If you use an existing security group when you create a Container Service for Kubernetes (ACK) cluster or node pool, the system does not add additional rules to the security group. You must manually add rules to the security group. This topic describes how to enforce access control on ACK clusters by adding rules to basic security groups and advanced security groups.
You can use security group rules to allow or deny communication between the Elastic Compute Service (ECS) instances in a security group and the Internet or the internal network. For more information, see Add a security group rule.
Basic security groups

Inbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | ICMP | -1/-1 (all ports) | 0.0.0.0/0 |
| Recommended settings | All protocols | -1/-1 (all ports) | |
| Least privilege settings | All protocols | 53/53 (DNS) | |
| Least privilege settings | ICMP | -1/-1 (all ports) | |
| Least privilege settings | TCP | | |
| Least privilege settings | All protocols | Ports of applications and components that you want to expose. | The IP addresses or security groups to which you want to expose applications or components. |
Outbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | All protocols | -1/-1 (all ports) | 0.0.0.0/0 |
| Least privilege settings | All protocols | -1/-1 (all ports) | 100.64.0.0/10 (the CIDR block of Alibaba Cloud resources) |
| Least privilege settings | All protocols | 53/53 (DNS) | |
| Least privilege settings | TCP | | |
| Least privilege settings | All protocols | Ports of applications and components that you want to expose. | The IP addresses or security groups to which you want to expose applications or components. |
Advanced security groups

Inbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | ICMP | -1/-1 (all ports) | 0.0.0.0/0 |
| Recommended settings | All protocols | -1/-1 (all ports) | |
| Least privilege settings | All protocols | 53/53 (DNS) | |
| Least privilege settings | ICMP | -1/-1 (all ports) | |
| Least privilege settings | TCP | | |
| Least privilege settings | All protocols | Ports of applications and components that you want to expose. | The IP addresses or security groups to which you want to expose applications or components. |
Outbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | All protocols | -1/-1 (all ports) | 0.0.0.0/0 |
| Least privilege settings | All protocols | -1/-1 (all ports) | 100.64.0.0/10 (the CIDR block of Alibaba Cloud resources) |
| Least privilege settings | All protocols | 53/53 (DNS) | |
| Least privilege settings | TCP | | |
| Least privilege settings | All protocols | Ports of applications and components that you want to expose. | The IP addresses or security groups to which you want to expose applications or components. |
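As an added example that is not part of the ACK documentation, the following Python audits a list of security group rules against the least-privilege rows above: it flags inbound Accept rules open to 0.0.0.0/0 (except the recommended ICMP rule) and outbound rules that allow all traffic to any destination, while treating the 100.64.0.0/10 range and DNS as within the pattern. The rule records are constructed samples in the shape I assume the ECS DescribeSecurityGroupAttribute API returns, and `sg-placeholder` is a placeholder id; nothing here calls the API.

```python
from ipaddress import ip_network
from typing import Optional

ALIBABA_CLOUD_CIDR = ip_network("100.64.0.0/10")  # CIDR block named in the tables above
ANY = "0.0.0.0/0"
ALL_PORTS = ("-1/-1", "1/65535")

# Constructed sample rules in the shape of the Permission records that
# ECS DescribeSecurityGroupAttribute returns (field names are an assumption).
SAMPLE_RULES = [
    {"Direction": "ingress", "IpProtocol": "ICMP", "PortRange": "-1/-1",
     "SourceCidrIp": ANY, "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "SourceCidrIp": ANY, "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceGroupId": "sg-placeholder", "Policy": "Accept"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "100.64.0.0/10", "Policy": "Accept"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": ANY, "Policy": "Accept"},
]

def audit_rule(rule: dict) -> Optional[str]:
    """Return a finding when an Accept rule is broader than the least-privilege
    rows above, or None when the rule stays within them."""
    if rule.get("Policy", "Accept") != "Accept":
        return None                       # Drop rules never widen access
    proto, ports = rule["IpProtocol"].upper(), rule["PortRange"]
    if rule["Direction"] == "ingress":
        if rule.get("SourceGroupId"):
            return None                   # scoped to another security group
        src = rule.get("SourceCidrIp", ANY)
        if src == ANY and proto != "ICMP":  # ICMP from 0.0.0.0/0 is the recommended row
            return f"inbound {proto} {ports} is open to the Internet"
        return None
    dest = rule.get("DestCidrIp", ANY)
    if rule.get("DestGroupId") or ip_network(dest, strict=False).subnet_of(ALIBABA_CLOUD_CIDR):
        return None                       # Alibaba Cloud service range
    if ports == "53/53":
        return None                       # DNS, allowed by the least-privilege rows
    if dest == ANY and ports in ALL_PORTS:
        return f"outbound {proto} to any destination: recommended setting, not least privilege"
    return None

def audit(rules=SAMPLE_RULES) -> list:
    # Findings for every rule in the group, in rule order
    return [f for f in map(audit_rule, rules) if f]
```

Running `audit()` on the sample returns two findings: the inbound all-protocol rule from 0.0.0.0/0 and the unrestricted outbound rule.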