Updated on 2024-01-04 GMT+08:00

Configuring Cluster Security Group Rules

CCE is a universal container platform. Its default security group rules apply to common scenarios. When a cluster is created, a security group is automatically created for the master node and worker node, separately. The security group name of the master node is {Cluster name}-cce-control-{Random ID}, and the security group name of the worker node is {Cluster name}-cce-node-{Random ID}. If a CCE Turbo cluster is used, an additional ENI security group named {Cluster name}-cce-eni-{Random ID} will be created.

You can log in to the management console, choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane, locate the security group of the cluster, and modify the security group rules as required.

The default security group rules of the clusters using different networks are as follows:

  • Modifying or deleting security group rules may affect cluster running. Exercise caution when performing this operation. If you need to modify security group rules, do not modify the rules of the port on which CCE running depends.
  • When adding a new security group rule to a cluster, ensure that the new rule does not conflict with the original rules. Otherwise, the original rules may become invalid, affecting the cluster running.

Security Group Rules of a Cluster Using a VPC Network

Security group of a worker node

A security group named {Cluster name}-cce-node-{Random ID} is automatically created for each worker node. For details about the default ports, see Table 1.

Table 1 Default ports in the security group for a worker node that uses a VPC network

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

All UDP ports

VPC CIDR block

Used for mutual access between worker nodes and between a worker node and a master node.

No

N/A

All TCP ports

All ICMP ports

Security group of the master node

Used for the master node to access worker nodes.

No

N/A

TCP port range: 30000 to 32767

All IP addresses: 0.0.0.0/0

Default access port range of the NodePort Service in the cluster.

Yes

These ports must permit requests from VPC, container, and ELB CIDR blocks.

UDP port range: 30000 to 32767

All

Container CIDR block

Used for mutual access between nodes and containers.

No

N/A

All

Security group of worker nodes

Used for mutual access between worker nodes.

No

N/A

TCP port 22

All IP addresses: 0.0.0.0/0

Port that allows remote access to Linux ECSs using SSH.

Recommended

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default. You are advised to retain this setting.

Yes

If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules.

Security group of the master node

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master node. For details about the default ports, see Table 2.

Table 2 Default ports in the security group for the master node that uses a VPC network

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

TCP port 5444

VPC CIDR block

Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.

No

N/A

TCP port 5444

Container CIDR block

TCP port 9443

VPC CIDR block

Allow the network add-on of a worker node to access the master node.

No

N/A

TCP port 5443

All IP addresses: 0.0.0.0/0

Allow kube-apiserver of the master node to listen to the worker nodes.

Recommended

The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh.

TCP port 8445

VPC CIDR block

Allow the storage add-on of a worker node to access the master node.

No

N/A

All

IP addresses of this security group

Allow traffic from all IP addresses of this security group.

No

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default.

No

N/A

Security Group Rules of a Cluster Using the Tunnel Network

Security group of a worker node

A security group named {Cluster name}-cce-node-{Random ID} is automatically created for each worker node. For details about the default ports, see Table 3.

Table 3 Default ports in the security group for a worker node that uses a tunnel network

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

UDP port 4789

All IP addresses: 0.0.0.0/0

Allow access between containers.

No

N/A

TCP port 10250

CIDR block of the master node

Allow the master node to access kubelet on a worker node, for example, by running kubectl exec {pod}.

No

N/A

TCP port range: 30000 to 32767

All IP addresses: 0.0.0.0/0

Default access port range of the NodePort Service in the cluster.

Yes

These ports must permit requests from VPC, container, and ELB CIDR blocks.

UDP port range: 30000 to 32767

TCP port 22

All IP addresses: 0.0.0.0/0

Port that allows remote access to Linux ECSs using SSH.

Recommended

N/A

All

IP addresses of this security group

Allow traffic from all IP addresses of this security group.

No

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default. You are advised to retain this setting.

Yes

If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules.

Security group of the master node

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master node. For details about the default ports, see Table 4.

Table 4 Default ports in the security group for the master node that uses a tunnel network

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

UDP port 4789

All IP addresses: 0.0.0.0/0

Allow access between containers.

