Cross-service operation constraints


Enterprise Distributed Application Service (EDAS) manages resources across Elastic Compute Service (ECS), Container Service for Kubernetes (ACK), Server Load Balancer (SLB), and Container Registry (ACR). Modifying these managed resources outside of EDAS can break application deployment, scaling, and monitoring.

Governing principle: Only modify EDAS-managed resources through the EDAS console. Changes made through other consoles, kubectl, or third-party tools may not persist and can cause unexpected failures.

How to identify EDAS-managed resources: In Kubernetes clusters, resources created by EDAS carry the edas-domain label (typically edas-domain: edas-admin). Do not modify or delete any resource with this label.

Constraint overview

| Cluster type | Resource | Key constraint |
| --- | --- | --- |
| ECS | ECS instances (scale-out) | Do not delete the ESS label on instances purchased by EDAS |
| ECS | System configuration | Do not delete the admin user, critical processes, or crontab entries |
| ECS | Security group | Do not delete or modify security rules created by EDAS |
| ECS | SLB | Do not disable session persistence for HTTP listeners |
| Kubernetes | ACR | Configure aliyun-acr-credential-helper for cross-account or cross-region image access |
| Kubernetes | Security group | Do not delete default ACK security group rules |
| Kubernetes | Nodes | Reserve enough CPU, memory, and Pods for EDAS management components |
| Kubernetes | API Server SLB | Do not block 100.104.0.0/16 or reuse port 6443 |
| Kubernetes | Helm charts | Do not uninstall EDAS-deployed charts or install conflicting open source components |
| Kubernetes | RBAC | Do not modify EDAS ClusterRoles or ClusterRoleBindings |
| Kubernetes | CRDs and CRs | Do not directly manage EDAS-owned CRDs or CRs |
| Kubernetes | Ingress, ConfigMap, Secret | Do not modify resources with the edas-domain label |
| Kubernetes | SLB binding | Do not modify Service resources or SLB instances purchased by EDAS |
| Kubernetes | Deployment YAML | Specific fields, labels, and environment variables are reserved; some modifications are allowed |
| Kubernetes | HPA | Configure auto scaling only through the EDAS console |

ECS cluster constraints

ECS instances purchased during scale-out

Do not delete the ESS label on ECS instances that EDAS purchases during a scale-out. Removing this label prevents EDAS from tracking and managing the instance lifecycle.

System configuration

After you create an application and log on to an ECS instance, follow these rules to keep EDAS agents and system services running:

  • Do not delete the admin user.

  • Do not delete the /home/admin configuration.

  • Do not stop the following processes:

    • /home/staragent/bin/staragentd

    • com.alibaba.edas.agent.AgentDaemon

  • Do not delete the following crontab entries:

    • bash /home/admin/edas-agent/bin/monitor.sh in the crontab of the root user

    • bash /home/admin/edas-agent/bin/rotator.sh in the crontab of the admin user

  • Reserve enough free space in the root disk partition.

  • If you use CentOS, make sure that yum repositories are configured correctly.

  • If the ECS instance has multiple network interface controllers (NICs), for example when Docker is installed, and the application uses the High-Speed Service Framework (HSF), specify the -Dhsf.server.ip parameter so that the application registers the intended IP address. For more information, see Set JVM -D startup parameters.

  • Keep the system clock accurate within 15 seconds. A larger drift disrupts communication with the EDAS registry.

    • If you use an ECS advanced security group, enable UDP port 123 for outbound traffic so that Network Time Protocol (NTP) can synchronize the clock.
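The checks in the list above are easy to script as a configuration-drift audit. The following Python function is an added example, not EDAS tooling: it takes snapshots an operator would collect on the instance (the output of `ps -eo user,args`, the root and admin crontabs, `/etc/passwd`, the NTP offset, and free space on the root partition) and returns every constraint that does not hold. All inputs are constructed samples, and the 2 GiB free-space threshold is an assumption, since the page only says "enough".

```python
# Added example: drift audit for the EDAS ECS-instance rules listed on this page.
REQUIRED_PROCESSES = ("/home/staragent/bin/staragentd", "com.alibaba.edas.agent.AgentDaemon")
REQUIRED_CRONTAB = {                      # user -> command that must appear in that user's crontab
    "root": "bash /home/admin/edas-agent/bin/monitor.sh",
    "admin": "bash /home/admin/edas-agent/bin/rotator.sh",
}
MAX_CLOCK_DRIFT_SECONDS = 15              # limit stated for communication with the EDAS registry
MIN_ROOT_FREE_GIB = 2.0                   # assumed threshold; the page only says "enough free space"


def audit_ecs_instance(ps_output, crontabs, passwd_output, clock_offset_seconds, root_free_gib):
    """Return a list of findings; an empty list means every checked constraint holds."""
    findings = []
    # The admin user must exist (first field of each /etc/passwd line).
    users = {line.split(":")[0] for line in passwd_output.splitlines() if line.strip()}
    if "admin" not in users:
        findings.append("admin user missing")
    # Processes: skip the header line, match on the command column (everything after the user).
    commands = [line.split(None, 1)[1] for line in ps_output.splitlines()[1:] if line.strip()]
    for proc in REQUIRED_PROCESSES:
        if not any(proc in cmd for cmd in commands):
            findings.append(f"process not running: {proc}")
    # Crontab: commented-out entries do not count as present.
    for user, needle in REQUIRED_CRONTAB.items():
        active = [l for l in crontabs.get(user, "").splitlines()
                  if l.strip() and not l.lstrip().startswith("#")]
        if not any(needle in l for l in active):
            findings.append(f"crontab entry missing for {user}: {needle}")
    if abs(clock_offset_seconds) > MAX_CLOCK_DRIFT_SECONDS:
        findings.append(f"clock drift {clock_offset_seconds:+.1f}s exceeds {MAX_CLOCK_DRIFT_SECONDS}s")
    if root_free_gib < MIN_ROOT_FREE_GIB:
        findings.append(f"root partition free space {root_free_gib:.1f} GiB below {MIN_ROOT_FREE_GIB} GiB")
    return findings


# Constructed snapshots of a healthy instance.
PS_OK = """USER     COMMAND
root     /home/staragent/bin/staragentd
admin    /usr/bin/java -cp /home/admin/edas-agent/lib/* com.alibaba.edas.agent.AgentDaemon
admin    /usr/bin/java -jar /home/admin/app/app.jar
"""
CRONTABS_OK = {
    "root": "* * * * * bash /home/admin/edas-agent/bin/monitor.sh > /dev/null 2>&1\n",
    "admin": "0 * * * * bash /home/admin/edas-agent/bin/rotator.sh\n",
}
PASSWD_OK = "root:x:0:0:root:/root:/bin/bash\nadmin:x:500:500::/home/admin:/bin/bash\n"

# Constructed snapshots of an instance where someone removed the agent, the user and the cron jobs.
PS_DRIFTED = """USER     COMMAND
admin    /usr/bin/java -jar /home/admin/app/app.jar
"""
CRONTABS_DRIFTED = {"root": "# * * * * * bash /home/admin/edas-agent/bin/monitor.sh\n", "admin": ""}
PASSWD_DRIFTED = "root:x:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    print(audit_ecs_instance(PS_OK, CRONTABS_OK, PASSWD_OK, 3.0, 20.0))
    for finding in audit_ecs_instance(PS_DRIFTED, CRONTABS_DRIFTED, PASSWD_DRIFTED, 40.0, 0.5):
        print("DRIFT:", finding)
```

Run it from cron or a configuration-management agent and alert on a non-empty result; the same inputs can be collected over SSH from a bastion without installing anything on the instance.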

Security group

Do not delete or modify security rules that EDAS creates. Removing these rules can block communication between EDAS and your application instances.

SLB

Do not disable session persistence on HTTP listeners that EDAS enables. Disabling session persistence can cause routing issues for your applications.

Kubernetes cluster constraints

ACR image access

To pull images from ACR across accounts or across regions, complete both of the following steps:

  1. Configure the aliyun-acr-credential-helper component.

  2. Add the virtual private cloud (VPC) of the cluster to the access control list (ACL) of the target repository.

Importing a Kubernetes cluster

Security group

Do not delete the default security group rules that ACK creates for the cluster.

Node configuration

  • Reserve enough CPU, memory, and Pods for the EDAS management components to run in the cluster.

  • Do not delete the KubernetesWorkerRole-* RAM role that ACK assigns to nodes.

SLB for API Server

  • Do not block access requests from the 100.104.0.0/16 internal address range.

  • Do not delete the built-in labels that ACK adds to the SLB instance.

  • Do not reuse port 6443 on the SLB instance. This port is reserved for the API Server.

Helm charts

  • Do not uninstall the following Helm charts installed by EDAS, or delete any resources they manage:

    • ahas-sentinel-pilot

    • arms-eventer

    • arms-pilot

    • arms-prom

  • Do not install the open source versions of oam-runtime, kubevela, keda, or flagger. These conflict with the versions that EDAS manages and can cause deployment failures.

  • Do not delete or modify any Kubernetes resources in the edas-oam-system namespace.

ClusterRole

Do not use the ACK console, kubectl, or third-party tools to delete or modify edas-default-cluster-role.

ClusterRoleBinding

Do not use the ACK console, kubectl, or third-party tools to delete or modify the following ClusterRoleBindings:

  • edas-default-cluster-role-binding

  • edas-oam-cluster-role-binding

  • keda-hpa-controller-external-metrics

Custom resource definitions (CRDs) and custom resources (CRs)

Do not directly manage the following CRDs or CRs. EDAS owns their lifecycle, and manual changes are overwritten during application updates:

  • alertproviders.flagger.app

  • applicationconfigurations.core.oam.dev

  • applications.oam-domain.alibabacloud.com

  • applicationscopes.core.oam.dev

  • autoscalings.edas.aliyun.oam.com

  • basecomponents.oam-domain.alibabacloud.com

  • canaries.flagger.app

  • componentschematics.core.oam.dev

  • crdreleases.clm.cloudnativeapp.io

  • dynamiclabels.extension.oam.dev

  • imagebuilders.edas.aliyun.oam.com

  • logcollectors.edas.aliyun.oam.com

  • meshtraits.edas.aliyun.oam.com

  • metrictemplates.flagger.app

  • mseruletraits.edas.aliyun.oam.com

  • packageversions.oam-domain.alibabacloud.com

  • rollouts.edas.aliyun.oam.com

  • scaledobjects.keda.k8s.io

  • scalingrules.oam-domain.alibabacloud.com

  • serviceregistrytraits.edas.aliyun.oam.com

  • servicetraits.edas.aliyun.oam.com

  • sources.clm.cloudnativeapp.io

  • traits.core.oam.dev

  • triggerauthentications.keda.k8s.io

  • workloadtypes.core.oam.dev

Do not modify the aliyunlogconfigs.log.alibabacloud.com resource created by EDAS. This resource has the edas-domain: edas-admin label.

Ingress resources

Do not modify Ingress resources that EDAS creates. These resources carry the edas-domain: edas-admin or edas-domain label.

ConfigMap and Secret resources

Do not modify ConfigMap or Secret resources that EDAS creates. These resources carry the edas-domain: edas-admin or edas-domain label.

SLB binding

  • Do not use the ACK console, kubectl, or third-party tools to delete or modify Service resources that EDAS creates. These resources carry the edas-domain: edas-admin label. For more information, see Service FAQ.

  • Do not use the SLB console to delete or modify SLB instances purchased by EDAS.

  • Do not use the SLB console to delete or modify HTTP listeners on SLB instances purchased by EDAS.

Deployment YAML

When you edit the YAML of a Deployment that EDAS manages, only the operations listed under Allowed operations are safe. All other modifications may be overwritten or may cause deployment failures.

Forbidden operations

  • Do not use the ACK console, kubectl, or third-party tools to delete or modify Deployment resources that EDAS creates. These resources carry the edas-domain: edas-admin label.

  • Do not modify the following Deployment metadata and spec fields: apiVersion, kind, name, namespace, uid, resourceVersion, selfLink, generation, creationTimestamp, ownerReferences, managedFields, selector, strategy, revisionHistoryLimit, progressDeadlineSeconds, status

  • Do not delete or modify the following EDAS-specific labels and annotations in a Deployment or its Pod template:

    • edas-domain

    • edas.aliyun.oam.com/rollout-name

    • edas.aliyun.oam.com/rollout-namespace

    • edas.aliyun.oam.com/rollout-revision

    • edas.appid

    • edas.controlplane

    • edas.oam.acname

    • edas.oam.acversion

    • edas.oam.basecomponent

    • deployment.kubernetes.io/revision

    • ARMSApmAppId

    • ARMSApmLicenseKey

    • app

    • edas.component

    • edas.groupid

    • version

    • edas.revision

    • sidecar.istio.io/inject

  • Do not modify the HostPath volume that stores disk mounting configurations. To change disk mounting, use the deployment feature in the EDAS console.

  • Do not rename the group-1 container.

  • Do not modify the following reserved environment variables: POD_IP, HOST_IP, EDAS_APP_ID, EDAS_PROJECT_NAME, EDAS_GROUP_ID, EDAS_APP_NAME, EDAS_AC_NAME, EDAS_ECC_ID, EDAS_JM_CONTAINER_ID, EDAS_PACKAGE_VERSION, EDAS_AHAS_APPNAME, EDAS_DPATH_OPTS, EDAS_GRAY_OPTS, ALIBABA_ALIWARE_NAMESPACE, ALIBABA_ALIWARE_ENDPOINT_URL, ALIBABA_ALIWARE_ENDPOINT_PORT, ALIBABA_DEPLOY_VERSION, profiler.micro.service.canary.enable, profiler.micro.service.metadata.report.enable, profiler.micro.service.auth.enable

  • Do not modify the volume-edas-certs volume.

  • Do not modify the restartPolicy, schedulerName, or runtimeClassName field.

Allowed operations

  • Modify the replicas field to scale applications in or out.

  • Modify emptyDir volumes to share files across containers.

  • Add sidecar containers. Keep the group-1 container at the top of the container list.

  • Modify the hostAlias field to resolve custom domain names.

  • Modify nodeAffinity, podAffinity, and podAntiAffinity to control Pod scheduling.

  • Modify the toleration field to manage node scheduling.

  • Add custom labels and annotations to enable specific features.

Horizontal Pod Autoscaling (HPA)

  • Configure HPA only through the auto scaling feature in the EDAS console. Do not use the ACK console, kubectl, or third-party tools to configure HPA resources for EDAS applications.

  • Do not delete HPA resources created by EDAS. The ownerReferences field of these resources points to a ScaledObject.

  • After you enable auto scaling, do not directly modify the replicas field of a Deployment. The HPA controller manages replicas automatically.
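The Deployment YAML rules (forbidden and allowed operations) and the HPA rule about replicas together describe a policy that can be enforced before `kubectl apply`. The following Python function is an added example, not part of EDAS or ACK: it compares the stored Deployment with a proposed edit and reports every change the page lists as forbidden, while leaving the allowed operations (replicas, emptyDir volumes, added sidecars, hostAliases, affinity, tolerations, custom labels and annotations) unreported. With `hpa_enabled=True` it additionally rejects a replicas change, as the HPA section requires. The sample manifests and the edit helpers are constructed; the application ID and image names are placeholders.

```python
# Added example: pre-apply check of a Deployment edit against the EDAS reserved-field rules.
import copy

# Fields, labels, annotations and environment variables the page lists as reserved.
RESERVED_TOP = {"apiVersion", "kind", "status"}
RESERVED_META = {"name", "namespace", "uid", "resourceVersion", "selfLink", "generation",
                 "creationTimestamp", "ownerReferences", "managedFields"}
RESERVED_SPEC = {"selector", "strategy", "revisionHistoryLimit", "progressDeadlineSeconds"}
RESERVED_POD_SPEC = {"restartPolicy", "schedulerName", "runtimeClassName"}
RESERVED_KEYS = {
    "edas-domain", "edas.aliyun.oam.com/rollout-name", "edas.aliyun.oam.com/rollout-namespace",
    "edas.aliyun.oam.com/rollout-revision", "edas.appid", "edas.controlplane", "edas.oam.acname",
    "edas.oam.acversion", "edas.oam.basecomponent", "deployment.kubernetes.io/revision",
    "ARMSApmAppId", "ARMSApmLicenseKey", "app", "edas.component", "edas.groupid", "version",
    "edas.revision", "sidecar.istio.io/inject",
}
RESERVED_ENV = {
    "POD_IP", "HOST_IP", "EDAS_APP_ID", "EDAS_PROJECT_NAME", "EDAS_GROUP_ID", "EDAS_APP_NAME",
    "EDAS_AC_NAME", "EDAS_ECC_ID", "EDAS_JM_CONTAINER_ID", "EDAS_PACKAGE_VERSION",
    "EDAS_AHAS_APPNAME", "EDAS_DPATH_OPTS", "EDAS_GRAY_OPTS", "ALIBABA_ALIWARE_NAMESPACE",
    "ALIBABA_ALIWARE_ENDPOINT_URL", "ALIBABA_ALIWARE_ENDPOINT_PORT", "ALIBABA_DEPLOY_VERSION",
    "profiler.micro.service.canary.enable", "profiler.micro.service.metadata.report.enable",
    "profiler.micro.service.auth.enable",
}
MAIN_CONTAINER = "group-1"
PROTECTED_VOLUME = "volume-edas-certs"


def _changed(old, new, keys, where):
    """Report each key in `keys` whose value differs, or was added/removed, between old and new."""
    return [f"{where}.{k} changed" for k in sorted(keys) if old.get(k) != new.get(k)]


def _env(container):
    return {e["name"]: e.get("value") for e in container.get("env", [])}


def check_deployment_edit(original, proposed, hpa_enabled=False):
    """Return the forbidden changes in `proposed` relative to `original` (empty list = safe edit)."""
    v = []
    o_meta, p_meta = original["metadata"], proposed["metadata"]
    o_spec, p_spec = original["spec"], proposed["spec"]
    o_tpl, p_tpl = o_spec["template"], p_spec["template"]
    o_pod, p_pod = o_tpl["spec"], p_tpl["spec"]
    v += _changed(original, proposed, RESERVED_TOP, "deployment")
    v += _changed(o_meta, p_meta, RESERVED_META, "metadata")
    v += _changed(o_spec, p_spec, RESERVED_SPEC, "spec")
    v += _changed(o_pod, p_pod, RESERVED_POD_SPEC, "spec.template.spec")
    # Reserved labels/annotations on the Deployment itself and on its Pod template.
    for path, o, p in (("metadata", o_meta, p_meta),
                       ("spec.template.metadata", o_tpl.get("metadata", {}), p_tpl.get("metadata", {}))):
        for kind in ("labels", "annotations"):
            v += _changed(o.get(kind, {}), p.get(kind, {}), RESERVED_KEYS, f"{path}.{kind}")
    # hostPath volumes and volume-edas-certs must be untouched; emptyDir changes are allowed.
    p_vols = {x["name"]: x for x in p_pod.get("volumes", [])}
    for vol in o_pod.get("volumes", []):
        if (vol["name"] == PROTECTED_VOLUME or "hostPath" in vol) and p_vols.get(vol["name"]) != vol:
            v.append(f"volume {vol['name']} changed")
    # group-1 keeps its name, stays first in the container list, and keeps its reserved env vars.
    p_containers = p_pod.get("containers", [])
    if not p_containers or p_containers[0]["name"] != MAIN_CONTAINER:
        v.append(f"container {MAIN_CONTAINER} missing or not first")
    else:
        o_main = next(c for c in o_pod["containers"] if c["name"] == MAIN_CONTAINER)
        v += _changed(_env(o_main), _env(p_containers[0]), RESERVED_ENV, "group-1.env")
    # Once EDAS auto scaling is enabled, the HPA controller owns replicas.
    if hpa_enabled and o_spec.get("replicas") != p_spec.get("replicas"):
        v.append("spec.replicas changed while auto scaling is enabled")
    return v


# Constructed sample of an EDAS-style Deployment; IDs and images are placeholders.
ORIGINAL = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "demo-app", "namespace": "default",
                 "labels": {"edas-domain": "edas-admin", "edas.appid": "app-id-placeholder"}},
    "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "demo-app"}},
             "template": {"metadata": {"labels": {"app": "demo-app", "edas-domain": "edas-admin"}},
                          "spec": {"restartPolicy": "Always",
                                   "volumes": [{"name": "volume-edas-certs", "secret": {"secretName": "edas-certs"}},
                                               {"name": "data", "hostPath": {"path": "/data"}}],
                                   "containers": [{"name": "group-1", "image": "demo:1.0",
                                                   "env": [{"name": "EDAS_APP_ID", "value": "app-id-placeholder"},
                                                           {"name": "MY_FLAG", "value": "1"}]}]}}},
}


def allowed_edit():
    """Scale out, add a sidecar after group-1, add a toleration and a custom label."""
    p = copy.deepcopy(ORIGINAL)
    p["spec"]["replicas"] = 4
    p["spec"]["template"]["spec"]["containers"].append({"name": "log-sidecar", "image": "sidecar:1.0"})
    p["spec"]["template"]["spec"]["tolerations"] = [{"key": "dedicated", "operator": "Exists"}]
    p["metadata"]["labels"]["team"] = "payments"
    return p


def forbidden_edit():
    """Rename group-1, drop the edas-domain label from the Pod template, change the strategy."""
    p = copy.deepcopy(ORIGINAL)
    p["spec"]["template"]["spec"]["containers"][0]["name"] = "main"
    p["spec"]["template"]["metadata"]["labels"].pop("edas-domain")
    p["spec"]["strategy"] = {"type": "Recreate"}
    return p


if __name__ == "__main__":
    print(check_deployment_edit(ORIGINAL, allowed_edit()))
    print(check_deployment_edit(ORIGINAL, forbidden_edit()))
    print(check_deployment_edit(ORIGINAL, allowed_edit(), hpa_enabled=True))
```

The check is deliberately conservative: it only compares the keys the page names, so a custom label or an extra sidecar passes, while removing a reserved label or adding a reserved spec field that was previously absent is reported as a change. The same function can sit behind a validating admission webhook or a CI step that diffs the live object (`kubectl get deploy -o json`) against the manifest about to be applied.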