Updated on 2024-09-30 GMT+08:00

How Do I Configure Security Group Rules for a Cluster?

When a CCE Autopilot cluster is created, two security groups are automatically created, one for master nodes, and the other for elastic network interfaces (ENIs). The security group for master nodes is named in the format of {Cluster name}-cce-control-{Random ID}, and that for ENIs is in the format of {Cluster name}-cce-eni-{Random ID}.

You can modify the security group rules on the VPC console as required. (Log in to the management console, choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane, locate the target security groups, and modify their rules.)

  • Modifying or deleting the default rules of a security group may affect the running of the cluster. If you need to modify security group rules, do not modify the rules for the ports that CCE depends on.
  • When adding a security group rule, ensure that it does not conflict with the existing rules. A conflicting rule may invalidate existing rules and affect the running of the cluster.

Security Group for Master Nodes

The security group automatically created for master nodes is named {Cluster name}-cce-control-{Random ID}. Table 1 lists the default ports in the security group.

Table 1 Default ports in the security group of the master nodes

| Direction | Port | Source | Description | Modifiable | Modification Suggestion |
| --- | --- | --- | --- | --- | --- |
| Inbound | All | IP addresses of this security group | Allow traffic from all IP addresses in this security group | No | None |
| Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic on all ports by default. | No | None |

Security Group for ENIs

When a CCE Autopilot cluster is created, a security group named {Cluster name}-cce-eni-{Random ID} is automatically created for ENIs. By default, pods in the cluster are associated with this security group. Table 2 lists the default ports in the security group.

Table 2 Default ports in the security group for ENIs

| Direction | Port | Source | Description | Modifiable | Modification Suggestion |
| --- | --- | --- | --- | --- | --- |
| Inbound | All | IP addresses of this security group | Allow traffic from all IP addresses in this security group | No | None |
| Inbound | All | CIDR block of the master nodes | Allow the master nodes to access kubelet on each worker node, for example, by running kubectl exec {Pod}. | No | None |
| Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic on all ports by default. | Yes | If you want to harden security by allowing traffic over specific ports only, modify the rule to allow those ports. For details, see Hardening Outbound Rules for the Security Group of ENIs. |

Hardening Outbound Rules for the Security Group of ENIs

By default, all ENI security groups created by CCE Autopilot allow all outbound traffic. You are advised to retain this configuration. If you want to harden security by allowing traffic over specific ports, configure the ports listed in the following table.

Table 3 Minimum scope for outbound rules in an ENI security group

| Port | Allowed CIDR Block | Description |
| --- | --- | --- |
| All | IP addresses of this security group | Allow mutual access within the security group so containers can communicate with each other. |
| TCP port 5443 | VPC CIDR block | Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
| TCP port 443 | 100.125.0.0/16 | Access the OBS port or SWR port to pull images. |
| UDP port 53 | 100.125.0.0/16 | Allow traffic over the port for DNS resolution. |
| TCP port 443 | VPC CIDR block | Pull the images through the SWR endpoint. |
| All | 198.19.128.0/17 | Allow worker nodes to access the VPC Endpoint (VPCEP) service. |
| TCP port 9443 | VPC CIDR block | Allow the network add-ons of the worker nodes to access master nodes. |
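Before replacing the default allow-all outbound rule, it is worth checking that a hardened rule set still permits every flow in Table 3. The following checker is an added example, not code from the CCE documentation; it models the rules offline, and the VPC CIDR, the security-group placeholder and the sample rule sets are constructed assumptions.

```python
import ipaddress

VPC_CIDR = "192.168.0.0/16"   # assumed VPC CIDR block of the cluster
SG_SELF = "<this-security-group>"  # placeholder for "IP addresses of this security group"

# Table 3: outbound flows that must remain permitted (protocol, port, destination, purpose).
REQUIRED_FLOWS = [
    ("all", None, SG_SELF, "container-to-container traffic"),
    ("tcp", 5443, VPC_CIDR, "kube-apiserver"),
    ("tcp", 443, "100.125.0.0/16", "OBS/SWR image pull"),
    ("udp", 53, "100.125.0.0/16", "DNS resolution"),
    ("tcp", 443, VPC_CIDR, "SWR endpoint image pull"),
    ("all", None, "198.19.128.0/17", "VPC Endpoint (VPCEP) service"),
    ("tcp", 9443, VPC_CIDR, "network add-ons to master nodes"),
]

def rule_permits(rule, proto, port, dest):
    """True if one outbound rule (protocol, port range, remote) covers the flow."""
    if rule["protocol"] not in ("all", proto):
        return False
    if rule["protocol"] != "all":
        lo, hi = rule["ports"]
        if not lo <= port <= hi:
            return False
    if dest == SG_SELF:
        # Traffic to the group's own members is covered by a self-referencing
        # rule or by an any-address rule; we cannot resolve membership offline.
        return rule["remote"] in (SG_SELF, "0.0.0.0/0")
    if rule["remote"] == SG_SELF:
        return False
    want, have = ipaddress.ip_network(dest), ipaddress.ip_network(rule["remote"])
    return want.version == have.version and want.subnet_of(have)

def missing_flows(rules):
    """Return the purposes of Table 3 flows that no rule in the set permits."""
    return [purpose for proto, port, dest, purpose in REQUIRED_FLOWS
            if not any(rule_permits(r, proto, port, dest) for r in rules)]

# Constructed rule sets: the CCE default, and a hardened set that forgot UDP 53.
DEFAULT_RULES = [{"protocol": "all", "ports": (1, 65535), "remote": "0.0.0.0/0"}]
HARDENED_RULES = [
    {"protocol": "all", "ports": (1, 65535), "remote": SG_SELF},
    {"protocol": "tcp", "ports": (5443, 5443), "remote": VPC_CIDR},
    {"protocol": "tcp", "ports": (443, 443), "remote": "100.125.0.0/16"},
    {"protocol": "tcp", "ports": (443, 443), "remote": VPC_CIDR},
    {"protocol": "all", "ports": (1, 65535), "remote": "198.19.128.0/17"},
    {"protocol": "tcp", "ports": (9443, 9443), "remote": VPC_CIDR},
]

if __name__ == "__main__":
    print("default  :", missing_flows(DEFAULT_RULES))   # []
    print("hardened :", missing_flows(HARDENED_RULES))  # ['DNS resolution']
```

A non-empty result names the cluster function that the tightened rule set would break, which is exactly the kind of rule the page warns not to remove.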