Help Center/ Host Security Service/ User Guide/ Container Protection/ Container Firewalls/ Configuring a Network Defense Policy (for a Cluster Using the Cloud Native Network 2.0 Model)
Updated on 2024-11-15 GMT+08:00

Configuring a Network Defense Policy (for a Cluster Using the Cloud Native Network 2.0 Model)

For clusters using the cloud native network 2.0 model, you can configure network defense policies to limit the traffic that accesses the servers where containers are deployed. If no security group policies are configured, all incoming and outgoing traffic of the servers is allowed by default.

This chapter describes how to create a network defense policy for a cluster using the cloud native network 2.0 model.

Creating a Network Defense Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  1. In the navigation pane on the left, choose Container Firewalls.
  2. (Optional) If you have enabled the enterprise project, select the enterprise project where the target server resides from the drop-down list.
  3. Click Synchronize above the cluster list to synchronize the policies created on clusters.

    The synchronization takes about 1 to 2 minutes. Wait for a while and click in the upper right corner of the list to refresh and view the latest data.

    Figure 1 Synchronizing CCE Cluster policies

  1. Click Manage Policy in the Operation column of a cluster using the cloud native network 2.0 model.
  2. Click Create above the policy list. The Create a Security Group Policy dialog box is displayed.

    Figure 2 Policy management

  3. Enter the policy information as prompted. For details about related parameters, see Table 1.

    Figure 3 Create a security group policy
    Table 1 Parameters for creating a security group policy

    Parameter

    Description

    Policy

    Enter a policy name.

    Namespace

    A namespace to be selected.

    Workload Type

    Select a load type. The following types are supported:

    • Deployment
    • StatefulSets
    • DaemonSets

    Workload

    Select the target workload.

    Associate a Security Group

    Select a security group to be associated. Each policy can be associated with a maximum of five groups.

    The existing security groups in the list are those you have created in the VPC service. To create a security group, click Create a Security Group to go to the VPC console. For details, see Create a Security Group.

  4. After entering the policy information, click OK.

Related Operations

Modifying or deleting a network defense policy

  1. Go to the HSS console.
  2. In the navigation pane on the left, choose Container Firewalls.
  3. (Optional) If you have enabled the enterprise project, select the enterprise project where the target server resides from the drop-down list.
  1. Click Manage Policy in the Operation column of a cluster using the cloud native network 2.0 model.
  2. Click Synchronize above the policy list to synchronize cluster policy information.

    The synchronization takes about 1 to 2 minutes. Wait for a while and click in the upper right corner of the list to refresh and view the latest data.

  3. Select the operation to be performed on the policy.

    Figure 4 Managing policies
    • View policy content.

      In the Operation column of a policy, click View YAML. In the displayed dialog box, you can select YAML or JSON to view the policy details. Click Download in the upper left corner of the dialog box.

    • Update policy content.
      1. Locate a target policy and click Update in the Operation column. The Update a Security Group Policy dialog box is displayed.
      2. Add or delete an associated security group.
      3. Click OK.
    • Delete a policy.
      1. Locate a target policy and click Delete in the Operation column. The Delete Policy dialog box is displayed.
      2. Ensure that all information is correct and click OK.