This topic describes the constraints on using services such as Container Service for Kubernetes (ACK) and Alibaba Cloud Container Registry (ACR) in Enterprise Distributed Application Service (EDAS).

Constraints on managing Elastic Compute Service (ECS) instances that are purchased by EDAS during a scale-out in an ECS cluster

You must not delete the ESS tag of the ECS instances that are purchased by EDAS during a scale-out.

Constraints on configuring ECS instances when you create an application

When you create an application, you may need to configure a security group for the ECS instances of the application and bind a Server Load Balancer (SLB) instance to them. After the ECS instances are created, you may need to log on to the ECS instances. This section describes the constraints on managing ECS instances.

  • Constraints on modifying system configurations in an ECS cluster: After an application is created, you may log on to an ECS instance of the application to configure the system. You must comply with the following constraints:
    • You must not delete the admin user.
    • You must not delete the /home/admin configuration.
    • You must not stop the following processes on the ECS instance:
      • /home/staragent/bin/staragentd
      • com.alibaba.edas.agent.AgentDaemon
    • You must not delete the following crontab files on the ECS instance:
      • bash /home/admin/edas-agent/bin/monitor.sh in the crontab file of the root user
      • bash /home/admin/edas-agent/bin/rotator.sh in the crontab file of the admin user
    • You must reserve enough free space in the root disk partition.
    • If you use the CentOS operating system, make sure that you correctly configure yum repositories.
    • If the ECS instance has multiple network interface controllers (NICs), for example because Docker is installed, and the application that you use is a High-Speed Service Framework (HSF) application, you must specify the -Dhsf.server.ip parameter for the application to ensure that the registered IP address works. For more information, see Set JVM -D startup parameters.
  • Constraint on configuring the security group in an ECS cluster: You must not delete or modify the security rules that are created by EDAS.
  • Constraint on configuring an SLB instance in an ECS cluster: You must not disable the session persistence feature enabled for HTTP listeners by EDAS.
  • Constraints on using ACR in a Kubernetes cluster:
    • To use images in ACR across accounts or across regions, you must configure the aliyun-acr-credential-helper component for ACR.
    • You must also add the virtual private cloud (VPC) in which the cluster resides to the access control list (ACL) of the corresponding repository.

Constraints on importing a Kubernetes cluster

  • Constraints on configuring the security group of the Kubernetes cluster:
    • You must ensure that all the nodes in the Kubernetes cluster are in or can connect to the security group of the cluster. For more information, see Why do containers fail to communicate with each other?.
    • You must not delete the default rules that are set by ACK for the security group.
  • Constraints on configuring nodes in the Kubernetes cluster:
    • To ensure that the management component of EDAS runs properly in the cluster, you must reserve sufficient allocatable CPUs, memory, and pods.
    • You must not delete the KubernetesWorkerRole-* RAM role that ACK configures for a node.
  • Constraints on configuring an SLB instance for API Server of the Kubernetes cluster:
    • You must not block access requests from the 100.104.0.0/16 internal addresses.
    • You must not delete the built-in tags added to the SLB instance by ACK.
    • You must not reuse port 6443 on the SLB instance.
  • Constraints on managing Helm charts in the Kubernetes cluster:
    • You must not delete the ahas-sentinel-pilot, arms-eventer, arms-pilot, or arms-prom component installed by EDAS and all resources installed by these Helm charts.
    • You must not install open source oam-runtime, kubevela, keda, or flagger.
    • You must not delete or modify Kubernetes resources within the edas-oam-system namespace.
  • Constraint on managing ClusterRole:

    You must not use the ACK console, kubectl, or third-party tools to delete or modify edas-default-cluster-role.

  • Constraint on managing ClusterRoleBinding:

    You must not use the ACK console, kubectl, or third-party tools to delete or modify edas-default-cluster-role-binding, edas-oam-cluster-role-binding, or keda-hpa-controller-external-metrics.

  • Constraints on managing custom resource definitions (CRDs) and custom resources (CRs):
    • You must not directly manage the following CRDs or CRs:
      • alertproviders.flagger.app
      • applicationconfigurations.core.oam.dev
      • applications.oam-domain.alibabacloud.com
      • applicationscopes.core.oam.dev
      • autoscalings.edas.aliyun.oam.com
      • basecomponents.oam-domain.alibabacloud.com
      • canaries.flagger.app
      • componentschematics.core.oam.dev
      • crdreleases.clm.cloudnativeapp.io
      • dynamiclabels.extension.oam.dev
      • imagebuilders.edas.aliyun.oam.com
      • logcollectors.edas.aliyun.oam.com
      • meshtraits.edas.aliyun.oam.com
      • metrictemplates.flagger.app
      • mseruletraits.edas.aliyun.oam.com
      • packageversions.oam-domain.alibabacloud.com
      • rollouts.edas.aliyun.oam.com
      • scaledobjects.keda.k8s.io
      • scalingrules.oam-domain.alibabacloud.com
      • serviceregistrytraits.edas.aliyun.oam.com
      • servicetraits.edas.aliyun.oam.com
      • sources.clm.cloudnativeapp.io
      • traits.core.oam.dev
      • triggerauthentications.keda.k8s.io
      • workloadtypes.core.oam.dev
    • You must not modify the aliyunlogconfigs.log.alibabacloud.com resources created by EDAS. The resources have the edas-domain: edas-admin tag.

Constraint on managing Ingresses in a Kubernetes cluster

You must not modify the Ingress resources created by EDAS. The resources have the edas-domain: edas-admin or edas-domain tag.

Constraint on managing configurations in a Kubernetes cluster

You must not modify the ConfigMap and Secret resources created by EDAS. The resources have the edas-domain: edas-admin or edas-domain tag.

Constraints on binding an SLB instance in a Kubernetes cluster

  • You must not use the ACK console, kubectl, or third-party tools to delete or modify the Service resources created by EDAS. The resources have the edas-domain: edas-admin tag. For more information, see Service FAQ.
  • You must not use the SLB console to delete or modify the SLB instances purchased by EDAS.
  • You must not use the SLB console to delete or modify the HTTP listeners of the SLB instances purchased by EDAS.

Constraints on editing YAML files in a Kubernetes cluster

  • Operations that are forbidden:
    • You must not use the ACK console, kubectl, or third-party tools to delete or modify the Deployment resources created by EDAS. The resources have the edas-domain: edas-admin tag.
    • You must not modify the apiVersion, kind, name, namespace, uid, resourceVersion, selfLink, generation, creationTimestamp, ownerReferences, managedFields, selector, strategy, revisionHistoryLimit, or progressDeadlineSeconds fields of a Deployment. You must not modify the information in the Status field.
    • You must not delete or modify the following EDAS-specific labels and annotations of a Deployment, including the EDAS-specific labels and annotations in a pod template:
      • edas-domain
      • edas.aliyun.oam.com/rollout-name
      • edas.aliyun.oam.com/rollout-namespace
      • edas.aliyun.oam.com/rollout-revision
      • edas.appid
      • edas.controlplane
      • edas.oam.acname
      • edas.oam.acversion
      • edas.oam.basecomponent
      • deployment.kubernetes.io/revision
      • ARMSApmAppId
      • ARMSApmLicenseKey
      • app
      • edas.component
      • edas.groupid
      • version
      • edas.revision
      • sidecar.istio.io/inject
    • You must not modify the HostPath volume of a Deployment that records the configurations of disk mounting. You can modify the configurations by using the deployment feature in the EDAS console.
    • You must not modify the name of the group-1 container of a Deployment.
    • You must not modify the following environment variables reserved by EDAS:
      • POD_IP
      • HOST_IP
      • EDAS_APP_ID
      • EDAS_PROJECT_NAME
      • EDAS_GROUP_ID
      • EDAS_APP_NAME
      • EDAS_AC_NAME
      • EDAS_ECC_ID
      • EDAS_JM_CONTAINER_ID
      • EDAS_PACKAGE_VERSION
      • EDAS_AHAS_APPNAME
      • EDAS_DPATH_OPTS
      • EDAS_GRAY_OPTS
      • ALIBABA_ALIWARE_NAMESPACE
      • ALIBABA_ALIWARE_ENDPOINT_URL
      • ALIBABA_ALIWARE_ENDPOINT_PORT
      • ALIBABA_DEPLOY_VERSION
      • profiler.micro.service.canary.enable
      • profiler.micro.service.metadata.report.enable
      • profiler.micro.service.auth.enable
    • You must not modify the volume named volume-edas-certs that records the configurations of disk mounting.
    • You must not modify the restartPolicy, schedulerName, or runtimeClassName field of a Deployment.
  • Operations that are allowed:
    • You can modify the replicas field for a Deployment to scale out or scale in applications.
    • You can modify the emptyDir volume of a Deployment that records the configurations of disk mounting to share files across containers.
    • You can add multiple containers for a Deployment to enable the sidecar feature. However, you must ensure that the group-1 container is at the top of the container list.
    • You can modify the hostAlias field of a Deployment to resolve a custom domain name.
    • You can modify the nodeAffinity, podAffinity, and podAntiAffinity fields of a Deployment to specify the scheduling policy.
    • You can modify the toleration field of a Deployment to manage the scheduling.
    • You can add labels and annotations to a Deployment to enable specific features.
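
The forbidden and allowed operations above can be checked mechanically before an edited manifest is applied. The following is an added example, not EDAS tooling or code from the original page: it compares the live Deployment with its edited copy and lists every constraint the edit breaks. It assumes both objects are complete and already loaded as Python dicts (for example from JSON), and that the first container of the live object is the EDAS container; `violations`, `dig`, and the sample object are names made up for this example.

```python
# Field and key names are copied from the constraint lists on this page.
PROTECTED_KEYS = set("""edas-domain edas.aliyun.oam.com/rollout-name
edas.aliyun.oam.com/rollout-namespace edas.aliyun.oam.com/rollout-revision edas.appid
edas.controlplane edas.oam.acname edas.oam.acversion edas.oam.basecomponent
deployment.kubernetes.io/revision ARMSApmAppId ARMSApmLicenseKey app edas.component
edas.groupid version edas.revision sidecar.istio.io/inject""".split())
RESERVED_ENV = set("""POD_IP HOST_IP EDAS_APP_ID EDAS_PROJECT_NAME EDAS_GROUP_ID
EDAS_APP_NAME EDAS_AC_NAME EDAS_ECC_ID EDAS_JM_CONTAINER_ID EDAS_PACKAGE_VERSION
EDAS_AHAS_APPNAME EDAS_DPATH_OPTS EDAS_GRAY_OPTS ALIBABA_ALIWARE_NAMESPACE
ALIBABA_ALIWARE_ENDPOINT_URL ALIBABA_ALIWARE_ENDPOINT_PORT ALIBABA_DEPLOY_VERSION
profiler.micro.service.canary.enable profiler.micro.service.metadata.report.enable
profiler.micro.service.auth.enable""".split())
POD = ("spec", "template", "spec")
FROZEN = [("apiVersion",), ("kind",), ("status",)] + [POD + (f,) for f in ("restartPolicy", "schedulerName", "runtimeClassName")]
FROZEN += [("metadata", f) for f in ("name namespace uid resourceVersion selfLink generation "
                                     "creationTimestamp ownerReferences managedFields").split()]
FROZEN += [("spec", f) for f in "selector strategy revisionHistoryLimit progressDeadlineSeconds".split()]

def dig(obj, path):  # walk nested dicts along path; a missing key yields None
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def violations(live, edited):
    """List the page's constraints that `edited` breaks relative to `live`."""
    out = [".".join(p) for p in FROZEN if dig(live, p) != dig(edited, p)]
    for base in (("metadata",), ("spec", "template", "metadata")):
        for kind in ("labels", "annotations"):
            old, new = (dig(d, base + (kind,)) or {} for d in (live, edited))
            out += [f"{'.'.join(base)}.{kind}[{k}]" for k in sorted(PROTECTED_KEYS) if old.get(k) != new.get(k)]
    pod_old, pod_new = (dig(d, POD) or {} for d in (live, edited))
    first_old, first_new = ((p.get("containers") or [{}])[0] for p in (pod_old, pod_new))
    # The EDAS container (group-1 on the page) must keep its name and stay first.
    out += ["containers[0].name"] if first_old.get("name") != first_new.get("name") else []
    env_old, env_new = ({e["name"]: e for e in c.get("env", [])} for c in (first_old, first_new))
    out += [f"env[{n}]" for n in sorted(RESERVED_ENV) if env_old.get(n) != env_new.get(n)]
    vols_new = {v["name"]: v for v in pod_new.get("volumes", [])}
    out += [f"volumes[{v['name']}]" for v in pod_old.get("volumes", [])
            if ("hostPath" in v or v["name"] == "volume-edas-certs") and vols_new.get(v["name"]) != v]
    return out

# Constructed sample object (values and the volume type are placeholders, not from a real cluster).
LIVE = {"apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "demo", "labels": {"edas.appid": "app-0001"}},
        "spec": {"replicas": 2, "template": {"metadata": {"labels": {"edas.appid": "app-0001"}}, "spec": {
            "containers": [{"name": "group-1", "env": [{"name": "EDAS_APP_ID", "value": "app-0001"}]}],
            "volumes": [{"name": "volume-edas-certs", "emptyDir": {}}]}}}}

if __name__ == "__main__":
    print(violations(LIVE, {**LIVE, "kind": "StatefulSet"}))  # a frozen field was changed
```

An empty result means the edit stays within the allowed operations, such as changing replicas, appending a sidecar after the first container, or adding new labels.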

Constraints on managing Horizontal Pod Autoscaling (HPA) in a Kubernetes cluster

  • You must not use the ACK console, kubectl, or third-party tools to configure HPA resources for EDAS applications. You must configure HPA resources by using the auto scaling feature in the EDAS console.
  • You must not delete or modify the HPA resources created by EDAS. The ownerReferences field of the resources is set to ScaleObject.
  • After you enable auto scaling, you must not directly modify the replicas field of a Deployment.