No

N/A

TCP port 5444

VPC CIDR block

Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.

No

N/A

TCP port 5444

Container CIDR block

TCP port 9443

VPC CIDR block

Allow the network add-on of a worker node to access the master node.

No

N/A

TCP port 5443

All IP addresses: 0.0.0.0/0

Allow kube-apiserver of the master node to listen to the worker nodes.

Recommended

The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh.

TCP port 8445

VPC CIDR block

Allow the storage add-on of a worker node to access the master node.

No

N/A

All

IP addresses of this security group

Allow traffic from all IP addresses of this security group.

No

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default.

No

N/A

Security Group Rules of a CCE Turbo Cluster Using the Cloud Native Network 2.0

Security group of a worker node

A security group named {Cluster name}-cce-node-{Random ID} is automatically created for each worker node. For details about the default ports, see Table 5.

Table 5 Default ports in the security group for a worker node

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

TCP port 10250

CIDR block of the master node

Allow the master node to access kubelet on a worker node, for example, by running kubectl exec {pod}.

No

N/A

TCP port range: 30000 to 32767

All IP addresses: 0.0.0.0/0

Default access port range of the NodePort Service in the cluster.

Yes

These ports must permit requests from VPC, container, and ELB CIDR blocks.

UDP port range: 30000 to 32767

TCP port 22

All IP addresses: 0.0.0.0/0

Port that allows remote access to Linux ECSs using SSH.

Recommended

N/A

All

IP addresses of this security group

Allow traffic from all IP addresses of this security group.

No

N/A

All

Container subnet CIDR block

Allow traffic from all source IP addresses in the container subnet CIDR block.

No

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default. You are advised to retain this setting.

Yes

If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules.

Security group of the master node

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master node. For details about the default ports, see Table 6.

Table 6 Default ports in the security group for the master node

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

TCP port 5444

All IP addresses: 0.0.0.0/0

Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.

No

N/A

TCP port 5444

VPC CIDR block

No

N/A

TCP port 9443

VPC CIDR block

Allow the network add-on of a worker node to access the master node.

No

N/A

TCP port 5443

All IP addresses: 0.0.0.0/0

Allow kube-apiserver of the master node to listen to the worker nodes.

Recommended

The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh.

TCP port 8445

VPC CIDR block

Allow the storage add-on of a worker node to access the master node.

No

N/A

All

IP addresses of this security group

Allow traffic from all IP addresses of this security group.

No

N/A

All

Container subnet CIDR block

Allow traffic from all source IP addresses in the container subnet CIDR block.

No

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default.

No

N/A

Security group of an ENI

In a CCE Turbo cluster, an additional security group named {Cluster name }-cce-eni-{Random ID} is created. By default, containers in the cluster are bound to this security group. For details about the default ports, see Table 7.

Table 7 Default ports of the ENI security group

Direction

Port

Default Source Address

Description

Modifiable

Modification Suggestion

Inbound rules

All

IP addresses of this security group

Allow traffic from all IP addresses of this security group.

No

N/A

VPC CIDR block

Allow traffic from all IP addresses of the VPC CIDR block.

No

N/A

Outbound rule

All

All IP addresses: 0.0.0.0/0

Allow traffic on all ports by default.

No

N/A

Hardening Outbound Rules

By default, all security groups created by CCE allow all the outbound traffic. You are advised to retain this configuration. To harden outbound rules, ensure that the ports listed in the following table are enabled.

Table 8 Minimum configurations of outbound security group rules for a worker node

Port

Allowed CIDR

Description

UDP port 53

DNS server of the subnet

Allow traffic on the port for domain name resolution.

UDP: 4789 (required only for clusters using the container tunnel network model)

All IP addresses

Allow access between containers.

TCP port 5443

CIDR block of the master node

Allow kube-apiserver of the master node to listen to the worker nodes.

TCP port 5444

CIDR blocks of the VPC and container

Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.

TCP port 6443

CIDR block of the master node

None

TCP port 8445

VPC CIDR block

Allow the storage add-on of a worker node to access the master node.

TCP port 9443

VPC CIDR block

Allow the network add-on of a worker node to access the master node.