Container Service for Kubernetes: Configure a security group

Last Updated:Oct 20, 2021

Security groups act as virtual firewalls to provide Stateful Packet Inspection (SPI) and packet filtering capabilities and define security domains in the cloud. You can add security group rules to control inbound and outbound traffic for elastic container instances within security groups.

Security group overview

Security group definition

A security group is a logically isolated group of instances within the same region that are mutually trusted and share the same security requirements. Security group rules control access to or from the Internet or internal network for the elastic container instances in the security group.

Note

  • Each security group can manage multiple elastic container instances within the same region.

  • Each elastic container instance must belong to a single security group.

Security group types

Security groups are classified into basic security groups and advanced security groups. By default, the following rules are added when a security group is created:

  • Inbound rules that allow access on ports 80, 443, 22, and 3389, and an inbound rule that allows Internet Control Message Protocol (ICMP) traffic on all ports. These rules can be modified. Review them before you place instances in the group: if the instances do not need to expose SSH (port 22) or RDP (port 3389), delete those rules instead of leaving the defaults in place.

  • An outbound rule that allows all access on all ports.

The following table describes the differences in the features of basic and advanced security groups.

Feature | Basic security group | Advanced security group
--- | --- | ---
Access control policy when the security group has no rules | Inbound: denies all access requests. Outbound: allows all access requests. | Inbound: denies all access requests. Outbound: denies all access requests.
Maximum number of private IP addresses | 2,000 | 65,536
Mutual access between instances within the same security group | By default, instances within the same security group can access each other over the internal network. | By default, instances within the same security group are isolated from each other over the internal network. You must manually add security group rules to allow the instances to access each other over the internal network.
Control on access to or from other security groups | Rules can be added to control access to or from other security groups. | Rules cannot be added to control access to or from other security groups.

Notice

If your business requires a large number of elastic container instances and high O&M efficiency, we recommend that you use advanced security groups. Compared with basic security groups, advanced security groups can accommodate more elastic container instances and make it easier to configure security group rules.

Security group rules

Rules can be added to security groups to control inbound and outbound traffic. A security group rule is defined by attributes such as the direction, action, protocol type, port range, and authorization object. Take note of the following items about security group rules:

  • The combined number of inbound and outbound rules in each security group cannot exceed 200.

  • Follow the principle of least privilege when you add security group rules. Example:

    • Specify a single port such as port 80 in the format of 80/80, instead of a port range such as ports 1 to 80 in the format of 1/80.

    • 0.0.0.0/0 matches all IPv4 addresses. Do not use it as the authorization object unless the service must be reachable from the entire Internet; prefer the specific CIDR blocks (or, in a basic security group, the specific security groups) that need access.

For more information, see Overview.
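The following audit script is an added example, not code from the original page or from Alibaba Cloud. It walks the rules of one security group and flags the least-privilege problems described above: an authorization object of 0.0.0.0/0 or ::/0, port ranges instead of single ports, protocol ALL, administrative ports reachable from any address, and more than 200 rules in one group. Rules are plain dicts in the shape of one Permissions.Permission entry returned by the ECS DescribeSecurityGroupAttribute API; the field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, DestCidrIp) are assumed from that API, and the sample rule set is constructed to mirror the default rules this page describes, assuming 0.0.0.0/0 as their authorization object.

```python
"""Least-privilege audit for Alibaba Cloud security group rules (added example).

Rules are plain dicts in the shape of one Permissions.Permission entry from the
ECS DescribeSecurityGroupAttribute API; the field names Direction, Policy,
IpProtocol, PortRange, SourceCidrIp and DestCidrIp are assumed from that API.
"""
import ipaddress

MAX_RULES_PER_GROUP = 200        # combined inbound + outbound limit stated on this page
ADMIN_PORTS = {22, 3389}         # SSH and RDP, both opened by the default rule set
BROAD_PREFIX_V4 = 16             # assumption: an IPv4 source wider than /16 is "broad"


def parse_port_range(port_range):
    """Return (low, high) for a PortRange such as '80/80'; '-1/-1' means every port."""
    low, high = (int(p) for p in port_range.split("/"))
    if (low, high) == (-1, -1):
        return 1, 65535
    return low, high


def audit_security_group_rules(rules):
    """Return [(severity, message), ...] for the rules of one security group."""
    findings = []
    if len(rules) > MAX_RULES_PER_GROUP:
        findings.append(("error", f"{len(rules)} rules exceed the limit of {MAX_RULES_PER_GROUP}"))

    for rule in rules:
        if rule.get("Policy", "Accept").lower() != "accept":
            continue                                   # Drop rules cannot be over-permissive
        direction = rule.get("Direction", "ingress")
        inbound = direction == "ingress"
        proto = rule.get("IpProtocol", "ALL").upper()
        port_range = rule.get("PortRange", "-1/-1")
        # The authorization object: source CIDR for inbound, destination CIDR for outbound.
        cidr = rule.get("SourceCidrIp" if inbound else "DestCidrIp")
        label = f"{direction} {proto} {port_range} {cidr or 'no-cidr'}"

        any_address = False
        if cidr:
            net = ipaddress.ip_network(cidr, strict=False)
            any_address = net.prefixlen == 0           # 0.0.0.0/0 or ::/0
            if any_address:
                findings.append(("high" if inbound else "medium",
                                 f"{label}: authorization object matches every address"))
            elif net.version == 4 and net.prefixlen < BROAD_PREFIX_V4:
                findings.append(("low", f"{label}: broad network /{net.prefixlen}"))

        if proto in ("TCP", "UDP"):
            low, high = parse_port_range(port_range)
            if high > low:
                findings.append(("medium", f"{label}: port range spans {high - low + 1} ports, "
                                           "prefer a single port such as 80/80"))
            if inbound and any_address and any(low <= p <= high for p in ADMIN_PORTS):
                findings.append(("high", f"{label}: administrative port exposed to the Internet"))
        elif proto == "ALL":
            findings.append(("medium", f"{label}: allows every protocol"))
    return findings


# Constructed sample: the default rules this page says a new security group
# gets, assuming 0.0.0.0/0 as their authorization object, plus one tight rule.
DEFAULT_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
]
TIGHT_RULE = {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
              "PortRange": "80/80", "SourceCidrIp": "10.0.1.0/24"}

if __name__ == "__main__":
    for severity, message in audit_security_group_rules(DEFAULT_RULES):
        print(f"[{severity}] {message}")
    print("tight rule findings:", audit_security_group_rules([TIGHT_RULE]))
```

Run against the default rule set, the script reports nine findings, seven of them high: every default inbound rule is open to any address, and the 22 and 3389 rules additionally expose administrative ports. The tight rule (a single port from one /24) produces no finding, which is the shape a least-privilege rule should have.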

Specify a security group

When you create an elastic container instance, you must specify a security group for the instance.

Notice

You cannot change the security group for an elastic container instance. To use an elastic container instance within a different security group, create a new elastic container instance in that security group.

Specify security groups for elastic container instances in Kubernetes clusters

When you use Elastic Container Instance through Virtual Kubelet in a Kubernetes cluster, all elastic container instances in the cluster are placed in the default security group that Virtual Kubelet reads from the eci-profile ConfigMap. You can change this default for the whole cluster, or override it for individual pods with an annotation. Because the security group of an elastic container instance cannot be changed after the instance is created, set the security group before you deploy the workload.

  • Cluster default

    Run the kubectl edit command to modify the eci-profile ConfigMap of the cluster and change the default security group ID in the data section. The new default applies to elastic container instances created after the change; existing instances keep the security group they were created in.

    Note

    Virtual Kubelet 2.0.0.90-15deb126e-aliyun and later apply modifications to eci-profile as hot updates, without a restart. If your Virtual Kubelet version is earlier than 2.0.0.90-15deb126e-aliyun, we recommend that you upgrade Virtual Kubelet.

    kubectl edit configmap eci-profile -n kube-system

    Modify the securityGroupId field in the data section. Sample code:

    data:
      enableClusterIp: "true"
      enableHybridMode: "false"
      enablePrivateZone: "false"
      resourceGroupId: ""
      securityGroupId: sg-2ze0b9o8pjjzts4h****   # Specify a security group ID.
      selectors: ""
      vSwitchIds: vsw-2zeet2ksvw7f14ryz****,vsw-2ze94pjtfuj9vaymf****
      vpcId: vpc-2zeghwzptn5zii0w7****
  • Pod annotation

    To override the cluster default for a specific workload, add the k8s.aliyun.com/eci-security-group annotation to the pod template (the metadata section under spec.template), not to the metadata of the Deployment itself: annotations on the Deployment object are not copied to the pods it creates. Sample code:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: demo
      labels:
        app: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          annotations:
            k8s.aliyun.com/eci-security-group: "sg-bp1dktddjsg5nktv****"   # Specify a security group ID.
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:latest

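Because the security group cannot be changed once an elastic container instance exists, it pays to resolve the effective security group from the manifest before applying it. The following pre-apply check is an added example, not code from the original page or from Alibaba Cloud: it returns the security group a pod will receive (the pod-template annotation if present, otherwise data.securityGroupId from eci-profile) and reports an annotation that was placed on the workload object instead of the pod template, a missing security group, or a malformed ID. Assumptions, in addition to the annotation key and ConfigMap field taken from this page: the manifest and ConfigMap are the dicts that json.load or yaml.safe_load would produce; the precedence of the pod annotation over the cluster default, the set of workload kinds, and the sg- ID pattern are mine and not documented here; the sample objects are constructed.

```python
"""Resolve and validate the security group a pod will get on ECI (added example).

The annotation key and the eci-profile field come from the page; the
precedence rule, the workload kinds and the ID pattern are assumptions.
"""
import re

SG_ANNOTATION = "k8s.aliyun.com/eci-security-group"
SG_ID_PATTERN = re.compile(r"^sg-[0-9a-z]{8,}$")   # assumption: observed ID shape, not an official grammar
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_metadata(manifest):
    """Return the metadata block that ends up on the pod: top level for a Pod, the template otherwise."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("metadata", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("metadata", {})
    if kind == "CronJob":
        return (manifest.get("spec", {}).get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("metadata", {}))
    raise ValueError(f"unsupported kind: {kind}")


def effective_security_group(manifest, eci_profile):
    """Return (security_group_id, source, problems) for the pods this manifest creates."""
    problems = []
    annotations = pod_metadata(manifest).get("annotations") or {}
    sg = annotations.get(SG_ANNOTATION)
    source = "pod annotation"

    # Common mistake: annotation on the workload object, where it never reaches the pod.
    top_annotations = manifest.get("metadata", {}).get("annotations") or {}
    if manifest.get("kind") != "Pod" and SG_ANNOTATION in top_annotations and sg is None:
        problems.append(f"{SG_ANNOTATION} is set on the {manifest['kind']} metadata, not on "
                        "spec.template.metadata; pods will use the cluster default")

    if sg is None:                                 # assumption: cluster default applies only without an annotation
        sg = (eci_profile.get("data") or {}).get("securityGroupId")
        source = "eci-profile default"
    if not sg:
        problems.append("no security group: neither the pod annotation nor eci-profile data.securityGroupId is set")
    elif not SG_ID_PATTERN.match(sg):
        problems.append(f"{source}: {sg!r} does not look like a security group ID")
    return sg, source, problems


# Constructed sample inputs, reduced to the fields the check reads.
ECI_PROFILE = {"kind": "ConfigMap", "metadata": {"name": "eci-profile", "namespace": "kube-system"},
               "data": {"securityGroupId": "sg-2ze0b9o8pjjzts4habcd"}}
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
              "spec": {"template": {"metadata": {"annotations": {SG_ANNOTATION: "sg-bp1dktddjsg5nktvabcd"}},
                                    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}}}
MISPLACED = {"apiVersion": "apps/v1", "kind": "Deployment",
             "metadata": {"name": "demo", "annotations": {SG_ANNOTATION: "sg-bp1dktddjsg5nktvabcd"}},
             "spec": {"template": {"metadata": {}, "spec": {}}}}

if __name__ == "__main__":
    for name, manifest in (("deployment", DEPLOYMENT), ("misplaced", MISPLACED)):
        print(name, effective_security_group(manifest, ECI_PROFILE))
```

Wire this in as a pre-apply check in CI or as a validating admission webhook: the misplaced annotation silently falls back to the cluster default, and since the instance keeps that group for its whole life, catching it before apply is cheaper than recreating the workload.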
Specify security groups for elastic container instances by calling the API

When you call the CreateContainerGroup operation to create an elastic container instance, you can use the SecurityGroupId parameter to specify a security group. The following table describes the SecurityGroupId parameter. For more information, see CreateContainerGroup.

Parameter | Type | Example | Description
--- | --- | --- | ---
SecurityGroupId | String | sg-uf66jeqopgqa9hdn**** | The ID of the security group.

Specify security groups for elastic container instances in the console

When you create an elastic container instance on the instance buy page in the Elastic Container Instance console, you can specify a security group for the instance.


Add a security group rule

You can add rules to a security group to control inbound and outbound traffic for the elastic container instances in the security group. Examples:

  • If an elastic container instance needs to communicate with a network outside its security group, add a security group rule that allows only the required protocol, port, and peer address range.

  • When you detect attacks from specific source addresses, add security group rules that drop traffic from those sources.

For more information about how to add security group rules, see Add security group rules.