Updated on 2025-09-15 GMT+08:00

Comparison of Workload Security Group Configuration Methods

In CCE Turbo clusters, pods can be bound directly to security groups through VPC network interfaces or supplementary network interfaces. CCE Turbo offers several ways to bind security groups so that you can choose the one that fits your services.

If more than one security group configuration method is in use, the method with the highest priority takes effect. In the table below, a smaller value indicates a higher priority.

Table 1 Comparison between methods for configuring workload security groups

Priority 1: Binding a Security Group to a Pod Using an Annotation

  Application and Advantage
  • This method is suitable for debugging services.
  • Security groups added using this method can also be used by the other configuration methods.

  Constraint
  • Newly added security groups apply only to new pods. To apply the configuration to existing pods, rebuild them.
  • Pre-bound container network interfaces cannot be associated with a target security group.

Priority 2: Binding a Security Group to a Workload Using a Security Group Policy

  Application and Advantage
  • This method applies to an entire namespace and requires that the target workloads be in that namespace.
  • Security group settings can be updated for pods in real time, so existing pods do not need to be rebuilt.

  Constraint
  • Pre-bound container network interfaces cannot be associated with a target security group.

Priority 3: Using Node Pool Settings to Bind the Default Security Group to Pods in the Node Pool

  Application and Advantage
  • Services are classified by node pool. You may need to configure matching scheduling policies for your services.
  • Pre-bound container network interfaces can be associated with a target security group.

  Constraint
  • Newly added security groups apply only to new pods. To apply the configuration to existing pods, rebuild them.
  • Only newly bound container network interfaces on the node can be associated with a target security group.

Priority 4: Binding a Subnet and Security Group to a Namespace or Workload Using a Container Network Configuration

  Application and Advantage
  • This method applies to the entire cluster and supports multiple namespaces.
  • Security groups can be configured together with subnets.

  Constraint
  • Newly added security groups apply only to new pods. To apply the configuration to existing pods, rebuild them.
  • Pre-bound container network interfaces cannot be associated with a target security group.

Priority 5: Default network interface security group of a Turbo cluster (For details about the security group rules, see Security Group Rules in a CCE Turbo Cluster That Uses the Cloud Native 2.0 Network Model.)

  Application and Advantage
  • This is the default configuration. If your cluster requires general security hardening, you can modify the rules in the default security group directly.
  • Pre-bound container network interfaces can be associated with a target security group.

  Constraint
  • None