In a Terway-based ACK cluster, Terway uses elastic network interfaces (ENIs) to assign IP addresses to containers. Each ENI that Terway creates can be associated with up to five security groups. This lets you apply layered access control to pods without restructuring your network.
Prerequisites
Before you begin, make sure that:
- Your cluster uses the Terway network plugin version 1.1.1 or later. To upgrade Terway, see Manage components.
Considerations
- New ENIs only: Security group changes apply only to ENIs created after you save the configuration. Existing ENIs keep their current security groups. To apply the new configuration to existing nodes, remove and re-add each node. See Remove a node and Add existing ECS instances to an ACK cluster.
- Same VPC: All security groups must belong to the same VPC as the cluster.
- Same type: All security groups must be of the same type (regular or enterprise).
- Five-group limit: You can associate at most five security groups with a single ENI. Terway counts both security_group and security_groups toward this limit.
Associate multiple security groups with an ENI
By default, Terway associates only one security group with each ENI it creates. To associate additional security groups, edit the eni-config ConfigMap in the kube-system namespace.
- Open the ConfigMap for editing:
  kubectl edit cm eni-config -n kube-system
- Add the security_groups field as a JSON array alongside the existing security_group field. Terway applies all security groups listed in both security_group and security_groups, and the combined total must not exceed five groups:
  "security_group": "sg-bp19k3sj8dk3dcd7****",
  "security_groups": ["sg-bp1b39sjf3v49c33****","sg-bp1bpdfg35tg****"],
- Delete the Terway pods so that they are recreated with the new configuration:
  kubectl delete pod -n kube-system -l app=terway-eniip
  Wait until all Terway pods return to the Running state before proceeding:
  kubectl get pod -n kube-system -l app=terway-eniip
  The output should look similar to:
  NAME                 READY   STATUS    RESTARTS   AGE
  terway-eniip-xxxxx   1/1     Running   0          30s
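Before saving the edited ConfigMap it is worth checking the combined list against the considerations above, because Terway only enforces them when it creates the next ENI. The following is an added example, not Terway's own code: it assumes the ConfigMap payload is a JSON object with the security_group and security_groups keys used in the procedure, and the security group IDs in it are constructed sample values.

```python
"""Sanity-check a Terway eni-config security group configuration before saving it.

Added example, not Terway's own code. Assumes the ConfigMap payload is a JSON
object carrying the security_group and security_groups keys from the procedure
above. All security group IDs below are constructed sample values.
"""
import json

# Per-ENI limit stated in the Terway documentation; both fields count toward it.
MAX_SECURITY_GROUPS_PER_ENI = 5


def merged_security_groups(eni_conf_json: str) -> list:
    """Return the groups Terway will attach to each new ENI, in order:
    security_group first, then every entry of security_groups.
    Nothing is de-duplicated here, because both fields count toward the limit."""
    conf = json.loads(eni_conf_json)
    groups = []
    primary = conf.get("security_group")
    if primary is not None:
        groups.append(primary)
    extra = conf.get("security_groups", [])
    if not isinstance(extra, list):
        raise ValueError("security_groups must be a JSON array")
    groups.extend(extra)
    return groups


def check_eni_conf(eni_conf_json: str) -> list:
    """Return a list of problems; an empty list means the configuration is acceptable."""
    problems = []
    groups = merged_security_groups(eni_conf_json)
    if not groups:
        problems.append("no security group configured")
    for sg in groups:
        if not (isinstance(sg, str) and sg.startswith("sg-")):
            problems.append(f"invalid security group ID: {sg!r}")
    # A group listed twice still occupies two of the five slots.
    duplicates = sorted({sg for sg in groups if isinstance(sg, str) and groups.count(sg) > 1})
    for sg in duplicates:
        problems.append(f"security group listed more than once: {sg}")
    if len(groups) > MAX_SECURITY_GROUPS_PER_ENI:
        problems.append(
            f"{len(groups)} security groups configured, but an ENI accepts at most "
            f"{MAX_SECURITY_GROUPS_PER_ENI} (security_group and security_groups combined)"
        )
    return problems


# Constructed sample: one primary group plus two extra groups, three in total.
GOOD_CONF = json.dumps({
    "security_group": "sg-example0001",
    "security_groups": ["sg-example0002", "sg-example0003"],
})

# Constructed sample: one primary group plus five extra groups, six in total (one too many).
TOO_MANY_CONF = json.dumps({
    "security_group": "sg-example0001",
    "security_groups": [f"sg-example000{i}" for i in range(2, 7)],
})

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("too many", TOO_MANY_CONF)):
        print(label, "->", check_eni_conf(conf) or "OK")
```

Run it against the eni_conf value you are about to paste into kubectl edit; an empty result means the merged list fits within the five-group limit and every entry looks like a security group ID.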
Verify the configuration
- Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances.
- On the Instances page, find and click the ECS instance you want to check.
- On the instance details page, click the ENIs tab. Confirm that the secondary ENI now shows the security groups you specified in the ConfigMap.
If the secondary ENI still shows only the original security group, check two things. First, the Terway pods may not have restarted yet: run kubectl get pod -n kube-system -l app=terway-eniip to confirm that all Terway pods are in the Running state, then check the ENIs tab again. Second, the new configuration applies only to ENIs created after you saved it, so an ENI that already existed keeps its original security groups until the node is removed and re-added.
Associate multiple security groups when creating a cluster
To set multiple security groups at cluster creation time, pass the SecurityGroupIDs parameter in the terway-eniip add-on configuration when calling the CreateCluster API. The add-on config value is a JSON document serialized into a string, and SecurityGroupIDs is itself a JSON array serialized into a string inside it, which is why the quotation marks around each security group ID are escaped twice in the example below:
{
"name": "your_cluster_name",
"cluster_type": "ManagedKubernetes",
"addons": [
{
"name": "terway-eniip",
"config": "{\"IPVlan\":\"true\",\"NetworkPolicy\":\"false\",\"ENITrunking\":\"true\",\"SecurityGroupIDs\": \"[\\\"sg-foo\\\"]\" }"
}
],
....
}
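Hand-writing that nested escaping is error-prone, and a mistake produces a request body that is syntactically valid JSON but carries a SecurityGroupIDs value the API cannot parse. The following is an added example, not Alibaba Cloud SDK code: it builds the add-on entry by encoding the group list with json.dumps twice, and decodes both layers again so the request can be checked before it is sent. The cluster name and security group IDs are constructed sample values.

```python
"""Build the terway-eniip add-on entry for a CreateCluster request body.

Added example, not Alibaba Cloud SDK code. The add-on config is a JSON
document serialized into a string, and its SecurityGroupIDs field is itself a
JSON array serialized into a string, so the group list is encoded twice.
The names and security group IDs used here are constructed sample values.
"""
import json

# Per-ENI limit stated in the Terway documentation.
MAX_SECURITY_GROUPS_PER_ENI = 5


def build_terway_addon(security_group_ids, *, ipvlan=True, network_policy=False, eni_trunking=True) -> dict:
    """Return the add-on object with SecurityGroupIDs double-encoded."""
    ids = list(security_group_ids)
    if not ids or len(ids) > MAX_SECURITY_GROUPS_PER_ENI:
        raise ValueError(
            f"expected 1 to {MAX_SECURITY_GROUPS_PER_ENI} security group IDs, got {len(ids)}"
        )
    inner = {
        # The API takes these flags as the strings "true" / "false".
        "IPVlan": str(ipvlan).lower(),
        "NetworkPolicy": str(network_policy).lower(),
        "ENITrunking": str(eni_trunking).lower(),
        # First encoding: the array becomes the string '["sg-..."]'.
        "SecurityGroupIDs": json.dumps(ids),
    }
    # Second encoding: the whole config object becomes one string, which
    # escapes the quotes of the inner array a second time.
    return {"name": "terway-eniip", "config": json.dumps(inner)}


def security_group_ids_from_addon(addon: dict) -> list:
    """Decode both layers and return the security group list."""
    config = json.loads(addon["config"])
    return json.loads(config["SecurityGroupIDs"])


def build_create_cluster_request(name: str, security_group_ids) -> dict:
    """Return the CreateCluster request body with the terway-eniip add-on.
    Only the fields relevant to the add-on are filled in."""
    return {
        "name": name,
        "cluster_type": "ManagedKubernetes",
        "addons": [build_terway_addon(security_group_ids)],
    }


if __name__ == "__main__":
    request = build_create_cluster_request("demo-cluster", ["sg-example0001", "sg-example0002"])
    print(json.dumps(request, indent=2))
    print("decoded:", security_group_ids_from_addon(request["addons"][0]))
```

The round trip through security_group_ids_from_addon is the check to keep: if it does not return the list you started with, the escaping in the request body is wrong.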