In a cluster that uses the Terway network plug-in, Terway uses elastic network interfaces
(ENIs) to assign IP addresses to containers. You can associate at most five security
groups with an ENI that is created by Terway. This helps you regulate access control
on pods in a flexible manner. This topic describes how to associate multiple security
groups with an ENI in Terway mode.
Prerequisites
You can associate multiple security groups with an ENI only if the version of Terway
is 1.1.1 or later. For more information about how to upgrade Terway, see Manage system components.
Background information
By default, Terway associates only one security group with an ENI when it creates
the ENI. You can configure Terway to associate multiple security groups with an ENI.
Note After you modify the security group configuration, the change applies only to newly created ENIs. Existing ENIs keep the previous configuration. To make the configuration take effect on an existing node, you can restart the node. For more information, see Remove a node and Add existing ECS instances to an ACK cluster.
Associate multiple security groups with an ENI
- Run the following command to modify the eni_conf configuration stored in the Terway ConfigMap named eni-config:
kubectl edit cm eni-config -n kube-system
- Add the following key to the eni_conf configuration:
"security_groups": ["sg-foo","sg-bar"]
Example:
"security_group": "sg-bp19k3sj8dk3dcd7****",
"security_groups": ["sg-bp1b39sjf3v49c33****","sg-bp1bpdfg35tg****"],
Note Terway associates all security groups that are specified by security_group and security_groups. Make sure that the security groups are of the same type and belong to the same virtual private cloud (VPC). In addition, the total number of security groups cannot exceed five.
- Run the following command to recreate the Terway pods so that the security group configuration takes effect:
kubectl delete pod -n kube-system -l app=terway-eniip
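The steps above are a manual edit, so the constraints in the note (Terway attaches the union of security_group and security_groups, and an ENI accepts at most five) are easy to get wrong by hand. The following script is an added example, not Terway's or ACK's own code: it models the eni_conf JSON held in the eni-config ConfigMap, merges the new security_groups list into it, enforces the five-group limit on the union, and prints the equivalent kubectl patch and pod-recreation commands. The sample eni_conf content and the sg-* and vsw-* IDs are constructed placeholders.

```python
"""Build a validated eni-config patch that associates multiple security groups.

Added example (not Terway's own code). The eni_conf key of the
kube-system/eni-config ConfigMap holds a JSON document; this script adds
"security_groups" to it, checks the per-ENI limit across security_group and
security_groups, and emits the kubectl commands that replace the manual edit.
"""
import json
import shlex

MAX_SECURITY_GROUPS = 5  # per-ENI limit stated in the topic

# Constructed sample of an eni_conf value; IDs are placeholders, not real resources.
SAMPLE_ENI_CONF = json.dumps({
    "version": "1",
    "security_group": "sg-bp19k3sj8dk3dcd7****",
    "vswitches": {"cn-hangzhou-h": ["vsw-example****"]},
})


def effective_security_groups(conf: dict) -> list:
    """Ordered, de-duplicated union of security_group and security_groups.

    Terway attaches every group named in either field, so the limit has to be
    checked against the union rather than against security_groups alone.
    """
    groups = []
    single = conf.get("security_group")
    if single:
        groups.append(single)
    for sg in conf.get("security_groups", []):
        if sg not in groups:
            groups.append(sg)
    return groups


def add_security_groups(eni_conf_json: str, extra: list) -> dict:
    """Return the eni_conf dict with `extra` merged into security_groups.

    Raises ValueError for malformed IDs or when the union exceeds the limit.
    """
    conf = json.loads(eni_conf_json)
    merged = list(conf.get("security_groups", []))
    for sg in extra:
        if not sg.startswith("sg-"):
            raise ValueError(f"not a security group ID: {sg!r}")
        if sg not in merged:
            merged.append(sg)
    conf["security_groups"] = merged
    total = effective_security_groups(conf)
    if len(total) > MAX_SECURITY_GROUPS:
        raise ValueError(
            f"{len(total)} security groups across security_group and "
            f"security_groups; an ENI accepts at most {MAX_SECURITY_GROUPS}")
    return conf


def kubectl_commands(conf: dict) -> list:
    """Commands equivalent to the manual `kubectl edit` plus pod recreation."""
    patch = json.dumps({"data": {"eni_conf": json.dumps(conf)}})
    return [
        "kubectl patch cm eni-config -n kube-system --type merge -p "
        + shlex.quote(patch),
        # Only newly created ENIs pick up the change; recreating the Terway
        # pods makes the daemon reload the configuration.
        "kubectl delete pod -n kube-system -l app=terway-eniip",
    ]


if __name__ == "__main__":
    updated = add_security_groups(
        SAMPLE_ENI_CONF, ["sg-bp1b39sjf3v49c33****", "sg-bp1bpdfg35tg****"])
    print(json.dumps(updated, indent=2))
    for cmd in kubectl_commands(updated):
        print(cmd)
```

Review the printed patch before running it; the script deliberately does not call kubectl itself, so the only cluster change is the one you apply by hand.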
Verify the configuration
- Log on to the ECS Console. In the left-side navigation pane, choose .
- On the Instances page, find and click the ECS instance that you want to manage.
- On the details page of the ECS instance, click the ENIs tab.
On the ENIs tab, you can find that the security groups specified in the ConfigMap
are associated with the ENI.
Associate multiple security groups with an ENI when you create a cluster
You can associate multiple security groups with an ENI when you call the API to create a cluster. The SecurityGroupIDs parameter specifies the security groups that you want to associate with the ENI. The following code block shows an example:
{
  "name": "your_cluster_name",
  "cluster_type": "ManagedKubernetes",
  "addons": [
    {
      "name": "terway-eniip",
      "config": "{\"IPVlan\":\"true\",\"NetworkPolicy\":\"false\",\"ENITrunking\":\"true\",\"SecurityGroupIDs\": \"[\\\"sg-foo\\\"]\" }"
    }
  ],
  ....
}
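The request body above is hard to write by hand because the addon config is a JSON string and, inside it, SecurityGroupIDs is itself a JSON array encoded as a string, which produces the three levels of backslash escaping shown. The following script is an added example, not ACK's SDK or API client: it builds that nested encoding with json.dumps at each level, so no backslashes are typed manually, and decodes it back the same way to check the security group list before the request is sent. The cluster name and sg-* IDs are placeholders; the IPVlan, NetworkPolicy and ENITrunking values are copied from the example above.

```python
"""Build and check the terway-eniip addon config for the cluster-creation API.

Added example (not ACK's own code). Encoding: request body -> addon "config"
JSON string -> SecurityGroupIDs JSON array as a string.
"""
import json

MAX_SECURITY_GROUPS = 5  # per-ENI limit stated in the topic
COMPACT = (",", ":")     # no whitespace, so the output matches the documented form


def terway_addon(security_group_ids, ipvlan=True, network_policy=False,
                 eni_trunking=True) -> dict:
    """Return the addon entry with SecurityGroupIDs encoded as a JSON string."""
    ids = list(security_group_ids)
    if not ids or len(ids) > MAX_SECURITY_GROUPS:
        raise ValueError(
            f"SecurityGroupIDs must name 1 to {MAX_SECURITY_GROUPS} groups")
    if any(not sg.startswith("sg-") for sg in ids):
        raise ValueError("SecurityGroupIDs must contain security group IDs")
    inner = {
        "IPVlan": str(ipvlan).lower(),
        "NetworkPolicy": str(network_policy).lower(),
        "ENITrunking": str(eni_trunking).lower(),
        # second level of nesting: the array itself is carried as a string
        "SecurityGroupIDs": json.dumps(ids, separators=COMPACT),
    }
    # first level of nesting: the whole addon config is a string
    return {"name": "terway-eniip", "config": json.dumps(inner, separators=COMPACT)}


def create_cluster_body(name: str, security_group_ids) -> str:
    """Serialize a minimal cluster-creation request body (placeholder fields)."""
    body = {
        "name": name,
        "cluster_type": "ManagedKubernetes",
        "addons": [terway_addon(security_group_ids)],
    }
    return json.dumps(body, separators=COMPACT)


def security_groups_in_body(body: str) -> list:
    """Decode all three layers and return the ENI security group IDs."""
    for addon in json.loads(body).get("addons", []):
        if addon.get("name") == "terway-eniip":
            config = json.loads(addon["config"])
            return json.loads(config["SecurityGroupIDs"])
    return []


if __name__ == "__main__":
    body = create_cluster_body("your_cluster_name", ["sg-foo", "sg-bar"])
    print(body)
    print(security_groups_in_body(body))
```

Checking the decoded list with security_groups_in_body before sending the request catches the common mistake of a config that parses at the outer level but carries a mangled inner array.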