Updated on 2025-08-25 GMT+08:00

CCE Clusters Should Not Use EIPs

Rule Details

Table 1 Rule details

| Parameter | Description |
| --- | --- |
| Rule Name | cce-endpoint-public-access |
| Identifier | CCE Clusters Should Not Use EIPs |
| Description | If an EIP is attached to a CCE cluster, this cluster is non-compliant. |
| Tag | cce |
| Trigger Type | Configuration change |
| Filter Type | cce.clusters |
| Rule Parameters | None |

Application Scenarios

Do not attach EIPs to your CCE clusters unless they must communicate over the public network. This reduces the attack surface and the risk of sensitive data leakage.

If an EIP must be used, properly configure the firewall or security group rules to restrict access from unnecessary ports and IP addresses. In this case, you do not need to use this policy. For details, see Configuration Suggestions on CCE Node Security.

Solution

Unbind EIPs from CCE cluster nodes. If you need to log in to the cluster nodes remotely, use the Huawei Cloud Bastion Host service as an intermediary to connect to them. For details, see How Do I Prevent Cluster Nodes from Being Exposed to Public Networks?

Rule Logic

  • If an EIP is bound to your CCE cluster, this cluster is non-compliant.
  • If no EIP is bound to your CCE cluster, this cluster is compliant.
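The following is an added example, not code from Huawei Cloud: it applies the rule logic above to a constructed inventory and, for clusters that keep an EIP, reviews the security group ingress rules as the Application Scenarios section advises. The field names (`public_eip`, `ingress`, `remote_cidr`, `port`), the allowlisted port and the `max_hosts` threshold are assumptions made for illustration, not the Config or CCE resource schema.

```python
import ipaddress

# Constructed sample inventory; field names are assumptions for this example.
CLUSTERS = [
    {"name": "prod-internal", "public_eip": None, "ingress": []},
    {"name": "prod-api", "public_eip": "203.0.113.10", "ingress": [
        {"port": 5443, "remote_cidr": "198.51.100.0/24"}]},
    {"name": "dev-open", "public_eip": "203.0.113.20", "ingress": [
        {"port": 5443, "remote_cidr": "0.0.0.0/0"},
        {"port": 22, "remote_cidr": "198.51.100.7/32"}]},
]


def evaluate(cluster):
    """Rule logic from this page: an EIP bound to the cluster means non-compliant."""
    return "NonCompliant" if cluster.get("public_eip") else "Compliant"


def exposure_findings(cluster, allowed_ports, max_hosts=256):
    """For a cluster that keeps its EIP, list ingress rules broader than intended:
    a port outside the allowlist, or a source range larger than max_hosts."""
    findings = []
    if not cluster.get("public_eip"):
        return findings  # no public address, nothing reachable from outside
    for rule in cluster["ingress"]:
        net = ipaddress.ip_network(rule["remote_cidr"], strict=False)
        if rule["port"] not in allowed_ports:
            findings.append((rule["port"], rule["remote_cidr"], "port not in allowlist"))
        elif net.num_addresses > max_hosts:
            findings.append((rule["port"], rule["remote_cidr"], "source range too broad"))
    return findings


def report(clusters, allowed_ports):
    """Combine the compliance status and the ingress review per cluster."""
    return {c["name"]: {"status": evaluate(c),
                        "findings": exposure_findings(c, allowed_ports)}
            for c in clusters}


if __name__ == "__main__":
    # 5443 is a constructed allowlist value for this example.
    for name, result in report(CLUSTERS, allowed_ports={5443}).items():
        print(name, result)
```

A cluster reported as `NonCompliant` with an empty findings list is the documented exception case: it has an EIP, but its ingress rules stay within the allowlist.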