Binding a Security Group to a Workload Using a Security Group Policy

In Cloud Native Network 2.0, pods use VPC ENIs or sub-ENIs for networking, so security groups and EIPs can be bound directly to pods. To bind security groups to CCE pods, CCE provides a custom resource object named SecurityGroup. With this resource object, you can customize security isolation for workloads.

Note

The priority of the security group bound to pods using the security group policy is higher than that of the security group in the NetworkAttachmentDefinition.

Notes and Constraints

  • This function is supported for CCE Turbo clusters of v1.19 and later. Upgrade your CCE Turbo clusters if their versions are earlier than v1.19.

  • A workload can be bound to a maximum of five security groups.

Using the Console

  1. Log in to the CCE console and click the cluster name to access the cluster console.

  2. In the navigation pane, choose Workloads. On the displayed page, click the desired workload name.

  3. Switch to the SecurityGroups tab and click Create.

  4. Set the parameters as described in Table 1.

    Table 1 Configuration parameters

    Parameter: Security Group Policy Name
    Description: Enter a security policy name. Enter 1 to 63 characters. The value must start with a lowercase letter and cannot end with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
    Example: security-group

    Parameter: Associate Security Group
    Description: The selected security group will be bound to the ENI or supplementary ENI of the selected workload. A maximum of five security groups can be selected from the drop-down list. You must select one or multiple security groups to create a SecurityGroup.
      If no security group has been created, click Create Security Group. After the security group is created, click the refresh button.
      NOTICE:
      • A maximum of five security groups can be selected.
      • Hover the cursor over the security group name to view details about the security group.
    Example: 64566556-bd6f-48fb-b2c6-df8f44617953, 5451f1b0-bd6f-48fb-b2c6-df8f44617953

  5. After setting the parameters, click OK.

    After the security group is created, the system automatically returns to the security group list page where you can see the new security group.

Using kubectl

  1. Use kubectl to access the cluster. For details, see Connecting to a Cluster Using kubectl.

  2. Create a description file named securitygroup-demo.yaml.

    vi securitygroup-demo.yaml

    For example, the following SecurityGroup binds all nginx workloads to two security groups, 64566556-bd6f-48fb-b2c6-df8f44617953 and 5451f1b0-bd6f-48fb-b2c6-df8f44617953, that have been created in advance:

    apiVersion: crd.yangtse.cni/v1
    kind: SecurityGroup
    metadata:
      name: demo
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: nginx
      securityGroups:
      - id: 64566556-bd6f-48fb-b2c6-df8f44617953
      - id: 5451f1b0-bd6f-48fb-b2c6-df8f44617953
    

    Table 2 describes the parameters in the YAML file.

    Table 2 Description

    Field           Mandatory  Description
    apiVersion      Yes        API version. The value is crd.yangtse.cni/v1.
    kind            Yes        Type of the object to be created.
    metadata        Yes        Metadata definition of the resource object.
    name            Yes        Name of the SecurityGroup.
    namespace       Yes        Name of the namespace.
    spec            Yes        Detailed description of the SecurityGroup.
    podSelector     Yes        Used to define the workload to be associated with security groups in the SecurityGroup.
    securityGroups  Yes        Security group ID.

  3. Run the following command to create the SecurityGroup:

    kubectl create -f securitygroup-demo.yaml

    If the following information is displayed, the SecurityGroup is being created.

    securitygroup.crd.yangtse.cni/demo created
    
  4. Run the following command to check the SecurityGroup:

    kubectl get sg

    If demo is listed in the NAME column of the command output, the SecurityGroup has been created successfully.

    NAME                       POD-SELECTOR                      AGE
    all-no                     map[matchLabels:map[app:nginx]]   4h1m
    s001test                   map[matchLabels:map[app:nginx]]   19m
    demo                       map[matchLabels:map[app:nginx]]   2m9s
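
A pre-apply check for the manifest from step 2, as an added example (not CCE's own code): it lints a parsed SecurityGroup manifest against the mandatory fields in Table 2, the five-group limit, and the Table 1 naming rule. Applying the console naming rule to metadata.name is an assumption, and lint_security_group and SAMPLE are names introduced here.

```python
import re

# Table 1 naming rule: 1-63 chars, starts with a lowercase letter, only
# lowercase letters, digits and hyphens, must not end with a hyphen.
# Applying it to metadata.name is an assumption of this example.
NAME_RE = re.compile(r"[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?")
API_VERSION = "crd.yangtse.cni/v1"
MAX_GROUPS = 5  # page limit: at most five security groups per workload

# Constructed sample mirroring securitygroup-demo.yaml, already parsed to a dict.
SAMPLE = {
    "apiVersion": "crd.yangtse.cni/v1",
    "kind": "SecurityGroup",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "securityGroups": [
            {"id": "64566556-bd6f-48fb-b2c6-df8f44617953"},
            {"id": "5451f1b0-bd6f-48fb-b2c6-df8f44617953"},
        ],
    },
}


def lint_security_group(manifest):
    """Return a list of problems found in a parsed SecurityGroup manifest."""
    problems = []
    if manifest.get("apiVersion") != API_VERSION:
        problems.append("apiVersion must be " + API_VERSION)
    if manifest.get("kind") != "SecurityGroup":
        problems.append("kind must be SecurityGroup")
    meta = manifest.get("metadata") or {}
    if not NAME_RE.fullmatch(str(meta.get("name", ""))):
        problems.append("metadata.name violates the naming rule")
    if not meta.get("namespace"):
        problems.append("metadata.namespace is mandatory")
    spec = manifest.get("spec") or {}
    # An empty selector is flagged too, so the policy's scope is always
    # explicit (a choice of this example, stricter than the page).
    if not spec.get("podSelector"):
        problems.append("spec.podSelector is mandatory and must not be empty")
    groups = spec.get("securityGroups") or []
    ids = [g.get("id") for g in groups if isinstance(g, dict)]
    if not ids or len(ids) != len(groups) or not all(ids):
        problems.append("securityGroups needs at least one entry, each with an id")
    if len(groups) > MAX_GROUPS:
        problems.append("more than %d security groups" % MAX_GROUPS)
    return problems
```

An empty result means the manifest meets the constraints stated on this page; it does not confirm that the security group IDs exist in the VPC.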