Help Center/ Cloud Container Engine/ FAQs/ Networking/ Network Planning/ How Can I Configure a Security Group Rule in a Cluster?

Updated on 2024-09-30 GMT+08:00

View PDF

How Can I Configure a Security Group Rule in a Cluster?

CCE is a universal container platform. Its default security group rules apply to common scenarios. When a cluster is created, a security group is automatically created for the master node and worker node, separately. The security group name of the master node is {Cluster name}-cce-control-{Random ID}, and the security group name of the worker node is {Cluster name}-cce-node-{Random ID}. If a CCE Turbo cluster is used, an additional ENI security group named {Cluster name}-cce-eni-{Random ID} will be created.

You can modify the security group rules on the VPC console as required. (Log in to the management console, choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane, locate the corresponding security groups, and modify their rules.)

If you need to specify a node security group when creating a cluster, allow specific ports based on the rules of the default security group automatically created in the cluster to ensure normal communication in your cluster.

The default security group rules of the clusters using different networks are as follows:

Security Group Rules of a Cluster Using a VPC Network
Security Group Rules of a Cluster Using a Tunnel Network
Security Group Rules of a CCE Turbo Cluster Using the Cloud Native 2.0 Network

Modifying or deleting security group rules may affect cluster running. Exercise caution when performing this operation. If you need to modify security group rules, do not modify the rules of the port on which CCE running depends.
When adding a new security group rule to a cluster, ensure that the new rule does not conflict with the original rules. Otherwise, the original rules may become invalid, affecting the cluster running.

Security Group Rules of a Cluster Using a VPC Network

Security group of worker nodes

A security group named {Cluster name}-cce-node-{Random ID} is automatically created for worker nodes in a cluster. For details about the default ports, see Table 1.

**Table 1** Default ports in the security group for worker nodes that use a VPC network
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	All UDP ports	VPC CIDR block	Allow access between worker nodes and between the worker nodes and master nodes.	No	N/A
	All TCP ports	VPC CIDR block		No	N/A
	All ICMP ports	Security group of master nodes	Allow master nodes to access worker nodes.	No	N/A
	TCP port range: 30000 to 32767	All IP addresses: 0.0.0.0/0	Allow access from NodePort.	Yes	These ports must permit requests from VPC, container, and load balancer CIDR blocks.
	UDP port range: 30000 to 32767	All IP addresses: 0.0.0.0/0	Allow access from NodePort.	Yes
	All	Container CIDR block	Allow containers in a cluster to access nodes.	No	N/A
	All	Security group of worker nodes	Access outside the security group of the worker nodes is restricted, but mutual access between instances in the security group of the worker nodes is not restricted.	No	N/A
	TCP port 22	All IP addresses: 0.0.0.0/0	Allow SSH access to Linux ECSs.	Recommended	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default. You are advised to retain this setting.	Yes	If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules.

Security group of master nodes

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for master nodes in a cluster. For details about the default ports, see Table 2.

**Table 2** Default ports in the security group for master nodes that use a VPC network
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	TCP port 5444	VPC CIDR block	Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.	No	N/A
	TCP port 5444	Container CIDR block		No	N/A
	TCP port 9443	VPC CIDR block	Allow the network add-on of the worker nodes to access master nodes.	No	N/A
	TCP port 5443	All IP addresses: 0.0.0.0/0	Allow kube-apiserver of the master nodes to listen to the worker nodes.	Recommended	The port must allow traffic from the CIDR blocks of the VPC, the control plane of the hosted service mesh, and container. NOTE: To use CloudShell, you need to allow traffic from 198.19.0.0/16 on port 5443. Otherwise, you cannot access the cluster using CloudShell.
	TCP port 8445	VPC CIDR block	Allow the storage add-on of worker nodes to access master nodes.	No	N/A
	All	Security group of master nodes	Access outside the security group of the master nodes is restricted, but mutual access between instances in the security group of the master nodes is not restricted.	No	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default.	No	N/A

Security Group Rules of a Cluster Using a Tunnel Network

Security group of worker nodes

A security group named {Cluster name}-cce-node-{Random ID} is automatically created for worker nodes in a cluster. For details about the default ports, see Table 3.

**Table 3** Default ports in the security group for worker nodes that use a tunnel network
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	UDP port 4789	All IP addresses: 0.0.0.0/0	Allow access between containers.	No	N/A
	TCP port 10250	CIDR block of master nodes	Allow master nodes to access kubelet on worker nodes, for example, by running kubectl exec {pod}.	No	N/A
	TCP port range: 30000 to 32767	All IP addresses: 0.0.0.0/0	Allow access from NodePort.	Yes	The ports must allow traffic from the CIDR blocks of the VPC, load balancer, and container.
	UDP port range: 30000 to 32767	All IP addresses: 0.0.0.0/0	Allow access from NodePort.	Yes
	TCP port 22	All IP addresses: 0.0.0.0/0	Allow SSH access to Linux ECSs.	Recommended	N/A
	All	Security group of worker nodes	Access outside the security group of the worker nodes is restricted, but mutual access between instances in the security group of the worker nodes is not restricted.	No	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default. You are advised to retain this setting.	Yes	If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules.

Security group of master nodes

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for master nodes in a cluster. For details about the default ports, see Table 4.

