
How Do I Harden the Automatically Created Security Group Rules for CCE Cluster Nodes?

CCE is a general-purpose container platform, and its default security group rules are written for common scenarios. When a cluster is created, CCE automatically creates one security group for the master nodes and one for the worker nodes. The master node security group is named {Cluster name}-cce-control-{Random ID}, and the worker node security group is named {Cluster name}-cce-node-{Random ID}. For a CCE Turbo cluster, an additional ENI security group named {Cluster name}-cce-eni-{Random ID} is created.

Log in to the management console and choose Service List > Network > Virtual Private Cloud. On the Network Console, choose Access Control > Security Groups, locate the security groups created for the CCE cluster, and modify their rules to harden them.

For a security group automatically created by CCE, the default outbound rule allows all ports and destinations. The ports allowed by the default inbound rules are listed in Security Group Rules for the Master Node and Security Group Rules for Worker Nodes.

Modifying or deleting security group rules may affect cluster operation, so exercise caution. If you need to modify security group rules, do not change the rules for the ports on which CCE depends (marked "Not recommended" in the tables below); restrict only the rules marked as modifiable, and always keep the source addresses that the tables say must remain permitted.

Security Group Rules for the Master Node

The security group name of the master node is {Cluster name}-cce-control-{Random ID}. Figure 1 shows the default inbound rules, and Table 1 describes each port. The rule whose source is the security group itself (or the VPC CIDR block) must remain in place so that traffic between members of the security group is allowed.

Figure 1 Security group rules for the master node
Table 1 Default ports in the security group of the master node

| Port | Default Source Address | Description | Modifiable | Modification Suggestion |
|------|------------------------|-------------|------------|-------------------------|
| TCP: 5444 | VPC CIDR block and container CIDR block | Service port of kube-apiserver, which provides lifecycle management for Kubernetes resources. | Not recommended | N/A |
| UDP: 4789 (required only for clusters using the container tunnel network model) | All IP addresses | Used for network access between containers (VXLAN tunnel traffic). | Not recommended | N/A |
| TCP: 9443 | VPC CIDR block | Used by the networking add-on of a worker node to access the master node. | Not recommended | N/A |
| TCP: 5443 | All IP addresses | Port on which kube-apiserver of the master node listens. | Yes | If you restrict this port, it must still permit requests from the VPC CIDR block, the container CIDR block, the control plane CIDR block of the hosted service mesh (if one is used), and the CloudShell CIDR block described below. |
| TCP: 8445 | VPC CIDR block | Used by the storage add-on of a worker node to access the master node. | Not recommended | N/A |
| All | Current security group or VPC CIDR block | Traffic from the source addresses defined in the security group must be allowed. | Not recommended | N/A |

By default, port 5443 allows access from all IP addresses. If you harden this rule, keep an entry that allows port 5443 from the 198.19.128.0/20 CIDR block so that CloudShell continues to work. CloudShell is implemented on VPC Endpoint (VPCEP) and reaches the cluster from that block; if port 5443 does not allow access from 198.19.128.0/20, the cluster cannot be accessed through CloudShell. For more information about VPCEP security groups, see the VPC Endpoint documentation.

Security Group Rules for Worker Nodes

The security group name of a worker node is {Cluster name}-cce-node-{Random ID}. Table 2 describes the default inbound rules. The rule whose source is the security group itself (or the VPC CIDR block) must remain in place so that traffic between members of the security group is allowed.

Table 2 Default ports in the security group of a worker node

| Port | Default Source Address | Description | Modifiable | Modification Suggestion |
|------|------------------------|-------------|------------|-------------------------|
| UDP: 4789 (required only for clusters using the container tunnel network model) | All IP addresses | Used for network access between containers (VXLAN tunnel traffic). | Not recommended | N/A |
| TCP: 10250 | IP address of the master node | Used by the master node to proactively access the kubelet of the node (for example, when you run kubectl exec {pod}). | Not recommended | N/A |
| TCP: 30000-32767 and UDP: 30000-32767 | All IP addresses | Default port range of NodePort Services in the cluster. | Yes | If you restrict this range, it must still permit requests from the VPC, container, and ELB CIDR blocks. |
| TCP: 22 | All IP addresses | Port that allows remote access to Linux ECSs using SSH. | Modification recommended | Restrict the source to the CIDR blocks your administrators or bastion hosts connect from instead of all IP addresses. When CloudShell is used to remotely log in to a node, the 198.19.128.0/20 CIDR block must also be permitted. |
| All | Current security group or VPC CIDR block | Traffic from the source addresses defined in the security group must be allowed. | Not recommended | N/A |
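The two tables above give a checklist, but a checklist is easy to get wrong in both directions: leaving a modifiable port open to 0.0.0.0/0, or narrowing port 5443 or port 22 so far that the CloudShell block is lost. The following script is an added example (not part of the CCE documentation or any Huawei Cloud tool) that audits a set of inbound rules offline against Table 1, Table 2 and the CloudShell note. It assumes rules are expressed with the field names of the VPC security-group-rule API (direction, protocol, port range, remote_ip_prefix, remote_group_id); the CIDR blocks, master IP and rule sets in it are constructed sample data, not values from a real cluster.

```python
"""Offline audit of CCE security group rules against Tables 1 and 2 above.

Added example, not part of the CCE documentation or any Huawei Cloud tool.
Assumption: rules use the VPC security-group-rule API field names
(direction, protocol, port_range_min/max, remote_ip_prefix, remote_group_id).
All CIDR blocks and rule sets below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

CLOUDSHELL_CIDR = "198.19.128.0/20"   # CloudShell (VPCEP) source block from the page
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    direction: str                   # "ingress" or "egress"
    protocol: Optional[str]          # "tcp", "udp" or None for any protocol
    port_min: Optional[int]          # None means all ports
    port_max: Optional[int]
    remote_ip_prefix: Optional[str]  # source CIDR; None when remote_group_id is used
    remote_group_id: Optional[str] = None

    def admits(self, proto: str, port: int, source: str) -> bool:
        """True if this inbound rule allows proto/port from every address in source."""
        if self.direction != "ingress" or self.remote_ip_prefix is None:
            return False
        if self.protocol not in (None, proto):
            return False
        if self.port_min is not None and not self.port_min <= port <= self.port_max:
            return False
        src, allowed = ipaddress.ip_network(source), ipaddress.ip_network(self.remote_ip_prefix)
        return src.version == allowed.version and src.subnet_of(allowed)


def required_master_access(vpc_cidr: str, container_cidr: str) -> list[tuple]:
    """Inbound access that Table 1 and the CloudShell note say must survive hardening."""
    return [
        ("tcp", 5443, CLOUDSHELL_CIDR, "CloudShell (VPCEP) access to kube-apiserver"),
        ("tcp", 5443, vpc_cidr, "in-VPC access to kube-apiserver"),
        ("tcp", 5443, container_cidr, "pod access to kube-apiserver"),
        ("tcp", 5444, vpc_cidr, "kube-apiserver service port"),
        ("tcp", 5444, container_cidr, "kube-apiserver service port"),
        ("tcp", 9443, vpc_cidr, "networking add-on to master"),
        ("tcp", 8445, vpc_cidr, "storage add-on to master"),
    ]


def required_worker_access(master_ip: str, vpc_cidr: str) -> list[tuple]:
    """Inbound access that Table 2 says must survive hardening (ELB CIDR not modelled)."""
    return [("tcp", 10250, f"{master_ip}/32", "master to kubelet (kubectl exec/logs)")] + [
        (proto, port, vpc_cidr, "NodePort range from the VPC")
        for proto in ("tcp", "udp") for port in (30000, 32767)]


# Ports the page marks "Modifiable" that should not stay open to 0.0.0.0/0.
EXPOSURES = [
    ("tcp", 22, "SSH: restrict to admin/bastion CIDRs plus 198.19.128.0/20 for CloudShell"),
    ("tcp", 5443, "kube-apiserver: restrict to VPC, container, service-mesh and CloudShell CIDRs"),
    ("tcp", 30000, "NodePort range: restrict to VPC, container and ELB CIDRs"),
    ("udp", 30000, "NodePort range: restrict to VPC, container and ELB CIDRs"),
]


def audit(rules: list[Rule], required: list[tuple]) -> list[str]:
    """Return findings: required access that is missing, then modifiable ports open to all."""
    findings = []
    for proto, port, source, reason in required:
        if not any(r.admits(proto, port, source) for r in rules):
            findings.append(f"MISSING {proto}/{port} from {source}: {reason}")
    for proto, port, advice in EXPOSURES:
        if any(r.admits(proto, port, ANY) for r in rules):
            findings.append(f"OPEN {proto}/{port} from {ANY}: {advice}")
    return findings


# Constructed sample values (hypothetical, not a real cluster).
VPC_CIDR, CONTAINER_CIDR = "192.168.0.0/16", "10.0.0.0/16"
MASTER_IP, ADMIN_CIDR = "192.168.1.10", "203.0.113.0/24"
SELF = Rule("ingress", None, None, None, None, remote_group_id="sg-self")  # the "All" row

DEFAULT_MASTER = [  # Table 1 as created by CCE
    Rule("ingress", "tcp", 5444, 5444, VPC_CIDR), Rule("ingress", "tcp", 5444, 5444, CONTAINER_CIDR),
    Rule("ingress", "udp", 4789, 4789, ANY), Rule("ingress", "tcp", 9443, 9443, VPC_CIDR),
    Rule("ingress", "tcp", 5443, 5443, ANY), Rule("ingress", "tcp", 8445, 8445, VPC_CIDR), SELF,
]
# Hardened correctly: 5443 narrowed, but the CloudShell block is kept.
HARDENED_MASTER = [r for r in DEFAULT_MASTER if r.port_min != 5443] + [
    Rule("ingress", "tcp", 5443, 5443, c) for c in (VPC_CIDR, CONTAINER_CIDR, CLOUDSHELL_CIDR)]
# Over-hardened: 5443 from the VPC only, which breaks CloudShell and pod access.
OVERHARDENED_MASTER = [r for r in DEFAULT_MASTER if r.port_min != 5443] + [
    Rule("ingress", "tcp", 5443, 5443, VPC_CIDR)]

DEFAULT_WORKER = [  # Table 2 as created by CCE
    Rule("ingress", "udp", 4789, 4789, ANY), Rule("ingress", "tcp", 10250, 10250, f"{MASTER_IP}/32"),
    Rule("ingress", "tcp", 30000, 32767, ANY), Rule("ingress", "udp", 30000, 32767, ANY),
    Rule("ingress", "tcp", 22, 22, ANY), SELF,
]
# Hardened: SSH from the admin block and CloudShell only, NodePorts from the VPC (4789 untouched).
HARDENED_WORKER = [r for r in DEFAULT_WORKER if r.remote_ip_prefix != ANY or r.port_min == 4789] + [
    Rule("ingress", "tcp", 22, 22, ADMIN_CIDR), Rule("ingress", "tcp", 22, 22, CLOUDSHELL_CIDR),
    Rule("ingress", "tcp", 30000, 32767, VPC_CIDR), Rule("ingress", "udp", 30000, 32767, VPC_CIDR),
]

if __name__ == "__main__":
    master_req = required_master_access(VPC_CIDR, CONTAINER_CIDR)
    worker_req = required_worker_access(MASTER_IP, VPC_CIDR)
    for name, rules, req in [("default master", DEFAULT_MASTER, master_req),
                             ("over-hardened master", OVERHARDENED_MASTER, master_req),
                             ("default worker", DEFAULT_WORKER, worker_req),
                             ("hardened worker", HARDENED_WORKER, worker_req)]:
        print(f"{name}: {audit(rules, req) or ['OK']}")
```

Running it reports one OPEN finding for the default master group (port 5443 open to all), two MISSING findings for the over-hardened master group (no 5443 access from 198.19.128.0/20 or from the container CIDR), three OPEN findings for the default worker group (SSH and both NodePort ranges), and no findings for the correctly hardened groups. The source check uses subnet containment, so a rule for 0.0.0.0/0 satisfies every required source, while a rule narrower than a required block is correctly reported as missing.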

ENI Security Group Rules

A security group named {Cluster name}-cce-eni-{Random ID} is created for a CCE Turbo cluster and attached to the ENIs used by its pods. Table 3 describes the default inbound rule.

Table 3 Default ports of the ENI security group

| Port | Default Source Address | Description | Modifiable | Modification Suggestion |
|------|------------------------|-------------|------------|-------------------------|
| All | Current security group or VPC CIDR block | Traffic from the source addresses defined in the security group must be allowed. | Not recommended | N/A |