How Can I Configure a Security Group Rule in a Cluster?¶
CCE is a universal container platform. Its default security group rules apply to common scenarios. When a cluster is created, a security group is automatically created for the master node and worker node, separately. The security group name of the master node is {Cluster name}-cce-control-{Random ID}, and the security group name of the worker node is {Cluster name}-cce-node-{Random ID}. If a CCE Turbo cluster is used, an additional ENI security group named {Cluster name}-cce-eni-{Random ID} will be created.
You can modify the security group rules on the VPC console as required. (Log in to the management console, choose Service List > Networking > Virtual Private Cloud. On the page displayed, choose Access Control > Security Groups in the navigation pane, locate the corresponding security groups, and modify their rules.)
The default security group rules of the clusters using different networks are as follows:
Important
Modifying or deleting security group rules may affect cluster running. Exercise caution when performing this operation. If you need to modify security group rules, do not modify the rules of the port on which CCE running depends.
When adding a new security group rule to a cluster, ensure that the new rule does not conflict with the original rules. Otherwise, the original rules may become invalid, affecting the cluster running.
Security Group Rules of a Cluster Using a VPC Network¶
Security group of worker nodes
A security group named {Cluster name}-cce-node-{Random ID} is automatically created for worker nodes in a cluster. For details about the default ports, see Table 1.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | All UDP ports | VPC CIDR block | Allow access between worker nodes and between worker nodes and the master nodes. | No | N/A |
All TCP ports | |||||
All ICMP ports | Security group of master nodes | Allow master nodes to access worker nodes. | No | N/A | |
TCP port range: 30000 to 32767 | All IP addresses: 0.0.0.0/0 | Allow access from NodePort. | Yes | These ports must permit requests from VPC, container, and ELB CIDR blocks. | |
UDP port range: 30000 to 32767 | |||||
All | Container CIDR block | Allow containers in a cluster to access nodes. | No | N/A | |
All | Security group of worker nodes | Access outside the security group of the worker nodes is restricted, but mutual access between instances in the security group of the worker nodes is not restricted. | No | N/A | |
TCP port 22 | All IP addresses: 0.0.0.0/0 | Allow SSH access to ECSs. | Recommended | N/A | |
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. You are advised to retain this setting. | Yes | If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules. |
Security group of master nodes
A security group named {Cluster name}-cce-control-{Random ID} is automatically created for master nodes in a cluster. For details about the default ports, see Table 2.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | TCP port 5444 | VPC CIDR block | Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. | No | N/A |
TCP port 5444 | Container CIDR block | ||||
TCP port 9443 | VPC CIDR block | Allow the network add-on of the worker nodes to access master nodes. | No | N/A | |
TCP port 5443 | All IP addresses: 0.0.0.0/0 | Allow kube-apiserver of the master nodes to listen to the worker nodes. | Recommended | The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh. | |
TCP port 8445 | VPC CIDR block | Allow the storage add-on of worker nodes to access master nodes. | No | N/A | |
All | Security group of master nodes | Access outside the security group of the master nodes is restricted, but mutual access between instances in the security group of the master nodes is not restricted. | No | N/A | |
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. | No | N/A |
Security Group Rules of a Cluster Using the Tunnel Network¶
Security group of worker nodes
A security group named {Cluster name}-cce-node-{Random ID} is automatically created for worker nodes in a cluster. For details about the default ports, see Table 3.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | UDP port 4789 | All IP addresses: 0.0.0.0/0 | Allow access between containers. | No | N/A |
TCP port 10250 | CIDR block of master nodes | Allow master nodes to access kubelet on worker nodes, for example, by running kubectl exec {pod}. | No | N/A | |
TCP port range: 30000 to 32767 | All IP addresses: 0.0.0.0/0 | Allow access from NodePort. | Yes | These ports must permit requests from VPC, container, and ELB CIDR blocks. | |
UDP port range: 30000 to 32767 | |||||
TCP port 22 | All IP addresses: 0.0.0.0/0 | Allow SSH access to ECSs. | Recommended | N/A | |
All | Security group of worker nodes | Access outside the security group of the worker nodes is restricted, but mutual access between instances in the security group of the worker nodes is not restricted. | No | N/A | |
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. You are advised to retain this setting. | Yes | If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules. |
Security group of master nodes
A security group named {Cluster name}-cce-control-{Random ID} is automatically created for master nodes in a cluster. For details about the default ports, see Table 4.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | UDP port 4789 | All IP addresses: 0.0.0.0/0 | Allow access between containers. | No | N/A |
TCP port 5444 | VPC CIDR block | Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. | No | N/A | |
