Updated on 2024-07-05 GMT+08:00

Configuring Cluster Security Group Rules

When a CCE Autopilot cluster is created, two security groups are automatically created, one for the master nodes, and the other for the elastic network interfaces. The name of the security group for the master nodes is in the format of {Cluster name}-cce-control-{Random ID}, and that for the elastic network interfaces is in the format of {Cluster name}-cce-eni-{Random ID}.

You can modify the security group rules on the VPC console as required. (Log in to the management console, choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane on the left, locate the corresponding security groups, and modify their rules.)

  • Modifying or deleting the default rules in a security group may affect cluster operation. If you need to modify security group rules, do not touch the rules for the ports that CCE depends on.
  • When adding a security group rule, ensure that it does not conflict with the existing rules. A conflicting rule may invalidate existing rules and affect cluster operation.

Security Group of the Master Nodes

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for the master nodes. Table 1 lists the default ports in the security group.

Table 1 Default rules in the security group of the master nodes

Direction | Port | Source (inbound) / Destination (outbound) | Description | Modifiable | Modification Suggestion
--------- | ---- | ----------------------------------------- | ----------- | ---------- | -----------------------
Inbound | All | Security group of the master nodes | Allow traffic from all IP addresses in this security group. | No | N/A
Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic from the master nodes to any IP address over any port. | No | N/A

Security Group of the Elastic Network Interfaces

When a CCE Autopilot cluster is created, an additional security group named {Cluster name}-cce-eni-{Random ID} is also created. By default, pods in the cluster are associated with this security group. Table 2 lists the default ports in the security group.

Table 2 Default rules in the security group of the elastic network interfaces

Direction | Port | Source (inbound) / Destination (outbound) | Description | Modifiable | Modification Suggestion
--------- | ---- | ----------------------------------------- | ----------- | ---------- | -----------------------
Inbound | All | Security group of the elastic network interfaces | Allow traffic from all IP addresses in this security group. | No | N/A
Inbound | All | CIDR block of the master nodes | Allow the master nodes to access kubelet on each worker node, for example, when you run kubectl exec {Pod}. | No | N/A
Outbound | All | All IP addresses: 0.0.0.0/0 or ::/0 | Allow traffic from the elastic network interfaces to any IP address over any port. | Yes | If you want to harden security by allowing traffic only over specific ports, modify the rule to allow those ports. For details, see Hardening Outbound Rules for the Security Group of the Elastic Network Interfaces.

Hardening Outbound Rules for the Security Group of the Elastic Network Interfaces

By default, all security groups created by CCE Autopilot allow all outbound traffic. You are advised to retain this configuration. If you want to harden security by allowing traffic only over specific ports, configure at least the rules listed in Table 3; the VPC CIDR block in the table is the CIDR block of the VPC that the cluster is in.

Table 3 Minimum outbound rules

Port | Allowed CIDR Block | Description
---- | ------------------ | -----------
All ports | Security group of the elastic network interfaces | Allow mutual access within the security group so that containers can communicate with each other.
TCP port 5443 | VPC CIDR block | Allow access to kube-apiserver on the master nodes, which provides lifecycle management for Kubernetes resources.
TCP port 443 | 100.125.0.0/16 | Access the OBS or SWR port to pull images.
UDP port 53 | 100.125.0.0/16 | Allow traffic over the DNS port for name resolution.
TCP port 443 | VPC CIDR block | Pull images through the SWR endpoint.
All ports | 198.19.128.0/17 | Allow access to VPC Endpoint.
TCP port 9443 | VPC CIDR block | Allow the network add-on on the worker nodes to access the master nodes.
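The practical risk when hardening the outbound rules is leaving out one of the rows above (DNS or the image-pull range are the usual casualties) and discovering it only when pods stop starting. The following checker is an added example, not code from the CCE Autopilot documentation or from the Huawei Cloud SDK: it models the Table 3 minimum as a list of rules and reports which of them a given outbound rule set fails to cover. The Rule layout, the VPC CIDR 10.0.0.0/16, the security group ID sg-eni and the sample rule sets are all constructed for illustration; replace them with the values of your own VPC and cluster.

```python
"""Audit an ENI security group's outbound rules against the minimum set in Table 3.

Added example, not code from the CCE Autopilot documentation or the Huawei Cloud
SDK. The Rule layout, VPC_CIDR, ENI_SG_ID and the sample rule sets are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

VPC_CIDR = "10.0.0.0/16"   # assumed VPC CIDR block; use your VPC's own
ENI_SG_ID = "sg-eni"       # assumed ID of {Cluster name}-cce-eni-{Random ID}


@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "udp" or "any"
    port: Optional[int]  # None means all ports
    remote: str          # destination CIDR block or a security group ID


# Minimum outbound rules from Table 3, with the assumed VPC CIDR filled in.
MINIMUM_OUTBOUND: List[Rule] = [
    Rule("any", None, ENI_SG_ID),          # container-to-container within the SG
    Rule("tcp", 5443, VPC_CIDR),           # kube-apiserver
    Rule("tcp", 443, "100.125.0.0/16"),    # OBS/SWR image pull
    Rule("udp", 53, "100.125.0.0/16"),     # DNS resolution
    Rule("tcp", 443, VPC_CIDR),            # SWR endpoint
    Rule("any", None, "198.19.128.0/17"),  # VPC Endpoint
    Rule("tcp", 9443, VPC_CIDR),           # network add-on -> master nodes
]

# Default outbound rules created by CCE (Table 2): allow everything.
DEFAULT_OUTBOUND: List[Rule] = [
    Rule("any", None, "0.0.0.0/0"),
    Rule("any", None, "::/0"),
]

# Constructed "hardened" rule set from which the DNS rule was forgotten.
HARDENED_MISSING_DNS: List[Rule] = [
    r for r in MINIMUM_OUTBOUND if r != Rule("udp", 53, "100.125.0.0/16")
]


def _is_cidr(remote: str) -> bool:
    try:
        ip_network(remote)
        return True
    except ValueError:
        return False


def _remote_covers(existing: str, required: str) -> bool:
    """Does the existing rule's remote include every destination the required rule needs?"""
    if not _is_cidr(existing):
        # A security-group reference only covers that same security group.
        return existing == required
    if not _is_cidr(required):
        # Only an all-addresses rule (0.0.0.0/0 or ::/0) can stand in for an SG reference.
        return ip_network(existing).prefixlen == 0
    e, r = ip_network(existing), ip_network(required)
    return e.version == r.version and e.supernet_of(r)


def covers(existing: Rule, required: Rule) -> bool:
    """True if one existing rule permits all the traffic the required rule describes."""
    if existing.protocol != "any" and existing.protocol != required.protocol:
        return False
    if existing.port is not None and existing.port != required.port:
        return False
    return _remote_covers(existing.remote, required.remote)


def missing_rules(existing: List[Rule], required: List[Rule] = MINIMUM_OUTBOUND) -> List[Rule]:
    """Required rules that no existing rule covers; an empty list means nothing is blocked."""
    return [r for r in required if not any(covers(e, r) for e in existing)]


def allows_all_outbound(existing: List[Rule]) -> bool:
    """True while the default allow-all IPv4 rule is still present (nothing hardened yet)."""
    return any(covers(e, Rule("any", None, "0.0.0.0/0")) for e in existing)


def describe(rule: Rule) -> str:
    """Render a rule in the order the VPC console's outbound-rule form asks for it."""
    proto = "All" if rule.protocol == "any" else rule.protocol.upper()
    port = "All" if rule.port is None else str(rule.port)
    return f"Outbound  {proto:<4} {port:<5} {rule.remote}"


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_OUTBOUND), ("hardened", HARDENED_MISSING_DNS)):
        print(f"{name}: allow-all={allows_all_outbound(rules)}")
        for r in missing_rules(rules):
            print("  MISSING:", describe(r))
```

Run it against the rule set you intend to apply before you touch the console: add every rule the checker reports as missing first, and delete the 0.0.0.0/0 and ::/0 rules only once `missing_rules` returns an empty list, so that pods never lose DNS, image pulls or kube-apiserver access in between. The coverage test is deliberately conservative: a CIDR rule is only accepted as a stand-in for the "security group of the elastic network interfaces" row when it is an all-addresses rule, because the member addresses of a security group are not known from the rule alone.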