Cloud Container Engine

Service Overview

Issue 01

Date 2020-08-03

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 01 (2020-08-03) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 What Is Cloud Container Engine? ........ 1

2 Full-Stack Container Services ........ 4

3 Product Advantages ........ 7

4 Application Scenarios ........ 13

5 Constraints ........ 20

6 Pricing Details ........ 22

7 Permissions Management ........ 25

8 Basic Concepts ........ 30

8.1 Basic Concepts ........ 30

8.2 Mappings Between CCE and Kubernetes Terms ........ 38

8.3 Regions and AZs ........ 39

9 Related Services ........ 42


1 What Is Cloud Container Engine?

Cloud Container Engine (CCE) provides highly scalable, high-performance, enterprise-class Kubernetes clusters and supports Docker containers. With CCE, you can easily deploy, manage, and scale containerized applications on HUAWEI CLOUD.

CCE is deeply integrated with HUAWEI CLOUD services, including high-performance computing (ECS/BMS), network (VPC/EIP/ELB), and storage (EVS/OBS/SFS) services. It supports heterogeneous computing architectures such as GPU, NPU, Arm, and FPGA. By using multi-AZ and multi-region disaster recovery, CCE ensures high availability of Kubernetes clusters.

HUAWEI CLOUD is one of the world's first Kubernetes Certified Service Providers (KCSPs) and China's first participant in the Kubernetes community. It has long been contributing to open-source container communities and taking the lead in the container ecosystem. HUAWEI CLOUD is also a founder and platinum member of the Cloud Native Computing Foundation (CNCF). CCE is the world's first container service to pass the Certified Kubernetes Conformance Program.

You can use CCE by means of the CCE console, kubectl, or Kubernetes APIs. For details, see Figure 1-1.


Figure 1-1 Using CCE

Functions

CCE is a one-stop container platform that provides full-stack container services from Kubernetes cluster management, lifecycle management of containerized applications, application service mesh, and Helm charts to add-on management, application scheduling, and monitoring and O&M.

One-Stop Deployment and O&M

You can create a Kubernetes container cluster in just a few clicks, without needing to set up Docker or Kubernetes environments. Automatic deployment and O&M of containerized applications can be performed all in one place throughout the application lifecycle.

Container Cluster Diversity

CCE works closely with heterogeneous infrastructure services, including high-performance Elastic Cloud Server (ECS), Bare Metal Server (BMS), and GPU-Acceleration Cloud Server (GACS) services on HUAWEI CLOUD to offer choices of clusters: hybrid clusters, Kunpeng clusters, and BMS clusters. You can choose the cluster type best suited to your needs and quickly create clusters while CCE handles all the complexity of cluster management.

Figure 1-2 Cluster types supported by CCE


Heterogeneous Network Access

Various network access modes and load balancing (layer-4 and layer-7) are available to meet scenario-specific needs.

Choices of Persistent Storage Volumes

In addition to using local disk storage, CCE can store workload data using HUAWEI CLOUD storage services. Currently, the following types of cloud storage are supported: Elastic Volume Service (EVS), Scalable File Service (SFS), Object Storage Service (OBS), and SFS Turbo.

Affinity and Anti-affinity Scheduling

You can constrain which AZs and nodes your workloads are eligible or forbidden to be scheduled on. You can also define rules to describe which workloads will or will not be co-located with your workloads. Affinity scheduling allows workloads to be physically closer to the user location and makes routing paths between containers as short as possible, which in turn reduces network overhead. Anti-affinity scheduling prevents a single point of failure by banning co-location of instances belonging to the same workload. It also prevents interfering workloads from affecting each other by not allowing them to run on the same node or AZ.
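As an added illustration (not taken from this document or from CCE's own samples), the following Kubernetes manifests express the three kinds of rule described above: a node affinity rule that forbids one AZ, a pod anti-affinity rule that keeps replicas of the same workload off the same node and preferably in different AZs, and a pod affinity rule that co-locates a cache with the frontend it serves. The workload names, image references and AZ value are placeholders; the label keys are the standard Kubernetes topology labels, which a given cluster may populate differently.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-frontend            # placeholder workload name
  labels:
    app: web-frontend
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-frontend
  template:
    metadata:
      labels:
        app: web-frontend
    spec:
      affinity:
        # Node affinity: only nodes outside the listed AZ are eligible.
        # "required" rules are hard constraints; a pod stays Pending if no node matches.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.kubernetes.io/zone
                    operator: NotIn
                    values:
                      - az-placeholder-3   # placeholder AZ this workload must stay out of
        podAntiAffinity:
          # Hard rule: no two replicas of this workload on the same node,
          # so a single host failure takes down at most one instance.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: web-frontend
              topologyKey: kubernetes.io/hostname
          # Soft rule: also prefer spreading replicas across AZs,
          # but still schedule if only one AZ has spare capacity.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: web-frontend
                topologyKey: topology.kubernetes.io/zone
      containers:
        - name: web
          image: example.invalid/web-frontend:1.0   # placeholder image reference
          ports:
            - containerPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-cache               # placeholder workload name
  labels:
    app: web-cache
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-cache
  template:
    metadata:
      labels:
        app: web-cache
    spec:
      affinity:
        # Pod affinity: place each cache replica on a node that already runs
        # a web-frontend pod, keeping the routing path between them short.
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: web-frontend
              topologyKey: kubernetes.io/hostname
      containers:
        - name: cache
          image: example.invalid/web-cache:1.0   # placeholder image reference
```

A required anti-affinity rule with more replicas than eligible nodes leaves the surplus replicas Pending; `kubectl describe pod` on such a pod shows the scheduling reason.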

Flexible Auto Scaling Policies

Clusters and workloads can be resized both manually and automatically. Any auto scaling policies can be flexibly combined to deal with in-the-moment load spikes.

Deep Integration with Kubernetes Ecosystem Tools

CCE works seamlessly with Application Service Mesh (ASM) and Helm.

ASM provides a non-intrusive approach to microservice governance. It supports complete lifecycle management and traffic management and is compatible with the Kubernetes and Istio ecosystems. The out-of-the-box usability allows you to use the service mesh without code rewrite or manual installation.

Helm is a Kubernetes package manager that makes it simple to deploy and manage packages (also called charts). A chart is a collection of files that describe a related set of Kubernetes resources. The use of charts handles all the complexity in Kubernetes resource installation and management, making it possible to achieve unified resource scheduling and management.

Container DevOps

The Software Repository for Container (SWR) service provides pipelines to automate the container DevOps process, eliminating the need to manually write Dockerfiles or Kubernetes manifests. With ContainerOps pipeline templates, you can define how to build and push container images to repositories and how to deploy container images.

CCE Learning Path

You can click here to learn about the fundamentals of CCE so that you can use CCE and perform O&M with ease.


2 Full-Stack Container Services

As one of the earliest adopters of container technology, Huawei has implemented the technology in multiple internal products since 2013 and started to widely use Kubernetes in 2014. In this process, Huawei has accumulated rich practical experience and provides fully vetted, full-stack container services for enterprise users to tackle the challenges in the Cloud 2.0 era and migration of applications to the cloud.

Based on its practices and contributions to the Kubernetes community, HUAWEI CLOUD has been continuously leveraging cloud native technologies to provide users with industry-high standardized and portable cloud native services since its launch. Currently, HUAWEI CLOUD containers and related services have covered seven categories in the technical CNCF panorama, including 16 products like Cloud Container Engine (CCE), Cloud Container Instance (CCI), Application Orchestration Service (AOS), Software Repository for Container (SWR), and Application Operations Management (AOM). Figure 2-1 shows the architecture of HUAWEI CLOUD container services.

Figure 2-1 HUAWEI CLOUD full-stack container services

Containerized Infrastructure

HUAWEI CLOUD provides enterprise-class container services that are highly capable, available, and secure. Two CNCF-certified Kubernetes services are available: CCE and CCI. CCE HCS Online is a localized version of CCE, offering enterprises hybrid and dedicated cloud container services using Kubernetes.

Cloud Container Engine (CCE) provides highly scalable, high-performance, enterprise-class Kubernetes clusters and supports Docker containers. CCE is a one-stop container platform that provides full-stack container services from Kubernetes cluster management, lifecycle management of containerized applications, application service mesh, and Helm charts to add-on management, application scheduling, and monitoring and O&M. With CCE, you can easily deploy, manage, and scale containerized applications on HUAWEI CLOUD.

Cloud Container Instance (CCI) is a serverless container engine that allows you to run containers without creating and managing servers and clusters. With CCI, you only need to manage containerized services running on Kubernetes. You can quickly create and run container workloads on CCI without managing clusters and servers. Because of the serverless architecture, CCI makes containerized applications free of operation and maintenance and enables enterprises to focus on their core services.

Containerized Application Lifecycle Management

HUAWEI CLOUD container services provide full-lifecycle management for containerized applications, including application building, storage, delivery, orchestration, O&M, governance, and grayscale release.

Application Operations Management (AOM) is a one-stop, multi-dimensional O&M management platform for cloud applications. It monitors applications and related cloud resources in real time, collects and associates resource metrics, logs, and events to analyze application health statuses, and provides flexible alarm reporting and data visualization. This helps you detect faults in a timely manner and monitor the running statuses of applications, resources, and services in real time.

Software Repository for Container (SWR) provides easy, secure, and reliable management over container images throughout their lifecycles, facilitating the deployment of containerized services. By using the pipeline function of SWR, you can directly build container images from the code, which accelerates application cloudification.

ContainerOps is a DevOps orchestration platform for you to clearly define the entire DevOps workflow from obtaining source code to rolling out the application, covering key steps like code compiling, image build, grayscale release, and containerized deployment. ContainerOps tackles problems in the process of code compiling, image build, and image deployment in containerized scenarios, further improving R&D, deployment, and O&M efficiency.

Application Orchestration Service (AOS) enables enterprises to automatically migrate containerized applications to the cloud. It supports the orchestration of mainstream cloud services on HUAWEI CLOUD to create applications and provision cloud resources in just a few clicks, facilitating efficient application replication and migration onto the cloud.

Application Service Mesh (ASM) is a service mesh platform developed by HUAWEI CLOUD based on Istio. It is seamlessly interconnected with CCE, which is an enterprise-class Kubernetes cluster service. With enhanced usability, reliability, and visualization, it provides an out-of-the-box user experience. ASM provides a non-intrusive microservice governance solution that supports full-lifecycle management and traffic management and is compatible with the Kubernetes and Istio ecosystems. It hosts functions such as load balancing, outlier detection, and traffic limiting.

ServiceStage is an application and microservice management platform that facilitates application deployment, monitoring, O&M, and governance. ServiceStage provides a full-stack solution for enterprises to develop microservice, mobile, and web applications. This solution helps you easily migrate various applications onto the cloud and focus on service innovation to quickly achieve digital transformation.

Vertical Container Solutions

HUAWEI CLOUD container services provide containerized tools, platforms, and solutions catering to industry demands.

Gene Container Service (GCS) provides cloud genetic sequencing solutions, and supports mainstream biological genetic sequencing scenarios such as DNA and RNA sequencing and liquid biopsy. Based on light-weight container technology, GCS combines big data and deep learning algorithms to optimize standard algorithms, providing you with flexible and customizable sequencing processes and highly reliable resources that can be scaled in seconds.

By managing users' edge nodes, Intelligent EdgeFabric (IEF) extends cloud applications to edge nodes and associates edge and cloud data, meeting customer requirements for remote control, data processing, analysis, decision-making, and intelligence of edge computing resources. IEF also provides unified on-cloud O&M capabilities, such as device/application monitoring and log collection, to offer a complete edge computing solution that contains integrated services under edge-cloud synergy.

Multi-Cloud Container Platform (MCP) is a platform developed by HUAWEI CLOUD drawing on years of experience in the containerized cloud field and community-advanced cluster federation technologies. It provides multi-cloud and hybrid cloud container solutions for unified cluster management across clouds, and unified application deployment and traffic distribution across clusters. It not only resolves multi-cloud disaster recovery, but also plays an important role in various scenarios including service traffic sharing and separation of services and data, development and production, and computing and services.


3 Product Advantages

Why CCE?

CCE is a container service built on popular Docker and Kubernetes technologies and offers a wealth of features best suited to enterprises' demand for running container clusters at scale. With unique advantages in system reliability, performance, and compatibility with open-source communities, CCE can suit the particulars of enterprises interested in building container clouds.

Easy to Use

● Creating a Kubernetes cluster is as easy as a few clicks on the web user interface (WebUI). The Kubernetes cluster supports management of VM nodes or bare-metal nodes and applies to the scenario where VMs and physical machines are used together.

● Automatic deployment and O&M of containerized applications can be performed all in one place throughout the application lifecycle.

● Clusters and workloads can be resized in just a few clicks on the WebUI. Any auto scaling policies can be flexibly combined to deal with in-the-moment load spikes.

● The WebUI walks you through the steps required to upgrade Kubernetes clusters.

● Support for Application Service Mesh (ASM) and Helm charts offers out-of-the-box usability.

High Performance

● CCE draws on years of field experience in computing, network, storage, and heterogeneous infrastructure. You can concurrently launch containers at scale.

● The bare-metal NUMA architecture and high-speed InfiniBand network cards yield a three- to five-fold improvement in computing performance.

Highly Available and Secure

● Highly available: Each cluster has three master nodes, avoiding a single point of failure on the cluster control plane. Faults in one or two of the master nodes do not interrupt the whole cluster. Nodes and workloads in a cluster can be load balanced across AZs to form a multi-active architecture that ensures service continuity even when one of the hosts or equipment rooms is down or an AZ is hit by natural disasters.


Figure 3-1 High-availability setup of clusters

● Secure: Clusters are private and completely controlled by users with HUAWEI CLOUD accounts, with Kubernetes RBAC capabilities deeply integrated. Users can set different RBAC permissions for sub-users on the GUI.
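As an added example of the RBAC integration mentioned above (not from this document or from CCE's own samples), the following manifests grant a sub-user read-only visibility of workloads in a single namespace and nothing more. The namespace, the subject name and the form that name takes are placeholders, since the document does not describe how CCE maps cloud-account sub-users to Kubernetes subjects.

```yaml
# Least-privilege example: read-only view of one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a            # placeholder namespace
  name: workload-viewer
rules:
  # Core API group: pods, their logs (a subresource), and services.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
  # apps group: deployments and the replica sets they manage.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  # Deliberately not granted: secrets, pods/exec, pods/portforward, and
  # any create/update/patch/delete verb. A viewer who can read secrets or
  # exec into pods can reach credentials this role is meant to keep out of view.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a            # placeholder namespace
  name: workload-viewer-binding
subjects:
  - kind: User
    name: sub-user-placeholder # placeholder; the real subject name depends on the cluster's identity mapping
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                   # a Role, not a ClusterRole: the grant stays inside team-a
  name: workload-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests, `kubectl auth can-i list pods -n team-a --as sub-user-placeholder` should answer yes and `kubectl auth can-i get secrets -n team-a --as sub-user-placeholder` should answer no; running such checks after every RBAC change is a cheap way to catch over-broad grants.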

Open and Compatible

● CCE is built on the open-source Docker technology that automates deployment, resource scheduling, service discovery, and dynamic scaling of containerized applications.

● CCE is built on the popular Kubernetes technology and is compatible with Kubernetes native APIs, kubectl (a command line interface), and Kubernetes/Docker native releases. Updates from the Kubernetes and Docker communities are regularly incorporated into CCE.


Comparative Analysis of CCE and On-Premises Kubernetes Cluster Management Systems

Table 3-1 CCE clusters versus on-premises Kubernetes clusters

Area of focus: Ease of use

  On-premises Kubernetes cluster management systems: Cluster management is complex. You have to handle all the complexity in installing, operating, scaling, configuring, and monitoring Kubernetes cluster management infrastructure. Each cluster upgrade requires tremendous manual adjustment, imposing a heavy burden on O&M personnel.

  CCE: Easy to manage and use clusters. You can create and upgrade Kubernetes container clusters in just a few clicks, without needing to first set up Docker or Kubernetes environments. Automatic deployment and O&M of containerized applications can be performed on the console all in one place throughout the application lifecycle. Support for Application Service Mesh (ASM) and Helm charts offers out-of-the-box usability. Using CCE clusters is as simple as choosing a container cluster and the jobs that you want to run in the cluster. CCE then completes cluster management so you can focus on developing containerized applications.

Area of focus: Scalability

  On-premises Kubernetes cluster management systems: You have to manually evaluate service load and cluster health before deciding to resize a cluster.

  CCE: Managed scaling service. CCE can automatically resize clusters and workloads as resource usage changes. Combined use of auto scaling policies can flexibly scale clusters and workloads to meet fluctuating demands.

Area of focus: Reliability

  On-premises Kubernetes cluster management systems: Only one master node is available in a cluster. Once the master node is down, the entire cluster as well as all the applications in the cluster will become out of service.

  CCE: High availability. If the High Availability parameter is set to Yes at cluster creation time, three master nodes will be created in the cluster, avoiding a single point of failure on the cluster control plane.

Area of focus: Efficiency

  On-premises Kubernetes cluster management systems: You have to either build image repositories or resort to third-party image repositories. Images are pulled from repositories in serial.

  CCE: Rapid image deployment and continuous integration. CCE works with the Software Repository for Container (SWR) service to provide pipelines that automate the container DevOps process and eliminate the need to manually write Dockerfiles or Kubernetes manifests. With ContainerOps pipeline templates, you can define how to build container images, push them to repositories, and deploy container images. Images are pulled from repositories in parallel.

Area of focus: Cost

  On-premises Kubernetes cluster management systems: Heavy upfront investment is required in installing, managing, and scaling cluster management infrastructure.

  CCE: Cost effective. You only pay for the infrastructure resources required to store and run applications, as well as the master nodes in the cluster.

Why Containers?

Docker is written in the Go programming language designed by Google. It provides operating-system-level virtualization: software processes are isolated from each other by using Linux Control Groups (cgroups), namespaces, and Union FS technologies (for example, AUFS). Everything needed to run a software process is packed into a container. Containers are isolated from each other and from the host.

Docker has moved forward to enhance container isolation: containers have their own file systems, and they cannot see each other's processes or network interfaces. This simplifies container creation and management.

Traditional virtualization technology provides hardware-level virtualization. It creates a set of virtual machines, each with a complete operating system and application inside. Containers, on the other hand, do not have their own kernel and all call out to the same kernel of the host OS. Furthermore, it is unnecessary to do any kind of virtualization the way it is done with VMs. Therefore, Docker containers are smaller and faster than VMs.


Figure 3-2 Comparison between Docker containers and VMs

To sum up, Docker containers have many advantages over VMs.

Resource utilization

With no overhead for virtualizing hardware and running a complete OS, containers can outperform VMs in application execution speed, memory overhead, and file storage speed.

Start speed

It takes several minutes to start an application on a VM. Docker containerized applications run directly on the host kernel and there is no need to start a complete operating system along with the applications. The startup time can be reduced to seconds or even milliseconds, greatly saving your time in development, testing, and deployment.

Consistent environment

One of the biggest problems that developers always have to deal with is the difference in the environments where they run their applications. Differences between development, testing, and production environments prevent some bugs from being discovered prior to rollout. A Docker container image includes everything needed to run an application and isolates the application from its environment. Therefore, containerized applications will always run the same across development, testing, and production environments.

Continuous delivery and deployment

For DevOps personnel, it would be ideal if applications could run anywhere after one-time creation or configuration.

Docker provides reliable and frequent container image build and deployment with quick, easy rollbacks (due to image immutability). Developers write Dockerfiles that contain all the instructions required to build container images and merge up-to-date instructions regularly into Dockerfiles, a practice known as Continuous Integration (CI). The Ops team can rapidly deploy images into the production environment by letting Docker read instructions from Dockerfiles. The Ops team can even follow the Continuous Delivery/Deployment (CD) practice in which every instruction change is automatically built, tested, and then pushed to a non-production testing environment.

The use of Dockerfiles makes the DevOps process visible to everyone in a DevOps team. In this way, the developer team can better understand both users' needs and the problems faced by the Ops team while maintaining the application. On the other hand, the Ops team can have some knowledge of the conditions that must be met to run the application. This knowledge is helpful when Ops personnel deploy container images into the production environment.

Portability

Docker ensures environmental consistency across development, testing, and production, and so Docker containers can be portable anywhere. They work uniformly, regardless of whether they run on physical machines, virtual machines, public clouds, private clouds, or even laptops. You can migrate applications from one platform to another without worrying that the environment change will leave the applications unable to work.

Application update

Docker images are composed of layers. Each layer is only stored once and different images can contain the exact same layers. This makes distribution efficient because layers that have already been transferred as part of the first image do not need to be transferred again when transferring another image that also has these layers. To update a containerized application, you can either edit the top-most writable layer in the final image or add layers to the base image. Docker collaborates with open-source project teams to maintain a large number of high-quality official images. You can push them directly into the production environment as final images or add layers on top of them to form new images, greatly reducing the image production cost.

Table 3-2 Containers versus traditional VMs

Feature                 Containers                 VMs

Start speed             In seconds                 In minutes

Disk capacity           MB                         GB

Performance             Near-native performance    Weak

Per-machine capacity    Thousands of containers    Tens of VMs


4 Application Scenarios

Auto Scaling Architecture

Challenges

● During promotions and flash sales, online shopping apps will see a dramatic rise in user access and may soon fall short of cloud computing resources. How can cloud computing resources be adapted automatically to changing demand?

● It is difficult for live video platforms to predict the number of video watchers, not to mention the complexity in planning how many CPU or memory resources to invest in advance. Is there any way to start small and easily scale live video platforms as CPU or memory usage grows?

● The number of game players increases at 12:00 and 18:00–23:00 every day. It would be ideal to automatically scale game apps at a scheduled time.

CCE's Solution

CCE automatically adapts the amount of computing resources to fluctuating service load according to custom auto-scaling policies. To scale computing resources at the cluster level, CCE adds or reduces cloud servers. To scale computing resources at the workload level, CCE adds or reduces containers.

Benefits of CCE

● Flexible

Allows multiple scaling policies and scales containers within seconds when specified conditions are met.

● High availability

Automatically detects the statuses of instances in auto-scaling groups and replaces unhealthy instances with new ones.

● Low cost

Charges you only for the cloud servers that you use.

Related Services

autoscaler (an add-on used for auto cluster scaling), AOM (a cloud service used for workload scaling)


Figure 4-1 How auto scaling works

Microservice Governance

Challenges

Internet technologies are evolving, and the complexity of large enterprise systems is going beyond what traditional system architecture can handle. The microservice architecture has been rising in popularity. The idea behind it is to divide complex applications into smaller components called microservices, which are independently developed, deployed, and scaled. Using microservices together with containers simplifies microservice delivery while improving application reliability and scalability.

However, the complexity of O&M, commissioning, and security management of a distributed application grows with the number of microservices. Developers cannot focus on application development: they have to write additional code for microservice governance and are distracted by the tedious work of choosing a governance solution and making it work seamlessly with the existing application.

CCE's Solution

Application service mesh is deeply integrated into CCE. Its out-of-the-box traffic management feature lets you perform grayscale releases, observe your traffic, and control the flow of traffic without changing application code.

Benefits of CCE

● Out-of-the-box usability

Istio service mesh can be started in just a few clicks and works seamlessly with CCE. Once started, Istio service mesh can intelligently control the flow of traffic.

● Intelligent routing

HTTP/TCP connection policies and security policies can be enforced without requiring you to rewrite code.

● Visibility into traffic

Based on monitoring data collected non-intrusively, Istio service mesh works closely with the HUAWEI CLOUD APM service to provide a panoramic view of your services, including real-time traffic topology, call tracing, performance monitoring, and runtime diagnosis.
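The grayscale release and the "security policies without rewriting code" above are expressed in Istio as ordinary mesh resources. The manifests below are an added example, not Huawei's or Istio's own configuration; the shop namespace, the reviews and productpage services, and the 90/10 split are assumptions. The PeerAuthentication makes mutual TLS mandatory, the AuthorizationPolicy allows only one service account to call reviews, and the DestinationRule and VirtualService shift a tenth of the traffic to the new version.

```yaml
# Added example: Istio policies for a grayscale (canary) release plus service-to-service
# mTLS and an allow-list of callers. Namespace and service names are assumptions.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT            # reject plaintext; only sidecar-to-sidecar mTLS is accepted
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-callers
  namespace: shop
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW             # with a selector, anything not matched by a rule is denied
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/productpage"]   # only this service account
    to:
    - operation:
        methods: ["GET"]
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews.shop.svc.cluster.local
  subsets:
  - name: v1
    labels:
      version: v1           # pods of the current release carry version=v1
  - name: v2
    labels:
      version: v2           # pods of the canary release carry version=v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts:
  - reviews.shop.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v1
      weight: 90            # 90% of requests stay on the current version
    - destination:
        host: reviews.shop.svc.cluster.local
        subset: v2
      weight: 10            # 10% go to the canary; raise this step by step
```

The two security resources depend on each other: the principals in the AuthorizationPolicy are the SPIFFE identities Istio derives from mTLS client certificates, so the allow-list is only meaningful with STRICT mode. Because an ALLOW policy with a selector denies every caller it does not list, enumerate all legitimate callers before applying it, and confirm the effect with istioctl x authz check on a reviews pod.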

Related Services

Elastic Load Balance (ELB), Application Performance Management (APM), Application Operations Management (AOM)

Figure 4-2 Microservice governance

Continuous DevOps Delivery

Challenges

Today's IT industry is growing rapidly and must respond quickly when diverse, changing customer needs emerge at scale. Only with fast, continuous integration can IT players add new features continuously and keep their products aligned with customer needs. Traditional enterprises, and even Internet enterprises, may face challenges such as low R&D efficiency, outdated tools, and slow releases when they practice continuous integration (CI). Continuous delivery (CD) is the way out of this dilemma.

CCE's Solution

CCE works with SWR to provide continuous DevOps features that automatically complete code compilation, image building, grayscale release, and containerization based on source code. The continuous DevOps features work seamlessly with traditional CI/CD systems, making it easier to containerize applications.

Benefits of CCE

● Efficient process management

Reduces scripting workload by more than 80% through streamlined process interaction.

● Flexible integration

Provides various APIs to integrate with existing CI/CD systems, greatly facilitating customization.

● High performance

Schedules tasks flexibly with a fully containerized architecture.

Related Services

Software Repository for Container (SWR), Object Storage Service (OBS), Virtual Private Network (VPN)

Figure 4-3 How continuous DevOps delivery works


Hybrid Cloud Architecture

Challenges

● Multi-cloud deployment and disaster recovery

To achieve high service availability, customers prefer to deploy applications on container services from multiple cloud providers. When one cloud goes dark, application load is automatically distributed to the other clouds.

● Traffic distribution and auto scaling

Large enterprise systems need to span cloud facilities in different regions. They also need to be automatically resizable: they can start small and then scale up as system load grows. This frees enterprises from the cost of planning, purchasing, and maintaining more cloud facilities than needed, and turns what are commonly large fixed costs into much smaller variable costs.

● Migration to the cloud and database hosting

Finance, security, and other industries for which data confidentiality is a top concern usually want to keep critical systems in local IDCs while moving other systems to the cloud. All systems, whether in local IDCs or in the cloud, are expected to be managed from a unified dashboard.

● Separation of the development environment from the deployment environment

To protect intellectual property, customers want to set up the production environment on a public cloud while keeping the development environment in a local IDC.

CCE's Solution

Applications and data can be migrated seamlessly between your on-premises network and the cloud, facilitating resource scheduling and disaster recovery (DR). This is made possible by environment-independent containers, network connectivity between private and public clouds, and the ability to manage containers on CCE and on your private cloud together.

Benefits of CCE

● On-cloud DR

Multi-cloud helps protect systems from outages. When one cloud is faulty, system load is automatically diverted to the other clouds to ensure service continuity.

● Automatic traffic distribution

Access latency is reduced by directing user requests to the regional cloud provider closest to the users. Once the applications in local IDCs are overloaded, some of the access requests can be distributed to the cloud, which automatically creates instances of the applications to meet the fluctuating load.

● Separation of computing from data; capability sharing

Sensitive service data is separated from general service data. Separation can also be achieved between the development and production environments, and between special-purpose computing and general services. Through auto scaling and unified cluster management, the hybrid cloud combines the resources and technological advantages of the on-premises system and the cloud.


● Reduced cost

The resource pool on the public cloud can respond quickly to load spikes. You no longer need to reserve a large amount of resources in advance, which saves substantially on resource costs.

Related Services

Elastic Cloud Server (ECS), Direct Connect (DC), Virtual Private Network (VPN), Software Repository for Container (SWR)

Figure 4-4 How hybrid cloud works

High-Performance AI Computing

Challenges

In industries such as AI, gene sequencing, and video processing, computing tasks are compute-intensive and usually run on GPUs, bare metal servers, and other hardware that provides high computing power. These industries opt to run computing services on the public cloud, where a sea of computing resources is available. Meanwhile, to avoid the cost of using computing facilities at scale, general services are run in a private cloud.

CCE's Solution

Running containers on high-performance GPU-accelerated cloud servers improves AI computing performance three- to five-fold. GPUs are usually expensive, and sharing a GPU among containers greatly reduces AI computing costs. In addition to performance and cost advantages, CCE also offers fully managed clusters that hide the complexity of deploying and managing your AI applications so you can focus on high-value development.

Benefits of CCE

● High performance

The bare-metal NUMA architecture and high-speed InfiniBand NICs drive a three- to five-fold improvement in AI computing performance.


● Efficient computing

GPUs are shared and scheduled among multiple containers, greatly reducing computing costs.

● Extensive field experience

AI containers are compatible with all mainstream GPU models and have been used at scale in HUAWEI CLOUD's Enterprise Intelligence (EI) products.

Related Services

GPU-accelerated Cloud Server (GACS), Elastic Load Balance (ELB), Object Storage Service (OBS)

Figure 4-5 How AI computing works


5 Constraints

Clusters and Nodes

● CCE limits the quantity and capacity of resources for a single user. By default, you can create a maximum of five clusters in each region. The management scale of a cluster can be set to 50, 200, 1,000, or 2,000 nodes (2,000 only for hybrid clusters in certain regions). The management scale cannot be changed after the cluster is created, so choose it carefully. To create a cluster with 5,000 nodes, submit a service ticket.

For more information on quotas, see Quotas.

● Nodes created during cluster creation support pay-per-use and yearly/monthly billing, with the following constraints:

– If the cluster to be created is pay-per-use, the nodes created in the cluster must also be pay-per-use.

– If the cluster to be created is billed on a yearly/monthly basis, nodes in the cluster are either pay-per-use or billed on a yearly/monthly basis.

– If nodes added after cluster creation are billed on a yearly/monthly basis, they need to be renewed separately from the cluster.

● A hybrid cluster supports EulerOS and CentOS. EulerOS 2.2, EulerOS 2.5, CentOS 7.4, or CentOS 7.6 is recommended.

● A cluster in non-HA mode is unavailable if the master node is faulty, which affects service functions. The non-HA mode is therefore not recommended for commercial scenarios; select the HA mode. For details, see the parameters for creating a cluster.

● By default, when a cluster is created, security group rules with cce in their names are created. If these rules are deleted or modified, the cluster may become unavailable. Treat them as cluster-managed: when hardening node security groups, add your own rules alongside them rather than editing or removing them.

● The cluster name, cluster scale, HA switch, network model, CIDR block configuration, and service forwarding mode cannot be modified after the cluster is created. Exercise caution when configuring these parameters.

● By default, RBAC is enabled for CCE clusters. An IAM permission on the CCE service is not enough to access resources inside a cluster: an IAM user also needs namespace permissions granted through Kubernetes RBAC. For details, see Granting Namespace-Level Permissions (Kubernetes RBAC Authorization).


● By default, a collection probe is installed in the CCE cluster so that you can view logs and monitoring information about cluster resources on the web page. For details, see Agent Management.

Cluster Scaling

● Only worker nodes can be added or removed during a scaling task.

● Before scaling out a cluster, ensure that its available resources (such as ECSs and EIPs) suffice. If available resources are insufficient, submit a service ticket to increase the quota.

Volumes

Volumes and the clusters that use them must be in the same region.

For details, see Overview to Storage Management.

Maximum Number of Services

A maximum of 6,000 Services can be created in each namespace. A Service is a Kubernetes resource object that defines a logical set of pods and a policy by which to access them.


6 Pricing Details

Billing Items

Cloud Container Engine (CCE) is free of charge. You pay only for the resources (such as nodes) created while you use CCE. There are two types of billing items:

1. Clusters: The cluster fee is the cost of resources used by master nodes. The fee varies with the cluster type and cluster size. Cluster types include VM cluster, BMS cluster, VM cluster (high availability), and BMS cluster (HA). Cluster size (also called management scale) indicates the number of nodes in a cluster.

NOTE

The management scale indicates the number of ECSs or BMSs in a cluster.

For more details, see CCE Pricing Details.

2. IaaS resources: The cost of IaaS resources created to run worker nodes in your cluster is billed. IaaS resources, which are created either manually or automatically, include ECSs, EVS disks, EIPs, bandwidth, and load balancers. For more pricing details, see Product Pricing Details.

Billing Modes

CCE is billed on a pay-per-use or yearly/monthly basis.

● Pay-per-use: A pay-after-use mode. Billing starts when a resource is provisioned and stops when the resource is deleted. You can use cloud resources as required and stop paying for them when you no longer need them. There is no upfront payment for excess capacity.


NOTE

The following pricing principles apply to CCE cluster hibernation and node shutdown. There are many types of cluster nodes; ECS is used as an example.

● Cluster hibernation: After a cluster is hibernated, billing of the resources used by master nodes stops.

● Node shutdown: Worker node billing stops when the node is stopped. Note that hibernating a cluster does not stop the worker nodes in the cluster. To stop an ECS, log in to the ECS console. For details, see Stopping a Node.

Stopping an ECS is free of charge. After a pay-per-use ECS without local disks or FPGAs is stopped, the ECS, its vCPUs, memory, and images are not billed. However, other resources used by the ECS, such as EVS disks, EIPs, and bandwidth, are still billed. The vCPU and memory resources of the stopped ECS are reclaimed. When the ECS is restarted, the vCPU and memory resources must be requested again; if resources are insufficient, the restart may fail. To avoid a restart failure, wait several minutes before attempting another restart, or modify the ECS specifications. After an ECS with local hard disks (such as enhanced disks and GPUs) or FPGAs is stopped, ECS billing continues and resources such as vCPUs and memory are retained. For details, see ECS Billing.

● Yearly/monthly: A pay-before-use mode. Yearly/monthly billing provides a larger discount than pay-per-use and is recommended for long-term use of cloud services. When you purchase a yearly/monthly package, the system deducts the package cost from your cloud account based on the chosen specifications.

● Billing mode change: The billing mode cannot be changed within the billing cycle.

NOTICE

Clusters follow a tiered pricing plan. Pricing for each tier varies with cluster size and type.

Configuration Changes

From pay-per-use to yearly/monthly billing: You can change the cluster billing mode from pay-per-use to yearly/monthly. After the change, master nodes, worker nodes, and cloud resources (such as EVS disks and EIPs) used by your cluster are all billed on a yearly/monthly basis and a new order is generated. The nodes and cloud resources are ready for use immediately after you pay for the new order.

From yearly/monthly billing to pay-per-use: Clusters billed on a yearly/monthly basis cannot change to pay-per-use within the billing cycle. Note that pay-per-use clusters can be deleted directly, but clusters billed on a yearly/monthly basis cannot. To stop using clusters billed on a yearly/monthly basis, go to the Billing Center and unsubscribe from them.

Notes

● Cash coupons are not returned after you downgrade the specifications of cloud servers purchased using cash coupons.

● You need to pay the price difference between the original and new specifications after upgrading cloud server specifications.


● Downgrading cloud server specifications (the amount of CPU or memory resources) impairs cloud server performance.

● If you downgrade cloud server specifications and then upgrade them back to the original specifications, you still need to pay the price difference incurred by the upgrade.

FAQs

If you have any further questions, visit the official forum to share them with us.


7 Permissions Management

If you need to assign different permissions to employees in your enterprise to access your Cloud Container Engine (CCE) resources, Identity and Access Management (IAM) is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources. For more information about IAM, see IAM Service Overview.

You can create IAM users on the IAM console and assign permissions to them to control their access to CCE cluster resources. For example, some software developers in your enterprise need to use CCE cluster resources but must not delete them or perform any high-risk operations. In this case, create IAM users for the software developers and grant them only the permissions required for using CCE cluster resources (the CCE ReadOnlyAccess policy).

If your HUAWEI CLOUD account does not need individual IAM users for permissions management, you can skip this chapter.

CCE Permissions

By default, new IAM users have no permissions assigned. You need to add a user to one or more groups and attach permissions policies or roles to these groups. Users inherit permissions from the groups they belong to and can perform the specified operations on cloud services based on those permissions.

CCE is a project-level service deployed and accessed in specific physical regions. To assign CCE permissions to a user group, specify the scope as region-specific projects and select the projects in which the permissions take effect. If All projects is selected, the permissions take effect for the user group in all region-specific projects. When accessing CCE, users need to switch to a region where they have been authorized to use the CCE service.

You can grant users permissions by using roles and policies.

● Roles: A coarse-grained authorization mechanism that defines permissions related to user responsibilities. It provides only a limited number of service-level roles. When using roles to grant permissions, you also need to assign the other roles on which the permissions depend for them to take effect. Roles are not an ideal choice for fine-grained authorization and secure access control.


● Policies: A fine-grained authorization mechanism that defines the permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows more flexible policy-based authorization and meets requirements for secure access control. For example, you can grant IAM users only the permissions for managing a certain type of clusters and nodes. Most policies define permissions based on APIs. For the API actions supported by CCE, see Permissions Policies and Supported Actions.

Table 7-1 lists all the system permissions supported by CCE.

Kubernetes RBAC policies regulate access to resources inside a CCE cluster, such as workloads, jobs, Services, and other Kubernetes native resources. IAM controls who may manage the cluster as a cloud resource; Kubernetes RBAC controls what a user may do inside it, and the two are granted separately. For details, see Kubernetes RBAC.
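The in-cluster half of that split, for the developer case from the start of this chapter and for the constraint in Chapter 5 that an IAM user must obtain namespace permissions, looks like the following. This is an added example, not configuration from the Huawei document; the shop namespace, the developers group, and the assumption that CCE maps an IAM user group to a Kubernetes group of that name are all hypothetical. The Role grants read-only access to workloads in one namespace and deliberately leaves out the resources and verbs that would let a reader escalate.

```yaml
# Added example: namespace-scoped Kubernetes RBAC for a developer who may inspect
# workloads but not change or delete them. Namespace, group name and the
# IAM-to-Kubernetes subject mapping are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-viewer
  namespace: shop
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "endpoints", "persistentvolumeclaims"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]        # reading logs is fine for debugging
  verbs: ["get"]
# Deliberately omitted: "secrets" (reading them equals holding the credentials),
# "pods/exec" and "pods/portforward" (a shell into a running container), and any
# create, update, patch or delete verb.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-workload-viewer
  namespace: shop                 # a RoleBinding never reaches outside its namespace
subjects:
- kind: Group
  name: developers                # assumption: the group CCE maps from an IAM user group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: workload-viewer
  apiGroup: rbac.authorization.k8s.io
```

Check the result from a cluster-admin context with impersonation, for example kubectl auth can-i delete deployments -n shop --as=dev-user --as-group=developers and kubectl auth can-i get secrets -n shop --as=dev-user --as-group=developers; both should answer no. Binding the same subjects to cluster-admin through a ClusterRoleBinding is the common shortcut that silently gives them every namespace, including kube-system.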

Table 7-1 System permissions supported by CCE

| Role/Policy Name | Description | Type | Dependencies |
|---|---|---|---|
| CCE Administrator | Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters. | Role | Users granted this role must also be granted the following: global service project: OBS Buckets Viewer; region-specific projects: Tenant Guest, Server Administrator, ELB Administrator, OBS Admin, SFS Administrator, SWR Admin, and APM FullAccess. NOTE: Users with both the CCE Administrator and NAT Gateway Administrator roles can use NAT Gateway functions for clusters. |
| CCE FullAccess | Read and write permissions for CCE clusters, including creating, deleting, and updating a cluster. | Policy | None. |
| CCE ReadOnlyAccess | Read-only permissions for CCE clusters. | Policy | None. |


Table 7-2 Common operations supported by CCE system policies

| Operation | CCE ReadOnlyAccess | CCE FullAccess | CCE Administrator |
|---|---|---|---|
| Creating a cluster | x | √ | √ |
| Deleting a cluster | x | √ | √ |
| Updating a cluster, for example, updating cluster node scheduling parameters and providing RBAC support to clusters | x | √ | √ |
| Upgrading a cluster | x | √ | √ |
| Waking up a cluster | x | √ | √ |
| Hibernating a cluster | x | √ | √ |
| Listing all clusters | √ | √ | √ |
| Querying cluster details | √ | √ | √ |
| Adding a node | x | √ | √ |
| Deleting one or more nodes | x | √ | √ |
| Updating a cluster node, for example, updating the node name | x | √ | √ |
| Querying node details | √ | √ | √ |
| Listing all nodes | √ | √ | √ |
| Listing all jobs | √ | √ | √ |
| Deleting one or more cluster jobs | x | √ | √ |
| Querying job details | √ | √ | √ |
| Creating a storage volume | x | √ | √ |
| Deleting a storage volume | x | √ | √ |
| Performing operations on all Kubernetes resources of a cluster (for details, see Permissions Management) | √ | √ | √ |
| Performing all operations on an Elastic Cloud Server (ECS) | x | √ | √ |
| Performing all operations on Elastic Volume Service (EVS) disks. EVS disks can be attached to cloud servers and scaled to a higher capacity whenever needed. | x | √ | √ |
| Performing all operations on a Virtual Private Cloud (VPC), including enhanced ELB. A cluster must run in a VPC. When creating a namespace, you need to create or associate a VPC for the namespace so that all containers in the namespace run in the VPC. | x | √ | √ |
| Viewing details of all resources on an ECS. In CCE, a node is an ECS with multiple EVS disks. | √ | √ | √ |
| Listing all resources on an ECS | √ | √ | √ |
| Viewing details about all EVS disk resources | √ | √ | √ |
| Listing all EVS resources | √ | √ | √ |
| Viewing details about all VPC resources (including enhanced ELB) | √ | √ | √ |
| Viewing details about all Elastic Load Balance (ELB) resources | x | x | √ |
| Listing all ELB resources | x | x | √ |
| Viewing Scalable File Service (SFS) resource details | √ | √ | √ |
| Listing all SFS resources | √ | √ | √ |
| Viewing Application Operations Management (AOM) resource details | √ | √ | √ |
| Listing AOM resources | √ | √ | √ |
| Performing all operations on AOM auto scaling rules | √ | √ | √ |

Note that the row "Performing operations on all Kubernetes resources of a cluster" is √ in every column, including CCE ReadOnlyAccess: the IAM system policies do not by themselves restrict what a user does inside a cluster. In-cluster operations are governed by Kubernetes RBAC, so a user whose IAM access is read-only can still change workloads if the cluster's RBAC bindings allow it.

Helpful Links

● IAM Service Overview

● Granting Cluster-level Permissions

● Permissions Policies and Supported Actions


8 Basic Concepts

8.1 Basic Concepts

CCE provides highly scalable, high-performance, enterprise-class Kubernetes clusters and supports Docker containers. With CCE, you can easily deploy, manage, and scale containerized applications on HUAWEI CLOUD.

The graphical CCE console provides an end-to-end user experience. In addition, CCE supports native Kubernetes APIs and kubectl. Before using CCE, you are advised to understand the following basic concepts.

Cluster

A cluster is a group of one or more cloud servers (also known as nodes) in the same subnet. It has all the cloud resources (including VPCs and compute resources) required for running containers.

Node

A node is a cloud server (virtual or physical machine) running an instance of the Docker Engine. Containers are deployed, run, and managed on nodes. The node agent (kubelet) runs on each node to manage container instances on the node. The number of nodes in a cluster can be scaled.

Node Pool

A node pool contains one node or a group of nodes with identical configuration in a cluster.

Virtual Private Cloud (VPC)

A VPC is a logically isolated virtual network that facilitates secure internal network management and configuration. Resources in the same VPC can communicate with each other, but those in different VPCs cannot communicate by default. VPCs provide the same network functions as physical networks, plus advanced network services such as elastic IP addresses and security groups.


Security Group

A security group is a collection of access control rules for ECSs that have the same security protection requirements and are mutually trusted in a VPC. After a security group is created, you can create different access rules for it to protect the ECSs added to it.

For more information, see Security Group.

Relationship Between Clusters, VPCs, Security Groups, and Nodes

As shown in Figure 8-1, a region may comprise multiple VPCs. A VPC consists of one or more subnets. The subnets communicate with each other through a subnet gateway. A cluster is created in a subnet. There are three scenarios:

● Different clusters are created in different VPCs.

● Different clusters are created in the same subnet.

● Different clusters are created in different subnets.

Figure 8-1 Relationship between clusters, VPCs, security groups, and nodes

Pod

A pod is the smallest and simplest unit in the Kubernetes object model that you create or deploy. A pod encapsulates an application container (or, in some cases, multiple containers), storage resources, a unique network IP address, and options that govern how the containers should run.


Figure 8-2 Pod

Container

A container is a running instance of a Docker image. Multiple containers can run on one node. Containers are actually ordinary software processes on the node. Unlike other processes, they run in their own kernel namespaces and resource control groups, so they see an isolated view of the file system, network, and process table while still sharing the host's kernel.

Workload

A workload is an abstract model of a group of pods in Kubernetes. Kubernetes classifies workloads into Deployment, StatefulSet, DaemonSet, Job, and CronJob.

● Deployment: Pods are completely independent of each other and functionally identical. They feature auto scaling and rolling upgrades. Typical examples include Nginx and WordPress.

● StatefulSet: Pods are not completely independent of each other. They have stable persistent storage and feature ordered deployment and deletion. Typical examples include MySQL-HA and etcd.

● DaemonSet: A DaemonSet ensures that all (or some) nodes run a copy of a pod. It is applicable to pods that must run on every node. Typical examples include Ceph, Fluentd, and Prometheus Node Exporter.

● Job: A one-time task that runs to completion. It can be executed immediately after being created. For example, before creating a workload, you can run a job to upload an image to the image repository.

● CronJob: Runs a job periodically on a given schedule, for example, time synchronization on all active nodes at a fixed time.


Figure 8-3 Relationship between workloads and pods

Orchestration

An orchestration template describes the definitions of, and dependencies between, a group of container services. You can use orchestration templates to deploy and manage multi-container applications and non-containerized applications.

Image

Docker created an industry standard for packaging containerized applications. Docker images are like templates that include everything needed to run containers, and are used to create Docker containers. In other words, a Docker image is a special file system that includes everything needed to run containers: programs, libraries, resources, and configuration files. It also contains the configuration parameters (such as anonymous volumes, environment variables, and users) required by the container at runtime. An image does not contain any dynamic data. Its content remains unchanged after being built. When deploying containerized applications, you can use images from Docker Hub, HUAWEI CLOUD Software Repository for Container (SWR), and your private image registries. For example, a Docker image can contain a complete Ubuntu operating system in which only the required programs and dependencies are installed.

Docker images become Docker containers at runtime, that is, Docker containers are created from Docker images. Containers can be created, started, stopped, deleted, and suspended.


Figure 8-4 Relationship between images, containers, and workloads

Namespace

A namespace is an abstract collection of resources and objects. It enables resources to be organized into non-overlapping groups. Multiple namespaces can be created inside a cluster and isolated from each other. This enables namespaces to share the same cluster services without affecting each other. Examples:

● You can deploy workloads in a development environment into one namespace, and deploy workloads in a test environment into another namespace.

● Pods, Services, ReplicationControllers, and Deployments belong to a namespace (named default, by default), whereas nodes and PersistentVolumes do not belong to any namespace.


Service

A Service is an abstraction that exposes a group of applications running on pods as a network service.

Kubernetes provides a service discovery mechanism that does not require modifying applications. In this mechanism, Kubernetes gives pods their own IP addresses and a single DNS name for a group of pods, and balances load between them.

Kubernetes allows you to specify a Service of the required type. The values and behaviors of the different Service types are as follows:

● ClusterIP: A ClusterIP Service, the default Service type, is exposed through an internal IP address of the cluster. If this type is selected, the Service can be accessed only within the cluster.

● NodePort: A NodePort Service is exposed through the IP address and a static port of each node. The NodePort Service is routed to a ClusterIP Service, which is created automatically. By sending a request to <NodeIP>:<NodePort>, you can access a NodePort Service from outside the cluster.

● LoadBalancer (ELB): A LoadBalancer (ELB) Service is exposed by using the load balancer of the cloud provider. External load balancers can route requests to the NodePort and ClusterIP Services.

● DNAT: A DNAT gateway translates addresses for cluster nodes and allows multiple cluster nodes to share an EIP. DNAT Services provide higher reliability than EIP-based NodePort Services, in which the EIP is bound to a single node and, once the node is down, all inbound requests to the workload are disrupted.

Layer-7 Load Balancing (Ingress)

An ingress is a set of routing rules for requests entering a cluster. It provides Services with URLs, load balancing, SSL termination, and HTTP routing for external access to the cluster.

Network Policy

Network policies provide policy-based network control to isolate applications and reduce the attack surface. A network policy uses label selectors to simulate traditional segmented networks and controls traffic between them and traffic from outside.
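The segmentation described above, written out as Kubernetes NetworkPolicy manifests: a namespace-wide default deny, one label-selected path between two tiers, and one rule for traffic from outside. This is an added example, not part of the CCE document; the shop namespace, the tier labels, the ports and the 203.0.113.0/24 range are constructed for illustration.

```yaml
# Added example (not from the CCE document). All names, labels, ports and
# address ranges below are constructed.
#
# 1) Default deny: select every pod in the namespace and allow no ingress.
#    Any pod not matched by a later "allow" policy stays unreachable.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop              # hypothetical namespace
spec:
  podSelector: {}              # empty selector = all pods in the namespace
  policyTypes:
  - Ingress                    # no ingress rules listed, so all inbound traffic is dropped
---
# 2) Segment-to-segment rule: only pods labelled tier=frontend in the same
#    namespace may reach pods labelled tier=backend, and only on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# 3) Traffic from outside the cluster: the frontend accepts TCP/443 only from
#    a constructed corporate range (RFC 5737 documentation prefix).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-external-to-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: frontend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 203.0.113.0/24
    ports:
    - protocol: TCP
      port: 443
```

Policies are additive (a connection is allowed if any policy selecting the destination pod allows it) and are enforced only when the cluster's network plugin supports NetworkPolicy, so verify the effect with a test pod rather than assuming it.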

ConfigMap

A ConfigMap is used to store configuration data or configuration files as key-value pairs. ConfigMaps are similar to secrets, but provide a means of working with strings that do not contain sensitive information.

Secret

Secrets hold sensitive configuration data such as passwords, tokens, and keys, so that this data is not exposed in images or pod specs. A secret can be used as a volume or an environment variable.
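A ConfigMap for non-sensitive settings and a Secret for a credential, consumed by one Pod in the two ways the text names (environment variable and volume). This is an added example, not from the CCE document; the shop namespace, the object names, the image and the placeholder password are constructed.

```yaml
# Added example (not from the CCE document). Names and values are constructed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: shop              # hypothetical namespace
data:
  LOG_LEVEL: "info"            # plain strings: safe to appear in pod specs and describe output
  UPSTREAM_URL: "http://backend.shop.svc.cluster.local:8080"
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: shop
type: Opaque
stringData:                    # written as plain text here; the API server stores it base64-encoded under 'data'
  password: "replace-me-example-only"   # constructed placeholder, never a real credential
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: shop
spec:
  containers:
  - name: web
    image: nginx:1.19          # public image standing in for the application
    env:
    - name: LOG_LEVEL          # ConfigMap key -> environment variable
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: LOG_LEVEL
    volumeMounts:
    - name: db-creds
      mountPath: /etc/secrets  # Secret key -> file /etc/secrets/password
      readOnly: true
  volumes:
  - name: db-creds
    secret:
      secretName: db-credentials
      defaultMode: 0400        # file readable by its owner only
```

Prefer the volume form for credentials: an environment variable is inherited by every child process and tends to end up in logs and crash reports, while a mounted file is read only by the code that needs it.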


Label

A label is a key-value pair associated with an object, for example, a pod. Labels are used to identify special features of objects and are meaningful to users. However, labels have no direct meaning to the core system.

Label Selector

Label selectors are the core grouping mechanism of Kubernetes. Through a label selector, a client or user identifies a group of resource objects that share the same characteristics or attributes.

Annotation

Annotations are defined as key-value pairs, as labels are.

Labels have strict naming rules. They define the metadata of Kubernetes objects and are used by label selectors.

Annotations are additional user-defined information that external tools use to search for a resource object.

PersistentVolume

A PersistentVolume (PV) is a piece of network storage in a cluster. Similar to a node, it is also a cluster resource.

PersistentVolumeClaim

A PV is a storage resource, and a PersistentVolumeClaim (PVC) is a request for a PV. A PVC is similar to a pod. Pods consume node resources, and PVCs consume PV resources. Pods request CPU and memory resources, and PVCs request data volumes of a specific size and access mode.

Auto Scaling - HPA

Horizontal Pod Autoscaling (HPA) is a function that implements horizontal scaling of pods in Kubernetes. The scaling mechanism of ReplicationController can be used to scale your Kubernetes clusters.

mcore

A millicore, abbreviated as mcore, is one thousandth of a CPU core. Generally, the CPU usage of a containerized workload is measured in mcores.

Affinity and Anti-Affinity

If an application is not containerized, multiple components of the application may run on the same virtual machine and its processes communicate with each other. In the case of containerization, however, software processes are packed into different containers and each container has its own lifecycle. For example, the transaction process is packed into one container while the monitoring/logging process and the local storage process are packed into other containers. If closely related container processes run on distant nodes, routing between them will be costly and slow.

● Affinity: Containers are scheduled onto the nearest node. For example, if application A and application B frequently interact with each other, it is necessary to use the affinity feature to keep the two applications as close as possible or even let them run on the same node. In this way, no performance loss will occur due to slow routing.

● Anti-affinity: Instances of the same application spread across different nodes to achieve higher availability. Once a node is down, instances on other nodes are not affected. For example, if an application has multiple replicas, it is necessary to use the anti-affinity feature to deploy the replicas on different nodes. In this way, no single point of failure will occur.

Node Affinity

By selecting labels, you can schedule pods to specific nodes.

Node Anti-Affinity

By selecting labels, you can prevent pods from being scheduled to specific nodes.

Pod Affinity

You can deploy pods onto the same node to reduce consumption of network resources.

Pod Anti-Affinity

You can deploy pods of a workload onto different nodes to reduce the impact of system breakdowns. Anti-affinity deployment is also recommended for workloads that may interfere with each other.
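A Deployment combining the four features just described: node affinity and node anti-affinity through a node label, and pod anti-affinity to keep the replicas on different nodes. This is an added example, not from the CCE document; the shop namespace, the workload-class node label, the app label and the image are assumptions.

```yaml
# Added example (not from the CCE document). Names and labels are constructed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop                      # hypothetical namespace
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              # Node affinity: only nodes labelled workload-class=general.
              - key: workload-class    # hypothetical node label
                operator: In
                values: ["general"]
              # Node anti-affinity: never nodes labelled workload-class=storage.
              - key: workload-class
                operator: NotIn
                values: ["storage"]
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          # Pod anti-affinity: no two pods with app=api on the same node,
          # so losing one node takes down at most one replica.
          - labelSelector:
              matchLabels:
                app: api
            topologyKey: kubernetes.io/hostname
      containers:
      - name: api
        image: nginx:1.19                # public image standing in for the application
        ports:
        - containerPort: 8080
```

Because the pod anti-affinity is "required", three replicas need at least three eligible nodes; on a smaller node pool the surplus replicas stay Pending, which is the safe failure rather than silently co-locating them.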

Resource Quota

Resource quotas are used to limit the resource usage of users.

Resource Limit (LimitRange)

By default, containers in Kubernetes have no CPU or memory limit. A LimitRange (limits for short) is used to add a resource limit to a namespace, including the minimum, maximum, and default amounts of resources. When a pod is created, resources are allocated according to the limits parameters.
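A ResourceQuota for the namespace paired with a LimitRange that supplies the minimum, maximum and default amounts the text mentions, so that no container can run unbounded and no single namespace can starve the cluster. This is an added example, not from the CCE document; the shop namespace and all figures are constructed.

```yaml
# Added example (not from the CCE document). Namespace and figures are constructed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: shop-quota
  namespace: shop              # hypothetical namespace
spec:
  hard:
    requests.cpu: "4"          # sum of CPU requests of all pods in the namespace
    requests.memory: 8Gi
    limits.cpu: "8"            # sum of CPU limits of all pods in the namespace
    limits.memory: 16Gi
    pods: "20"                 # at most 20 pods in the namespace
---
apiVersion: v1
kind: LimitRange
metadata:
  name: shop-limits
  namespace: shop
spec:
  limits:
  - type: Container
    min:                       # containers requesting less than this are rejected
      cpu: 50m                 # 50 mcores (see the mcore definition above)
      memory: 32Mi
    max:                       # containers asking for more than this are rejected
      cpu: "2"
      memory: 2Gi
    default:                   # limit applied when the pod spec sets none
      cpu: 500m
      memory: 512Mi
    defaultRequest:            # request applied when the pod spec sets none
      cpu: 100m
      memory: 128Mi
```

Once a quota constrains requests.* or limits.*, the API server rejects any pod that omits those values, which is why the LimitRange defaults are deployed together with it.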

Environment Variable

An environment variable is a variable whose value can affect the way a running container behaves. A maximum of 30 environment variables can be defined at container creation time. You can modify environment variables even after workloads are deployed, increasing flexibility in workload configuration.

Setting environment variables on CCE has the same effect as specifying ENV in a Dockerfile.


Istio-based Application Service Mesh (ASM)

Istio is an open platform that connects, secures, controls, and observes microservices.

Istio-based ASM is integrated into CCE and provides a non-intrusive approach to microservice governance. It supports complete lifecycle management and traffic management, and is compatible with the Kubernetes and Istio ecosystems. You can start ASM in just a few clicks. Then ASM intelligently controls the flow of traffic by using a variety of features including load balancing, circuit breakers, and rate limiting. The built-in support for canary release, blue-green release, and other forms of grayscale release enables you to automate release management all in one place. Based on the monitoring data that is collected non-intrusively, ASM works closely with HUAWEI CLOUD Application Performance Management (APM) to provide a panoramic view of your services, including real-time traffic topology, tracing, performance monitoring, and runtime diagnosis.

8.2 Mappings Between CCE and Kubernetes Terms

Kubernetes (K8s) is an open-source system for automating the deployment, scaling, and management of container clusters. It is a container orchestration tool and a leading solution based on the distributed architecture of container technology. Kubernetes is built on the open-source Docker technology and automates deployment, resource scheduling, service discovery, and dynamic scaling of containerized applications.

This topic describes the mappings between CCE and Kubernetes terms.

Table 8-1 Mappings between CCE and Kubernetes terms

CCE                       Kubernetes
Cluster                   Cluster
Node                      Node
Node pool                 NodePool
Container                 Container
Image                     Image
Namespace                 Namespace
Deployment                Deployment
StatefulSet               StatefulSet
DaemonSet                 DaemonSet
Job                       Job
Cron job                  CronJob
Pod                       Pod
Service                   Service
ClusterIP                 Cluster IP
NodePort                  NodePort
LoadBalancer              LoadBalancer
Layer-7 load balancing    Ingress
Network policy            NetworkPolicy
Chart                     Template
ConfigMap                 ConfigMap
Secret                    Secret
Label                     Label
Label selector            LabelSelector
Annotation                Annotation
Volume                    PersistentVolume
PersistentVolumeClaim     PersistentVolumeClaim
Auto scaling              HPA
Node affinity             NodeAffinity
Node anti-affinity        NodeAntiAffinity
Pod affinity              PodAffinity
Pod anti-affinity         PodAntiAffinity
Webhook                   Webhook
Endpoint                  Endpoint
Quota                     Resource Quota
Resource limit            Limit Range

8.3 Regions and AZs

Definition

A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.

● Regions are divided based on geographical location and network latency. Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region. Regions are classified as universal regions and dedicated regions. A universal region provides universal cloud services for common domains. A dedicated region provides services of the same type only or for specific domains.

● An AZ contains one or more physical data centers. Each AZ has independent cooling, fire extinguishing, moisture-proof, and electricity facilities. Within an AZ, computing, network, storage, and other resources are logically divided into multiple clusters. AZs in a region are interconnected through high-speed optical fibers. This is helpful if you deploy systems across AZs to achieve higher availability.

Figure 8-5 shows the relationship between the region and AZ.

Figure 8-5 Regions and AZs

HUAWEI CLOUD provides services in many regions around the world. You can select a region and AZ as needed. For more information, see HUAWEI CLOUD Products.

How to Select a Region?

When selecting a region, consider the following factors:

● Location

Select a region close to you or your target users to reduce network latency and improve access rate. Chinese mainland regions provide basically the same infrastructure, BGP network quality, as well as operations and configurations on resources. If you or your target users are in the Chinese mainland, you do not need to consider the network latency differences when selecting a region.

– If you or your target users are in the Asia Pacific region, except the Chinese mainland, select the AP-Hong-Kong, AP-Bangkok, or AP-Singapore region.

– If you or your target users are in South Africa, select the AF-Johannesburg region.

– If you or your target users are in Europe, select the EU-Paris region.

● Resource price

Resource prices may vary in different regions. For details, see Product Pricing Details.


Selecting an AZ

When deploying resources, consider your applications' requirements on disaster recovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs within the same region.

● For low network latency, deploy resources in the same AZ.

Regions and Endpoints

When using an API to access resources, you must specify a region and endpoint. For details, see Regions and Endpoints.


9 Related Services

CCE works with the following cloud services and requires permissions to access them.

Figure 9-1 Relationships between CCE and other services

Elastic Cloud Server (ECS)

An ECS is a computing server consisting of CPUs, memory, images, and EVS disks, and it allows on-demand allocation and auto scaling. The Huawei ECS service integrates VPC, virtual firewalls, and multi-data-copy capabilities to build an efficient, reliable, and secure computing environment so that your services run stably and continuously.

An ECS with multiple EVS disks is a node in CCE. You can choose ECS specifications during node creation.


For more information, see Elastic Cloud Server (ECS).

Virtual Private Cloud (VPC)

A virtual private cloud (VPC) is a secure, isolated, logical network on HUAWEI CLOUD. You can create security groups and subnets, configure IP address ranges, specify bandwidth sizes, and assign Elastic IP addresses (EIPs) in a VPC.

A VPC provides a logically isolated virtual network environment for ECSs. With VPC, you have full control over your virtual networks, for example, assigning EIPs, creating subnets, configuring DHCP, and configuring security groups. In addition, VPCs can be connected to traditional data centers through VPN or leased lines to flexibly integrate resources.

For security reasons, all clusters created by CCE must run in VPCs. When creating a namespace, you need to create a VPC or bind an existing VPC to the namespace so that all containers in the namespace run in this VPC.

Elastic Load Balance (ELB)

ELB automatically distributes access traffic to multiple cloud servers to balance the loads. It enhances an application's fault tolerance and service continuity.

CCE works with ELB to load balance a workload's access requests across multiple pods of the workload.

When ELB is used, the load balancer's address, instead of the workload address, is exposed to users. User requests first arrive at ELB via a public network and are then routed by ELB to different pods of the workload.

NAT Gateway

The NAT Gateway service provides source network address translation (SNAT) for container instances in a VPC. The SNAT feature translates the private IP addresses of these container instances to the same EIP, which is a public IP address reachable on the Internet.

You can define SNAT rules on the NAT gateway to let containers access the Internet.

Software Repository for Container (SWR)

The SWR service provides easy, secure, and reliable management of container images throughout their lifecycles, facilitating quick deployment of containerized services.

An image repository is used to store and manage Docker images.

You can create workloads from images in Software Repository for Container (SWR).

Elastic Volume Service (EVS)

EVS disks can be attached to cloud servers and scaled to a higher capacity whenever needed.


For more information, see Elastic Volume Service (EVS).

Object Storage Service (OBS)

OBS provides stable, secure, cost-efficient, and object-based cloud storage for data of any size. With OBS, you can create, modify, and delete buckets, as well as upload, download, and delete objects.

CCE allows you to create an OBS volume and attach it to a path inside a container.

For more information, see Object Storage Service (OBS).

Scalable File Service (SFS)

SFS provides shared, fully managed file storage. Compatible with the Network File System protocol, SFS file systems can elastically scale up to petabytes, thus ensuring top performance of data-intensive and bandwidth-intensive applications.

You can use SFS file systems as persistent storage for containers and attach the file systems to containers when creating a workload.

For more information, see Scalable File Service (SFS).

Application Operations Management (AOM)

AOM is a one-stop O&M platform that monitors applications and resources in real time. By analyzing dozens of metrics and the correlation between alarms and logs, AOM helps you quickly locate faults.

AOM collects container log files in formats like .log from CCE and dumps them to AOM. On the AOM console, you can easily query and view log files. In addition, AOM monitors CCE resource usage. When CCE resource usage reaches a preset threshold, CCE will trigger auto scaling.

For information, see Application Operations Management (AOM).

Cloud Trace Service (CTS)

CTS records operations on cloud service resources, allowing users to query, audit, and backtrack the resource operation requests initiated from the management console or open APIs, as well as the responses to the requests.

For information, see Cloud Trace Service (CTS).
