Configuring Cluster Security Group Rules
CCE is a universal container platform. Its default security group rules apply to common scenarios. When a cluster is created, a security group is automatically created for the master node and worker node, separately. The security group name of the master node is {Cluster name}-cce-control-{Random ID}, and the security group name of the worker node is {Cluster name}-cce-node-{Random ID}. If a CCE Turbo cluster is used, an additional ENI security group named {Cluster name}-cce-eni-{Random ID} will be created.
You can log in to the management console, choose Service List > Networking > Virtual Private Cloud > Access Control > Security Groups, locate the security group of the cluster, and modify the security group rules as required.
The default security group rules of the clusters using different networks are as follows:
- Security Group Rules of a Cluster Using a VPC Network
- Security Group Rules of a Cluster Using the Tunnel Network
- Security Group Rules of a CCE Turbo Cluster Using the Cloud Native Network 2.0
Modifying or deleting rules in a security group may affect cluster running. Exercise caution when performing this operation. If you need to modify security group rules, do not modify the rules of the port on which CCE running depends.
Security Group Rules of a Cluster Using a VPC Network
Security group of a worker node
A security group named {Cluster name}-cce-node-{Random ID} is automatically created for each worker node. For details about the default ports, see Table 1.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
All UDP ports |
VPC CIDR block |
Allow access between worker nodes and between worker nodes and the master node. |
No |
N/A |
All TCP ports |
|||||
All ICMP ports |
Security group of the master node |
Allow the master node to access worker nodes. |
No |
N/A |
|
TCP port range: 30000 to 32767 |
All IP addresses: 0.0.0.0/0 |
Allow access from NodePort. |
Yes |
Allow access from VPC, container, and ELB CIDR blocks. |
|
UDP port range: 30000 to 32767 |
|||||
All ports |
Container CIDR block |
Allow access between nodes and containers. |
No |
N/A |
|
All ports |
Security group of worker nodes |
Allow access between worker nodes. |
No |
N/A |
|
TCP port 22 |
All IP addresses: 0.0.0.0/0 |
Allow SSH access to ECSs. |
Recommended |
N/A |
|
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. You are advised to retain this setting. |
Yes |
If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules. |
Security group of the master node
A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master node. For details about the default ports, see Table 2.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
TCP port 5444 |
VPC CIDR block |
Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
No |
N/A |
TCP port 5444 |
Container CIDR block |
||||
TCP port 9443 |
VPC CIDR block |
Allow the network add-on of a worker node to access the master node. |
No |
N/A |
|
TCP port 5443 |
All IP addresses: 0.0.0.0/0 |
Allow kube-apiserver of the master node to listen to worker nodes. |
Recommended |
The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh. |
|
TCP port 8445 |
VPC CIDR block |
Allow the storage add-on of a worker node to access the master node. |
No |
N/A |
|
All ports |
IP addresses of this security group |
Allow traffic from all IP addresses of this security group. |
No |
N/A |
|
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. |
No |
N/A |
Security Group Rules of a Cluster Using the Tunnel Network
Security group of a worker node
A security group named {Cluster name}-cce-node-{Random ID} is automatically created for each worker node. For details about the default ports, see Table 3.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
UDP port 4789 |
All IP addresses: 0.0.0.0/0 |
Allow access between containers. |
No |
N/A |
TCP port 10250 |
CIDR block of the master node |
Allow the master node to access kubelet on a worker node, for example, by running kubectl exec {pod}. |
No |
N/A |
|
TCP port range: 30000 to 32767 |
All IP addresses: 0.0.0.0/0 |
Allow access from NodePort. |
Yes |
Allow access from VPC, container, and ELB CIDR blocks. |
|
UDP port range: 30000 to 32767 |
|||||
TCP port 22 |
All IP addresses: 0.0.0.0/0 |
Allow SSH access to ECSs. |
Recommended |
N/A |
|
All ports |
IP addresses of this security group |
Allow traffic from all IP addresses of this security group. |
No |
N/A |
|
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. You are advised to retain this setting. |
Yes |
If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules. |
Security group of the master node
A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master node. For details about the default ports, see Table 4.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
UDP port 4789 |
All IP addresses: 0.0.0.0/0 |
Allow access between containers. |
