How Do I Configure Security Group Rules for a Cluster?
When a CCE Autopilot cluster is created, two security groups are automatically created, one for master nodes, and the other for elastic network interfaces (ENIs). The security group for master nodes is named in the format of {Cluster name}-cce-control-{Random ID}, and that for ENIs is in the format of {Cluster name}-cce-eni-{Random ID}.
You can modify the security group rules on the VPC console as required. (Log in to the management console, choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane, locate the target security groups, and modify their rules.)
- Modifying or deleting the default rules in either security group may affect cluster operation. If you need to modify security group rules, leave the rules for the ports that CCE depends on unchanged.
- When adding a security group rule, ensure that it does not conflict with the existing rules. A conflicting rule can render existing rules ineffective, affecting cluster operation.
Security Group for Master Nodes
The security group automatically created for master nodes is named {Cluster name}-cce-control-{Random ID}. Table 1 lists the default ports in the security group.
Direction | Port | Source/Destination | Description | Modifiable | Modification Suggestion
---|---|---|---|---|---
Inbound | All | IP addresses of this security group | Allow traffic from all IP addresses in this security group. | No | None
Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic to all destinations on all ports by default. | No | None
Security Group for ENIs
When a CCE Autopilot cluster is created, a security group named {Cluster name}-cce-eni-{Random ID} is automatically created for ENIs. By default, pods in the cluster are associated with this security group. Table 2 lists the default ports in the security group.
Direction | Port | Source/Destination | Description | Modifiable | Modification Suggestion
---|---|---|---|---|---
Inbound | All | IP addresses of this security group | Allow traffic from all IP addresses in this security group. | No | None
Inbound | All | CIDR block of the master nodes | Allow the master nodes to access the kubelet on each worker node, for example, when you run kubectl exec {Pod}. | No | None
Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic to all destinations on all ports by default. | Yes | If you want to harden security by allowing outbound traffic only over specific ports, modify this rule to allow those ports. For details, see Hardening Outbound Rules for the Security Group of ENIs.
Hardening Outbound Rules for the Security Group of ENIs
By default, every ENI security group created by CCE Autopilot allows all outbound traffic, and you are advised to retain this configuration. If you want to harden security by allowing outbound traffic only over specific ports, the outbound rules must include at least the entries in the following table before the allow-all rule is removed; without them, pods lose access to the control plane, image registries, DNS, or VPC endpoints.
Protocol/Port | Allowed Destination CIDR Block | Description
---|---|---
All | IP addresses of this security group | Allow mutual access within the security group so that containers can communicate with each other.
TCP port 5443 | VPC CIDR block | Allow pods to reach kube-apiserver, which provides lifecycle management for Kubernetes resources.
TCP port 443 | 100.125.0.0/16 | Allow access to OBS and SWR to pull images.
UDP port 53 | 100.125.0.0/16 | Allow DNS resolution.
TCP port 443 | VPC CIDR block | Allow image pulls through the SWR endpoint.
All | 198.19.128.0/17 | Allow worker nodes to access the VPC Endpoint (VPCEP) service.
TCP port 9443 | VPC CIDR block | Allow the network add-ons of the worker nodes to access the master nodes.
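Before replacing the allow-all outbound rule, it is worth checking that the replacement rule set actually covers every entry in the table above. The following is an added example, not CCE or Huawei Cloud code: it encodes the table as a requirement list, audits a constructed candidate rule set against it using CIDR containment, and flags any rule that still permits everything (which would make the hardening ineffective). The rule dictionaries are a simplified representation rather than the VPC API format, and the VPC CIDR 192.168.0.0/16 is an assumed value; replace it with your own.

```python
"""Audit proposed egress rules for a CCE Autopilot ENI security group.

Added example, not CCE or Huawei Cloud code. Rules are a simplified
constructed representation: protocol, optional port range, destination.
"""
import ipaddress

SELF = "self"  # stands for "IP addresses of this security group" (remote group reference)

VPC_CIDR = "192.168.0.0/16"      # ASSUMED VPC CIDR block; replace with your VPC's
SERVICE_CIDR = "100.125.0.0/16"  # OBS, SWR and DNS service CIDR (from the table)
VPCEP_CIDR = "198.19.128.0/17"   # VPC Endpoint service CIDR (from the table)

# (protocol, (port_min, port_max) or None for all ports, destination, purpose)
REQUIRED_EGRESS = [
    ("all", None, SELF, "pod-to-pod traffic within the security group"),
    ("tcp", (5443, 5443), VPC_CIDR, "kube-apiserver"),
    ("tcp", (443, 443), SERVICE_CIDR, "OBS/SWR image pull"),
    ("udp", (53, 53), SERVICE_CIDR, "DNS resolution"),
    ("tcp", (443, 443), VPC_CIDR, "SWR endpoint"),
    ("all", None, VPCEP_CIDR, "VPC Endpoint (VPCEP) service"),
    ("tcp", (9443, 9443), VPC_CIDR, "network add-ons to master nodes"),
]


def rule(protocol, dest, port_min=None, port_max=None):
    """Build a rule dict; a single port is given as port_min only."""
    return {"protocol": protocol, "dest": dest,
            "port_min": port_min, "port_max": port_max or port_min}


def _is_any(dest):
    """True for 0.0.0.0/0 or ::/0."""
    return dest != SELF and ipaddress.ip_network(dest, strict=False).prefixlen == 0


def _dest_covers(rule_dest, req_dest):
    """True if the rule destination contains everything the requirement needs."""
    if req_dest == SELF:
        # Only the group self-reference or an allow-all CIDR reaches group members.
        return rule_dest == SELF or _is_any(rule_dest)
    if rule_dest == SELF:
        return False  # a group reference cannot stand in for an external CIDR
    rule_net = ipaddress.ip_network(rule_dest, strict=False)
    req_net = ipaddress.ip_network(req_dest, strict=False)
    return rule_net.version == req_net.version and req_net.subnet_of(rule_net)


def _ports_cover(r, req_proto, req_ports):
    if r["protocol"] == "all":
        return True
    if r["protocol"] != req_proto:
        return False
    if r["port_min"] is None:  # protocol-wide rule, no port restriction
        return True
    if req_ports is None:      # requirement is all ports of that protocol
        return False
    return r["port_min"] <= req_ports[0] and req_ports[1] <= r["port_max"]


def rule_covers(r, req):
    proto, ports, dest, _purpose = req
    return _ports_cover(r, proto, ports) and _dest_covers(r["dest"], dest)


def audit_egress(rules, required=REQUIRED_EGRESS):
    """Return the purposes from `required` that no rule in `rules` satisfies."""
    return [req[3] for req in required
            if not any(rule_covers(r, req) for r in rules)]


def allow_all_rules(rules):
    """Return rules that still allow every protocol and port to 0.0.0.0/0 or ::/0."""
    return [r for r in rules if r["protocol"] == "all" and _is_any(r["dest"])]


# Constructed sample input: the default rule set, and a hardened set that
# forgot the UDP 53 entry for DNS.
DEFAULT_EGRESS = [rule("all", "0.0.0.0/0"), rule("all", "::/0")]
PROPOSED_EGRESS = [
    rule("all", SELF),
    rule("tcp", VPC_CIDR, 443),
    rule("tcp", VPC_CIDR, 5443),
    rule("tcp", VPC_CIDR, 9443),
    rule("tcp", SERVICE_CIDR, 443),
    rule("all", VPCEP_CIDR),
]

if __name__ == "__main__":
    print("default set still allow-all:", len(allow_all_rules(DEFAULT_EGRESS)))
    print("missing in proposed set:", audit_egress(PROPOSED_EGRESS))
```

Run the audit on the candidate rule set first and only delete the 0.0.0.0/0 and ::/0 outbound rules once it reports nothing missing; the script deliberately treats a CIDR rule as not covering the group self-reference, since only the remote-group rule (or an allow-all CIDR) is guaranteed to reach every pod in the group.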