SecurityGroups
When the Cloud Native Network 2.0 model is used, pods use Huawei Cloud VPC ENIs or sub-ENIs for networking. You can directly bind security groups and EIPs to pods. CCE provides a custom resource object named SecurityGroup for you to associate security groups with pods in CCE. You can customize workloads with specific security isolation requirements using SecurityGroups.
Notes and Constraints
- This function is supported for CCE Turbo clusters of v1.19 and later. Upgrade your CCE Turbo clusters if their versions are earlier than v1.19.
- A workload can be bound to a maximum of five security groups.
Using kubectl
- Use kubectl to connect to the cluster. For details, see Connecting to a Cluster Using kubectl.
- Create a description file named securitygroup-demo.yaml.
vi securitygroup-demo.yaml
For example, the following SecurityGroup binds all nginx workloads to two security groups, 64566556-bd6f-48fb-b2c6-df8f44617953 and 5451f1b0-bd6f-48fb-b2c6-df8f44617953, which have been created in advance:

apiVersion: crd.yangtse.cni/v1
kind: SecurityGroup
metadata:
  name: demo
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  securityGroups:
    - id: 64566556-bd6f-48fb-b2c6-df8f44617953
    - id: 5451f1b0-bd6f-48fb-b2c6-df8f44617953

Table 1 describes the parameters in the YAML file.

Table 1 Description

Field          | Description                                                                    | Mandatory
apiVersion     | API version. The value is crd.yangtse.cni/v1.                                  | Yes
kind           | Type of the object to be created. The value is SecurityGroup.                  | Yes
metadata       | Metadata definition of the resource object.                                    | Yes
name           | Name of the SecurityGroup.                                                     | Yes
namespace      | Name of the namespace.                                                         | Yes
spec           | Detailed description of the SecurityGroup.                                     | Yes
podSelector    | Label selector for the workload pods to be associated with the security groups. | Yes
securityGroups | IDs of the security groups to bind. A workload can be bound to at most five.   | Yes
- Run the following command to create the SecurityGroup:
kubectl create -f securitygroup-demo.yaml
If the following information is displayed, the SecurityGroup is being created.
securitygroup.crd.yangtse.cni/demo created
- Run the following command to view the SecurityGroup:
kubectl get sg
If demo appears in the NAME column of the command output, the SecurityGroup was created successfully.

NAME       POD-SELECTOR                       AGE
all-no     map[matchLabels:map[app:nginx]]    4h1m
s001test   map[matchLabels:map[app:nginx]]    19m
demo       map[matchLabels:map[app:nginx]]    2m9s
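As an added example that is not part of the Huawei Cloud documentation, the following Python script performs the pre-deployment checks a practitioner would want before running kubectl create on a SecurityGroup manifest: the apiVersion and kind match the CRD, metadata.name and metadata.namespace are present, the pod selector is not empty, every security group entry carries a well-formed UUID, there are no duplicates, and the count does not exceed the five-group limit stated in the constraints above. The manifest is taken as a Python dict (the page's demo manifest is reproduced inline as a constructed sample); loading it from securitygroup-demo.yaml with yaml.safe_load is left to the caller. The empty-selector check assumes standard Kubernetes label-selector semantics, where an empty selector matches every pod in the namespace; whether this CRD behaves the same way is an assumption, and rejecting the empty case is the safe default either way.

```python
"""Pre-deployment checks for a CCE SecurityGroup manifest (added example)."""
import uuid

# Limit taken from the page's "Notes and Constraints".
MAX_SECURITY_GROUPS = 5
EXPECTED_API_VERSION = "crd.yangtse.cni/v1"
EXPECTED_KIND = "SecurityGroup"

# Constructed sample: the page's securitygroup-demo.yaml expressed as a dict.
DEMO_MANIFEST = {
    "apiVersion": "crd.yangtse.cni/v1",
    "kind": "SecurityGroup",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "securityGroups": [
            {"id": "64566556-bd6f-48fb-b2c6-df8f44617953"},
            {"id": "5451f1b0-bd6f-48fb-b2c6-df8f44617953"},
        ],
    },
}


def validate_security_group(manifest: dict) -> list[str]:
    """Return a list of problems found; an empty list means the manifest passes."""
    problems = []

    if manifest.get("apiVersion") != EXPECTED_API_VERSION:
        problems.append(f"apiVersion must be {EXPECTED_API_VERSION}")
    if manifest.get("kind") != EXPECTED_KIND:
        problems.append(f"kind must be {EXPECTED_KIND}")

    metadata = manifest.get("metadata") or {}
    for field in ("name", "namespace"):
        if not metadata.get(field):
            problems.append(f"metadata.{field} is mandatory")

    spec = manifest.get("spec") or {}

    # Assumption: an empty selector would match every pod in the namespace
    # (standard Kubernetes selector semantics), so refuse it explicitly.
    selector = spec.get("podSelector") or {}
    if not selector.get("matchLabels"):
        problems.append("spec.podSelector.matchLabels is empty; refusing to bind "
                        "security groups to every pod in the namespace")

    groups = spec.get("securityGroups") or []
    if not groups:
        problems.append("spec.securityGroups must list at least one security group")
    if len(groups) > MAX_SECURITY_GROUPS:
        problems.append(f"spec.securityGroups lists {len(groups)} groups; "
                        f"a workload can be bound to a maximum of {MAX_SECURITY_GROUPS}")

    seen = set()
    for index, entry in enumerate(groups):
        group_id = entry.get("id") if isinstance(entry, dict) else None
        if not group_id:
            problems.append(f"spec.securityGroups[{index}] has no id")
            continue
        try:
            uuid.UUID(group_id)  # Huawei Cloud security group IDs are UUIDs
        except ValueError:
            problems.append(f"spec.securityGroups[{index}].id {group_id!r} "
                            "is not a valid security group UUID")
        if group_id in seen:
            problems.append(f"spec.securityGroups[{index}].id {group_id} is listed twice")
        seen.add(group_id)

    return problems


if __name__ == "__main__":
    issues = validate_security_group(DEMO_MANIFEST)
    if issues:
        print("manifest rejected:")
        for issue in issues:
            print(f"  - {issue}")
    else:
        print("manifest passes pre-deployment checks")
```

Run the script before kubectl create -f securitygroup-demo.yaml; a non-empty problem list is the reason the manifest should not be applied yet.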