**Table 4** Default ports in the security group for master nodes that use a tunnel network
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	UDP port 4789	All IP addresses: 0.0.0.0/0	Allow access between containers.	No	N/A
	TCP port 5444	VPC CIDR block	Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.	No	N/A
	TCP port 5444	Container CIDR block		No	N/A
	TCP port 9443	VPC CIDR block	Allow the network add-on of the worker nodes to access master nodes.	No	N/A
	TCP port 5443	All IP addresses: 0.0.0.0/0	Allow kube-apiserver of the master nodes to listen to the worker nodes.	Recommended	The port must allow traffic from the CIDR blocks of the VPC, the control plane of the hosted service mesh, and container. NOTE: To use CloudShell, you need to allow traffic from 198.19.0.0/16 on port 5443. Otherwise, you cannot access the cluster using CloudShell.
	TCP port 8445	VPC CIDR block	Allow the storage add-on of worker nodes to access master nodes.	No	N/A
	All	Security group of master nodes	Access outside the security group of the master nodes is restricted, but mutual access between instances in the security group of the master nodes is not restricted.	No	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default.	No	N/A

Security Group Rules of a CCE Turbo Cluster Using the Cloud Native 2.0 Network

Security group of worker nodes

A security group named {Cluster name}-cce-node-{Random ID} is automatically created for worker nodes in a cluster. For details about the default ports, see Table 5.

**Table 5** Default ports in the security group for worker nodes
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	TCP port 10250	CIDR block of master nodes	Allow master nodes to access kubelet on worker nodes, for example, by running kubectl exec {pod}.	No	N/A
	TCP port range: 30000 to 32767	All IP addresses: 0.0.0.0/0	Allow access from NodePort.	Yes	The ports must allow traffic from the CIDR blocks of the VPC, load balancer, and container.
	UDP port range: 30000 to 32767	All IP addresses: 0.0.0.0/0	Allow access from NodePort.	Yes
	TCP port 22	All IP addresses: 0.0.0.0/0	Allow SSH access to Linux ECSs.	Recommended	N/A
	All	Security group of worker nodes	Access outside the security group of the worker nodes is restricted, but mutual access between instances in the security group of the worker nodes is not restricted.	No	N/A
	All	Container subnet CIDR block	Allow containers in a cluster to access nodes.	No	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default. You are advised to retain this setting.	Yes	If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules.

Security group of master nodes

A security group named {Cluster name}-cce-control-{Random ID} is automatically created for master nodes in a cluster. For details about the default ports, see Table 6.

**Table 6** Default ports in the security group for master nodes
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	TCP port 5444	All IP addresses: 0.0.0.0/0	Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.	No	N/A
	TCP port 5444	VPC CIDR block		No	N/A
	TCP port 9443	VPC CIDR block	Allow the network add-on of the worker nodes to access master nodes.	No	N/A
	TCP port 5443	All IP addresses: 0.0.0.0/0	Allow kube-apiserver of the master nodes to listen to the worker nodes.	Recommended	The port must allow traffic from the CIDR blocks of the VPC, the control plane of the hosted service mesh, and container. NOTE: To use CloudShell, you need to allow traffic from 198.19.0.0/16 on port 5443. Otherwise, you cannot access the cluster using CloudShell.
	TCP port 8445	VPC CIDR block	Allow the storage add-on of worker nodes to access master nodes.	No	N/A
	All	Security group of master nodes	Access outside the security group of the master nodes is restricted, but mutual access between instances in the security group of the master nodes is not restricted.	No	N/A
	All	Container subnet CIDR block	Allow traffic from all source IP addresses in the container subnet CIDR block.	No	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default.	No	N/A

Security group of ENI

In a CCE Turbo cluster, an additional security group named {Cluster name}-cce-eni-{Random ID} is created. By default, containers in the cluster are bound to this security group. For details about the default ports, see Table 7.

**Table 7** Default ports of the ENI security group
Direction	Port	Default Source Address	Description	Modifiable	Modification Suggestion
Inbound rules	All	ENI security group	Allow containers in a cluster to access each other.	No	N/A
Inbound rules	All	VPC CIDR block	Allow instances in the cluster VPC to access containers.	No	N/A
Outbound rule	All	All IP addresses: 0.0.0.0/0	Allow traffic on all ports by default.	No	N/A

Hardening Outbound Rules

By default, all security groups created by CCE allow all the outbound traffic. You are advised to retain this configuration. To harden outbound rules, ensure that the ports listed in the following table are enabled.

**Table 8** Minimum configurations of outbound security group rules for a worker node
Port	Allowed CIDR	Description
UDP port 53	DNS server of the subnet	Allow traffic on the port for domain name resolution.
UDP port 4789 (required only by clusters that use the tunnel networks)	All IP addresses	Allow access between containers.
TCP port 5443	CIDR block of master nodes	Allow kube-apiserver of the master nodes to listen to the worker nodes.
TCP port 5444	CIDR blocks of the VPC and container	Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources.
TCP port 6443	CIDR block of master nodes	None
TCP port 8445	VPC CIDR block	Allow the storage add-on of worker nodes to access master nodes.
TCP port 9443	VPC CIDR block	Allow the network add-on of the worker nodes to access master nodes.
All ports	198.19.128.0/17	Allow worker nodes to access the VPC Endpoint (VPCEP) service.
UDP port 123	100.125.0.0/16	Allow worker nodes to access the internal NTP server.
TCP port 443	100.125.0.0/16	Allow worker nodes to access OBS over internal networks to pull the installation package.
TCP port 6443	100.125.0.0/16	Allow worker nodes to report that the worker nodes are installed.

Parent Topic: Network Planning

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot