CCE Clusters Should Not Use EIPs
Rule Details
Parameter | Description
---|---
Rule Name | cce-endpoint-public-access
Identifier | CCE Clusters Should Not Use EIPs
Description | If an EIP is attached to a CCE cluster, the cluster is non-compliant.
Tag | cce
Trigger Type | Configuration change
Filter Type | cce.clusters
Rule Parameters | None
Application Scenarios
Do not attach EIPs to your CCE clusters unless they must communicate over the public network. This reduces the attack surface and the risk of sensitive data leakage.
If an EIP must be used, configure firewall or security group rules to restrict access to unnecessary ports and source IP addresses. In that case you do not need to apply this policy. For details, see Configuration Suggestions on CCE Node Security.
Solution
Unbind EIPs from CCE cluster nodes. If you need to log in to cluster nodes remotely, use the Huawei Cloud Bastion Host service as a transit host to connect to them. For details, see How Do I Prevent Cluster Nodes from Being Exposed to Public Networks?
Rule Logic
- If an EIP is bound to your CCE cluster, this cluster is non-compliant.
- If no EIP is bound to your CCE cluster, this cluster is compliant.
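The rule logic above, written out as a small evaluator over constructed cluster records. This is an added example, not Huawei Cloud Config's own rule implementation; the record layout (a top-level `eip` field plus `status.endpoints` entries typed `Internal`/`External`) is an assumption made for illustration, not the documented CCE API schema.

```python
from typing import Iterable

# Constructed sample cluster records. The field layout (an "eip" entry and
# status.endpoints with an Internal/External type) is assumed for this
# example only; consult the CCE API reference for the real schema.
SAMPLE_CLUSTERS = [
    {"id": "c-private", "eip": None,
     "status": {"endpoints": [{"type": "Internal", "url": "https://10.0.0.5:5443"}]}},
    {"id": "c-public", "eip": "203.0.113.10",
     "status": {"endpoints": [{"type": "Internal", "url": "https://10.0.0.6:5443"},
                              {"type": "External", "url": "https://203.0.113.10:5443"}]}},
    {"id": "c-unknown", "status": {}},  # no endpoint data returned at all
]


def has_public_endpoint(cluster: dict) -> bool:
    """True if the cluster is reachable over an EIP, judged from either signal."""
    if cluster.get("eip"):
        return True
    endpoints = cluster.get("status", {}).get("endpoints") or []
    return any(ep.get("type") == "External" for ep in endpoints)


def evaluate(cluster: dict) -> str:
    """Mirror the rule logic: an EIP bound to the cluster means non-compliant."""
    return "NonCompliant" if has_public_endpoint(cluster) else "Compliant"


def evaluate_all(clusters: Iterable[dict]) -> dict:
    """Evaluate every cluster and map cluster ID to its compliance result."""
    return {cluster["id"]: evaluate(cluster) for cluster in clusters}


if __name__ == "__main__":
    for cluster_id, result in evaluate_all(SAMPLE_CLUSTERS).items():
        print(f"{cluster_id}: {result}")
```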