TCP port 5444 | Container CIDR block | ||||
TCP port 9443 | VPC CIDR block | Allow the network add-on of the worker nodes to access master nodes. | No | N/A | |
TCP port 5443 | All IP addresses: 0.0.0.0/0 | Allow kube-apiserver of the master nodes to listen to the worker nodes. | Recommended | The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh. | |
TCP port 8445 | VPC CIDR block | Allow the storage add-on of worker nodes to access master nodes. | No | N/A | |
All | Security group of master nodes | Access outside the security group of the master nodes is restricted, but mutual access between instances in the security group of the master nodes is not restricted. | No | N/A | |
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. | No | N/A |
Security Group Rules of a CCE Turbo Cluster Using the Cloud Native 2.0 Network¶
Security group of worker nodes
A security group named {Cluster name}-cce-node-{Random ID} is automatically created for worker nodes in a cluster. For details about the default ports, see Table 5.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | TCP port 10250 | CIDR block of master nodes | Allow master nodes to access kubelet on worker nodes, for example, by running kubectl exec {pod}. | No | N/A |
TCP port range: 30000 to 32767 | All IP addresses: 0.0.0.0/0 | Allow access from NodePort. | Yes | These ports must permit requests from VPC, container, and ELB CIDR blocks. | |
UDP port range: 30000 to 32767 | |||||
TCP port 22 | All IP addresses: 0.0.0.0/0 | Allow SSH access to ECSs. | Recommended | N/A | |
All | Security group of worker nodes | Access outside the security group of the worker nodes is restricted, but mutual access between instances in the security group of the worker nodes is not restricted. | No | N/A | |
All | Container subnet CIDR block | Allow containers in a cluster to access nodes. | No | N/A | |
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. You are advised to retain this setting. | Yes | If you want to harden security by allowing traffic only on specific ports, remember to allow such ports. For details, see Hardening Outbound Rules. |
Security group of master nodes
A security group named {Cluster name}-cce-control-{Random ID} is automatically created for master nodes in a cluster. For details about the default ports, see Table 6.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | TCP port 5444 | All IP addresses: 0.0.0.0/0 | Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. | No | N/A |
TCP port 5444 | VPC CIDR block | No | N/A | ||
TCP port 9443 | VPC CIDR block | Allow the network add-on of the worker nodes to access master nodes. | No | N/A | |
TCP port 5443 | All IP addresses: 0.0.0.0/0 | Allow kube-apiserver of the master nodes to listen to the worker nodes. | Recommended | The port must allow traffic from the CIDR blocks of the VPC, container, and the control plane of the hosted service mesh. | |
TCP port 8445 | VPC CIDR block | Allow the storage add-on of worker nodes to access master nodes. | No | N/A | |
All | Security group of master nodes | Access outside the security group of the master nodes is restricted, but mutual access between instances in the security group of the master nodes is not restricted. | No | N/A | |
All | Container subnet CIDR block | Allow traffic from all source IP addresses in the container subnet CIDR block. | No | N/A | |
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. | No | N/A |
Security group of ENI
In a CCE Turbo cluster, an additional security group named {Cluster name}-cce-eni-{Random ID} is created. By default, containers in the cluster are bound to this security group. For details about the default ports, see Table 7.
Direction | Port | Default Source Address | Description | Modifiable | Modification Suggestion |
---|---|---|---|---|---|
Inbound rules | All | ENI security group | Allow containers in a cluster to access each other. | No | N/A |
VPC CIDR block | Allow instances in the cluster VPC to access containers. | No | N/A | ||
Outbound rule | All | All IP addresses: 0.0.0.0/0 | Allow traffic on all ports by default. | No | N/A |
Hardening Outbound Rules¶
By default, all security groups created by CCE allow all the outbound traffic. You are advised to retain this configuration. To harden outbound rules, ensure that the ports listed in the following table are enabled.
Port | Allowed CIDR | Description |
---|---|---|
UDP port 53 | DNS server of the subnet | Allow traffic on the port for domain name resolution. |
UDP port 4789 (required only for clusters that use the tunnel networks) | All IP addresses | Allow access between containers. |
TCP port 5443 | CIDR block of master nodes | Allow kube-apiserver of the master nodes to listen to the worker nodes. |
TCP port 5444 | CIDR blocks of the VPC and container | Allow access from kube-apiserver, which provides lifecycle management for Kubernetes resources. |
TCP port 6443 | CIDR block of master nodes | None |
TCP port 8445 | VPC CIDR block | Allow the storage add-on of worker nodes to access master nodes. |
TCP port 9443 | VPC CIDR block | Allow the network add-on of the worker nodes to access master nodes. |
All ports | 198.19.128.0/17 | Allow worker nodes to access the VPC Endpoint (VPCEP) service. |
UDP port123 | 100.126.0.0/16 | Allow worker nodes to access the internal NTP server. |
TCP port 443 | 100.126.0.0/16 | Allow worker nodes to access OBS over internal networks to pull the installation package. |
TCP port 6443 | 100.126.0.0/16 | Allow worker nodes to report that the worker nodes are installed. |