Updated on 2024-11-12 GMT+08:00

Cluster Access

Access Mode

  • kubectl: You need to download and configure the kubectl and kubeconfig configuration files first, and then use kubectl to access a Kubernetes cluster. For details, see Connecting to a Cluster Using kubectl.
  • EIP: You can bind an EIP to the cluster API server. Then, the cluster API server can access the public network.
    • Binding an EIP to a cluster could bring the cluster potential access risks from the public network. You are advised to harden the inbound rule of port 5443 for the master node security group. For details, see How Can I Configure a Security Group Rule in a Cluster?
    • This operation will restart kube-apiserver and update the cluster access certificate (kubeconfig). Do not perform any operations on the cluster during this time.
  • Custom SAN: The Subject Alternative Name (SAN) allows multiple values (including IP addresses and domain names) to be associated with certificates. After the custom SAN is configured in the cluster access certificate, the cluster can be accessed using the domain names or IP addresses specified by the SAN. For details, see Accessing a Cluster Using a Custom Domain Name.

    This operation will restart kube-apiserver and update the cluster access certificate (kubeconfig). Do not perform any operations on the cluster during this time.

Authentication

CCE allows you to download the X509 certificate, which contains the client.key, client.crt, and ca.crt files. Keep your certificate secure.

For details about how to use a certificate to access clusters, see Accessing a Cluster Using an X.509 Certificate.

Server Request Settings

Table 1 Parameters

Item

Parameter

Description

Value

Maximum Number of Concurrent Modification API Calls

max-mutating-requests-inflight

Maximum number of concurrent modification API calls. Any requests that exceeding the specified value will be rejected by the server.

The value 0 specifies that there is no limitation on the maximum number of concurrent modification calls. This parameter is related to the cluster scale. You are advised not to change the value.

Manual configuration is no longer supported since clusters of v1.21. The value is automatically specified based on the cluster scale:

  • 200 for clusters with 50 or 200 worker nodes
  • 500 for clusters with 1000 worker nodes
  • 1000 for clusters with 2000 worker nodes

Maximum Number of Concurrent Non-Modification API Calls

max-requests-inflight

Maximum number of concurrent non-modification API calls. Any requests that exceeding the specified value will be rejected by the server.

The value 0 specifies that there is no limitation on the maximum number of concurrent non-modification calls. This parameter is related to the cluster scale. You are advised not to change the value.

Manual configuration is no longer supported since clusters of v1.21. The value is automatically specified based on the cluster scale:

  • 400 for clusters with 50 or 200 worker nodes
  • 1000 for clusters with 1000 worker nodes
  • 2000 for clusters with 2000 worker nodes

Request Timeout

request-timeout

Default request timeout interval of kube-apiserver. Exercise caution when changing the value of this parameter. Ensure that the changed value is proper to prevent frequent API timeout or other errors.

This parameter is available only in clusters of v1.19.16-r30, v1.21.10-r10, v1.23.8-r10, v1.25.3-r10, and later versions.

Default:

1m0s

Options:

Min ≥ 1s

Max ≤ 1 hour

Overload Control

support-overload

Cluster overload control. If enabled, concurrent requests will be dynamically controlled based on the resource demands received by master nodes to ensure the stable running of the master nodes and the cluster. For details, see Enabling Overload Control for a Cluster.

This parameter is available only in clusters of v1.23 or later.

NOTE:

In particular scenarios, such as request burst over a short period of time, a cluster could still be overloaded even though overload control is enabled for it. In such cases, you are advised to manage and control access to the cluster in a timely manner.

None