How Do I Configure Security Group Rules for a Cluster?
When a CCE Autopilot cluster is created, two security groups are automatically created, one for master nodes, and the other for elastic network interfaces. The security group for master nodes is named in the format of {cluster-name}-cce-control-{random-ID}, and that for network interfaces is named in the format of {cluster-name}-cce-eni-{random-ID}.
You can log in to the VPC console, choose Access Control > Security Groups in the navigation pane, and modify the security group rules for the cluster based on your security requirements.

- Modifying or deleting default rules in a security group may affect cluster running. If you need to modify security group rules, do not modify the rules of the port that CCE running depends on.
- When adding a security group rule, ensure that this rule does not conflict with the existing rules. If there is a conflict, existing rules may become invalid, affecting cluster running.
Security Group for Master Nodes
The security group automatically created for master nodes is named {cluster-name}-cce-control-{random-ID}. Table 1 lists the default ports in the security group.
| Direction | Port | Source/Destination | Description | Modifiable | Modification Suggestion |
|---|---|---|---|---|---|
| Inbound | All | IP addresses of this security group | Allow traffic from all IP addresses in this security group. | No | None |
| Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic on all ports by default. | No | None |
Security Group for Network Interfaces
When a CCE Autopilot cluster is created, a security group named {cluster-name}-cce-eni-{random-ID} is automatically created for network interfaces. By default, pods in the cluster are associated with this security group. Table 2 lists the default ports in the security group.
| Direction | Port | Source/Destination | Description | Modifiable | Modification Suggestion |
|---|---|---|---|---|---|
| Inbound | All | IP addresses of this security group | Allow traffic from all IP addresses in this security group. | No | None |
| Inbound | All | CIDR block of the master nodes | Allow the master nodes to access kubelet on each worker node, for example, by running kubectl exec {Pod}. | No | None |
| Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic on all ports by default. | Yes | If you want to harden security by allowing traffic over specific ports only, you can modify the rule to allow these ports. For details, see Modifying Outbound Rules for the Security Group of Network Interfaces. |
Modifying Outbound Rules for the Security Group of Network Interfaces
By default, all security groups created by CCE Autopilot for network interfaces allow all outbound traffic. You are advised to retain this configuration. If you want to harden security by allowing traffic over specific ports, configure the ports listed in the following table.
| Port | Allowed CIDR Block | Description |
|---|---|---|
| All | IP addresses of this security group | Allow mutual access within the security group so containers can communicate with each other. |
| TCP port 5443 | VPC CIDR block | Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
| TCP port 443 | 100.125.0.0/16 | Access the OBS port or SWR port to pull images. |
| UDP port 53 | 100.125.0.0/16 | Allow traffic over the port for DNS resolution. |
| TCP port 443 | VPC CIDR block | Pull the images through the SWR endpoint. |
| All | 198.19.128.0/17 | Allow worker nodes to access the VPC Endpoint service. |
| TCP port 9443 | VPC CIDR block | Allow the network add-ons of the worker nodes to access master nodes. |
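Before replacing the default allow-all outbound rule with the narrower set above, it is worth checking that every flow the cluster depends on is still permitted, since a rule that is missing or too narrow breaks image pulls, DNS or add-on traffic silently. The following added example (not part of the CCE documentation or any Huawei Cloud SDK) models security group rules as plain dictionaries and reports which of the required outbound flows a candidate rule set fails to cover. The VPC CIDR (192.168.0.0/16), the candidate rule sets and the SELF token standing in for "IP addresses of this security group" are constructed assumptions; a SELF requirement is treated as covered by a SELF rule or by any rule whose CIDR contains the VPC CIDR, since the group's members live inside the VPC.

```python
"""Check a hardened ENI security group outbound rule set against the flows CCE Autopilot needs.

Added example, not code from the CCE documentation. Rules are plain dicts:
  {"proto": "tcp" | "udp" | None, "ports": (low, high) | None, "dest": CIDR | SELF}
where None means "any protocol" / "all ports".
"""
import ipaddress

SELF = "self"                  # stands for "IP addresses of this security group"
VPC_CIDR = "192.168.0.0/16"    # constructed sample; use the cluster's real VPC CIDR

# Required outbound flows, transcribed from the table above.
REQUIRED_OUTBOUND = [
    {"proto": None,  "port": None, "dest": SELF,              "why": "container-to-container traffic"},
    {"proto": "tcp", "port": 5443, "dest": VPC_CIDR,          "why": "kube-apiserver"},
    {"proto": "tcp", "port": 443,  "dest": "100.125.0.0/16",  "why": "OBS/SWR image pulls"},
    {"proto": "udp", "port": 53,   "dest": "100.125.0.0/16",  "why": "DNS resolution"},
    {"proto": "tcp", "port": 443,  "dest": VPC_CIDR,          "why": "SWR endpoint image pulls"},
    {"proto": None,  "port": None, "dest": "198.19.128.0/17", "why": "VPC Endpoint service"},
    {"proto": "tcp", "port": 9443, "dest": VPC_CIDR,          "why": "network add-ons to master nodes"},
]


def _cidr_contains(outer, inner):
    """True when CIDR `inner` lies entirely inside CIDR `outer` (same IP version only)."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)


def rule_covers(rule, need):
    """A rule covers a required flow when protocol, port range and destination are each at least as broad."""
    # Protocol: a protocol-specific rule cannot cover an "any protocol" requirement
    # or a requirement for a different protocol.
    if rule["proto"] is not None and rule["proto"] != need["proto"]:
        return False
    # Ports: a bounded port range cannot cover an "all ports" requirement.
    if rule["ports"] is not None:
        if need["port"] is None:
            return False
        low, high = rule["ports"]
        if not low <= need["port"] <= high:
            return False
    # Destination: SELF rules only cover SELF needs; CIDR rules cover a SELF need
    # when they contain the whole VPC (assumption: group members live in the VPC).
    if rule["dest"] == SELF:
        return need["dest"] == SELF
    need_dest = VPC_CIDR if need["dest"] == SELF else need["dest"]
    return _cidr_contains(rule["dest"], need_dest)


def missing_flows(rules):
    """Return the descriptions of required outbound flows that no rule in `rules` covers."""
    return [need["why"] for need in REQUIRED_OUTBOUND
            if not any(rule_covers(rule, need) for rule in rules)]


# Constructed candidate: one rule per row of the table above.
HARDENED_RULES = [
    {"proto": None,  "ports": None,         "dest": SELF},
    {"proto": "tcp", "ports": (5443, 5443), "dest": VPC_CIDR},
    {"proto": "tcp", "ports": (443, 443),   "dest": "100.125.0.0/16"},
    {"proto": "udp", "ports": (53, 53),     "dest": "100.125.0.0/16"},
    {"proto": "tcp", "ports": (443, 443),   "dest": VPC_CIDR},
    {"proto": None,  "ports": None,         "dest": "198.19.128.0/17"},
    {"proto": "tcp", "ports": (9443, 9443), "dest": VPC_CIDR},
]

# Constructed mistake: the operator forgot the UDP rule for DNS.
RULES_WITHOUT_DNS = [r for r in HARDENED_RULES if r["proto"] != "udp"]

if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED_RULES), ("without DNS", RULES_WITHOUT_DNS)):
        gaps = missing_flows(rules)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run the check against the rule set you intend to apply before touching the console; an empty result means every flow in the table is still reachable, while each reported gap names the cluster function that the missing rule would break.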