Configuring a Node Pool

Notes and Constraints

The default node pool DefaultPool does not support the following management operations.

Configuring Kubernetes Parameters

CCE allows you to highly customize Kubernetes parameter settings on core components in a cluster. For more information, see kubelet.

This function is supported only in clusters of v1.15 and later. It is not displayed for clusters earlier than v1.15.

  1. Log in to the CCE console.
  2. Click the cluster name and access the cluster console. Choose Nodes in the navigation pane and click the Node Pools tab on the right.
  3. Choose More > Manage next to the node pool name.
  4. On the Manage Component page on the right, change the values of the following Kubernetes parameters:

    Table 1 kubelet

    | Parameter | Description | Default Value | Remarks |
    |---|---|---|---|
    | cpu-manager-policy | CPU management policy configuration. For details, see CPU Core Binding. none: disables pods from exclusively occupying CPUs; select this value if you want a large pool of shareable CPU cores. static: enables pods to exclusively occupy CPUs; select this value if your workload is sensitive to latency in CPU cache and scheduling. | none | - |
    | kube-api-qps | Queries per second (QPS) to use while talking with kube-apiserver. | 100 | - |
    | kube-api-burst | Burst to use while talking with kube-apiserver. | 100 | - |
    | max-pods | Maximum number of pods managed by kubelet. | 40 / 20 | - |
    | pod-pids-limit | PID limit in Kubernetes. | -1 | - |
    | with-local-dns | Whether to use the local IP address as the ClusterDNS of the node. | false | - |
    | event-qps | QPS limit for event creation. | 5 | - |
    | allowed-unsafe-sysctls | Insecure system configuration allowed. Starting from v1.17.17, CCE enables pod security policies for kube-apiserver. You need to add corresponding configurations to allowedUnsafeSysctls of a pod security policy to make the policy take effect. (This configuration is not required for clusters earlier than v1.17.17.) For details, see Example of Enabling Unsafe Sysctls in Pod Security Policy. | [] | - |
    | kube-reserved-mem, system-reserved-mem | Reserved node memory. | Depends on node specifications. For details, see Formula for Calculating the Reserved Resources of a Node. | The sum of kube-reserved-mem and system-reserved-mem must be less than half of the node memory. |
    | topology-manager-policy | Set the topology management policy. Valid values: restricted: kubelet accepts only pods that achieve optimal NUMA alignment on the requested resources. best-effort: kubelet preferentially selects pods that implement NUMA alignment on CPU and device resources. none (default): the topology management policy is disabled. single-numa-node: kubelet allows only pods that are aligned to the same NUMA node in terms of CPU and device resources. | none | The values can be modified during the node pool lifecycle. NOTICE: Exercise caution when modifying topology-manager-policy and topology-manager-scope. Changing either value restarts kubelet and recalculates the resource allocation of pods based on the modified policy. As a result, running pods may restart or even fail to receive any resources. |
    | topology-manager-scope | Set the resource alignment granularity of the topology management policy. Valid values: container (default), pod. | container | Same remarks as topology-manager-policy. |
    | resolv-conf | DNS resolution configuration file specified by a container. | null | - |
    | runtime-request-timeout | Timeout interval of all runtime requests except long-running requests (pull, logs, exec, and attach). | 2m0s | - |
    | registry-pull-qps | Maximum number of image pulls per second. | 5 | The value ranges from 1 to 50. |
    | registry-burst | Maximum number of burst image pulls. | 10 | The value ranges from 1 to 100 and must be greater than or equal to the value of registry-pull-qps. |
    | serialize-image-pulls | When this function is enabled, kubelet pulls only one image at a time. | true | - |

    Table 2 kube-proxy

    | Parameter | Description | Default Value | Remarks |
    |---|---|---|---|
    | conntrack-min | sysctl -w net.nf_conntrack_max | 131072 | - |
    | conntrack-tcp-timeout-close-wait | sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close_wait | 1h0m0s | - |

    Table 3 Network components (available only for CCE Turbo clusters)

    | Parameter | Description | Default Value | Remarks |
    |---|---|---|---|
    | nic-threshold | Low threshold of the number of bound ENIs and high threshold of the number of bound ENIs, written as low:high. NOTE: This parameter is being deprecated. Use the other four dynamic ENI pre-binding parameters instead. | 0:0 | - |
    | nic-minimum-target | Minimum number of ENIs bound to a node at the node pool level. | 10 | - |
    | nic-maximum-target | Maximum number of ENIs pre-bound to a node at the node pool level. | 0 | - |
    | nic-warm-target | Number of ENIs pre-bound to a node at the node pool level. | 2 | - |
    | nic-max-above-warm-target | Number of pre-bound ENIs above nic-warm-target at which pre-bound ENIs are reclaimed, at the node pool level. | 2 | - |

    Table 4 Pod security group in a node pool (available only for CCE Turbo clusters)

    | Parameter | Description | Default Value | Remarks |
    |---|---|---|---|
    | security_groups_for_nodepool | Default security group used by pods in a node pool. You can enter the security group ID. If this parameter is not set, the default security group of the cluster container network is used. A maximum of five security group IDs can be specified at the same time, separated by semicolons (;). The priority of this security group is lower than that of the security group configured under Security Groups. | - | - |

    Table 5 Docker (available only for node pools that use Docker)

    | Parameter | Description | Default Value | Remarks |
    |---|---|---|---|
    | native-umask | `--exec-opt native.umask` | normal | Cannot be changed. |
    | docker-base-size | `--storage-opts dm.basesize` | 0 | Cannot be changed. |
    | insecure-registry | Address of an insecure image registry. | false | Cannot be changed. |
    | limitcore | Maximum size of a core file in a container, in bytes. If not specified, the value is infinity. | 5368709120 | - |
    | default-ulimit-nofile | Limit on the number of file handles in a container. | {soft}:{hard} | The value cannot exceed the value of the kernel parameter nr_open and cannot be a negative number (see the command below the table). |

    You can run the following command to obtain the kernel parameter nr_open:

    sysctl -a | grep nr_open

  5. Click OK.
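The tables above state several constraints that the console does not spell out together (value sets, the registry-burst/registry-pull-qps relation, the reserved-memory limit, the nofile bound, the five-security-group cap). The following added example, not CCE's own code, checks a proposed parameter set against those rules before it is applied; the node memory and nr_open inputs are constructed, and the memory unit is assumed to match the reserved-memory values.

```python
CPU_POLICIES = {"none", "static"}
TOPOLOGY_POLICIES = {"none", "restricted", "best-effort", "single-numa-node"}
TOPOLOGY_SCOPES = {"container", "pod"}

def validate_node_pool_params(params, node_mem, nr_open):
    """Check a dict of node pool parameters (keys named as in the tables) against
    the constraints the tables state. node_mem is the node memory in the same
    unit as the reserved-memory values; nr_open is the kernel's nr_open (both
    constructed inputs here). Returns a list of findings; empty means acceptable."""
    findings = []
    if params.get("cpu-manager-policy", "none") not in CPU_POLICIES:
        findings.append("cpu-manager-policy must be none or static")
    if params.get("topology-manager-policy", "none") not in TOPOLOGY_POLICIES:
        findings.append("topology-manager-policy: not one of the valid values")
    if params.get("topology-manager-scope", "container") not in TOPOLOGY_SCOPES:
        findings.append("topology-manager-scope must be container or pod")
    qps = int(params.get("registry-pull-qps", 5))
    burst = int(params.get("registry-burst", 10))
    if not 1 <= qps <= 50:
        findings.append("registry-pull-qps must be in 1..50")
    if not 1 <= burst <= 100 or burst < qps:
        findings.append("registry-burst must be in 1..100 and >= registry-pull-qps")
    reserved = params.get("kube-reserved-mem", 0) + params.get("system-reserved-mem", 0)
    if reserved >= node_mem / 2:
        findings.append("kube-reserved-mem + system-reserved-mem must be less than half of node memory")
    nofile = params.get("default-ulimit-nofile")
    if nofile is not None:
        try:  # the placeholder "{soft}:{hard}" or a malformed value fails here
            soft, hard = (int(x) for x in nofile.split(":"))
        except ValueError:
            findings.append("default-ulimit-nofile must be {soft}:{hard} with integer values")
        else:
            if min(soft, hard) < 0 or max(soft, hard) > nr_open:
                findings.append("default-ulimit-nofile must be non-negative and not exceed nr_open")
    groups = [g for g in params.get("security_groups_for_nodepool", "").split(";") if g]
    if len(groups) > 5:
        findings.append("security_groups_for_nodepool: at most five IDs, separated by semicolons")
    # Each sysctl listed here widens what pods may change in the node kernel; on
    # v1.17.17+ it also needs a matching PSP allowedUnsafeSysctls entry, so flag it.
    if params.get("allowed-unsafe-sysctls", []):
        findings.append("allowed-unsafe-sysctls is non-empty: review, and add PSP allowedUnsafeSysctls")
    return findings

if __name__ == "__main__":
    # Constructed sample proposal that violates three of the rules above.
    bad = {"registry-pull-qps": 20, "registry-burst": 10,
           "default-ulimit-nofile": "65536:2000000", "topology-manager-policy": "strict"}
    print(validate_node_pool_params(bad, node_mem=8192, nr_open=1048576))
```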