No |
N/A |
TCP port 5444 |
VPC CIDR block |
Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
No |
N/A |
|
TCP port 5444 |
Container CIDR block |
||||
TCP port 9443 |
VPC CIDR block |
Allow the network add-on of a worker node to access the master node. |
No |
N/A |
|
TCP port 5443 |
All IP addresses: 0.0.0.0/0 |
Allow kube-apiserver of the master node to listen to worker nodes. |
Recommended |
The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh. |
|
TCP port 8445 |
VPC CIDR block |
Allow the storage add-on of a worker node to access the master node. |
No |
N/A |
|
All ports |
IP addresses of this security group |
Allow traffic from all IP addresses of this security group. |
No |
N/A |
|
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. |
No |
N/A |
Security Group Rules of a CCE Turbo Cluster Using the Cloud Native Network 2.0
Security group of a worker node
A security group named {Cluster name}-cce-node-{Random ID} is automatically created for each worker node. For details about the default ports, see Table 5.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
TCP port 10250 |
CIDR block of the master node |
Allow the master node to access kubelet on a worker node, for example, by running kubectl exec {pod}. |
No |
N/A |
TCP port range: 30000 to 32767 |
All IP addresses: 0.0.0.0/0 |
Allow access from NodePort. |
Yes |
Allow access from VPC, container, and ELB CIDR blocks. |
|
UDP port range: 30000 to 32767 |
|||||
TCP port 22 |
All IP addresses: 0.0.0.0/0 |
Allow SSH access to ECSs. |
Recommended |
N/A |
|
All ports |
IP addresses of this security group |
Allow traffic from all IP addresses of this security group. |
No |
N/A |
|
All ports |
Subnet CIDR block of the master node |
Allow traffic from all source IP addresses in the subnet CIDR block of the master node. |
No |
N/A |
|
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. You are advised to retain this setting. |
Yes |
If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules. |
Security group of the master node
A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master node. For details about the default ports, see Table 6.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
TCP port 5444 |
All IP addresses: 0.0.0.0/0 |
Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
No |
N/A |
TCP port 5444 |
VPC CIDR block |
No |
N/A |
||
TCP port 9443 |
VPC CIDR block |
Allow the network add-on of a worker node to access the master node. |
No |
N/A |
|
TCP port 5443 |
All IP addresses: 0.0.0.0/0 |
Allow kube-apiserver of the master node to listen to worker nodes. |
Recommended |
The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh. |
|
TCP port 8445 |
VPC CIDR block |
Allow the storage add-on of a worker node to access the master node. |
No |
N/A |
|
All ports |
IP addresses of this security group |
Allow traffic from all IP addresses of this security group. |
No |
N/A |
|
All ports |
Subnet CIDR block of the master node |
Allow traffic from all source IP addresses in the subnet CIDR block of the master node. |
No |
N/A |
|
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. |
No |
N/A |
Security group of an ENI
An additional security group named {Cluster name}-cce-eni-{Random ID} is created for a CCE Turbo cluster. For details about the default ports, see Table 7.
Direction |
Port |
Default Source Address |
Description |
Modifiable |
Modification Suggestion |
---|---|---|---|---|---|
Inbound rules |
All ports |
IP addresses of this security group |
Allow traffic from all IP addresses of this security group. |
No |
N/A |
VPC CIDR block |
Allow traffic from all IP addresses of the VPC CIDR block. |
No |
N/A |
||
Outbound rule |
All ports |
All IP addresses: 0.0.0.0/0 |
Allow traffic on all ports by default. |
No |
N/A |
Hardening Outbound Rules
By default, all security groups created by CCE allow all the outbound traffic. You are advised to retain this configuration. If you want to harden security by allowing traffic only on specific ports, remember to allow ports listed in the following table.
Port |
Allowed CIDR |
Description |
---|---|---|
UDP port 53 |
DNS server of the subnet |
Allow traffic on the port for domain name resolution. |
UDP port 4789 (required only for clusters that use the Tunnel network) |
All IP addresses |
Allow access between containers. |
TCP port 5443 |
CIDR block of the master node |
Allow kube-apiserver of the master node to listen to worker nodes. |
TCP port 5444 |
CIDR blocks of the VPC and container |
Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
TCP port 6443 |
CIDR block of the master node |
None |
TCP port 8445 |
VPC CIDR block |
Allow the storage add-on of a worker node to access the master node. |
TCP port 9443 |
VPC CIDR block |
Allow the network add-on of a worker node to access the master node. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot