Binding a Security Group to a Pod Using an Annotation
In Cloud Native Network 2.0, each pod is attached to a VPC network interface or a supplementary network interface, and security groups are configured on those interfaces. You can therefore bind security groups to a pod by adding an annotation to the pod.
The following annotations are available.

Application | Annotation
---|---
Configure the security groups of a pod's network interface. Any security group already bound to the pod is replaced. | yangtse.io/security-group-ids
Add security groups to a pod's network interface while retaining the security groups already bound. | yangtse.io/additional-security-group-ids
A security group bound to a pod with the yangtse.io/security-group-ids annotation takes precedence over the security groups configured in a security group policy (SecurityGroup) and in the cluster container network configuration (NetworkAttachmentDefinition).
Prerequisites
The cluster must run one of the following versions:
- v1.23: v1.23.16-r0 or later
- v1.25: v1.25.11-r0 or later
- v1.27: v1.27.8-r0 or later
- v1.28: v1.28.6-r0 or later
- v1.29: v1.29.2-r0 or later
- Any version later than v1.29
Using kubectl
- Create a workload with a security group configured. The security groups bound to the pod are exactly those listed in the annotation; if the pod was already bound to a security group, that binding is overwritten. The annotation belongs to the pod template (spec.template.metadata.annotations), not to the Deployment's own metadata, so changing it on an existing Deployment rolls out new pods.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        yangtse.io/security-group-ids: ***** # Security group ID. Use commas (,) to separate multiple security groups.
    spec:
      containers:
        - name: container-0
          image: nginx:alpine
          resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 200Mi
      imagePullSecrets:
        - name: default-secret
```

- Add additional security groups to the workload. The security groups already bound to the pod are retained and the listed ones are added.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
      annotations:
        yangtse.io/additional-security-group-ids: ***** # Security group ID. Use commas (,) to separate multiple security groups.
    spec:
      containers:
        - name: container-0
          image: nginx:alpine
          resources:
            limits:
              cpu: 100m
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 200Mi
      imagePullSecrets:
        - name: default-secret
```
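The two annotations differ in one security-relevant way: yangtse.io/security-group-ids discards whatever was bound before, while yangtse.io/additional-security-group-ids keeps it, and in both cases the interface may carry at most five security groups. The script below is an added example, not code from the CCE documentation or the yangtse CNI. It models those rules offline so a manifest can be checked before kubectl apply: it computes the effective security group set from an assumed existing binding plus the two annotations, rejects a set larger than five, and reads the annotation values out of a plain Deployment manifest. All security group IDs it handles are constructed placeholders, and the helper names (split_ids, effective_sgs, lint_manifest) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the CCE documentation or the yangtse CNI.
# Offline pre-apply checks for the yangtse.io/security-group-ids and
# yangtse.io/additional-security-group-ids annotations, modelling the rules
# the page states: security-group-ids replaces the pod's existing groups,
# additional-security-group-ids is appended, and the result may hold at most
# five IDs. All security group IDs used here are constructed placeholders.

MAX_SG=5

# split_ids "a, b,,c" -> one trimmed, non-empty ID per line
split_ids() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# count_ids "a,b" -> 2
count_ids() {
  split_ids "$1" | wc -l | tr -d ' '
}

# effective_sgs EXISTING OVERRIDE ADDITIONAL
# Prints the comma-joined set of security groups the pod interface ends up
# with; prints nothing and returns 1 when the set would exceed MAX_SG.
effective_sgs() {
  existing=$1; override=$2; additional=$3
  # A non-empty security-group-ids annotation overwrites whatever was bound.
  if [ "$(count_ids "$override")" -gt 0 ]; then
    base=$override
  else
    base=$existing
  fi
  # additional-security-group-ids is appended; duplicates are collapsed so a
  # group that is already bound is not counted twice against the limit.
  merged=$( { split_ids "$base"; split_ids "$additional"; } \
    | awk '!seen[$0]++ { printf "%s%s", (n++ ? "," : ""), $0 }' )
  if [ "$(count_ids "$merged")" -gt "$MAX_SG" ]; then
    echo "refusing: $(count_ids "$merged") security groups exceed the limit of $MAX_SG" >&2
    return 1
  fi
  printf '%s\n' "$merged"
}

# annotation_value FILE KEY -> value of the "KEY: value" line in a plain
# manifest, with a trailing "# comment" and surrounding quotes removed.
annotation_value() {
  awk -v key="$2:" '$1 == key {
      sub(/#.*/, ""); sub(/^[^:]*:[[:space:]]*/, "")
      sub(/[[:space:]]+$/, ""); gsub(/^"|"$/, ""); print; exit }' "$1"
}

# lint_manifest FILE: check a Deployment manifest before kubectl apply.
# Returns 0 when the annotations respect the limit, 1 otherwise.
lint_manifest() {
  override=$(annotation_value "$1" yangtse.io/security-group-ids)
  additional=$(annotation_value "$1" yangtse.io/additional-security-group-ids)
  if [ "$(count_ids "$override")" -gt "$MAX_SG" ]; then
    echo "$1: security-group-ids lists more than $MAX_SG IDs" >&2; return 1
  fi
  # The groups already bound are not known offline, so only the two
  # annotations are counted here; pass the real binding as EXISTING when known.
  effective_sgs "" "$override" "$additional" >/dev/null
}
```

Run `lint_manifest deployment.yaml` before applying. After the rollout, the annotation the pods actually carry can be read back with `kubectl get pod -l app=nginx -o jsonpath='{.items[*].metadata.annotations.yangtse\.io/security-group-ids}'`; whether the security group is really attached to the interface must still be confirmed on the VPC side, which this script does not do.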
Annotation | Description | Value Range
---|---|---
yangtse.io/security-group-ids | Configures the security groups of a pod. The security groups bound to the pod are exactly those listed in this annotation; any security group previously bound to the pod is overwritten. | Security group IDs, at most five, separated by commas (,). If left blank, the annotation does not configure a security group for the pod.
yangtse.io/additional-security-group-ids | Adds security groups to a pod while retaining the existing ones. | Security group IDs separated by commas (,). The total of newly added and existing security group IDs cannot exceed five.