptyDir or cloud storage.

HostNetwork

Mapping the host port to a pod is not allowed.

Use load balancing (type=LoadBalancer).

HostPID

Sharing the host's PID namespace to pods is not allowed.

Users are unaware of the node. Do not need to use the restriction item.

HostIPC

Container processes are not allowed to communicate with processes on the host.

Users are unaware of the node. Do not need to use the restriction item.

NodeName

Scheduling pods to specific nodes is not allowed.

Users are unaware of the node. Do not need to use the restriction item.

Privileged containers

Not supported

-

Linux capabilities

SETPCAP, MKNOD, AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, NET_BIND_SERVICE, SYS_CHROOT, SETFCAP, and SYS_PTRACE are supported.

You can also enable NET_RAW, SYS_PTRACE, and NET_ADMIN by setting SecurityContext.

Use allowed values.

Node affinity and anti-affinity

Pods cannot be scheduled to specified nodes or nodes with certain labels, or a batch of pods cannot be scheduled to nodes with certain labels.

The node affinity or the nodeSelector field does not take effect in CCE Autopilot clusters.

  • You do not need to specify a node for scheduling, but you can specify a pod to an AZ.
  • A batch of pods can be scheduled to multiple AZs.

Pod affinity and anti-affinity

Ineffective

You do not need to set this parameter.

allowPrivilegeEscalation (whether privilege escalation is allowed)

Not supported

Keep the default settings.

RuntimeClassName

This parameter does not need to be configured. When RuntimeClassName is specified by an application (except pods), the value is automatically changed to runc supported by the system.

You do not need to set this parameter.

Time zone synchronization (the /etc/localtime file on the host)

Not supported

Keep the default settings.

serviceaccounts

-

System configurations cannot be modified, and system roles cannot be bound.

Keep the default settings.

services

-

Services of the NodePort type are not allowed, and only dedicated load balancer can be used for Services.

Use load balancing (type=LoadBalancer).

daemonsets

apps

DaemonSets are not allowed.

Deploy multiple images in a pod using sidecars.

deployments

apps

Supported. The restricted fields are the same as those in pods.

Use allowed values.

replicasets

apps

Supported. The restricted fields are the same as those in pods.

Use allowed values.

statefulsets

apps

Supported. The restricted fields are the same as those in pods.

Use allowed values.

cronjobs

batch

Supported. The restricted fields are the same as those in pods.

Use allowed values.

jobs

batch

Supported. The restricted fields are the same as those in pods.

Use allowed values.

clusterrolebindings

rbac.authorization.k8s.io

Supported. The system group, system user, and cce-service group cannot be bound.

Use allowed values.

rolebindings

rbac.authorization.k8s.io

Supported. The system group, system user, and cce-service group cannot be bound.

Use allowed values.

storageclasses

storage.k8s.io

OBS and EVS storage classes cannot be created. Other functions are supported.

Use allowed values.