Binding a Security Group to a Pod Using an Annotation

In cloud native network 2.0, pods use VPC network interfaces or supplementary network interfaces for networking, which allow you to configure security groups. You can bind a security group to a pod by adding an annotation to the pod.

You can configure security groups in the following applications.

Application	Annotation	Reference
Configure a pod's network interface security group via an annotation.	yangtse.io/security-group-ids	Create a workload with a security group configured.
Add an additional security group to a pod's network interface via an annotation, while retaining the existing security group.	yangtse.io/additional-security-group-ids	Add an additional security group for the workload.

The priority of the security group bound to a pod using annotation yangtse.io/security-group-ids is higher than those of the security groups in the security group policy (SecurityGroup) and cluster container network configuration (NetworkAttachmentDefinition).

Prerequisites

A CCE Turbo cluster is available and the cluster version meets the following requirements:

v1.23: v1.23.16-r0 or later
v1.25: v1.25.11-r0 or later
v1.27: v1.27.8-r0 or later
v1.28: v1.28.6-r0 or later
v1.29: v1.29.2-r0 or later
Versions later than v1.29

Using kubectl

Create a workload with a security group configured. The security group bound to the pod is subject to the one configured using an annotation.

If the pod has been bound to a security group, the configuration will be overwritten.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        yangtse.io/security-group-ids: *****  # Security group ID. Use commas (,) to separate multiple security groups.
    spec:
      containers:
        - name: container-0
          image: nginx:alpine
          resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 200Mi
      imagePullSecrets:
        - name: default-secret

Add an additional security group for the workload.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        yangtse.io/additional-security-group-ids: *****  # Security group ID. Use commas (,) to separate multiple security groups.
    spec:
      containers:
        - name: container-0
          image: nginx:alpine
          resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 200Mi
      imagePullSecrets:
        - name: default-secret

**Table 1** Annotations for configuring a security group for a pod
Annotation	Description	Value Range
yangtse.io/security-group-ids	Configure a security group for a pod. The security group of the pod is subject to the one configured using this annotation. If the pod already has a security group, the original security group will be overwritten.	Security group IDs. A maximum of five IDs are allowed. Use commas (,) to separate multiple security groups. If this parameter is left blank, no annotation will be used to configure a security group for the pod.
yangtse.io/additional-security-group-ids	Add more security groups to a pod.	Security group IDs. The total number of newly added security group IDs and existing security group IDs cannot exceed 5. Use commas (,) to separate multiple security groups.